
Circular A-130

Archive Site

Welcome! This site is archival. It was used to collect feedback from the public on proposed revisions to OMB Circular A-130. The comment period closed in November 2015. The revised OMB Circular A-130 was announced on July 27, 2016.
Read more here.

Background

The White House Office of Management and Budget (OMB) is proposing for the first time in fifteen years revisions to the Federal Government's governing document establishing policies for the management of Federal information resources: Circular No. A-130, Managing Information as a Strategic Resource. More specifically, Circular A-130 provides general policy for the planning, budgeting, governance, acquisition, and management of Federal information resources. It also includes appendices outlining agency responsibilities for managing information, supporting use of electronic transactions, and protecting Federal information resources.

The proposed revisions to the Circular are the result of new statutory requirements and enhanced technological capabilities since the last update to the Circular in 2000. Modernizing this policy will enable OMB to provide timely and relevant guidance to agencies and will ensure that the Federal IT ecosystem operates more securely and more efficiently while saving tax dollars and serving the needs of the American people.

The proposed Circular reflects a rapidly evolving digital economy, where more than ever, individuals, groups, and organizations rely on information technology to carry out a wide range of missions and business functions. Information technology changes rapidly and the Federal workforce managing IT must have the flexibility to address known and emerging threats while implementing continuous improvements. This update acknowledges the pace of change and the need to increase capabilities provided by 21st century technology while recognizing the need for strong governance and safeguarding of taxpayer funded assets and information.

The public comment period has ended. Thank you for your comments. (Earlier notices, retained for the record: The proposed guidance is now open for public comment on this page. The public feedback period will be 30 days, closing on November 20, 2015. The public feedback period has been extended by 15 days; the new deadline for public feedback is December 5, 2015.) Following the public feedback period, OMB will analyze all submitted feedback and revise the policy as necessary.

Instructions for Public Comment

You may provide feedback in three ways:

  1. Content suggestions and discussions are welcome via GitHub “issues.” Each issue is a conversation initiated by a member of the public. We encourage you to browse and join in on discussions in existing issues, or start a new conversation by opening a new issue.
  2. Direct changes and line edits to the content may be submitted through a "pull request" by clicking "Edit this page". You do not need to install any software to suggest a change. You can use GitHub's in-browser editor to edit files and submit a pull request for your changes to be merged into the document. Directions on how to submit a pull request can be found here. Open pull requests for the proposed guidance can be found here.
  3. Send your content suggestions or proposed revisions to the OMB Office of the Federal Chief Information Officer via email to a130@omb.eop.gov. Please note that all comments received will be posted publicly on this page.

Introduction

Information and information technology resources are widely recognized as one of the engines that drive the U.S. economy—giving industry a competitive advantage in the global marketplace, enabling the Federal government to provide quality services to citizens, and facilitating greater productivity as a nation. The deeply embedded nature of information technology in all Federal agency missions and business processes reflects the rapid transformation to a fully "digital" world. This transformation has provided significant opportunities for agencies, through modern computing architectures, cloud technologies, and agile development techniques, to acquire and rapidly deploy highly efficient and cost-effective applications, services, and solutions. Today, agencies depend heavily on information technology to successfully carry out their missions and business functions; thus the information technology environment, including the information systems, system components, and supporting business processes, must be dependable and survivable. Information systems must have the necessary levels of trustworthiness and resilience to be able to process, store, manage access to, and transmit Federal information in a timely, efficient, and secure manner and to be able to operate under adverse conditions, when necessary, to provide essential services.

To provide the necessary levels of trustworthiness and resilience while maximizing advanced computing technologies, Federal information systems must be built to anticipate the modern threat space—that is, the systems should employ technologies that can significantly increase the "built-in" protection capability of those systems and make them inherently less vulnerable. This requires building trustworthiness and resilience into all layers of the information technology "stack," including the networks, systems, applications, and data, as well as the hardware, firmware, operating systems, middleware, and software that comprise them. Increasing trustworthiness and resilience is a significant undertaking that requires a substantial investment in architectural design and development. The ultimate objective is to acquire and deploy more trustworthy and resilient applications, systems, and services that are fully capable of supporting the Federal government's missions and business operations commensurate with its risk tolerance.

Summary of Changes

In the main body of the Circular, OMB has replaced the Background section of the main body with an Introduction section (Section 1) that discusses the importance of ensuring trustworthiness and resilience of information systems. OMB also proposes additional language on the purpose of the Circular (Section 2) and amends the Authorities section (now Section 9) to more fully cover existing statutes.

In the Applicability section (Section 3) of the main body, OMB has simplified the reference to national security systems by removing “Information classified for national security purposes should also be handled in accordance with the appropriate national security directives. National security emergency preparedness activities should be conducted in accordance with Executive Order No. 12472” and replacing it with “For national security systems, agencies should follow applicable statutes, Executive Orders, and directives.”

