OMB Circular A-130 Managing Information as a Strategic Resource
The Office of Management and Budget (OMB) is proposing to revise Circular No. A-130, Managing Information as a Strategic Resource, (hereinafter, Circular A-130, or the Circular) to incorporate new statutory requirements and enhanced technological capabilities, as well as address current and evolving technical and personnel security threats.
Historically, it has been the policy of the United States Government to support the development and use of efficient and effective information technology and information policy approaches that, when adopted by Federal agencies, can address important administrative, regulatory, procurement, and policy objectives. Today, more than ever, individuals, groups, and organizations rely on information technology to carry out a wide range of missions and business functions. This reliance on information technology means that information systems developed and deployed to support Federal applications and operations must be dependable despite a growing number of threats including cybersecurity attacks, natural disasters, structural failures, and errors of omission and commission. To ensure that Federal agencies can successfully carry out their assigned missions and business operations in an environment of sophisticated and complex threats (including advanced persistent threats), they must deploy systems that are both trustworthy and resilient.
Trustworthy and resilient systems can help significantly reduce the susceptibility to threats and ensure mission/business continuity and survivability. While it is impossible to know all potential threats and to stop all anticipated threats, the architecture and design of information systems and use of commercial technologies can significantly increase the “built-in” protection capability of those systems and make them inherently less vulnerable. Moreover, the effects of many system attacks can be reduced by the application of the principles, concepts, and best practices that are proposed in this revised policy.
OMB is revising Circular A-130 to provide guidance to support agency missions and operations in a dynamic and increasingly interconnected information-resources environment that must increasingly contend with IT vulnerabilities, information security threats, and other threats that could put the confidentiality, integrity, and availability of Federal information systems at risk. Agencies shall incorporate this guidance into their policies, understanding that the nature of this document's subject matter will demand that agencies continually reassess, reexamine, and reevaluate their information resources management policies and strategies.
This Circular establishes general policy for the acquisition and management of information technology equipment, funds, personnel, and other resources. In the appendices to the document, it also includes a discussion of agency responsibilities for managing personally identifiable information, provides guidance on the use of electronic transactions and related electronic documentation statutes, and provides guidance on the protection of Federal information resources. Although this Circular touches on many specific issues such as privacy, confidentiality, information quality, dissemination, and statistical policy, those topics are covered more fully in other OMB policies, which are available on the OMB website at https://www.whitehouse.gov/omb.
In this notice, OMB is seeking comment on proposed revisions to Circular A-130. These revisions reflect the experience gained by OMB and agencies in implementing the Circular since 2000. The revisions were undertaken by examining the Circular in its current form, and attempting to highlight any areas where guidance was no longer needed due to changing requirements, or the guidance failed to adequately address a specific issue that had developed since its previous publication. The Circular was examined concurrently with its appendices to ensure the broader direction of the Circular was complemented by the specificity of the appendices. The proposed revision is designed to maintain an enduring characteristic, and avoid immediately becoming outdated.
In the main body of the Circular, OMB has replaced the Background section with an Introduction section (Section 1) that discusses the importance of ensuring trustworthiness and resilience of information systems. OMB also proposes additional language on the purpose of the Circular (Section 2) and amends the Authorities section (now Section 9) to more fully cover existing statutes and Executive Orders.
In the Applicability section (Section 3) of the main body, OMB has simplified the reference to national security systems by removing “Information classified for national security purposes should also be handled in accordance with the appropriate national security directives. National security emergency preparedness activities should be conducted in accordance with Executive Order No. 12472” and replacing it with “For national security systems, agencies should follow applicable laws, Executive Orders, and directives.”
Section 4, Basic Considerations and Section 5, Policy have been revised to incorporate both policy and statute changes since the Circular was last revised.
Specific changes to the Policy section (Section 5) include the replacement of outdated requirements with new requirements covering planning and budgeting, governance, leadership and workforce, IT investment management, privacy and information security, next generation Internet, records management, and information management and access.
Section 6 of the Circular designates government-wide responsibilities for specific agencies. The section incorporates additional statutory requirements enacted since the last revision of the Circular in 2000.
Appendix I, previously titled Federal Agency Responsibilities for Maintaining Records About Individuals, is being revised to provide guidance to Federal agencies on their responsibilities for managing information resources that involve personally identifiable information (PII). The previous version of Appendix I described agency responsibilities for implementing the reporting and publication requirements of the Privacy Act of 1974, as amended (5 U.S.C. § 552a). This information is being revised and reconstituted as OMB Circular No. A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act. The revised Appendix I, titled Responsibilities for Management of Personally Identifiable Information, provides guidance on Federal agencies' responsibilities for protecting PII – including PII collected for statistical purposes under a pledge of confidentiality – and describes a set of fair information practice principles (FIPPs) that Federal agencies should incorporate when managing information resources that involve PII. It also discusses requirements for designating a Senior Agency Official for Privacy (SAOP) and conducting Privacy Impact Assessments. Finally, Appendix I requires Federal agencies to implement the privacy controls in National Institute of Standards and Technology (NIST) Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. Additional guidance on implementing the NIST SP 800-53 privacy controls is provided in Appendix III, Responsibilities for Protecting Federal Information Resources.
