Fiscal Year 2016 - 2017 Guidance on Federal Information Security and Privacy Management Requirements

November 4, 2016

M-17-05

MEMORANDUM FOR HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES

FROM: Shaun Donovan- Director

SUBJECT: Fiscal Year 2016 - 2017 Guidance on Federal Information Security and Privacy Management Requirements

Purpose

This memorandum establishes current Administration information security priorities and provides agencies with Fiscal Year (FY) 2016-2017 Federal Information Security Modernization Act (FISMA) and Privacy Management reporting guidance and deadlines, as required by the Federal Information Security Modernization Act of 2014 (Pub. L. No. 113-283, 128 Stat. 3073) (FISMA 2014), to ensure consistent government-wide performance and best practices to protect national security, privacy and civil liberties while limiting economic and mission impact of incidents.

This memorandum is directed to Federal Executive Branch agencies and does not apply to national security systems. Agencies operating national security systems, however, are encouraged to adopt the initiatives herein and abide by the spirit of this memorandum.

Background

The Federal Government has seen a marked increase in the number of information security incidents that have the potential to affect the integrity, confidentiality, and/or availability of government information, systems, and services. These incidents demonstrate the need to ensure that we comprehensively address information security practices, policies, and governance. In response to these persistent threats, the Federal Government has taken a number of significant actions to improve Federal information security.

Earlier this year, the President directed his Administration to implement the Cybersecurity National Action Plan (CNAP) to increase the level of cybersecurity in both the Federal Government and the larger digital ecosystem. The CNAP builds on the initiatives set forth in OMB Memorandum M-16-04, Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government. Concurrent with the release of the CNAP, President Obama issued an Executive Order establishing the Federal Privacy Council1. Furthermore, in July 2016, the Office of Management and Budget (OMB) issued the first update since 2000 to Circular A-130, Managing Information as a Strategic Resource, the Federal Government’s governing document for the management of Federal information resources. A-130 provides the foundation for the planning, budgeting, governance, acquisition, security, privacy, and management of Federal information resources and codifies a number of important best practices in these areas.

Summary of Contents

Section I: Information Security and Privacy Program Oversight and Reporting Requirements

This section is comprised of requirements to assist agencies with the adoption of Administration priorities and provide OMB the performance indicators necessary to conduct oversight and understand risk through an enterprise-wide lens. Furthermore, this section refines existing guidance to agencies on addressing requirements established in FISMA 2014. Specifically, this section:

  • Provides Federal agencies with timelines and requirements for quarterly and annual reporting; and
  • Establishes detailed instructions for preparing the annual agency FISMA reports, which must be submitted through the Department of Homeland Security’s (DHS) CyberScope reporting system no later than November 10, 2016.

Section II: Updated Major Incident Definition and DHS US-CERT Incident Notification Guidelines

This section includes updates to both the definition of “major incident” and the DHS United States Computer Emergency Readiness Team (US-CERT) Incident Notification Guidelines.

In addition to the sections referenced above, updates to the Frequently Asked Questions can be found at the following link: https://community.max.gov/x/ewJhRQ


Footnotes

1: Executive Order 13719, Establishment of the Federal Privacy Council (February 9, 2016)