The Federal Information Security Modernization Act (FISMA), first enacted in 2002 and updated in December 2014, established roles and responsibilities for OMB, DHS, and agency CIOs to provide accountability for the delivery of information security capabilities. (CISA. Federal Information Security Modernization Act.) The 2014 FISMA update simplifies existing reporting to eliminate inefficient or wasteful reporting, while adding new reporting requirements for major information security incidents. FISMA requires the head of each Federal agency to provide information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems. Additionally, FISMA requires agency heads to report on the adequacy and effectiveness of the information security policies, procedures, and practices of their enterprise. (CISA. Fiscal Year 2020 CIO FISMA Metrics.)
FISMA requires agencies to report the status of their information security programs to OMB and requires Inspectors General (IG) to conduct annual independent assessments of those programs. OMB and DHS collaborate with interagency partners to develop the CIO FISMA metrics, and with IG partners to develop the IG FISMA metrics to facilitate these processes. 0MB also works with the Federal privacy community to develop [SAOP] metrics. These three sets of metrics together provide a comprehensive picture of an agency's cybersecurity and privacy performance. (OMB M-20-04. Fiscal Year 2019-2020 Guidance on Federal Information Security and Privacy Management Requirements. 11/19/2019.)
The legislation also provides DHS with authority to develop and oversee the implementation of binding operational directives to other agencies, in coordination and consistent with OMB policies and practices. FISMA codifies DHS’s authority to administer the implementation of information security policies for non-national security Executive Branch systems, including providing technical assistance and deploying technologies to these systems. It also places the federal information security incident center (a function fulfilled by US-CERT (CISA. US-CERT)) within DHS by law.