FISMA reporting must use automated tool

OMB requires agencies to use automated reporting tool, not spreadsheets, to submit FISMA data

Agencies must use an automated reporting tool to show their compliance with the Federal Information Security Management Act this year, Obama administration officials have said.

This year the Office of Management and Budget will only accept annual FISMA reports from agencies submitted with a new automated reporting tool that will allow manual data entry and an automated upload of data, OMB said in a memo to heads of departments and agencies. Previously, the agencies reported data by using spreadsheets.

“The reporting categories and questions are generally the same as last year, and the report will cover the same areas as in previous years,” Jeffrey Zients, OMB’s deputy director for management and Vivek Kundra, the federal CIO, said in the memo dated Aug. 20. “However, while the content of the report has changed little since 2008, the means of collection have changed substantially.”

The administration officials said CIOs, inspectors general and privacy officials – all officials who report data to OMB on FISMA compliance – will have to use the new tool. OMB said a test version of the tool will be available this month and that because of the new collection system, the reports will be due Nov. 18.

In a response letter dated June 23 included in a recent report on agencies’ information security from the Government Accountability Office, Kundra said OMB was planning to move FISMA reporting for fiscal 2009 to an Internet-enabled database.

Kundra called the current process is “both manual and cumbersome” and said the automation would allow for more evaluative metrics, such as performance metrics, to be collected.

Meanwhile, OMB also said agencies should use the automated reporting tool to submit separate documents showing how their policies for securing personally identifiable information and notifying people about data breaches have changed. Agencies should submit:

  • Any changes in data breach notification policy since last year’s report.
  • An update on their progress in eliminating the unnecessary use of Social Security numbers by the agency.
  • An update on the review and reduction of personally identifiable information held by the agency.

“Agency reports must reflect the agency head’s determination of the adequacy and effectiveness of information security and privacy policies, procedures, and practices,” the memo said.

About the Author

Ben Bain is a reporter for Federal Computer Week.

FCW in Print

In the latest issue: Looking back on three decades of big stories in federal IT.


  • Anne Rung -- Commerce Department Photo

    Exit interview with Anne Rung

    The government's departing top acquisition official said she leaves behind a solid foundation on which to build more effective and efficient federal IT.

  • Charles Phalen

    Administration appoints first head of NBIB

    The National Background Investigations Bureau announced the appointment of its first director as the agency prepares to take over processing government background checks.

  • Sen. James Lankford (R-Okla.)

    Senator: Rigid hiring process pushes millennials from federal work

    Sen. James Lankford (R-Okla.) said agencies are missing out on younger workers because of the government's rigidity, particularly its protracted hiring process.

  • FCW @ 30 GPS

    FCW @ 30

    Since 1987, FCW has covered it all -- the major contracts, the disruptive technologies, the picayune scandals and the many, many people who make federal IT function. Here's a look back at six of the most significant stories.

  • Shutterstock image.

    A 'minibus' appropriations package could be in the cards

    A short-term funding bill is expected by Sept. 30 to keep the federal government operating through early December, but after that the options get more complicated.

  • Defense Secretary Ash Carter speaks at the TechCrunch Disrupt conference in San Francisco

    DOD launches new tech hub in Austin

    The DOD is opening a new Defense Innovation Unit Experimental office in Austin, Texas, while Congress debates legislation that could defund DIUx.

Reader comments

Thu, Oct 29, 2009 Travis

Regarding civilian contractors who handle FISMA reporting on behalf of government agencies: 1. Will they be able to access and input data collection into the automated reporting tool? 2.If this tool is made available to 3rd parties who handle FISMA reporting for government agencies, how do they apply for access? 3. Will this tool also apply to financial institutions and or the health care industry who also comply with FISMA regulations?

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group