Section 4, Basic Considerations, and Section 5, Policy, have been revised to incorporate both policy and statute changes since the Circular was last revised. Specific changes to the Policy section (Section 5) include the replacement of outdated requirements with new requirements covering planning and budgeting, governance, leadership and workforce, information technology management, privacy and information security, next generation Internet, records management, and information management and access.

Section 6 of the Circular designates government-wide responsibilities for specific agencies. The section incorporates additional statutory requirements enacted since the last revision of the Circular in 2000.

In the Definitions Section of the main body (Section 10), OMB has proposed several changes.

OMB is proposing to delete the following definitions – “audiovisual production,” “full costs,” “Information Technology Resources Board,” “information processing services organization,” and “service recipient,” as they are no longer needed for the purposes of this Circular.

The term “government information” has been removed because it is not used in this Circular. The term “Federal information” has been added to the Definitions section because it is a commonly used term in statute and is used throughout this Circular. Several new definitions are proposed for inclusion in the main body of the Circular including – “enterprise architecture,” “Federal information system,” “information security,” “information technology resources,” “interagency agreement,” “major information technology investment,” “open data,” “personally identifiable information,” “senior agency official for privacy,” and “senior agency official for records.”

The Circular also proposes to modify the definitions for “agency,” “capital planning and investment control process,” “information,” “information resources,” “information resources management,” “information system,” “information system life cycle,” “information technology,” “the CIO Council,” “dissemination,” and “major information system” to be consistent with current OMB policy and Federal statute.

Appendix I, previously titled Federal Agency Responsibilities for Maintaining Records About Individuals, is being revised to provide guidance to Federal agencies on their responsibilities for managing information resources that involve personally identifiable information (PII). The previous version of Appendix I described agency responsibilities for implementing the reporting and publication requirements of the Privacy Act of 1974, as amended (5 U.S.C. § 552a). This information is being revised and reconstituted as OMB Circular No. A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act. The revised Appendix I, titled Responsibilities for Management of Personally Identifiable Information, provides guidance on Federal agencies’ responsibilities for protecting personally identifiable information (PII) – including PII collected for statistical purposes under a pledge of confidentiality – and describes a set of fair information practice principles (FIPPs) that Federal agencies should incorporate when managing information resources that involve PII. It also discusses requirements for designating a Senior Agency Official for Privacy (SAOP) and conducting Privacy Impact Assessments. Finally, Appendix I requires Federal agencies to implement the privacy controls in National Institute of Standards and Technology (NIST) Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. Additional guidance on implementing the NIST SP 800-53 privacy controls is provided in Appendix III, Responsibilities for Protecting Federal Information Resources.

Appendix II, previously titled Implementation of the Government Paperwork Elimination Act, is being revised to reference requirements of the Electronic Signatures in Global and National Commerce Act (E-Sign Act). The Government Paperwork Elimination Act (GPEA) and E-Sign Act are both important tools to improve customer service and governmental efficiency through the use of information technology. In addition to highlighting the E-Sign Act and more recent guidance, such as the “Federal Chief Information Officers’ Council Use of Electronic Signatures in Federal Organization Transactions” (dated January 2013), this appendix has been significantly pared down. For example, the OMB M-00-10 attachment entitled “OMB Procedures and Guidance on Implementing the Government Paperwork Elimination Act” has been removed and included as a reference. The Background section has been revised to make the information more current and remove historical information not relevant to the current update. For example, summaries of public comments received on OMB’s draft GPEA guidance of 2000 have been removed, as well as outdated references to GAO and NIST publications.

Appendix III, previously titled Security of Federal Automated Information Resources, is being revised to establish new requirements for information security and privacy management, to incorporate new mandates in the Federal Information Security Modernization Act of 2014, and to ensure consistency with OMB policies and NIST Federal Information Processing Standards and 800-series publications. In short, the revised Appendix III provides guidance on how agencies should take a coordinated approach to information security and privacy when protecting Federal information resources. As a result, the title of the Appendix has been changed to Responsibilities for Protecting Federal Information Resources. The proposed revisions provide guidance on agency information security and privacy management, including the transition from the current periodic point-in-time authorization process to a more dynamic continuous monitoring and ongoing authorization process for information systems and common controls. Examples of additional requirements included in the revised Appendix III focus on incident response, encryption, inclusion of security requirements in contracts, oversight of contractors, protecting against insider threats, protecting against supply chain risks, prohibiting unsupported software and system components, and holding personnel accountable. A number of new definitions, consistent with definitions in NIST standards and guidelines, have also been included.

In addition, the revised Appendix III clarifies the role of the SAOP in the NIST Risk Management Framework. In accordance with existing OMB policies, the Appendix explains that the SAOP has overall responsibility and accountability for implementing privacy protections and ensuring that all privacy requirements are met. Accordingly, the SAOP is responsible for developing and implementing a privacy continuous monitoring strategy, reviewing and approving the categorization of information systems, designating privacy controls, reviewing and approving the privacy plan, conducting privacy control assessments, and reviewing authorization packages for information systems.