OMB to standardize FISMA guidance
Agencies will no longer have to submit full action plans and milestones on every system twice a year.
Office of Management and Budget officials are working to standardize information security guidance to avoid releasing all new guidance each year, an official said today.
In the next couple of months, OMB officials expect to modify guidelines for agencies on the Federal Information Security Management Act (FISMA) of 2002 and rely on addendums for new information each year, said Kamela White, security policy analyst at the Information Technology Policy Branch of OMB's Office of Information and Regulatory Affairs.
"There won't be new OMB guidance each year," White said, speaking today at an event sponsored by the Potomac Forum Ltd. and ICG Government. "Rather, where necessary, we'll simply make additions."
OMB officials tell agencies how to comply with FISMA policies. Agencies are required to track and fix security vulnerabilities, and report regularly to OMB.
OMB officials also plan to stop requiring agencies to submit full action plans and milestones on every system twice a year. Instead, OMB will rely on quarterly updates on security matters provided by agencies and included in the president's management agenda scorecard, White said.
Agency inspector generals work closely in reviewing agency remediation processes for fixing security gaps, she said. OMB officials will still be able to request action plans and milestones from agencies on major systems when needed.
"Rather than have agencies focus on submitting all those plans to OMB, [OMB will] rely on the quarterly updates," White said. "We're cutting down on the reporting requirement for you."
NEXT STORY: Agencies to get security scores