Agencies are required to establish a comprehensive approach to improve the acquisition and management of their information resources, by: performing information resources management activities in an efficient, effective, economical, secure, and privacy-enhancing manner; focusing information resources planning to support their strategic missions; implementing an IT investment management process that links to and supports budget formulation and execution; and rethinking and restructuring the way work is performed before investing in new information systems.
Agencies shall establish agency-wide planning and budgeting processes in accordance with OMB guidance. As discussed below, important components of planning and budgeting consist of developing and maintaining an Agency Information Strategy, as well as ensuring effective collaboration between agency leadership on budget activities.
1) Strategic Planning
In support of agency missions and business needs, and as part of the agency's overall strategic and performance planning processes, agencies shall develop and maintain an Agency Information Strategy that describes the agency's technology and information resources goals, including but not limited to the processes described in this Circular. The Agency Information Strategy shall support the goals of the Agency Strategic Plan required by the Government Performance and Results Modernization Act of 2010 (GPRA Modernization Act). The Agency Information Strategy shall demonstrate how these goals map to the agency's mission and organizational priorities. These goals should be specific, verifiable, and measurable, so that progress against these goals can be tracked. The agency should review its Agency Information Strategy annually alongside the Annual Performance Plan reviews, required by the GPRA Modernization Act, to determine if there are any performance gaps or changes to mission needs, priorities, or goals. As part of the planning and maintenance of an effective Information Strategy, agencies shall consider the following, in addition to all other requirements in this Circular:
a) Taking explicit account of information resources and information technology (IT) assets, personnel, and policies when planning, budgeting, and executing Federal programs and services;
b) Maintaining an inventory of the agency's major information systems, holdings, and dissemination products; a description of the agency's major information and record locator systems; an inventory of the agency's other information resources, such as personnel and funding (at the level of detail that the agency determines is most appropriate for its use in managing the agency's information resources); and an online resource for persons to obtain public information from the agency;
c) Regularly assessing, throughout the life of each information system, the inventory of the physical and software assets associated with the system and the maintainability and supportability of the information resources and infrastructure supporting the system, and actively determining when significant upgrades, replacements, and/or disposition are required to effectively support agency missions or business functions and/or adequately protect agency assets;
d) Ensuring the terms and conditions of contracts involving the processing, storage, access to, transmission, and destruction of Federal information are sufficient to enable agencies to meet their policy and legal requirements;
e) Ensuring that all resources planning and management activities consider information security, privacy, and supply chain security issues throughout the system development life cycle and that the risks associated with those issues are appropriately managed; and
f) Ensuring that CIOs are made aware of information systems and components that cannot be appropriately protected or secured and that such systems are given a high priority for upgrade, replacement, or retirement.
2) Business Continuity Planning
Agencies shall develop a Business Continuity Plan. A Business Continuity Plan to continue agency operations during times of service disruption is essential. Therefore, recovery strategies should be developed so services and/or access can be restored in time to meet the mission needs. Manual workarounds should be part of the plan so business can continue while information systems are being restored. For additional information on business continuity planning, refer to Ready.gov.
3) Planning, Programming, and Budgeting
Agencies shall, in accordance with FITARA and related OMB policy:
a) Ensure that information technology resources are distinctly identified and separated from non-information technology resources during the planning, programming, and budgeting process in a manner that affords agency CIOs appropriate visibility and specificity to provide effective management and oversight of information technology resources. The manner should be jointly determined by Program leadership, the Chief Financial Officer (CFO) and Chief Information Officer (CIO).
b) Ensure the agency-wide budget development process includes the CFO, Chief Acquisition Officer (CAO), and CIO in the planning, programming, and budgeting stages for programs that include IT resources (not just programs that are primarily IT oriented). The agency head, in consultation with the CFO, CIO, and program leadership, shall define the processes by which program leadership works with the CIO to plan an overall portfolio of IT resources that achieve program and business objectives efficiently and effectively by:
i. Weighing potential and ongoing investments and their underlying capabilities against other proposed and ongoing investments in the portfolio; and
ii. Identifying gaps between planned and actual cost, schedule, and performance goals for IT investments and identifying strategies and time frames to close such gaps.
