Binding Operational Directives

BOD 16-03: 2016 Agency Cybersecurity Reporting Requirements

October 17, 2016
Related topics:
Cybersecurity Best Practices

This page contains a web-friendly version of the Department of Homeland Security’s Binding Operational Directive 16-03, “2016 Agency Cybersecurity Reporting Requirements”.

A binding operational directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information systems.

The Department of Homeland Security (DHS) develops and oversees the implementation of binding operational directives pursuant to the Federal Information Security Modernization Act of 2014.

Federal agencies are required to comply with DHS-developed directives.

DHS binding operational directives do not apply to statutorily defined “National Security Systems” nor to certain systems operated by the Department of Defense or the Intelligence Community. Id. § 3553(d)-(e).

Background

Providing a comprehensive framework for ensuring the effectiveness of information security controls over federal information and information systems requires centralized reporting of agency information security incidents and of the general information security posture of agencies. Accordingly, FISMA requires agencies to report security incidents to the DHS Federal information security incident center. The United States Computer Emergency Readiness Team (US-CERT), part of DHS’s National Cybersecurity and Communications Integration Center (NCCIC), serves as the Federal information security incident center.[1] FISMA further requires agencies to provide annual reports to the Office of Management and Budget (OMB), DHS, and Congress on the adequacy and effectiveness of their information security policies, procedures, and practices.[2] FISMA itself specifies some of the requirements of these reports,[3] but it also requires DHS to issue Binding Operational Directives specifying additional requirements for those reports.[4] This directive satisfies those requirements.

FISMA Reporting Requirements

All agencies shall comply with the following requirements.

Requirements for Reporting Security Incidents to DHS

  • Report security incidents to US-CERT in accordance with the current guidelines which are updated as necessary.

Requirements for the 2016 Annual FISMA Reports

  • Agency Fiscal Year 2016 Annual FISMA Reports shall include the Chief Information Officer (CIO), Inspector General (IG), and Senior Agency Official for Privacy (SAOP) metric information detailed in the annual FISMA metrics located here: FY16 FISMA Documents. This requires no additional action from federal agencies beyond the requirements stated in the OMB Memorandum 17-05, Fiscal Year 2016-2017 Guidance on Federal Information Security and Privacy Management Requirements.

    (NOTE: M-17-05 has been rescinded by M-18-02).

  • By November 10, 2016, the CIO, IG, and SAOP metrics shall be submitted to OMB and DHS via CyberScope.

Requirements in Preparation for the 2017 Annual FISMA Report

  • Agencies shall view the FY 2017 Annual FISMA CIO metrics available at FY17 FISMA Documents and plan accordingly so they can include these metrics in their FY 2017 FISMA Reports.

Progress Tracking

DHS will track submission of the reports required above and follow up with OMB or the relevant agency to address non-compliance as appropriate.

  1. Ibid. § 3554(b)(7)(c)(ii).
  2. Ibid. § 3554(c)(1)(A).
  3. Ibid.
  4. Ibid. § 3553(b)(2)(A-B).
