Updated FISMA guidance puts new reporting mandates on agencies

Updated guidance from OMB outlines timelines and deliverables for reporting security incidents, information sharing and vulnerability scans of federal systems and websites.

The Office of Management and Budget has released updated guidance to federal civilian agencies on complying with the Federal Information Security Management Act, outlining timelines and deliverables for reporting security incidents, information sharing and vulnerability scans of federal systems and websites.

The memo specifies that annual reports from each agency to Congress are due no later than March 2, 2020, and outlines a host of new deadlines. Chief Financial Officer Act agency CIOs are expected to update the metrics they use for evaluating the security of their systems and identifying high-value assets on a quarterly basis, while non-CFO Act agencies must do the same twice a year.

Under FISMA, civilian agencies are required to report security incidents to the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security, including the attack vector used, impact category and other attributes.

Starting this month, and on the 15th of every month thereafter, CISA will send OMB details for each incident as well as summary reports for incidents that are determined to be at a medium priority level or higher. Each agency must also submit a letter signed by the agency head assessing the agency's security posture and detailing the total number of incidents reported to CISA.

Major security incidents, defined as instances where the attack is “likely to result in demonstrable harm to the national security interests, foreign relations or … economy of the United States or the public confidence, civil liberties or public health,” will still be reported to OMB within one hour of that determination being made and to Congress within a week. The agency must send detailed descriptions of each major security incident to OMB, including how staff responded, remediation actions taken, and mission and system impacts, along with risk assessments and compliance status for affected systems at the time of the incident.

The memo also directs DHS to conduct vulnerability scans of internet-accessible addresses and public-facing segments of civilian agency systems. To facilitate those activities, all federal civilian agencies must provide a list of systems and IP addresses for external websites, servers and other access points and ensure DHS has authorization to scan.

To improve information sharing, each agency must ensure that its CIO and chief information security officer have security clearances at the Top Secret level. The memo makes it clear OMB considers this the bare minimum required for agency IT executives to participate in interagency sharing and view classified information on tactics, techniques and procedures used by malicious actors to attack federal systems.