Managing Federal Information as a Strategic Resource

Today the Office of Management and Budget (OMB) is releasing an update to the Federal Government’s governing document for the management of Federal information resources: Circular A-130, Managing Information as a Strategic Resource.

The way we manage information technology(IT), security, data governance, and privacy has rapidly evolved since A-130 was last updated in 2000.  In today’s digital world, we are creating and collecting large volumes of data to carry out the Federal Government’s various missions to serve the American people.  This data is duplicated, stored, processed, analyzed, and transferred with ease.  As government continues to digitize, we must ensure we manage data to not only keep it secure, but also allow us to harness this information to provide the best possible service to our citizens.

Today’s update to Circular A-130 gathers in one resource a wide range of policy updates for Federal agencies regarding cybersecurity, information governance, privacy, records management, open data, and acquisitions.  It also establishes general policy for IT planning and budgeting through governance, acquisition, and management of Federal information, personnel, equipment, funds, IT resources, and supporting infrastructure and services.  In particular, A-130 focuses on three key elements to help spur innovation throughout the government:

• Real Time Knowledge of the Environment.  In today’s rapidly changing environment, threats and technology are evolving at previously unimagined speeds.  In such a setting, the Government cannot afford to authorize a system and not look at it again for years at a time.  In order to keep pace, we must move away from periodic, compliance-driven assessment exercises and, instead, continuously assess our systems and build-in security and privacy with every update and re-design.  Throughout the Circular, we make clear the shift away from check-list exercises and toward the ongoing monitoring, assessment, and evaluation of Federal information resources.
• Proactive Risk Management.  To keep pace with the needs of citizens, we must constantly innovate.  As part of such efforts, however, the Federal Government must modernize the way it identifies, categorizes, and handles risk to ensure both privacy and security.  Significant increases in the volume of data processed and utilized by Federal resources requires new ways of storing, transferring, and managing it Circular A-130 emphasizes the need for strong data governance that encourages agencies to proactively identify risks, determine practical and implementable solutions to address said risks, and implement and continually test the solutions.  This repeated testing of agency solutions will help to proactively identify additional risks, starting the process anew.
• Shared Responsibility.  Citizens are connecting with each other in ways never before imagined.  From social media to email, the connectivity we have with one another can lead to tremendous advances.  The updated A-130 helps to ensure everyone remains responsible and accountable for assuring privacy and security of information – from managers to employees to citizens interacting with government services. 

This update to Circular A-130 underpins many of the policies and technological advances the Federal Government has undergone thus far.  And it reflects the extensive thoughts and feedback of the public and stakeholders across government and industry.  Going forward, A-130 will continue to be the foundation for government’s ability to innovate, service its citizens, and further secure our nation’s valuable data and information. 

Find out more about the revised and updated A-130 Circular via the fact sheet below.
 

Tony Scott is the U.S. Chief Information Officer.

Howard Shelanski is the Administrator of the Office of Information and Regulatory Affairs.

Anne Rung is the U.S. Chief Acquisition Officer.

Marc Groman is the Senior Advisor for Privacy at the Office of Management and Budget.

***

OMB Circular A-130 provides guidance to Federal agencies on general policy for the planning, budgeting, governance, acquisition, and management of Federal information, personnel, equipment, funds, information technology (IT) resources and supporting infrastructure and services. OMB has revised Circular A-130 to reflect changes in law and advances in technology, as well as to ensure consistency with Executive Orders, Presidential Directives, and other OMB policy.

The revised Circular consolidates in one guidance document a wide range of policy updates in information governance, acquisitions, records management, open data, workforce, security, and privacy.  In particular, the revisions highlight requirements from the Federal Information Technology Acquisition Reform Act to improve the acquisition and management of information resources.  Also discussed are electronic signature requirements in accordance with the Government Paperwork Elimination Act and Electronic Signatures in Global and National Commerce Act.

The revised Circular also emphasizes and clarifies the role of both privacy and security in the Federal information lifecycle.  Importantly, the revised Circular represents a shift from viewing security and privacy requirements as compliance exercises to understanding security and privacy as crucial components of a comprehensive, strategic, and continuous risk-based program. 

The updated Circular promotes innovation, enables information sharing, and fosters the wide-scale and rapid adoption of new technologies while protecting and enhancing security and privacy.  The Circular can be previewed HERE and is effective July 28, 2016.

Appendix I:  Responsibilities for Protecting and Managing Federal Information Resources

This Appendix establishes minimum requirements for Federal information security programs and assigns responsibilities for the security of information and information systems.  It also establishes minimum requirements for Federal privacy programs, assigns responsibilities for privacy program management, and describes how agencies should take a coordinated approach to implementing information security and privacy controls. 

Among other things, these revisions require agencies to:

• Perform ongoing reauthorization of systems (replacing the triennial reauthorization process) to better protect agency information systems; 
• Continuously monitor, log, and audit user activity to protect against insider threats;
• Periodically test response procedures and document lessons learned to improve incident response;
• Encrypt moderate and high impact information at rest and in transit;
• Ensure terms in contracts are sufficient to protect Federal information;
• Implement measures to protect against supply chain threats;
• Provide identity assurance for secure government services; and,
• Ensure agency personnel are accountable for following security and privacy policies and procedures.

The revised Appendix I also requires the National Institute of Standards and Technology (NIST) to develop guidance leveraging its Cybersecurity Framework and Risk Management Framework to improve agency information security.

Appendix II:  Responsibilities for Managing Personally Identifiable Information (PII)

Appendix II outlines some of general responsibilities for Federal agencies managing personally identifiable information (PII) – including PII collected for statistical purposes under a pledge of confidentiality.  While Appendix I focuses on both security and privacy, Appendix II is devoted to summarizing the responsibilities for Federal agencies managing information resources involving PII. 

Among other things, Appendix II summarizes requirements for Federal agencies in the following areas:

• Establishing and maintaining a comprehensive, strategic, agency-wide privacy program;
• Designating Senior Agency Officials for Privacy;
• Managing and training an effective privacy workforce;
• Conducting Privacy Impact Assessments(PIA);  
• Applying NIST’s Risk Management Framework to manage privacy risks in the information system development life cycle;
• Using the fair information practice principles when evaluating information systems, processes, programs, and activities that affect privacy;
• Maintaining an inventory of PII and reducing PII usage to the minimum necessary for the proper performance of authorized agency functions; and,
• Limiting the creation, collection, use, processing, storage, maintenance, dissemination, and disclosure of PII to that which is legally authorized, relevant, and reasonably deemed necessary for the proper performance of agency functions.

The prior version of Appendix II (which was historically issued as Appendix I) described agency responsibilities for reporting and publication under the Privacy Act of 1974.  This OMB guidance is being revised and will be issued as OMB Circular A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act, to be released this year 

***