M-05-15, FY 2005 Reporting Instructions for the FISMA
June 13, 2005
MEMORANDUM FOR THE HEADS OF DEPARTMENTS AND AGENCIES
Deputy Director for Management
SUBJECT:FY 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management
This memorandum provides instructions for agency reporting under the Federal Information Security Management Act of 2002 (FISMA).
This year, we are asking a number of questions regarding your agency’s privacy program. As noted in the instructions, the privacy program questions (Section D of the report) shall be completed by the Senior Agency Official for Privacy, in consultation with other agency privacy officials as appropriate. These questions relate, in part, to agency implementation of the privacy provisions of the E-Government Act. Thus, OMB will no longer ask agencies to include privacy related information in their annual E-Government Act submissions.
As you know, FISMA provides the framework for securing the Federal government’s information technology including both unclassified and national security systems. All agencies must implement the requirements of FISMA and report annually to the Office of Management and Budget (OMB) and Congress on the effectiveness of their security programs.
OMB uses the information to help evaluate agency-specific and government-wide security performance, develop its annual security report to Congress, assist in improving and maintaining adequate agency security performance, and inform development of the E-Government Scorecard under the President’s Management Agenda.
Reports are most helpful when they clearly and accurately reflect the status of the Agency’s information security program. To promote accuracy and clarity, please make every attempt to resolve any discrepancies between the CIO and IG sections of the report before transmittal. If discrepancies cannot be reconciled, please explain the reasons for the differences in your transmittal letter to the OMB Director and to Congress.
Agencies shall transmit their reports to OMB by October 7, 2005, in the manner described in the attached instructions. In addition to the formal report transmittal to OMB, an electronic copy shall be sent to firstname.lastname@example.org. Please contact Kim Johnson, Kim_A._Johnson@omb.eop.gov, or Kristy LaLonde, email@example.com, if you have any questions regarding information technology security. Eva Kleederman should be contacted at Eva_Kleederman@omb.eop.gov regarding privacy questions.