7.4 FISMA Reporting
FISMA metrics are aligned to the five functions outlined in NIST's Framework for Improving Critical Infrastructure Cybersecurity: Identify, Protect, Detect, Respond, and Recover. Annually, OMB releases a memorandum establishing FISMA reporting guidance and deadlines, with additional details provided through CyberScope and MAX. (GSA. FISMA Implementation Guide. CIO-IT Security-04-26. 4/16/2019.) FISMA documents are available on the cisa.gov website for each fiscal year of FISMA, while the memorandums are available on the whitehouse.gov website. (CISA. Federal Information Security Modernization Act.)
Typically, the memorandum is released around October or November for the upcoming fiscal year; see OMB M-20-04 for the FY20 guidance. (OMB M-20-04. Fiscal Year 2019-2020 Guidance on Federal Information Security and Privacy Management Requirements. 11/19/2019.) The memorandum also specifies the performance metrics to be reported, including any Cross-Agency Priority (CAP) metrics, and provides instructions on report content and details for the development of annual agency FISMA reports. Typical CAP metrics cover the categories of Information Security Continuous Monitoring; Identity, Credential, and Access Management; and Anti-Phishing and Malware Defense.
FISMA data is assessed both quarterly and annually. Quarterly, as mandated by OMB and the NSC, agencies are required to collect FISMA performance metrics data and upload the results into CyberScope. This collection typically involves multiple people working with the responsible POC, and the results are reviewed by the CISO and CIO prior to being uploaded. The Annual FISMA Report typically consists of three main sections:
- CIO: Implementation of FISMA CAP measures and base measures
- SAOP: Implementation of a Privacy Program in compliance with the Privacy Act
- IG: Questions about security and privacy programs independently answered by the agency IG
Typically, these sections are completed by the relevant teams within the agency, incorporated into the annual report, and reviewed; the report must then be approved and signed by the head of the agency. Additionally, agencies may use this time to conduct a FISMA self-assessment to assess and support their FISMA compliance.
Finally, the annual report is also required to be submitted to the Chairperson and Ranking Member of the House Committee on Oversight and Government Reform, the House Committee on Homeland Security, the House Committee on Science, Space, and Technology, the Senate Committee on Homeland Security and Governmental Affairs, the Senate Committee on Commerce, Science, and Transportation, and the appropriate authorization and appropriations committees in both the House and Senate, as well as to the GAO and to the Comptroller General of the United States. For more information, consult the Reporting Calendar.