THE DIRECTOR

M-10-28

MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES

This memorandum outlines and clarifies the respective responsibilities and activities of the Office of Management and Budget (OMB), the Cybersecurity Coordinator, and DHS, in particular with respect to the Federal Government's implementation of the Federal Information Security Management Act of 2002 (FISMA; 44 U.S.C. §§ 3541-3549).

Under various national security and homeland security Presidential directives, and pursuant to its statutory authorities, DHS oversees critical infrastructure protection, operates the United States Computer Emergency Readiness Team (US-CERT), oversees implementation of the Trusted Internet Connection initiative, and takes other actions to help secure both the Federal civilian government systems and the private sector. At the same time, OMB has a number of cybersecurity responsibilities, principally in connection with FISMA. The Cybersecurity Coordinator leads the interagency process for cybersecurity strategy and policy development.

To clarify and avoid confusion, effective immediately, OMB will be responsible for the submission of the annual FISMA report to Congress, for the development and approval of the cybersecurity portions of the President's Budget, for the traditional OMB budgetary and fiscal oversight of the agencies' use of funds, and for coordination with the Cybersecurity Coordinator on all policy issues related to the prior three responsibilities. The Cybersecurity Coordinator will have visibility into DHS efforts to ensure Federal agency compliance with FISMA and will serve as the principal White House official to coordinate interagency cooperation with DHS cybersecurity efforts.

Effective immediately, DHS will exercise primary responsibility within the executive branch for the operational aspects of Federal agency cybersecurity with respect to the Federal information systems that fall within FISMA under 44 U.S.C. §3543. In carrying out this responsibility and the accompanying activities, DHS shall be subject to general OMB oversight in accordance with Section 3543(a), and DHS shall be subject to the limitations and requirements that apply to OMB under Section 3543(b)-(c). DHS activities will include (but will not be limited to):

• overseeing the government-wide and agency-specific implementation of and reporting on cybersecurity policies and guidance;
• overseeing and assisting government-wide and agency-specific efforts to provide adequate, risk-based and cost-effective cybersecurity;
• overseeing the agencies' compliance with FISMA and developing analyses for OMB to assist in the development of the FISMA annual report;
• overseeing the agencies' cybersecurity operations and incident response and providing appropriate assistance; and
• annually reviewing the agencies' cybersecurity programs.

All departments and agencies shall coordinate and cooperate with DHS as it carries out its cybersecurity responsibility and activities as noted here.

Thank you for your assistance in the implementation of this memorandum.

Source

• M-10-28 Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security (DHS) (PDF)