The Office of Management and Budget has released a memorandum to provide agencies with fiscal year 2025 reporting guidance and deadlines in compliance with the Federal Information Security Modernization Act of 2014, or FISMA.

The document, dated Wednesday, was signed by OMB Director Shalanda Young.

CISA’s Responsibilities

The memo seeks to ensure that the Cybersecurity and Infrastructure Security Agency works closely with federal agencies to establish a coordinated incident response infrastructure.

To advance this effort, CISA will continue to provide OMB with monthly data on federal agencies’ progress in implementing the Continuous Diagnostics and Mitigation program, which is designed to help agencies monitor vulnerabilities in their IT systems in near real time.

Beginning in FY 2025, CISA will start assessing the capabilities outlined in a 2021 memo to capture the number of endpoints running endpoint detection and response tools and facilitate comparison with manually reported data in CyberScope.

IoT and OT Inventory

To improve the U.S. government’s cybersecurity posture, agency chief information officers should work with asset operators and owners to maintain an enterprise-wide inventory of Internet of Things and operational technology assets.

Inventories should include details about the make, model and specifications of OT and IoT systems, vendor or manufacturer information, network connectivity, software and firmware versions, and security controls.

The memo also includes sections addressing cybersecurity logging, requirements for FISMA reporting to OMB and the Department of Homeland Security, CIO reporting, and other incident reporting requirements.