Agencies must submit FISMA reports online


Changes are coming to the Federal Information Security Management Act (FISMA) reporting process. Agencies and departments are now required to use a new automated reporting system to file their annual FISMA and privacy reports starting with this year's reports. The Office of Management and Budget issued a 20-page memo last week outlining the changes. Jeffrey D. Zients, OMB's deputy director for management, and Federal CIO Vivek Kundra said reporting categories and questions remain the same.

In the past, agencies were required to use spread sheets to report data. This year, agencies will be using the automated reporting tool, a major step forward in embracing online tools for the reporting requirement. As a result of this change, OMB extended by two months, to Nov. 18, the deadline for agencies to file their reports.

"While the content of the report has changed little since 2008, the means of collection has changed substantially," Zients, and Kundra said in a memo about the change. "This year, rather than using spreadsheets, the annual FISMA report data collection will occur via an automated reporting tool," which will allow both manual data entry and automatic upload of data.

Kundra called the existing reporting system cumbersome, requiring more than 160 agencies to submit more than 200 spreadsheets. An Internet-enabled database would allow "the collection of more evaluative metrics, such as performance metrics," he said.

In an article by on FISMA's reporting changes, one former federal CIO was anonymously critical of the automation: "This does the proverbial 'paving of the cow path,'" he said, by automating a business process without considering whether the process is effective or efficient in the first place. "We aren't changing or reengineering the process or easing the requirements. The fact that you can submit online is nice, but it doesn't change the complexity or the real burden."

For more on automating FISMA requirements:
- check out this article