c) Ensure the CIO approves the IT components of any plans, through a process defined by the agency head that balances IT investments with other uses of agency funding. Agencies shall also ensure the CIO is included in the internal planning processes for how the agency uses IT resources to achieve its objectives at all points in their lifecycle, including operations and disposition or migration.
d) Ensure that agency budget justification materials, in their initial budget submission to OMB, include a statement that affirms:
i. The CIO has reviewed and approves the major IT investments portion of the budget request;
ii. The CFO and CIO jointly affirm that the CIO had a significant role in reviewing planned IT support for major program objectives and significant increases and decreases in IT resources; and
iii. The IT Portfolio (formerly Exhibit 53) includes appropriate estimates of all IT resources included in the budget request.
e) Ensure the CFO, CAO, and CIO define agency-wide policy for the level of detail of planned expenditure reporting for all transactions that include IT resources.
In support of agency missions and business needs, and in coordination with program managers, agencies shall:
1) Define, implement, and maintain processes, standards, and policies applied to all information resources at the agency, in accordance with OMB guidance.
2) Ensure that the CIO defines the development processes, milestones, review gates, and the overall policies for all strategy, business alignment, and investment planning, enterprise architecture, project management and reporting for information technology resources. The CIO should ensure that such processes and policies address IT resources appropriately. At a minimum, these processes and policies shall ensure:
a) The CIO certifies that IT systems are appropriately implementing incremental development;
b) IT resources across the portfolio use appropriate measurements to evaluate the cost variance, schedule variance, and overall performance of their activities as a part of portfolio-wide processes such as IT investment management, enterprise architecture, and other agency information technology or performance management processes. When an Earned Value Management System (EVMS) or other budgeting practices are used, the standard definitions of cost variance and schedule variance will be used to measure progress;
c) There are agency-wide policies and procedures for conducting investment reviews, operational analyses, or other applicable performance reviews to evaluate IT resources, including projects in development and ongoing activities;
d) Data and information needs are met through agency-wide data governance policies which clearly establish the roles, responsibilities, and processes by which agency personnel manage information as an asset and the relationships between IT strategy, data strategy, and agency programs and business objectives; and
e) All IT systems and services operate only vendor-supported solutions, and planning and budgeting activities incorporate migration planning and resourcing to accomplish this requirement.
3) Ensure the CIO is a member of governance boards that inform investment decisions that include an IT component, including bureau Investment Review Boards (IRBs) to ensure early matching of appropriate IT with program objectives. The CIO may, in consultation with other senior agency officials, designate other agency officials to act as his or her representative to fulfill aspects of this responsibility in a rules-based manner - such as by a dollar threshold, type of planned IT activity, or by bureau - so long as the CIO retains accountability for the responsibility.
4) Ensure the CIO conducts TechStat reviews or uses other applicable performance measurements to evaluate the use of agency IT resources. The CIO may recommend to the agency head the modification, pause, or termination of any acquisition, investment, or activity that includes a significant IT component based on the CIO's evaluation, within the terms of the relevant contracts and applicable regulations.
5) Ensure that the CIO establishes and maintains a process to regularly engage with program managers to evaluate IT resources supporting each agency strategic objective. It should be the CIO and program managers' shared responsibility to ensure that legacy and on-going IT investments are appropriately delivering customer value and meeting the business objectives of programs.
Agencies shall:
1) Ensure the CIO and CHCO develop a set of competency requirements for IT staff, including information security and IT leadership positions, and develop and maintain a current workforce planning process to ensure the agency can:
a) Anticipate and respond to changing mission requirements,
b) Maintain workforce skills in a rapidly developing IT environment, and
c) Recruit and retain the IT talent needed to accomplish the mission.
2) Ensure the workforce related to acquiring, managing, maintaining, and using information resources has the appropriate knowledge and skill for facilitating the achievement of the performance goals established for the portfolio and evaluate the extent to which the executive-level workforce of the agency has appropriate information and technology related knowledge and skills.
