Which legislation requires Federal agencies to develop and implement an agency-wide information security program?

Multiple Choice

Which legislation requires Federal agencies to develop and implement an agency-wide information security program?

Explanation:
The requirement to develop and implement an agency-wide information security program is established by federal information security legislation that modernized and strengthened how agencies manage security. This law mandates that each agency create a formal, agency-wide information security program, implement appropriate security controls, conduct risk-based assessments, perform continuous monitoring, and report on security status to oversight bodies. It also ties security into the overall risk management framework and relies on standardized controls and annual assessments guided by NIST standards.

In contrast, the Clinger-Cohen Act focuses on IT investment management and performance-based governance of IT programs rather than a standing agency-wide security program. The Privacy Act governs the privacy rights of individuals and how agencies handle and disclose personal information. The Federal IT Acquisition Reform Act (FITARA) centers on improving IT governance, procurement, and oversight, with security considerations as part of broader IT management but not the core requirement to establish a comprehensive agency-wide security program. Therefore, the correct legislation is the Federal Information Security Modernization Act.
