Every year, the CIOs, CISOs and agency Inspectors General at the 24 largest federal agencies are asked to answer questions concerning the processes and policies they use to secure federal computer systems and comply with the Federal Information Security Management Act (FISMA). The questions fall into one of seven categories. Here is a nearly complete list of the questions.

Annual Testing

- What percentage of agency programs and systems has the CIO and/or agency Inspector General reviewed this year for security vulnerabilities?
- The degree to which agency program officials and the agency CIO have used appropriate methods in the past fiscal year to ensure that contractor- or agency-provided services are adequately secure and meet policy requirements.
- The degree to which the agency used the National Institute of Standards and Technology's self-assessment guide or an equivalent methodology this year to conduct security reviews.
- Has the agency appointed a senior information security officer who reports directly to the CIO?

Plan of Action and Milestones

- Has the agency developed a plan of action and milestones (POA&M) for each significant security deficiency identified in the past fiscal year?
- Has the agency developed, implemented and managed an agency-wide POA&M process that includes incorporating known IT security weaknesses into the POA&M; program officials reporting to the CIO at least quarterly on their remediation progress; and the CIO tracking, maintaining and reviewing POA&M activities on a quarterly basis, among other steps?

Certification & Accreditation

- What percentage of systems has been certified and accredited, has had the costs of security controls integrated into the systems' life cycles, has been tested for security controls in the past fiscal year, and has a contingency plan that has been tested in the past fiscal year?

Configuration Management

- Has the CIO implemented agency-wide policies that require detailed security configurations, and what percentage of systems has received these configurations for products such as Microsoft Windows variants, Solaris, HP, Linux, Cisco routers, Oracle and others?

Incident Detection and Response

- Does the agency have documented policies and procedures for reporting security incidents internally, to law enforcement authorities, and to the U.S. Computer Emergency Readiness Team (US-CERT)?
- What percentage of systems has undergone vulnerability scans and penetration tests in the past fiscal year?

Training

- What percentage of agency employees has received security training and awareness, as well as specialized security training?

Inventory

- Has the CIO created an inventory of agency systems and updated it annually, including reaching an agreement with the Inspector General on the number of programs, systems and contractor operations?
Source: How Grades Were Assigned (revised)