AGENCY-WIDE INFORMATION SECURITY TASKS
While FISMA requires agencies to delegate information security tasks to their respective CISOs, those tasks are not organized in the same manner at each agency. FISMA does not instruct agencies on how to develop or maintain their information security programs; it simply lists agencies’ information security responsibilities. Agencies are encouraged to approach compliance with government-wide requirements in a manner that fits their respective missions and resource capabilities. Because no two agency missions are exactly the same, no two CISO roles are exactly the same. Some CISOs are responsible for all information security tasks at their agency, while others work with separate operations centres or take on tasks outside of information security to help with organizational priorities.
Although FISMA allows for these nuances, CIOs and CISOs are ultimately statutorily responsible for information security, so they must be aware of the range of information security responsibilities assigned to agencies. The following are some of the key information security responsibilities assigned to agencies as a whole. Depending on the agency, these tasks may or may not fall entirely or exclusively to the CISO.