FISMA Certification and Accreditation Handbook

Excellent firms don't believe in excellence, only in constant improvement and constant change.
Tom Peters
Each year, every agency has the opportunity to improve its annual Federal Computer Security Report Card. Aside from being audited by their own OIG and then by the GAO, agencies are required to self-report FISMA and privacy information annually. The White House Office of Management and Budget gives specific instructions on how to prepare and submit your agency's FISMA information. An overview for agencies to use on how to self-report their FISMA information is given in memorandum M-05-15, available at www.whitehouse.gov/omb/memoranda/fy2005/m05-15.html.
Detailed self-reporting instructions are available at www.whitehouse.gov/omb/memoranda/fy2005/m05-15_att.pdf.
The Excel template into which you enter your FISMA information is available at www.whitehouse.gov/omb/inforeg/fisma/FY05_FISMA_reporting_template_CIO.xls.
Agency Inspectors General are required to file their own report on their agency, based on the subset of systems and documents that they review when they come on site for audits.
Each agency receives a roll-up score based on the cumulative scores from the agency's bureaus and their respective departments. Every year the report card grade changes. If your agency scored well last year, that doesn't necessarily mean it will score well in subsequent years. Each year, the self-reporting templates that produce the roll-up scores change somewhat. Last year, the self-reporting template put emphasis on the following areas:
Number of systems certified and accredited (including contractor systems)
Configuration management
Security policies and procedures
Security training and awareness
Number of security incidents reported
Incident detection capabilities