Under which legislation must agencies with an OIG perform annual evaluations of their information security program?


The Federal Information Security Management Act (FISMA) mandates that federal agencies, including those with an Office of Inspector General (OIG), conduct annual evaluations of their information security programs. FISMA was enacted in 2002 and aims to improve the security of federal information systems by requiring agencies to develop, document, and implement an information security program. This includes annual assessments to ensure compliance with established security standards and policies.

Under FISMA, agencies must assess the effectiveness of their security implementations, management principles, and the overall capabilities of their information systems. This not only helps to protect sensitive data but also strengthens the agency's accountability and security posture. The requirement for these evaluations is a crucial step in maintaining the integrity and confidentiality of federal information, ensuring that agencies can mitigate risks and respond effectively to potential security threats.
