Doc:M-09-29 Attachment Microagency Questions
Annual FISMA Reporting MicroAgency Questions
Microagencies are defined as agencies employing 100 or fewer Full Time Equivelent positions (FTEs). Microagencies must report to OMB annually on FIMSA and Information Privacy Management. While quarterly reports/updates are not required, microagencies should be prepared to provide information or to begin submitting quarterly reports to OMB upon request.
Question 1: Information Security Systems
- Total Number of agency and contractor systems
- Number of agency and contractor systems certified and accredited
- Number of agency and contractor systems for which security controls have been tested and reviewed in the past year
- Was an independent assessment conducted in the last year?
- Number of employees
- Number of contractors
- Number of employees and contractors who received IT security awareness training in the last year
Question 2: Information Privacy
- Breach Notification: Agencies are required by OMB memorandum (M-07-16) of May 22, 2007, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information” to develop and implement a breach notification policy within 120 days.
- Agencies must complete:
- A breach notification policy
- An implementation plan to eliminate unnecessary use of Social Security Numbers (SSN)
- An implementation plan and progress update on review and reduction of holdings of personally identifiable information (PII)
- Policy outlining rules of behavior and identifying consequences and corrective actions available for failure to follow these rules
- Privacy Impact Assessments (PIAs) and Systems of Record Notices (SORNs): Please provide the URL to a centrally located web page on the agency web site on which the agency lists working links to all of its PIAs and working links to all of its SORNs published in the Federal Register. Agencies must maintain all documentation supporting this certification and make it available in a timely manner upon request by OMB or other oversight authorities. By submitting the template the agency certifies that to the best of agency's knowledge the quarterly report accounts for all of the agency’s systems to which the privacy requirements of the E-Government Act and Privacy Act are applicable. If the agency does not have any PIAs or SORNS, enter "NA." Agency must provide:
- the URL of the centrally located page on the agency web site listing working links to agency PIAs
- the URL of the centrally located page on the agency web site listing working links to the published SORNs