The Federal Information Security Management Act of 2002 (FISMA) codified the importance of information security to the economic and national security interests of the United States. FISMA requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized the need for cost-effective, risk-based security programs. FISMA requires Inspectors General, as well as agency program officials and Chief Information Officers, to conduct annual reviews of the agency's information security program and report the results to the Office of Management and Budget (OMB). OMB uses these data to assist in its oversight responsibilities and to prepare an annual report to Congress on agency compliance with the act.
To produce security standards and guidelines for FISMA, the National Institute of Standards and Technology (NIST) established the FISMA Implementation Project in 2003. The project aims to support the implementation of and compliance with FISMA standards. Per FISMA, an effective information security program should include, among other things,
In support of FISMA, OMB requires executive agencies within the federal government to
A key element of the FISMA Implementation Project is NIST's integrated Risk Management Framework, which effectively brings together all of the FISMA-related security standards and guidance to promote the development of comprehensive and balanced information security programs by agencies.
OIGs are not expected to conduct their own full risk analysis but rather to evaluate how agencies are evaluating risk and prioritizing security issues. OIGs are encouraged to evaluate agency findings and compare them to existing agency priorities, administration priorities, and key FISMA metrics.
Our office assesses the information security programs of the Board and the CFPB in the following 11 areas:
We evaluate 96 attributes across these 11 areas and determine whether the Board and the CFPB have established a program for information security in each area. We then determine whether specific elements were in place for each program and report the data to OMB.