3) Ensure the Chief Human Capital Officer (CHCO) and CIO jointly establish an agency-wide critical element (or elements) to be included in all bureau CIOs' performance evaluations. In addition, the CIO shall identify "key bureau CIOs" and provide input to the rating official for at least all "key bureau CIOs" at the time of the initial summary rating and for any required progress reviews. The rating official will consider the input from the CIO when determining the initial summary rating and discuss it with the bureau CIO during progress reviews.
4) Ensure the CIO is involved in the recruitment and approves the selection of any new bureau CIO (includes bureau leadership with CIO duties but not title). The title and responsibilities of current bureau CIOs may be designated or transferred to other agency personnel by the agency head or his or her designee as appropriate, and such decisions may take into consideration recommendations from the agency CIO.
5) Ensure the CIO, CHCO, and other hiring managers capitalize on flexible hiring authorities for specialized positions, as established by the Office of Personnel Management.
1) Acquisition of Information Technology and Services
Agencies shall:
a) Consistent with applicable Federal acquisition requirements, make use of adequate competition, analyze risks (including supply chain risks) associated with potential awards, allocate risk between government and contractor, and maximize return on investment (ROI) when acquiring information technology;
b) Conduct definitive technical, cost, and risk analyses of alternative design implementations, including consideration of the full lifecycle costs of IT products and services, including but not limited to planning, analysis, design, implementation, sustainment, maintenance, re-competition, and retraining costs, scaled to the size and complexity of individual requirements;
c) Consider existing Federal contract solutions available to meet agency needs to avoid duplicative investments;
d) Structure acquisitions for major IT investments into useful segments with a narrow scope and brief duration in order to reduce risk, promote flexibility and interoperability, increase accountability, and better match mission need with current technology and market conditions;
e) To the extent practicable, award all contracts which include IT within 180 days after the solicitation is issued and, if this deadline is not reached, consider the cancellation of the work related to the contract, and the IT acquired should be delivered within 18 months after the solicitation resulting in award of the contract was issued (41 U.S.C. § 2308);
f) Ensure all acquisition strategies or acquisition plans (as described in FAR Part 7) or interagency agreements (such as those used to support purchases through another agency) that include IT are reviewed and approved by the agency CIO. The CIO shall consider the following factors when reviewing acquisition strategies and acquisition plans:
i. Alignment with mission and program objectives in coordination with program leadership;
ii. Appropriateness with respect to the mission and business objectives supported by the IT strategic plan;
iii. Appropriateness of contract type for IT-related resources;
iv. Appropriateness of IT-related portions of statement of needs or statement of work;
v. Ability to deliver functionality in short increments; and
vi. Opportunities to migrate from end-of-life software and systems, and to retire those systems.
