OMB Policy 7: Implement Security Controls

Policy

Your agency is already required to implement security policies in OMB Circular A–130, Appendix III; OMB memorandum M–04–25, "Reporting Instructions for the Federal Information Security Management Act and Updated Guidance on Quarterly IT Security Reporting"; National Institute of Standards and Technology (NIST) Special Publication 800–44, "Guidelines on Securing Public Web Servers"; and other associated guidance from NIST. For additional information see:

• Circular A-130 Revised: Management of Federal Information Resources
• Federal Information Security Management Act of 2002: FISMA Presentation to 2003 FISSEA Conference     
  (PDF, 62.5 KB, 17 pages, April 2003)
• FY 2004 Reporting Instructions for the Federal Information Security Management Act
  (PDF, 269 KB, 28 pages, August 2004)
• NIST Guidelines on Securing Public Web Servers
  (PDF, 2.13 MB, 142 pages, September 2002)

Your agency is already required to provide adequate security controls to ensure information is resistant to tampering to preserve accuracy, remains confidential as necessary, and the information or service is available as intended by the agency and expected by users. Agencies must also implement management controls to prevent the inappropriate disclosure of sensitive information.

From OMB Policies for Federal Agency Public Websites
(PDF, 55 KB, 5 pages, December 2004) 

Implementation Guidance

• Establish security protocols to protect information

Supporting Documents

• Implementation guidance from the National Institute of Standards and Technology (NIST)
• OMB memoranda on computer security and agency FISMA compliance
• Federal Information Security Management Act of 2002 (FISMA)

Content Lead: Rachel Flagg
Page Reviewed/Updated: July 23, 2012