FISMA reporting must use automated tool

OMB requires agencies to use automated reporting tool, not spreadsheets, to submit FISMA data

Agencies must use an automated reporting tool to show their compliance with the Federal Information Security Management Act this year, Obama administration officials have said.

This year the Office of Management and Budget will only accept annual FISMA reports from agencies submitted with a new automated reporting tool that will allow manual data entry and an automated upload of data, OMB said in a memo to heads of departments and agencies. Previously, the agencies reported data by using spreadsheets.

“The reporting categories and questions are generally the same as last year, and the report will cover the same areas as in previous years,” Jeffrey Zients, OMB’s deputy director for management and Vivek Kundra, the federal CIO, said in the memo dated Aug. 20. “However, while the content of the report has changed little since 2008, the means of collection have changed substantially.”

The administration officials said CIOs, inspectors general and privacy officials – all officials who report data to OMB on FISMA compliance – will have to use the new tool. OMB said a test version of the tool will be available this month and that because of the new collection system, the reports will be due Nov. 18.

In a response letter dated June 23 included in a recent report on agencies’ information security from the Government Accountability Office, Kundra said OMB was planning to move FISMA reporting for fiscal 2009 to an Internet-enabled database.

Kundra called the current process is “both manual and cumbersome” and said the automation would allow for more evaluative metrics, such as performance metrics, to be collected.

Meanwhile, OMB also said agencies should use the automated reporting tool to submit separate documents showing how their policies for securing personally identifiable information and notifying people about data breaches have changed. Agencies should submit:

  • Any changes in data breach notification policy since last year’s report.
  • An update on their progress in eliminating the unnecessary use of Social Security numbers by the agency.
  • An update on the review and reduction of personally identifiable information held by the agency.

“Agency reports must reflect the agency head’s determination of the adequacy and effectiveness of information security and privacy policies, procedures, and practices,” the memo said.

About the Author

Ben Bain is a reporter for Federal Computer Week.

Featured

  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.