4.3.4 Federal Information Security Management Act (FISMA) Self-Assessment and Plan of Action and Milestones (POA&M). FISMA requires the completion of an annual self-assessment to identify security deficiencies. Many organizations have an automated tool to facilitate completion of the survey and tracking of deficiencies in the form of POA&Ms that are submitted to OMB quarterly. OMB guidance also requires POA&Ms to be addressed by system owners/program managers in order to obtain a security score of 4 in the Exhibit 300 process.
4.3.5 Preliminary Security Risk Assessment. The basic assessment of the confidentiality, integrity, and availability risks that helps determine what security controls are necessary to protect the information contained in this information system. Completing the FISMA self-assessment constitutes a preliminary risk assessment.
See Appendix I for Federal and VA-specific guidance on IT Security deliverables for this stage.
The E-Government Act of 2001 (E-Gov) requires a Privacy Impact Assessment (PIA) to be conducted for any new information collections. Primarily, the PIA formalizes and documents how private data is to be protected. It must describe:
▲ What information is to be collected,
▲ Why the information is being collected,
▲ The intended use of the information,
▲ With whom the information will be shared,
▲ What notice or opportunities for consent would be provided to individuals regarding what information is collected and how that information is shared,
▲ How the information will be secured, and
▲ Whether a system of records is being created under the Privacy Act (5 U.S.C. 552a).
The PIA is to be initiated in the early stages of system development and completed as part of the required System Development Life Cycle reviews. Privacy must be considered when requirements are analyzed and decisions are made about data usage and system design.