2) Investment Planning and Control
Agencies are responsible for establishing a decision-making process that provides for analyzing, tracking, and evaluating the risks, including information security and privacy risks, and results of all major investments made by an agency for information systems. The process shall cover the life of each system and shall include explicit criteria for analyzing the projected and actual costs, benefits, and risks, including information security and privacy risks, associated with the investments. Agencies shall designate IT investments as major or non-major investments, or other categories, according to relevant statute, regulations, and guidance in OMB Circular A-11, and execute processes commensurate with the size, scope, duration, and delivery risk of the investment. The investment processes shall encompass planning, budgeting, procurement, management, and assessment. For further guidance related to investment planning, refer to OMB Circular A-11, including the Capital Programming Guide. At a minimum, agencies shall ensure that:
a) All IT resources (see "Information Technology Resources" definition) are included in IT investment planning documents or artifacts;
b) Significant decisions related to major IT investments are supported by business cases with appropriate evidence;
c) All IT investments appropriately implement incremental development and modular approaches as defined in OMB guidance;
d) IT investments support and enable core mission and operational functions and processes related to the agency's missions and business requirements;
e) Decisions to improve, enhance, or modernize existing information technology investments or to develop new information technology investments are made only after conducting an alternatives analysis that includes both government-provided (internal, interagency, and intra-agency where applicable) and commercially available options and the most advantageous option to the government has been selected;
f) Qualitative and quantitative research methods are used to determine the goals, needs, and behaviors of current and prospective managers and users of the service to strengthen the understanding of requirements;
g) Priority in the selection of information system technologies and services should be given in the following order: First, to the use of available and suitable existing Federal information systems, software, technologies, and shared services and/or information processing facilities; Second, to the acquisition of commercially available off-the-shelf components and/or software-as-a-service solutions; and Third, to custom developed software and technologies. All proposed solutions should be merit-based and consider factors such as performance, cost, security, interoperability, ability to share or re-use, and availability of quality support. Decisions to acquire or develop custom or duplicative solutions must be justified based on comparative analysis conducted in a technology neutral manner that is merit-based and considers factors such as performance, cost, security, interoperability, ability to share or re-use, and availability of quality support, analysis of overall cost-effectiveness of the solution throughout the life cycle, the ability to meet acceptable levels of security, and the ability to meet specific and high-priority mission or operational requirements. To the degree possible, any custom software development activity or custom software acquisition should include contractual rights for re-use throughout the Federal government;
h) Information technology needs are met through acquiring scalable, provisioned IT services when it is cost-effective to do so rather than the agency developing its own information system or equipment;
i) Information systems security levels are commensurate with the impact that may result from unauthorized access, use, disclosure, disruption, modification, or destruction of such information consistent with NIST 800-series guidelines;
j) Information systems should be built in a way that maximizes interoperability and in a manner that provides access to information through documented, scalable, and continuously available application programming interfaces (APIs). Agencies should maintain data asset inventories, and provide for active and inactive data governance within the agency with attention focused on maintaining appropriate information safeguards;
k) Information technology investments must facilitate interoperability, application portability, and scalability across networks of heterogeneous hardware, software, and telecommunications platforms;
l) Information systems and processes must support interoperability and access to information, maximize the usefulness of information, minimize the burden on the public, and preserve the appropriate integrity, usability, availability, confidentiality, and disposition of information throughout the life cycle of the information;
m) Information systems and processes must facilitate accessibility under the Rehabilitation Act of 1973, as amended; in particular, see specific electronic and information technology accessibility requirements commonly known as "section 508" requirements (29 U.S.C. § 794d);
n) Records management functions and retention requirements are incorporated into the design, development, and implementation of information systems, particularly Internet resources to include storage solutions and cloud-based services such as software as a service, platform as a service, and infrastructure as a service; and
o) Investments use an EVMS and Integrated Baseline Review (IBR), when appropriate, as required by Federal Acquisition Regulation Subpart 34.2 or, when an EVMS is not required, implement a baseline validation process as part of an overall investment risk management strategy consistent with OMB guidance.
3) Enterprise Architecture
Agencies shall develop an actionable enterprise architecture (EA) that describes the baseline architecture, target architecture, and a plan to get to the target architecture. The EA shall also address agency plans for significant upgrades, replacements and/or disposition of information systems when the systems can no longer effectively support missions or business functions or adequately protect agency needs. The intent is to align business and technology resources to achieve strategic outcomes. The process of describing the current and future state of the agency, and laying out a plan for transitioning from the current state to the desired future state, helps agencies eliminate waste and duplication, increase shared services, close performance gaps, and promote engagement among government, industry, and citizens.
Although this section includes requirements for protecting Federal information resources, this area is covered more fully in the Appendices to this Circular.
