OMB Memoranda M-10-15 and M-10-28 set out the Department of Homeland Security's (DHS) responsibilities under FISMA. M-10-15 states that DHS will provide additional operational support to federal agencies in securing federal information systems, and that DHS will monitor and report on agency progress to ensure the guidance is implemented effectively. The memo also describes the new FISMA reporting process, which follows a three-tiered approach:
- Data feeds directly from security management tools
- Government-wide benchmarking on security posture
- Agency-specific interviews
The three-tiered approach grew out of a task force established in September 2009 to develop new, outcome-focused metrics for federal agencies' information security performance. The task force concentrated on metrics that would measurably advance the security posture of agencies and departments, rather than only document the existence of controls.
M-10-28 outlines and clarifies the respective responsibilities and activities of the Office of Management and Budget (OMB), the Cybersecurity Coordinator, and DHS, in particular with respect to the federal government's implementation of the Federal Information Security Management Act of 2002 (FISMA; 44 U.S.C. §§ 3541-3549).
Under M-10-28, DHS exercises primary responsibility within the executive branch for the operational aspects of federal agency cybersecurity with respect to the federal information systems that fall within FISMA under 44 U.S.C. § 3543. In carrying out this responsibility and the accompanying activities, DHS remains subject to general OMB oversight in accordance with section 3543(a), and to the same limitations and requirements that apply to OMB under section 3543(b)-(c) (the subsections that carve out national security systems and certain Department of Defense and intelligence community systems from OMB's authority).
DHS activities include, but are not limited to:
- overseeing the government-wide and agency-specific implementation of and reporting on cybersecurity policies and guidance;
- overseeing and assisting government-wide and agency-specific efforts to provide adequate, risk-based and cost-effective cybersecurity;
- overseeing the agencies' compliance with FISMA and developing analyses for OMB to assist in the development of the FISMA annual report;
- overseeing the agencies' cybersecurity operations and incident response and providing appropriate assistance; and
- annually reviewing the agencies' cybersecurity programs.
All departments and agencies are required to coordinate and cooperate with DHS as it carries out the cybersecurity responsibilities and activities described in M-10-15 and M-10-28.