CIOs are responsible for establishing, implementing, and ensuring compliance with an agency-wide information security program. This section lists the statutory responsibilities of CIOs related to information security and privacy. The statutory language is directly pulled from applicable laws and executive orders. These statutory responsibilities are then implemented through OMB guidance and guidance from other government-wide organizations. This language, along with the language in other sections under the heading “CIO Responsibilities - Laws and Executive Orders,” defines the CIO role and gives the CIO their statutory mandate.
Federal Information Security Modernization Act
Under the Federal Information Security Modernization Act of 2014 (FISMA), the CIO must designate a senior official in charge of information security. In most cases, that official is the agency’s Chief Information Security Officer (CISO), who works closely with the CIO to protect and secure the information resources of the agency.
Privacy Act Implementation
The publication of appropriate routine uses is required under the Privacy Act and is therefore necessary in order to disclose information for the purpose of executing an agency’s obligations to effectively manage and report a breach under FISMA. Disclosures pursuant to a routine use are permissive, not mandatory. (5 U.S.C. § 552a(b)(3), The Privacy Act of 1974.)