Do the DOD and ODNI follow OMB policy and NIST guidelines for reporting instructions?

Federal agencies, including the Department of Defense and the Office of the Director of National Intelligence, follow Office of Management and Budget policy for reporting instructions and rely on NIST guidelines for how to implement and report cybersecurity controls. OMB policy sets standardized reporting requirements, timelines, and formats across agencies to ensure consistent oversight and accountability. NIST provides the technical framework that defines which controls are needed and how to assess and document them, as well as how to handle incident reporting. In practice, DoD and ODNI align their procedures with these directives to maintain compatibility with other agencies and comply with federal governance. Because there is established policy and a recognized framework governing reporting, the correct stance is that they follow OMB policy and NIST guidelines for reporting instructions. Saying they sometimes follow or that it’s not specified would ignore the federal policy environment, and saying no would contradict these requirements.