FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management

OMB - Office of E-Gov & IT


This memorandum provides instructions for meeting your agency’s FY 2008 reporting requirements under the Federal Information Security Management Act of 2002 (FISMA) (Title III, Pub. L. No. 107-347). It also includes reporting instructions on your agency’s privacy management program.

Because the Office of Management and Budget (OMB) and Congress use this report to evaluate agency-specific and Government-wide security performance, it is especially important that your agency’s report clearly and accurately reflect the overall status of your program and not include conflicting views of, or unresolved differences among, the various parties contributing to the report, including the Chief Information Officer (CIO), the Inspector General (IG), and the Senior Agency Official for Privacy (SAOP).

Although the reporting categories and questions are generally the same as last year, there are some updates based on security and privacy policies issued within the year. In particular, there are additional questions related to OMB Memorandum M-08-09 of January 18, 2008, “New FISMA Privacy Reporting Requirements for FY 2008.”

Agencies should also submit their most current documentation related to OMB Memorandum M-07-16 of May 22, 2007, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information.” This information should be provided in an appendix to your annual report and include the following items for your agency:

  • Breach notification policy;
  • Implementation plan and progress update on eliminating unnecessary use of Social Security Numbers (SSN);
  • Implementation plan and progress update on review and reduction of holdings of personally identifiable information (PII); and
  • Policy outlining rules of behavior and identifying consequences and corrective actions available for failure to follow these rules.