June 13, 2005
FOR THE HEADS OF DEPARTMENTS AND AGENCIES
Deputy Director for Management
2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management
This memorandum provides instructions for agency reporting under the Federal Information Security Management Act of 2002 (FISMA).
This year, we are asking a number of questions regarding your agency’s privacy program. As noted in the instructions, the privacy program questions (Section D of the report) shall be completed by the Senior Agency Official for Privacy, in consultation with other agency privacy officials as appropriate. These questions relate, in part, to agency implementation of the privacy provisions of the E-Government Act. Thus, OMB will no longer ask agencies to include privacy-related information in their annual E-Government Act submissions.
As you know, FISMA provides the framework for securing the Federal government’s information technology, including both unclassified and national security systems. All agencies must implement the requirements of FISMA and report annually to the Office of Management and Budget (OMB) and Congress on the effectiveness of their security programs.
OMB uses the information to help evaluate agency-specific and government-wide security performance, develop its annual security report to Congress, assist in improving and maintaining adequate agency security performance, and inform development of the E-Government Scorecard under the President’s Management Agenda.
Reports are most helpful when they clearly and accurately reflect the status of the Agency’s information security program. To promote accuracy and clarity, please make every attempt to resolve any discrepancies between the CIO and IG sections of the report before transmittal. If discrepancies cannot be reconciled, please explain the reasons for the differences in your transmittal letter to the OMB Director and to Congress.
Agencies shall transmit their reports to OMB by October 7, 2005, in the manner described in the attached instructions. In addition to the formal report transmittal to OMB, an electronic copy shall be sent to firstname.lastname@example.org.
Please contact Kim Johnson, Kim_A._Johnson@omb.eop.gov, or Kristy LaLonde, email@example.com, if you have any questions regarding information technology security. Eva Kleederman should be contacted at Eva_Kleederman@omb.eop.gov regarding privacy questions.