Who provides implementation guidance for the information security program?
1.6.4 Agency IT Authorities – OMB Guidance
This section consists of language from OMB guidance that further demarcates, expands upon, or clarifies IT authorities assigned to agencies. This language directly or indirectly tasks the CIO with duties or responsibilities pertaining to information security and privacy. See the sections on OMB Memoranda and OMB Circulars for more information about these forms of OMB guidance. See the sections on the Office of Inspector General (OIG) and the Government Accountability Office (GAO) to review how compliance with policies is measured.
Subsections:
Privacy
Agencies shall:
Information Security Reporting
Pursuant to OMB Circular No. A-130, Appendix I
[Security Budget Estimates]
Privacy Risk
Privacy Impact Assessments (PIA)
Risk Management Framework
[Privacy Budget Estimates]
Designation of the [SAOP]
To ensure that agencies effectively carry out the privacy-related functions described in law and OMB policies, Executive Order 13719 requires the head of each agency to designate or re-designate an SAOP who has agency-wide responsibility and accountability for the agency’s privacy program. (OMB M-16-24. Role and Designation of Senior Agency Officials for Privacy. 9/15/2016.)
[SAOP Reporting Requirements]
High Value Asset (HVA) Program
The Agency HVA Process
Information Security Management
Information Security and Privacy Program Oversight and FISMA Reporting Requirements
At a minimum, CFO Act agencies must update their CIO Metrics quarterly and non-CFO Act agencies must update their CIO Metrics on a semiannual basis. Reflecting the Administration’s shift from compliance to risk management, as well as the guidance and requirements outlined in OMB Memorandum M-19-03, Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program, and Binding Operational Directive 18-02, Securing High Value Assets, CIO Metrics are not limited to assessments and capabilities within [NIST] security baselines, and agency responses should reflect actual implementation levels. Although FISMA requires an annual IG assessment, OMB strongly encourages CIOs and IGs to discuss the status of information security programs throughout the year.
Cybersecurity Reporting: Overview and Purpose
Policy to Require Secure Connections across Federal Websites and Web Services
[To] promote the efficient and effective deployment of HTTPS, the timeframe for [compliance is outlined below]. This Memorandum requires that Federal agencies deploy HTTPS on their domains using the following guidelines. (OMB M-15-13. Policy to Require Secure Connections across Federal Websites and Web Services. 6/8/2015.)
FISMA Reporting and Agency Privacy Management
Below are activities explicitly outlined in FISMA:
CIO/CISO Interviews
Submit Privacy Documents
OMB [requires] agencies to submit these four privacy documents whether or not the documents have changed from versions submitted in previous years.
Information Security Continuous Monitoring (ISCM)
Federal Information Security Management Act (FISMA) Agency Reporting Activities
CyberScope is the platform for the FISMA reporting process. Agencies should note that a Personal Identity Verification card, compliant with Homeland Security Presidential Directive 12, is required for access to CyberScope. No FISMA submissions [are] accepted outside of CyberScope. For information related to CyberScope, please visit: https://max.omb.gov. (The website MAX.gov is only accessible to federal employees.) CIOs, Inspectors General, and Senior Agency Officials for Privacy [all] report through CyberScope. Micro agencies (according to M-11-33, micro agencies are agencies employing 100 or fewer full-time equivalents (FTEs)) [also] report using this automated collection tool. (OMB M-11-33. FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management. 9/14/2011.)
Agency Implementation of Identity, Credential, and Access Management (ICAM)
[Telework Security Guidelines]
[Telework Security Point of Contact]
Who issued security classification guides for systems, plans, programs, projects, or missions?
Department of Defense (DoD) 5200.1-R, Information Security Program, and Army Regulation (AR) 380-5, Department of the Army Information Security Program, provide for the issuance of a security classification guide (SCG) for each system, plan, program, or project involving classified information.
What information do security classification guides provide about systems?
SCGs provide detailed classification guidance on program-specific information for use by derivative classifiers in applying appropriate classification markings, and they facilitate the proper and uniform derivative classification of information.
What does a security classification guide provide?
In order of preference: a Security Classification Guide (SCG), a properly marked source document, and DD Form 254. This form is a contract document which officially and legally conveys classification guidance to a cleared contractor.
Who is responsible for the review of written materials for public release?
The Defense Office of Prepublication and Security Review manages the Department of Defense Security Review program, reviewing written materials for both public and controlled release.