Guidance out on security reports
- By Diane Frank
- Apr 23, 2001
Defense Authorization Act
The Office of Management and Budget is circulating draft guidance on what agencies should include in the annual reports they must produce under the Government Information Security Reform Act (GISRA).
The act, passed last October as part of the fiscal 2001 Defense Authorization Act, is intended to foster good security practices within civilian and national security agencies. It requires chief information officers and inspectors general to perform vulnerability assessments on their agencies' security programs and practices.
OMB officials issued general guidance in January explaining the approach that agency program managers and IGs should take on the assessments. But now, it details exactly what information should be included. OMB asks agencies for:
n An executive summary from the agency head regarding how the agency is implementing GISRA. The summary should join information from the agency CIO and the agency IG, and form the basis of OMB's summary to Congress.
n Details about the agencies' annual program reviews and evaluations. Agencies will provide details by answering 11 questions that range from identifying funding to describing the performance measures used by program managers and CIOs.
Agencies' reports are due to OMB by September.