19 FAM 100
CYBERSECURITY
19 FAM 101
GOVERNANCE
GENERAL INFORMATION
(CT:CSG-1; 04-07-2025)
(Office of Origin: DT/E-CISO)
19 FAM 101.1-1 SUMMARY
(CT:CSG-1; 04-07-2025)
Volume 19 of the Foreign Affairs Manual (FAM) outlines the expected behavior of anyone performing cybersecurity functions or engaging in information technology activities that affect, or are affected by, cybersecurity. This policy outlines the roles and responsibilities of individuals involved in the protection of information stored, processed, and transmitted on information systems, regardless of geographic location.
19 FAM 101.1-2 SCOPE
(CT:CSG-1; 04-07-2025)
a. 19 FAM serves as a consolidated volume to publish all relevant Department cybersecurity policy in concert with 5 FAM and 12 FAM.
b. The 19 FAM Cybersecurity policies apply to all Department information systems, services, applications, Operational Technologies (OT), Internet of Things (IoT) and any other technologies on, connected to, or supporting the Department enterprise.
c. This chapter consists of the following subchapters: Organizational Context; Roles and Responsibilities, Oversight; Policies, Risk Management Strategy; and Cybersecurity Supply Chain Risk Management.
d. Any bureau or office planning to publish internal Department cybersecurity policy should coordinate with the Policy, Liaison, and Training (DT/E-CISO/PLT) division.
19 FAM 101.1-3 REFERENCES
(CT:CSG-1; 04-07-2025)
19 FAM 101.1-3(A) PRIMARY CYBER LAWS, REGULATIONS AND EXECUTIVE ORDERS
(CT:CSG-1; 04-07-2025)
The 19 FAM Cybersecurity policy establishes controls required to comply with federal laws and regulations. In addition, the 19 FAM Cybersecurity policy includes guidance to adequately protect U.S. Department of State information technology (IT) resources in supporting implementation of information security initiatives.
The following are the primary United States (U.S.) laws, regulations, and Executive Orders (EOs) related to cybersecurity:
a. Federal Information Security Modernization Act of 2014 (FISMA), Public Law 113-283 (44 U.S.C. 3551), which requires federal agencies to incorporate information security measures and programs designed for the protection of sensitive information;
b. Strengthening American Cybersecurity Act of 2022 (SACA), (44 U.S.C. 3504);
c. Clinger-Cohen Act of 1996, Public Law 104-106 (formerly known as the Information Technology Reform Act of 1996, renamed by section 808, Public Law 104-208) (40 U.S.C. 1401, et seq.);
d. Cybersecurity and Infrastructure Security Agency (CISA) Act of 2018, signed into law by Congress on November 16, 2018, is a testament to the government's proactive stance on cybersecurity. This legislation rebranded the Department of Homeland Security's (DHS's) National Protection and Programs Directorate (NPPD) as the Cybersecurity and Infrastructure Security Agency (CISA), a dedicated entity for cybersecurity. It also transferred the NPPD's resources and responsibilities to the new agency, strengthening our nation's cybersecurity framework.
e. Executive Order (EO) 14028, Improving the Nation's Cybersecurity, issued on May 12, 2021, charges agencies with enhancing cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain. It also established guidance and timelines for implementing the National Security Systems (NSS) cybersecurity requirements of the EO, and authorized the National Security Agency (NSA) to serve as the centralized agency for incident reporting, guidance, and oversight of NSS.
f. The National Cybersecurity Protection Act of 2014 created the National Cybersecurity and Communications Integration Center (NCCIC), which is responsible for coordinating responses to cyber threats affecting national security systems and critical infrastructure. This act mandates the establishment of a national cybersecurity strategy to protect government and private sector infrastructure from cyber threats.
g. National Strategy for the Protection of Critical Infrastructure and Key Resources (NIPP) identifies key sectors and assets critical to national security and outlines how to protect them. This strategy sets the framework for the protection of critical infrastructure, including national security systems, from natural disasters, terrorist attacks, and other risks.
