This Appendix documents specific action items, including deadlines and action item owners. Engagement will occur as needed to close out the action items.

| Number | Action | Deadline | Responsible Party |
|---|---|---|---|
| #1 | Report agency performance against the Annual FY 2016 FISMA CIO, Inspector General, and Senior Agency Official for Privacy metrics. | November 10, 2016 | All agencies |
| #2 | Privacy Program Memorandum. | November 10, 2016 | All agencies |
| #3 | Deliver agency annual report, including agency head letter, to Congress. | March 1, 2017 | All agencies |
| #4 | Update responses to FISMA questions and metrics at least quarterly. | Quarter 1: no later than January 15, 2017; Quarter 2: no later than April 15, 2017; Quarter 3: no later than July 15, 2017; Quarter 4 / FY 2017 Annual: no later than October 31, 2017 | CFO Act agencies |
| #5 | Report incidents designated as “major” to Congress within seven (7) days of the date on which the agency has a reasonable basis to conclude a major incident has occurred. | Ongoing | All agencies |
| #6 | Notify OMB within one (1) hour of an agency notifying DHS that a major incident has occurred. | Ongoing | DHS |
| #7 | Notify affected individuals, in accordance with FISMA 2014, as “expeditiously as practicable, without unreasonable delay.” | Ongoing | All agencies |
| #8 | Following the identification of an incident as “major,” provide to Congress, as soon as it is available, additional information on the threats, actors, and risks posed, as well as previous risk assessments of the affected system, the current status of the affected system, and the detection, response, and remediation actions that were taken. | Ongoing | All agencies |
| #9 | Reporting in the revised US-CERT Incident Reporting System format. | April 1, 2017 | All agencies |
| #10 | US-CERT will provide every Federal agency with a log of information security incidents it has reported over the previous quarter. | 5th day of each quarter | DHS |
| #11 | Agencies will validate that the data provided by US-CERT is correct and up to date. | 20th day of each quarter | All agencies |