4.7 Chief Information Security Officer (CISO)
The agency CISO plays a key role in working with the agency CIO to ensure information security requirements are properly implemented. (CIO Council. CISO Handbook.) In most cases, the agency’s internal policies delegate management of the agency’s information to the CIO, who has the authority under FISMA to delegate tasks related to information security to the agency CISO. FISMA does not instruct agencies on how to develop or maintain their information security programs; it simply lists agencies’ information security responsibilities. As a result, no two CISO roles are exactly the same. Some CISOs are responsible for all information security tasks at their agency, while others work with separate operations centers or take on tasks outside of information security to help with organizational priorities. Although FISMA allows for these nuances, CIOs and CISOs are ultimately statutorily responsible for information security, so they must be aware of the range of information security responsibilities assigned to agencies.
An agency CIO should view their CISO as a trusted partner and advisor for developing and implementing information security requirements. While each agency’s organizational and reporting structure may be different, building a productive relationship between the CIO and CISO is essential for effective IT and security management.
The CISO Council is a committee under the CIO Council led by the Federal CISO and an agency Vice-Chair. Its membership consists of agency CISOs from the 24 CFO Act Executive branch agencies.