MEMORANDUM TO CHIEF INFORMATION OFFICERS AND PROGRAM OFFICIALS FROM: DAN CHENOK SUBJECT: GUIDANCE ON THE RELEASE OF SECURITY ACT REPORTS OMB has received inquiries from agency Inspectors General (IG) and Chief Information Officers (CIO) concerning the extent to which they may or should make their security report information to OMB (required under the Government Information Security Reform Act of 2000 (Security Act) and OMB Memorandum 01-24, "Reporting Instructions for the Government Information Security Reform Act") available to the public, Congress, and GAO. All materials from CIOs are considered pre-decisional and may not be released, while materials from the IGs are the responsibility of the IGs and may be disclosed per their customary practice. This approach is consistent with past practices on similar issues. Background On September 10th, agencies will send to OMB annual security reports as required by the Government Information Security Reform Act of 2000 and OMB implementing guidance. The Security Act directs OMB to compile this information and prepare a summary report to Congress. OMB's report will reflect the agency and IG reports, the results of any follow-up discussions, information gathered via capital planning and other meetings throughout the year, and pertinent information obtained from agency budget submissions. The agency security reports will include: 1) an executive summary consisting of two components - an IG response based on the results of their independent evaluation and a CIO/program official response based on the results of their program reviews; 2) copies of the independent security evaluations performed by agency IGs; and 3) limited supporting data from the CIOs and program officials. Agency CIO and program official information. The program reviews conducted by CIOs and program officials are predecisional and should not be released. Together with security information which OMB has gathered throughout the year and that provided with the agencies' funding requests, i.e., capital asset plans and justifications, OMB will use the agency security reports to: 1) inform the budget process; 2) evaluate agency security programs; and 3) develop OMB's report to Congress. For IG information, IGs may disclose information in a manner consistent with the way they would handle any other security review recognizing that some security information may be too sensitive for public release and should be redacted. We hope this information is helpful. Please email Glenn Schlarman at OMB, gschlarm@omb.eop.gov, if you have any questions.