Reporting Instructions for the Government Information Security Reform Act and Updated Guidance on Security Plans of Action and Milestones
The President has given a high priority to the security of the Federal government's operations and assets. Protecting the information and information systems on which the Federal government depends requires agencies to identify and resolve current security weaknesses and risks, as well as protect against future vulnerabilities and threats. Fulfilling the requirements of the Government Information Security Reform Act of 2000 (Security Act) is the key method for meeting this priority. Last year, OMB issued memorandum 01-24, guidance on reporting the results of agencies' annual security reviews and evaluations. OMB also issued memorandum 02-01, guidance for security plans of action and milestones to assist agencies in closing security performance gaps identified in their reviews. Based on lessons learned from last year's reporting, along with input from agency officials, Inspectors General (IGs), and the General Accounting Office, this memorandum provides updated guidance. This guidance has a three-part focus: 1) agency progress in remediating the security weaknesses identified in FY01; 2) the results of FY02 agency reviews and IG evaluations; and 3) specific performance measures for agency officials accountable for information and IT security. OMB's FY02 report to Congress will be based largely on the information agencies report according to these three areas. It will also measure progress against the performance baseline established in last year's security report.