Agencies get GISRA instructions

Reporting Instructions for the Government InformationSecurity Reform Act

The Office of Management and Budget last week released the official instructions for what agencies should include in their first reports under the Government Information Security Reform Act of 2000, due Sept.10.

The June 22 memo is OMB's second set of guidelines on GISRA. The act, which President Clinton signed in October 2000 as part of the fiscal 2001 Defense Authorization Act, requires agencies to implement good security management practices, conduct an internal and an independent review of those practices, and report on their actions to OMB. Those reports will then be summarized for a report to Congress in October.

The first guidelines, issued in January, provided a specific description of responsibilities and a general explanation of the reporting requirements for the reports that must be submitted as part of agencies' fiscal 2003 budget materials.

A draft of the new memo was circulated in April, and the final instructions have not changed much from that version. It includes brief instructions for agency chief information officers and inspectors general for the executive summary, which will form the basis of the OMB report to Congress. There are also 11 specific questions covering a range from an accounting of the agency's security funding to the performance measures used by the head of the agency to make sure the agency's information security plan is being used.

OMB will be working continually with agencies to meet the Sept. 10 deadline, and there could be additional guidance before the fall, OMB spokeswoman Jennifer Wood said.