The Federal Information Security Management Act (FISMA) requires:

FISMA requires all federal agencies to develop, document, and implement an agency-wide information security program to protect the information and information systems that support government operations. This program includes conducting risk assessments, applying appropriate security controls based on standards (like the NIST SPs), developing and enforcing security policies and procedures, providing security awareness training, monitoring and responding to incidents, and regularly reporting on the program’s effectiveness to oversight bodies such as OMB and Congress. The requirement targets government agencies, not private companies or individuals, and it does not mandate DHS quarterly threat reports. So, describing the obligation as all federal agencies developing methods to protect their information systems aligns with FISMA.