Responses to Questions Raised in OMB's Fiscal Year 2004 FISMA Reporting Instructions
(Report No. 04-047, September 30, 2004)
Summary
The Office of Management and Budget's (OMB) August 23, 2004 memorandum M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act directs agency Chief Information Officers (CIO) and Inspectors General to answer a series of questions related to the performance of their respective agency's information security program. The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General's (OIG) responses to the OMB questions were based on the results of our recently completed independent security evaluation required by the Federal Information Security Management Act (FISMA). We issued a separate evaluation report on September 30, 2004, entitled Independent Evaluation of the FDIC's Information Security Program-2004 (Report No. 04-046), detailing our FISMA evaluation results. Generally, the independent security evaluation report provided a more comprehensive and qualitative assessment of the FDIC's information security program and practices than our responses to the OMB questions. Our responses to the OMB questions, together with our independent security evaluation report, satisfy our 2004 FISMA reporting requirements.
The objective of the audit was to answer specific questions raised in OMB's fiscal year 2004 FISMA reporting instructions. Consistent with the results of our independent security evaluation, our responses to the OMB questions indicate that the FDIC has taken positive actions in a number of key security program areas. Our work did not identify any significant deficiencies in the FDIC's information security program that warrant consideration as a potential material weakness as defined by the OMB. However, additional control improvements and associated implementation activities were needed.
Management Comments
We provided the Division of Information Resources Management (DIRM) with a draft report summarizing our responses to the OMB questions on September 24, 2004. We also discussed our responses to the OMB questions with DIRM information security staff and made a number of changes to address their concerns and comments. Because the draft report did not contain formal recommendations, no written response was required from the Corporation.