1) Privacy
To ensure proper safeguards, agencies shall:
a) Designate a senior agency official for privacy (SAOP) who has overall agency-wide responsibility and accountability for developing, implementing, and maintaining an agency-wide governance and privacy program to ensure compliance with all applicable statutes, regulations, and policies regarding the collection, use, maintenance, dissemination, and disposal of PII by programs and information systems;
b) Limit the collection of information such as personally identifiable information, to that which is legally authorized and reasonably deemed necessary for the proper performance of agency functions;
c) Only maintain personally identifiable information that is relevant and reasonably deemed necessary to accomplish a legally authorized purpose;
d) Limit the disclosure of personally identifiable information to that which is legally authorized, and impose appropriate conditions on use where a continuing obligation to ensure the confidentiality of the information exists;
e) Comply with all applicable requirements of the Privacy Act and ensure that system of records notices are published, revised, and rescinded, as required;
f) Ensure that all records with personally identifiable information are maintained in accordance with applicable records retention or disposition schedules approved by the National Archives and Records Administration;
g) Conduct privacy impact assessments when developing, procuring, or using information technology, in accordance with the E-Government Act, and make the assessments available to the public in accordance with OMB policy; and
h) Maintain and post privacy policies on all agency websites, in accordance with OMB policy.
2) Information Security
To ensure proper safeguards, agencies shall:
a) Ensure the CIO designates a senior agency information security officer to develop and maintain an agency-wide information security program in accordance with the Federal Information Security Modernization Act of 2014;
b) Ensure that information is protected commensurate with the risk that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of such information;
c) Implement security policies issued by the Office of Management and Budget (OMB) and Office of Personnel Management, as well as requirements issued by the Department of Commerce, Department of Homeland Security, and General Services Administration. This includes applying the standards and guidelines contained in the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS), NIST Special Publications (SPs) (e.g., 800 series guidelines), and where appropriate and directed by OMB, NIST Interagency or Internal Reports (NISTIRs).
In a global and connected economy it is essential for the U.S. and the U.S. Government to ensure that Internet-based technologies remain competitive. The Internet and our network infrastructure need to continue to lead in innovation, contribute to the free flow of information, participate in an open and available market, and do this in a scalable, secure and, when necessary, private Internet. Networking demands, escalating with the continued emergence of connecting technologies, have grown well beyond initial capabilities. The use of IPv6 is an essential part of accomplishing these goals and of ensuring the network infrastructure can meet our needs for growing capacity, security, and privacy and keep the U.S. competitive in the ever-escalating global electronic economy. Therefore, agencies shall implement agency-wide processes requiring that Internet Protocol Version 6 (IPv6) compliant products be included in all new information technology acquisitions using Internet Protocol (IP). Agencies must also ensure that all public facing Internet services and enterprise networks fully support the next generation Internet protocol, IPv6, as required by OMB policy.
Agencies shall:
1) Designate a senior agency official for records management (SAORM) who has overall agency-wide responsibility for records management.
2) Ensure that records management programs provide adequate and proper documentation of agency activities.
3) Ensure the ability to access, retrieve, and manage records throughout their life cycle regardless of form or medium.
4) Establish and obtain the approval of the Archivist of the United States for retention schedules for Federal records in a timely fashion.
5) Ensure the proper and timely disposition of Federal records in accordance with a retention schedule approved by the Archivist of the United States.
6) Provide training and guidance, as appropriate, to all agency officials and employees and contractors regarding their Federal records management responsibilities.
1) Agencies shall incorporate in planning, budgeting, governance, and other policies appropriate steps to ensure that:
a) Information is managed throughout its life cycle to promote openness and interoperability, and to safeguard systems and information; this includes all stages through which the information passes, including: creation or collection, processing, maintenance, storage, use, sharing, dissemination, and disposition;
b) Information is managed with a presumption in favor of proactively making information accessible, discoverable, and usable by the public to the extent permitted by statute and subject to existing terms and conditions, privacy, security, and other valid restrictions pertaining to access, use, and dissemination; and
c) Information is managed with clearly designated roles and responsibilities to promote effective and efficient design and operation of information resources management processes within their agency.
