The White House Office of Management and Budget (OMB) issued a memorandum on Oct. 16 directing agencies to submit their Federal Information Security Modernization Act (FISMA) reports to the Government Accountability Office by March 1, 2018.
The agencies are also required to submit their reports to the Department of Homeland Security, OMB, and Congress.
In their reports, agencies must include their privacy plans; descriptions of any changes made to their privacy plans; their breach response plans; their privacy continuous monitoring strategies; the URL for their privacy plans; their written policies to ensure that any new collection or use of Social Security numbers (SSNs) is necessary; and descriptions of any steps the agencies took during the reporting period to explore alternatives to the use of SSNs as a personal identifier.
Agencies also must submit reports on any major incidents that occurred during the reporting period.
“A major incident is any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people,” the memorandum said.
Agencies must notify Congress and their inspectors general of any breach no later than seven days after it was detected. The FISMA reports should include the threats and vulnerabilities relating to the incident; the risk assessments conducted on the affected information systems before the breach; whether the systems complied with security standards before the breach; and the detection, response, and remediation actions.