Doc:M-09-29 Attachment CIO Questions
Annual FISMA Reporting Chief Information Officer Questions
Question 1: System Inventory
Identify the number of agency and contractor systems by component and FIPS 199 impact level (low, moderate, high). Please also identify the number of systems that are used by your agency but owned by another federal agency (e.g., ePayroll) by component and FIPS 199 impact level.
Question 2: Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing
For the total number of systems identified by component/bureau and FIPS system impact level in the table for Question 1, identify the number and percentage of systems which have: a current certification and accreditation, security controls tested and reviewed within the past year, and a contingency plan tested in accordance with policy.
Please identify all systems reported as not having a C&A. You will need to provide the System Name and UPI.
Question 3: Annual Testing and Continuous Monitoring
What tools and techniques do you use for continuous monitoring?
Question 4: Incident Detection, Monitoring, and Response Capabilities
What tools, techniques, technologies, etc., does the agency use for incident detection?
How many systems (or networks of systems) are protected using the tools, techniques and technologies described above?
How often does the agency log and monitor activities involving access to and modification of critical information? Answer is a percentage range.
What percentage of systems maintain audit trails that provide a trace of user actions?
Does the agency maintain an incident handling and response capability?
If the answer to 4 (e) is yes, what percentage of systems are operated within the agency’s incident handling and response capability?
What tools, techniques, technologies, etc. does the agency use for incident handling and response?
Question 5: Security Awareness Training
Total number of people with log in privileges to agency systems
Number of people with log in privileges to agency systems that received information security awareness training during the past fiscal year, as described in NIST Special Publication 800-50, "Building an Information Technology Security Awareness and Training Program" (October 2003).
Number of people with log in privileges to agency systems that received information security awareness training using an ISSLOB shared service center. (Breakout total for b)
Total number of employees with significant information security responsibilities
Number of employees with significant security responsibilities that received specialized training, as described in NIST Special Publication 800-16, "Information Technology Security Training Requirements: A Role- and Performance-Based Model" (April 1998).
Total costs for providing information security training in the past fiscal year
Briefly describe the training provided and how you measure its effectiveness.
Question 6: Peer-to-Peer File Sharing
Does the agency explain policies regarding the use of peer-to-peer file sharing in information security awareness training, ethics training, or any other agency-wide training?
Question 7: Configuration Management
Is there an agency-wide security configuration policy? Yes or No.
If "Yes" is selected, the agency will enter the systems/platforms/applications for which configuration policies exist and give the status of implementation of those policies.
What tools and techniques is your agency using for monitoring compliance?
Indicate the status of the implementation of FDCC at your agency
Agency has documented deviations from FDCC standard configuration. Yes/No
New Federal Acquisition Regulation 2007-004 language, which modified "Part 39—Acquisition of Information Technology", is included in all contracts related to common security settings. Yes or No.
Question 8: Incident Reporting
How often does the agency follow documented policies and procedures for identifying and reporting incidents internally? Answer is a percentage range
How often does the agency comply with documented policies and procedures for timeliness of reporting to US-CERT? Answer is a percentage range
How often does the agency follow documented policies and procedures for reporting to law enforcement? Answer is a percentage range
Question 9: Performance Metrics for Security Policies and Procedures
Please provide three (3) outcome/output-based performance metrics your agency uses to measure the effectiveness or efficiency of security policies and procedures. The metrics must be different than the ones used in these FISMA reporting instructions, and can be tailored from NIST's Special Publication 800-55 "Performance Measurement Guide for Information Security."
Question 10: HSPD-12
Number of FISMA applications in which federal employees and contractors are using HSPD-12 Personal Identity Verification credentials for access.