2) Agencies shall use these practices to:
a) Collect or create information in a way that supports downstream interoperability among information systems and streamlines dissemination to the public, where appropriate, by:
i. Creating or collecting all new information electronically by default, in machine-readable open formats, using relevant data standards, that upon creation includes standard extensible metadata identifying any restrictions to access, use, and dissemination in accordance with OMB guidance; and
ii. For all instances where new Federal information creation or collection does not fall squarely within the public domain as U.S. government work, agencies shall include appropriate provisions in contracts to meet objectives of open data while recognizing that contractors may have proprietary interests in such information, and that protection of such information may be necessary to encourage qualified contractors to participate in and apply innovative concepts to government programs.
b) Ensure that the public has timely and equitable online access to the agency's public information in a manner that is informed directly by public engagement, balanced against the costs of dissemination or accessibility improvements, and demonstrates the usefulness of the information.
3) Agencies shall ensure that the public can appropriately discover and provide feedback about disseminated information and unreleased information by:
a) Ensuring that data, wherever possible and legally permissible, are released to the public in ways that make the data easy to find, accessible, and usable; and
b) Developing other aids as necessary to assist the public in locating agency information including catalogs and directories, site maps, search functions, and other means.
4) Agencies shall ensure that the public can appropriately use disseminated information by:
a) Publishing information online in a machine-readable open format that can be retrieved, downloaded, indexed, and searched by commonly used web search applications and is public, accessible, described, reusable, complete, and timely. This includes providing such information in a format(s) accessible to employees and members of the public with disabilities;
b) Avoiding establishing, or permitting others to establish on their behalf, exclusive, restricted, or other distribution arrangements that interfere with allowing the agency to disseminate its information on a timely and equitable basis. In certain cases, it may be appropriate to engage in time-limited restrictions or exclusivity in cases where the agency, due to resource constraints, would otherwise be unable to provide the information to the public on its own;
c) Avoiding establishing unnecessary restrictions, including charging of fees or royalties, on the reuse, resale, or re-dissemination of Federal information by the public;
d) Recovering only the cost of dissemination if fees and user charges are necessary. They must exclude from calculation the costs associated with original collection and processing of the information. Exceptions to this policy are:
i. Where statutory requirements are at variance with the policy;
ii. Where the agency collects, processes, and disseminates the information for the benefit of a specific identifiable group beyond the benefit to the general public;
iii. Where the agency plans to establish user charges at less than cost of dissemination because of a determination that higher charges would constitute a significant barrier to properly performing the agency's functions, including reaching members of the public whom the agency has a responsibility to inform; or
iv. Where the Director of OMB determines an exception is warranted.
e) Ensuring that government publications are made available to depository libraries through the Government Publishing Office; and
f) Taking advantage of all dissemination channels, including Federal, State, local, tribal, territorial governments, libraries, nonprofit, and private sector entities, in discharging agency information dissemination responsibilities.
5) Agencies shall manage information in accordance with the following principles:
a) Providing notice of Federal agency practices for the collection, use, maintenance, disclosure, dissemination, and destruction of records, as appropriate;
b) Providing adequate notice when initiating, substantially modifying, or terminating dissemination of significant information that the public may be using;
c) Identifying the source of the information disseminated to the public, if from outside the agency, where practicable;
d) Considering target audiences of Federal information when determining format, frequency of update, and other information management decisions;
e) Considering the impact of decisions and actions in each stage of the information life cycle on other stages;
f) Considering the effects of information management actions on members of the public and State, local, tribal, and territorial governments and their access to Federal information, and ensuring consultation with the public and those governments as appropriate;
g) Ensuring that, to the extent existing information dissemination policies or practices are inconsistent with the requirements of this Circular, a prompt and orderly transition to compliance with the requirements of this Circular is made;
h) Seeking to satisfy new information needs through interagency or intergovernmental sharing of information, or through nongovernmental sources, where lawful and appropriate, before creating or collecting new information;
i) Complying with all applicable statutes governing the disclosure of information, including those related to the quality, privacy, confidentiality, security, and other valid access, use, and dissemination restrictions; and
j) If not in the public domain, providing details on the license status to potential data users to help these potential users understand whether there are any restrictions on copying, publishing, distributing, transmitting, adapting, or otherwise using the information for commercial or non-commercial purposes.