7. Implement Information Security and Privacy Controls

Information technology changes rapidly, and agencies must have the flexibility to address known and emerging threats while making continuous improvements.

FISMA and OMB Circular A-130 require each Federal agency to develop, document, and implement an agency-wide information security program for the information and information systems that support the agency’s operations and assets, including those provided or managed by another agency, contractor, or other source. [19] FISMA also provides for the development and maintenance of minimum controls to protect Federal information and information systems. Moreover, OMB Circular A-130 requires agencies to develop, implement, document, maintain, and oversee an agency-wide privacy program that includes people, processes, and technologies. Each agency-wide privacy program must implement privacy controls, verify that those controls are operating as intended, and continuously monitor and assess them.

A. Agencies must follow the policies, principles, standards, and guidelines on information security and privacy, in accordance with FISMA and other laws. Each agency is already required to implement the security and privacy policies set forth in OMB Circular A-130; National Institute of Standards and Technology (NIST) Special Publication 800-44, Guidelines on Securing Public Web Servers; and the other associated standards and 800-series guidelines from NIST. [20]

B. All agency domains must be in compliance with OMB Memorandum M-08-23, Securing the Federal Government’s Domain Name System Infrastructure, and with any future updates to identity, credentialing, and access management policy. [21]

19: 44 U.S.C. § 3554(b)

20: https://www.whitehouse.gov/omb/circulars_default/; https://www.whitehouse.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf; http://csrc.nist.gov/publications

21: https://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2008/m08-23.pdf