5.1 Office of Management & Budget (OMB)
OMB is responsible for overseeing Federal agencies’ information technology practices. As part of this core function, OMB develops, and ensures implementation of, policies and guidelines that drive improved technology performance and budgeting across the Executive Branch. The Federal CIO heads OMB’s Office of E-Government and Information Technology (E-Gov), which develops and provides direction on the use of Internet-based technologies. The two major statutes that OMB implements and oversees in this area are FITARA and FISMA.
FITARA was enacted through the National Defense Authorization Act for Fiscal Year 2015 (Public Law 113-291, Sec. 831) and expanded the role of agency CIOs with increased responsibilities. OMB M-15-14, which implements FITARA, set forth the Common Baseline for agency CIO authority and identifies the following specific requirements:
- Agency CIO Authority Enhancements
- Enhanced Transparency and Improved Risk Management in IT Investments
- Portfolio Review
- Federal Data Center Consolidation Initiative
- Expansion of Training and Use of IT Cadres
- Maximizing the Benefit of the Federal Strategic Sourcing Initiative
- Governmentwide Software Purchasing Program (OMB M-15-14. Management and Oversight of Federal Information Technology. 6/10/2015.)
FISMA sets information security requirements that agencies meet through the standards and guidelines NIST develops under the Act. (NIST. Federal Information Security Management Act (FISMA) Implementation Project.) FISMA requires an annual evaluation of the information security program at each Federal agency; the results are reviewed by DHS and OMB and incorporated into an annual report to Congress. FISMA states:
- The Director [OMB] shall oversee agency information security policies and practices, including developing and overseeing the implementation of policies, principles, standards, and guidelines on information security.
- Not later than March 1 of each year, the Director [OMB], in consultation with the Secretary [DHS], shall submit to Congress a report on the effectiveness of information security policies and practices during the preceding year.
- Each year, not later than such date established by the Director [OMB], the head of each agency shall submit to the Director [OMB] the results of [their agency’s] evaluation required under this section. (CIO Council. CISO Handbook.)