Binding Operational Directive 16-03

October 17, 2016

2016 Agency Cybersecurity Reporting Requirements

This page contains a web-friendly version of the Department of Homeland Security’s Binding Operational Directive 16-03, “2016 Agency Cybersecurity Reporting Requirements”.

A binding operational directive is a compulsory direction to federal, executive branch departments and agencies for purposes of safeguarding federal information and information systems.

The Department of Homeland Security (DHS) develops and oversees the implementation of binding operational directives pursuant to the Federal Information Security Modernization Act of 2014.

Federal agencies are required to comply with DHS-developed directives.

DHS binding operational directives do not apply to statutorily defined “National Security Systems” nor to certain systems operated by the Department of Defense or the Intelligence Community. Id. § 3553(d)-(e).

Background

Providing a comprehensive framework for ensuring the effectiveness of information security controls over federal information and information systems requires centralized reporting of agency information security incidents and of the general information security posture of agencies. Accordingly, FISMA requires agencies to report security incidents to the DHS Federal information security incident center. The United States Computer Emergency Readiness Team (US-CERT), part of DHS’s National Cybersecurity and Communications Integration Center (NCCIC), serves as the Federal information security incident center.1 FISMA further requires agencies to provide annual reports to the Office of Management and Budget (OMB), DHS, and Congress on the adequacy and effectiveness of information security policies, procedures, and practices.2 FISMA itself specifies some of the requirements of these reports.3 But it also requires DHS to issue Binding Operational Directives specifying additional requirements for those reports.4 This directive satisfies those requirements.

FISMA Reporting Requirements

All agencies shall comply with the following requirements.

Requirements for Reporting Security Incidents to DHS

Requirements for the 2016 Annual FISMA Reports

Requirements in Preparation for the 2017 Annual FISMA Report

Progress Tracking

DHS will track submission of the reports required above and follow up with OMB or the relevant agency to address non-compliance as appropriate.

1. Ibid. § 3554(b)(7)(c)(ii).

2. Ibid. § 3554(c)(1)(A).

3. Ibid.

4. Ibid. § 3553(b)(2)(A-B).