Management Discussion and Analysis
Federal Information Security Management Act (FISMA)

FISMA, part of the Electronic Government Act of 2002, provides the framework for securing the federal government’s information systems. Agencies covered by FISMA are required to report annually to OMB and Congress on the effectiveness of their information security programs. Specifically, FISMA requires agencies to have:

(1) periodic risk assessments;
(2) information security policies, procedures, standards, and guidelines;
(3) delegations of authority to the CIO to ensure compliance with policy;
(4) security awareness training programs;
(5) procedures for detecting, reporting, and responding to security incidents; and
(6) plans to ensure continuity of operations.

FISMA also requires an annual independent evaluation of the Agency’s information security program by the Agency IG. This report is separate from the Performance and Accountability Report (PAR). Weaknesses found under FISMA are to be identified as a significant deficiency, reportable condition, or other weakness, and FISMA weaknesses that fall into the category of significant deficiency are required to be reported as a material weakness under the FMFIA.

This year’s evaluation concluded that USAID generally met the requirements of FISMA, and that the Agency has made many positive strides in addressing information security weaknesses. However, USAID still faces several important challenges in the areas of certification and accreditation, contingency planning, risk assessments, security categorizations, and establishing policies and procedures.

Based on last year’s report, Congress awarded an A+ (a perfect 100) to USAID in recognition of the exceptional status of the information security program. USAID is the first and only federal agency to receive this distinction. USAID has developed an excellent risk-based information security program that includes processes, training, and security technologies, and the Agency expects to continue to receive high marks for its work in this area.

Fri, 02 Feb 2007 15:25:06 -0500