After more than 15 years of advancement passed it by, the Office of Management and Budget released an update to Circular A-130, the government's guiding policy for managing and maintaining IT resources.
Along with more emphasis on cybersecurity and treating data assets, the policy has been updated to reference new legislation — like the Federal IT Acquisition Reform Act (FITARA) and the Digital Accountability and Transparency Act (DATA Act) — as well as presidential directives, executive orders and new standards in technology.
Circular A-130: Managing Information as a Strategic Resource
The document was last updated in 2000, which itself came 15 years after the policy was established in 1985. (There were revisions to the policy within that first 15-year window.) OMB published a draft revision in October 2015 and has spent the last year going through comments and polishing the final version.
"As government continues to digitize, we must ensure we manage data to not only keep it secure, but also allow us to harness this information to provide the best possible service to our citizens," Federal CIO Tony Scott, Office of Information and Regulatory Affairs Administrator Howard Shelanski, U.S. Chief Acquisition Officer Anne Rung and OMB Senior Advisor for Privacy Marc Groman said in a July 17 blog post announcing the final revisions.
"Today's update to Circular A-130 gathers in one resource a wide range of policy updates for federal agencies regarding cybersecurity, information governance, privacy, records management, open data and acquisitions," they wrote. "It also establishes general policy for IT planning and budgeting through governance, acquisition and management of federal information, personnel, equipment, funds, IT resources and supporting infrastructure and services."
A significant part of managing digital assets in the modern day revolves around securing that data from hacks, leaks and other breaches. The updated A-130 comes with a new Appendix I focused on the cybersecurity problem.
The revised appendix sets the minimum security standards and requires agencies to take a number of steps to maintain a level of protection and awareness:
- Perform ongoing reauthorization of systems (replacing the triennial reauthorization process) to better protect agency information systems.
- Continuously monitor, log and audit user activity to protect against insider threats.
- Periodically test response procedures and document lessons learned to improve incident response.
- Encrypt moderate and high impact information at rest and in transit.
- Ensure terms in contracts are sufficient to protect federal information.
- Implement measures to protect against supply chain threats.
- Provide identity assurance for secure government services.
- Ensure agency personnel are accountable for following security and privacy policies and procedures.
The former Appendix I, concerning how agencies should comply with the Privacy Act has been cut from A-130 and will be folded later this year into Circular A-108, which covers the handling and reporting of sensitive information.
However, some of that is covered under A-130's new Appendix II: Responsibilities for managing personally identifiable information (PII) — data which, if leaked, could be significantly damaging to the citizens affected. The policy requires agencies to take several steps, including:
- Establishing and maintaining a comprehensive, strategic, agency-wide privacy program.
- Designating a senior agency official for privacy.
- Managing and training an effective privacy workforce.
- Conducting privacy impact assessments.
- Applying NIST’s Risk Management Framework to manage privacy risks in the information system development life cycle.
- Using the fair information practice principles when evaluating information systems, processes, programs and activities that affect privacy.
- Maintaining an inventory of PII and reducing PII usage to the minimum necessary for the proper performance of authorized agency functions.
- Limiting the creation, collection, use, processing, storage, maintenance, dissemination and disclosure of PII to that which is legally authorized, relevant and reasonably deemed necessary for the proper performance of agency functions.
While this is the final revision for cycle of updates, Circular A-130 isn't going away anytime soon and will likely see another update before some new innovation comes through to upend the way we handle information.