h. Both agencies, CISA and NSA, are authorized to issue directives: written orders that require specific operational procedures and guidance, or that prohibit specific operations or types of operations. For federal executive branch departments and agencies, a directive (in particular a Binding Operational Directive or an Emergency Directive) is a compulsory direction for safeguarding federal information and information systems, codified in federal law.
i. The FedRAMP Authorization Act of 2022 refers to legislation designed to improve the security of cloud services used by federal agencies. FedRAMP, which stands for the Federal Risk and Authorization Management Program, is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The FedRAMP Authorization Act is important because cloud services are critical to modernizing government IT systems, improving efficiency, and enabling the use of advanced technologies. FedRAMP requires continuous monitoring of authorized cloud services to ensure they maintain their security posture over time.
19 FAM 101.1-3(B) OTHER LAWS, REGULATIONS AND EXECUTIVE ORDERS
(CT:CSG-1; 04-07-2025)
Other applicable U.S. Laws, Regulations and Executive Orders:
a. EO 13403 (Federal Information Technology);
b. Federal Agency Responsibilities (44 U.S.C. 3554);
c. National Security Directive 42 (NSD-42);
d. Government Performance and Results Modernization Act of 2010, Public Law 111-352;
e. Paperwork Reduction Act of 1995, Public Law 104-13 (44 U.S.C. 3501, et seq.);
f. Federal Financial Management Improvement Act of 1996, Public Law 104-208, sections 802 and 803 (31 U.S.C. 3512 note);
g. Federal Information Technology Acquisition Reform Act (FITARA) is Title VIII Subtitle D Sections 831-837 of Public Law 113-291 - Carl Levin and Howard P. "Buck" McKeon National Defense Authorization Act for Fiscal Year 2015;
h. Omnibus Diplomatic Security and Anti-Terrorism Act of 1986, Public Law 99-399, as amended (22 U.S.C. 4802(a));
i. Privacy Act of 1974, 5 U.S.C. 552a;
j. Homeland Security Presidential Directive (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors, August 27, 2004;
k. Homeland Security Presidential Directive 7 (HSPD-7) mandates Federal departments and agencies to identify and prioritize critical infrastructure, protecting them against potential terrorist attacks. This directive underscores the government's commitment to safeguarding our nation's vital assets.
(1) HSPD-7 directs the Department of Homeland Security (DHS) to establish the National Protection and Programs Directorate (NPPD), which formulates uniform policies, approaches, guidelines, and methodologies for integrating federal infrastructure protection and risk management activities within and across critical infrastructure and key resources (CIKR) sectors.
19 FAM 101.1-3(C) FEDERAL STANDARDS AND GUIDANCE
(CT:CSG-1; 04-07-2025)
The following are applicable federal standards and guidance:
a. National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), version 2.0, February 26, 2024;
b. NIST’s Special Publication (SP) 800 series of guidelines, recommendations, technical specifications, and annual reports on NIST’s cybersecurity activities;
c. NIST SP 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, December 20, 2018;
d. Federal Information Processing Standards (FIPS) Publication 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, February 25, 2005;
e. FIPS 140-2 and 140-3, Security Requirements for Cryptographic Modules;
f. FIPS 199, Standards for Security Categorization of Federal Information and Information Systems;
g. FIPS 200, Minimum Security Requirements for Federal Information and Information Systems;
h. Office of Management and Budget (OMB) Memorandum M-21-30, Protecting Critical Software Through Enhanced Security Measures;
i. OMB Memorandum M-21-31, Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents;
j. OMB Memorandum M-22-01, Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Systems through Endpoint Detection and Response;
k. OMB Memorandum M-22-09, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles;
l. OMB Memorandum M-23-02, Migrating to Post-Quantum Cryptography;
m. OMB Memorandum M-16-24, Role and Designation of Senior Agency Officials for Privacy;
n. OMB Memorandum M-15-14, Management and Oversight of Federal Information Technology;
o. OMB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information;
p. OMB Circular A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act (Dec. 2016);
q. OMB Circular A-130, Managing Information as a Strategic Resource.