This memorandum provides instructions for federal agencies on meeting their FY 2010 reporting requirements under the Federal Information Security Management Act of 2002 (FISMA). It also includes reporting instructions on each agency’s privacy management program.
Agencies need to be able to continuously monitor security-related information from across the enterprise in a manageable and actionable way. Chief Information Officers (CIOs), Chief Information Security Officers (CISOs), and other agency management need to have different levels of this information presented to them in ways that enable timely decision making. To do this, agencies need to automate security-related activities, to the extent possible, and acquire tools that correlate and analyze security-related information. Agencies need to develop automated risk models and apply them to the vulnerabilities and threats identified by security management tools.