by CSO Staff

The Seven Categories

May 01, 2005
Data and Information Security

Every year, the CIOs, CISOs and agency Inspectors General at the 24 largest federal agencies are asked to answer questions concerning the processes and policies they use to secure federal computer systems and comply with the Federal Information Security Management Act (FISMA). The questions fall into one of seven categories. Here is a nearly complete list of the questions.

Annual Testing

  • What percentage of agency programs and systems has the CIO and/or the agency Inspector General reviewed this year for security vulnerabilities?
  • To what degree have agency program officials and the agency CIO used appropriate methods in the past fiscal year to ensure that contractor- or agency-provided services are adequately secure and meet policy requirements?
  • To what degree did the agency use the National Institute of Standards and Technology's self-assessment guide, or an equivalent methodology, to conduct security reviews this year?
  • Has the agency appointed a senior information security officer who reports directly to the CIO?

Plan of Action and Milestones

  • Has the agency developed a plan of action and milestones (POA&M) for each significant security deficiency identified in the past fiscal year?
  • Has the agency developed, implemented and managed an agency-wide POA&M process that includes incorporating known IT security weaknesses into the POA&M; program officials reporting to the CIO at least quarterly on their remediation progress; and the CIO tracking, maintaining, and reviewing POA&M activities on a quarterly basis, among other steps?

Certification & Accreditation

What percent of systems has been certified and accredited, has had the costs of security controls integrated into the systems’ life cycles, has been tested for security controls in the past fiscal year, and has a contingency plan that has been tested in the past fiscal year?

Configuration Management

Has the CIO implemented agency-wide policies that require detailed security configurations, and what percentage of systems has received these configurations for platforms such as the Microsoft Windows variants, Solaris, HP, Linux, Cisco routers, Oracle and others?

Incident Detection and Response

Does the agency have documented policies and procedures for reporting security incidents internally, to law enforcement authorities, and to the U.S. Computer Emergency Readiness Team (US-CERT)? What percentage of systems has undergone vulnerability scans and penetration tests in the past fiscal year?

Security Training
What percentage of agency employees has received security training and awareness, as well as specialized security training?

System Inventory
Has the CIO created an inventory of agency systems and updated it annually, including reaching an agreement with the Inspector General on the number of programs, systems and contractor operations?

Source: How Grades Were Assigned revised