Updated FISMA guidance puts new reporting mandates on agencies


The Office of Management and Budget has released updated guidance to federal civilian agencies on complying with the Federal Information Security Management Act, outlining timelines and deliverables for reporting security incidents, information sharing and vulnerability scans of federal systems and websites.

The memo specifies that annual reports from each agency to Congress are due no later than March 2, 2020, and outlines a host of new deadlines. Chief Financial Officer Act agency CIOs are expected to update the metrics they use for evaluating the security of their systems and identifying high-value assets on a quarterly basis, while non-CFO Act agencies must do the same twice a year.

Under FISMA, civilian agencies are required to report security incidents to the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security, including the attack vector used, impact category and other attributes.

Beginning this month, and on the 15th of every month thereafter, CISA will send OMB details for each incident, along with summary reports for incidents determined to be at a medium priority level or higher. Each agency must also submit a letter signed by the agency head assessing the agency's security posture and detailing the total number of incidents reported to CISA.

Major security incidents, defined as instances where the attack is “likely to result in demonstrable harm to the national security interests, foreign relations or … economy of the United States or the public confidence, civil liberties or public health,” will still be reported to OMB within one hour of that determination being made and to Congress within a week. The agency must send detailed descriptions of each major security incident to OMB, including how staff responded, remediation actions taken, mission and system impacts along with risk assessments and compliance status for affected systems at the time of an incident.

The memo also directs DHS to conduct vulnerability scans of internet-accessible addresses and public-facing segments of civilian agency systems. To facilitate those activities, all federal civilian agencies must provide a list of systems and IP addresses for external websites, servers and other access points and ensure DHS has authorization to scan.

To improve information sharing, each agency must ensure that its CIO and chief information security officer hold security clearances at the Top Secret level. The memo makes it clear that OMB considers this the bare minimum required for agency IT executives to participate in interagency sharing and to view classified information on the tactics, techniques and procedures that malicious actors use to attack federal systems.

About the Author

Derek B. Johnson is a former senior staff writer at FCW.


  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    OPM nominee plans focus on telework, IT, retirement

    Kiran Ahuja, a veteran of the Office of Personnel Management, told lawmakers that she thinks that the lack of consistent leadership in the top position at OPM has taken a toll on the ability of the agency to complete longer term IT modernization projects.

  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

Stay Connected