PrepAway - Latest Free Exam Questions & Answers

Which of the following US Acts emphasized a "risk-based policy for cost-effective security"…?

Which of the following US Acts emphasized a “risk-based policy for cost-effective security” and
makes it mandatory for agency program officials, chief information officers, and inspectors general
(IGs) to conduct annual reviews of the agency’s information security program and report the
results to the Office of Management and Budget?

A. Federal Information Security Management Act of 2002 (FISMA)

B. The Electronic Communications Privacy Act of 1986 (ECPA)

C. The Equal Credit Opportunity Act (ECOA)

D. The Fair Credit Reporting Act (FCRA)

Explanation:
The Federal Information Security Management Act of 2002 (“FISMA”, 44 U.S.C.
3541, et seq.) is a United States federal law enacted in 2002 as Title III of the E-Government Act
of 2002 (Pub.L. 107-347, 116 Stat. 2899). The act recognized the importance of information
security to the economic and national security interests of the United States. The act requires each
federal agency to develop, document, and implement an agency-wide program to provide
information security for the information and information systems that support the operations and
assets of the agency, including those provided or managed by another agency, contractor, or
other source. FISMA has brought attention within the federal government to cybersecurity and
explicitly emphasized a “risk-based policy for cost-effective security”. FISMA requires agency
program officials, chief information officers, and inspectors general (IGs) to conduct annual
reviews of the agency’s information security program and report the results to the Office of
Management and Budget (OMB). OMB uses this data to assist in its oversight responsibilities and
incorrect. The Equal Credit Opportunity Act (ECOA) is a United States law (codified at 15 U.S.C.
1691 et seq.), enacted in 1974, that makes it unlawful for any creditor to discriminate against any
applicant, with respect to any aspect of a credit transaction, on the basis of race, color, religion,
national origin, sex, marital status, or age; to the fact that all or part of the applicant’s income
derives from a public assistance program; or to the fact that the applicant has in good faith
exercised any right under the Consumer Credit Protection Act. The law applies to any person who,
in the ordinary course of business, regularly participates in a credit decision, including banks,
Electronic Communications Privacy Act of 1986 (ECPA, Pub. L. 99-508, Oct. 21, 1986, 100 Stat.
1848, 18 U.S.C. 2510) was enacted by the United States Congress to extend government
restrictions on wire taps from telephone calls to include transmissions of electronic data by
computer. Specifically, ECPA was an amendment to Title III of the Omnibus Crime Control and
Safe Streets Act of 1968 (the Wiretap Statute), which was primarily designed to prevent
unauthorized government access to private electronic communications. The ECPA also added
new provisions prohibiting access to stored electronic communications, i.e., the Stored
(FCRA) is an American federal law (codified at 15 U.S.C. 1681 et seq.) that regulates the
collection, dissemination, and use of consumer information, including consumer credit information.
Along with the Fair Debt Collection Practices Act (FDCPA), it forms the base of consumer credit
rights in the United States. It was originally passed in 1970, and is enforced by the US Federal
Trade Commission.

