Binding Operational Directive 16-03
October 17, 2016
2016 Agency Cybersecurity Reporting Requirements
This page contains a web-friendly version of the Department of Homeland Security’s Binding Operational Directive 16-03, “2016 Agency Cybersecurity Reporting Requirements”, and provides technical guidance and best practices to assist in its implementation.
Providing a comprehensive framework for ensuring the effectiveness of information security controls over federal information and information systems requires centralized reporting of agency information security incidents and of the general information security posture of agencies. Accordingly, FISMA requires agencies to report security incidents to the DHS Federal information security incident center. The United States Computer Emergency Readiness Team (US-CERT), part of DHS’s National Cybersecurity and Communications Integration Center (NCCIC), serves as the Federal information security incident center. FISMA further requires agencies to provide annual reports to the Office of Management and Budget (OMB), DHS, and Congress on the adequacy and effectiveness of information security policies, procedures, and practices. FISMA itself specifies some of the requirements of these reports, but it also requires DHS to issue Binding Operational Directives specifying additional requirements for those reports. This directive satisfies those requirements.
FISMA Reporting Requirements
All agencies shall comply with the following requirements.
Requirements for Reporting Security Incidents to DHS
- Report security incidents to US-CERT in accordance with the current guidelines found at https://www.us-cert.gov/incident-notification-guidelines, which are updated as necessary.
Requirements for the 2016 Annual FISMA Reports
Agency Fiscal Year 2016 Annual FISMA Reports shall include the Chief Information Officer (CIO), Inspector General (IG), and Senior Agency Official for Privacy (SAOP) metric information detailed in the annual FISMA metrics located here: https://www.dhs.gov/publication/fy16-fisma-documents. This requires no additional action from federal agencies beyond the requirements stated in the OMB Memorandum 17-05, Fiscal Year 2016-2017 Guidance on Federal Information Security and Privacy Management Requirements.
(NOTE: M-17-05 has been rescinded by M-18-02.)
By November 10, 2016, the CIO, IG, and SAOP metrics shall be submitted to OMB and DHS via CyberScope.
Requirements in Preparation for the 2017 Annual FISMA Report
- Agencies shall view the FY 2017 Annual FISMA CIO metrics available at https://www.dhs.gov/publication/fy17-fisma-documents and plan accordingly so they can include these metrics in their FY 2017 FISMA Reports.
DHS will track submission of the reports required above and follow up with OMB or the relevant agency to address non-compliance as appropriate.