FISMA reporting must use automated tool

OMB requires agencies to use automated reporting tool, not spreadsheets, to submit FISMA data

• By Ben Bain
• Aug 25, 2009

Agencies must use an automated reporting tool to show their compliance with the Federal Information Security Management Act this year, Obama administration officials have said.

This year the Office of Management and Budget will only accept annual FISMA reports from agencies submitted with a new automated reporting tool that will allow manual data entry and an automated upload of data, OMB said in a memo to heads of departments and agencies. Previously, the agencies reported data by using spreadsheets.

“The reporting categories and questions are generally the same as last year, and the report will cover the same areas as in previous years,” Jeffrey Zients, OMB’s deputy director for management and Vivek Kundra, the federal CIO, said in the memo dated Aug. 20. “However, while the content of the report has changed little since 2008, the means of collection have changed substantially.”

The administration officials said CIOs, inspectors general and privacy officials – all officials who report data to OMB on FISMA compliance – will have to use the new tool. OMB said a test version of the tool will be available this month and that because of the new collection system, the reports will be due Nov. 18.

In a response letter dated June 23 included in a recent report on agencies’ information security from the Government Accountability Office, Kundra said OMB was planning to move FISMA reporting for fiscal 2009 to an Internet-enabled database.

Kundra called the current process is “both manual and cumbersome” and said the automation would allow for more evaluative metrics, such as performance metrics, to be collected.

Meanwhile, OMB also said agencies should use the automated reporting tool to submit separate documents showing how their policies for securing personally identifiable information and notifying people about data breaches have changed. Agencies should submit:

• Any changes in data breach notification policy since last year’s report.
• An update on their progress in eliminating the unnecessary use of Social Security numbers by the agency.
• An update on the review and reduction of personally identifiable information held by the agency.

“Agency reports must reflect the agency head’s determination of the adequacy and effectiveness of information security and privacy policies, procedures, and practices,” the memo said.

Reader comments