Appendix II, previously titled Implementation of the Government Paperwork Elimination Act, is being revised to reference requirements of the Electronic Signatures in Global and National Commerce Act (E-Sign Act). The Government Paperwork Elimination Act (GPEA) and E-Sign Act are both important tools to improve customer service and governmental efficiency through the use of information technology. In addition to highlighting the E-Sign Act and more recent guidance, such as the “Federal Chief Information Officers' Council Use of Electronic Signatures in Federal Organization Transactions” (dated January 2013), this appendix has been significantly pared down. For example, the OMB M-00-10 attachment entitled “OMB Procedures and Guidance on Implementing the Government Paperwork Elimination Act” has been removed and included as a reference. The Background section has been revised to make the information more current and remove historical information not relevant to the current update. For example, summaries of public comments received on OMB’s draft GPEA guidance of 2000 have been removed, as well as outdated references to GAO and NIST publications.
Appendix III, previously titled Security of Federal Automated Information Resources, is being revised to establish new requirements for information security and privacy management, to incorporate new mandates in the Federal Information Security Modernization Act of 2014, and to ensure consistency with OMB policies and NIST Federal Information Processing Standards and 800-series publications. In short, the revised Appendix III provides guidance on how agencies should take a coordinated approach to information security and privacy when protecting Federal information resources. As a result, the title of the Appendix has been changed to Responsibilities for Protecting Federal Information Resources. The proposed revisions provide guidance on agency information security and privacy management, including the transition from the current periodic point-in-time authorization process to a more dynamic continuous monitoring and ongoing authorization process for information systems and common controls. Examples of additional requirements included in the revised Appendix III focus on incident response, encryption, inclusion of security requirements in contracts, oversight of contractors, protecting against insider threats, protecting against supply chain risks, prohibiting unsupported software and system components, and holding personnel accountable. A number of new definitions, consistent with definitions in NIST standards and guidelines, have also been included.
In addition, the revised Appendix III clarifies the role of the SAOP in the NIST Risk Management Framework. In accordance with existing OMB policies, the Appendix explains that the SAOP has overall responsibility and accountability for implementing privacy protections and ensuring that all privacy requirements are met. Accordingly, the SAOP is responsible for developing and implementing a privacy continuous monitoring strategy, reviewing and approving the categorization of information systems, designating privacy controls, reviewing and approving the privacy plan, conducting privacy control assessments, and reviewing authorization packages for information systems.
In the Definitions Section, OMB has proposed several changes.
OMB is proposing to delete the following definitions – “audiovisual production,” “full costs,” “Information Technology Resources Board,” “information processing services organization,” and “service recipient,” as they are no longer needed for the purposes of this Circular.
The term “government information” has been removed because it is not used in this Circular. The term “Federal information” has been added to the Definitions section because it is a commonly used term in statute and is used throughout this Circular.
Several new definitions are proposed for inclusion in the main body of the Circular including – “digital services,” “enterprise architecture,” “Federal information system,” “information security,” “information technology resources,” “interagency agreement,” “major information technology investment,” “open data,” “personally identifiable information,” “senior agency official for privacy,” and “senior agency official for records.”
The Circular also proposes to modify the definitions for “agency,” “capital planning and investment control process,” “information resources,” “information resources management,” “information system,” “information system life cycle,” “information technology,” “the CIO Council,” “dissemination,” and “major information system” to be consistent with current guidance and statute.
CIRCULAR NO. A-130
Proposed
TO THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES
SUBJECT: Managing Information as a Strategic Resource
- Introduction
- Purpose
- Applicability
- Basic Considerations
- Policy
  - a. Planning and Budgeting
  - b. Governance
  - c. Leadership and Workforce
  - d. IT Investment Management
  - e. Privacy and Information Security
  - f. Next Generation Internet
  - g. Records Management
  - h. Information Management and Access
- Government-wide Responsibilities
- Effectiveness
- Oversight
- Authorities
- Definitions
- Inquiries
- Appendix I: Responsibilities for Management of Personally Identifiable Information
- Appendix II: Guidance on Electronic Transactions
- Appendix III: Responsibilities for Protecting Federal Information Resources