This story has been updated.
Highlighting what it sees as a more dynamic approach to strategic information management, the White House on Wednesday unveiled the long-awaited update of Circular A-130, the governing document for management of information resources. The new guidelines are a bid to centralize policy in cybersecurity, privacy, records management, open government and acquisitions.
In a blog post and fact sheet, the Office of Management and Budget said the first update of the circular since 2000 “establishes general policy for IT planning and budgeting through governance, acquisition, and management of federal information, personnel, equipment, funds, IT resources, and supporting infrastructure and services.”
Work on Circular A-130 was announced last year, though delays prompted public pressure from senators concerned about weaknesses in federal cybersecurity.
Wednesday’s guidance, titled “Managing Federal Information as a Strategic Resource,” was described by Chief Information Officer Tony Scott, Office of Information and Regulatory Affairs Administrator Howard Shelanski, Chief Acquisition Officer Anne Rung, and White House privacy senior adviser Marc Groman.
“The way we manage information technology, security, data governance, and privacy has rapidly evolved since A-130 was last updated in 2000,” they wrote. “In today’s digital world, we are creating and collecting large volumes of data to carry out the federal government’s various missions to serve the American people. This data is duplicated, stored, processed, analyzed, and transferred with ease. As government continues to digitize, we must ensure we manage data to not only keep it secure, but also allow us to harness this information to provide the best possible service to our citizens.”
A-130 focuses on three elements that spur agency innovation, they said: real-time knowledge of the threat environment, proactive risk management and shared responsibility.
“In order to keep pace, we must move away from periodic, compliance-driven assessment exercises and, instead, continuously assess our systems and build-in security and privacy with every update and re-design,” they wrote. “Throughout the circular, we make clear the shift away from check-list exercises and toward the ongoing monitoring, assessment, and evaluation of Federal information resources.”
Specifically, the circular will help agencies comply consistently with presidential executive orders, counter insider threats and make secure use of such innovations as electronic signatures. It requires agencies to keep inventories of personally identifiable information and updates requirements for the National Institute of Standards and Technology to develop guidance leveraging its Cybersecurity Framework and Risk Management Framework to improve agency information security.
Each agency’s responsibilities include establishing and maintaining a comprehensive, strategic, agency-wide privacy program; designating senior agency officials for privacy; managing and training an effective privacy workforce; and conducting Privacy Impact Assessments.
Managing risks will mean constant innovation, and “repeated testing of agency solutions will help to proactively identify additional risks, starting the process anew” to assure both privacy and security, they said. The increased connectivity among citizens through social media, for example, makes A-130 a way to help “ensure everyone remains responsible and accountable for assuring privacy and security of information – from managers to employees to citizens interacting with government services.”
In a statement, Sen. Tom Carper, D-Del., encouraged agencies to implement the guidance as quickly as possible. "As the threats we face in cyberspace continue to evolve and grow every day, we must remain vigilant in efforts to insulate our networks and stay one step ahead of those wishing to do us harm," he stated. "I am pleased that OMB has released updated guidance for federal agencies that better reflects the evolving threats we face today."
The circular takes effect on July 28, 2016.