For the first time in 15 years, the White House is circulating major changes to the policy document that governs the management and security of federal IT systems and data. A copy of the document, obtained exclusively by FedScoop, reveals a significant effort to enhance the role of agency privacy officials in IT system authorizations and underscores the mandatory nature of certain security and privacy controls.
The revised draft of Office of Management and Budget Circular A-130 — Management of Federal Information Resources — is the first significant effort to update the circular since it was last changed in 2000. A limited number of drafts are circulating now for comment by agency IT leaders. Several agency IT officials, who spoke to FedScoop on condition of anonymity because they were not authorized to discuss the draft document publicly, expressed concerns about the impact the changes could have on agency IT acquisition and management.
“The revised A-130 will definitely affect all of our programs,” an agency IT official said. “In the revision, OMB includes the [National Institute of Standards and Technology] privacy controls; incorporates the new mandates stipulated in the Federal Information Modernization Act of 2014; and it provides guidance to agencies on how to incorporate information security and privacy when protecting federal information resources. Additionally, it redefines the [Senior Agency Official for Privacy] and the responsibilities associated.”
The changes have been circulating for some time and were originally scheduled to be released in final draft in December. However, the recent massive hack of personnel records at the Office of Personnel Management, along with revelations that dozens of agencies have reported major security gaps in their annual Federal Information Security Management Act, or FISMA, reports (gaps that, in many cases, have gone uncorrected), has created new pressure to get stricter guidance out faster.
The new document seeks to clarify the relationship between FISMA and the detailed technical guidance provided by NIST.
Making A-130 timeless
The draft would incorporate revised and new statutory policy, technological advancements and enhanced technological capabilities, as well as current and evolving technical and personnel security threats.
“These revisions reflect the experience gained by OMB and agencies in implementing the Circular since 2000,” the document states. “The document’s language is designed for the guidance to maintain a timeless characteristic, not immediately becoming outdated or irrelevant.” The goal of the new language is to “provide guidance that is timely and relevant to agency operations in a current, interconnected, ever-changing information resources environment,” the draft document states.
“Agencies are asked to incorporate this guidance into their policies, understanding that the subject nature of this document will demand agencies continually reassess, reexamine, and reevaluate their information resources management policies and strategies.”
Making A-130 mandatory
Many of the most significant changes are incorporated into Appendix III, which has been renamed “Responsibilities for Protecting Federal Information Resources.”
When directing agency actions, the word “must” is mentioned 51 times throughout Appendix III — compared to just seven times in the existing circular.
The proposed changes to Appendix III establish new requirements for information security and privacy management, and incorporate new mandates contained in FISMA. The changes also seek to ensure consistency with OMB policies, and NIST Federal Information Processing Standards and 800-series publications. “In short, the revised Appendix III provides guidance on how agencies should take a coordinated approach to information security and privacy when protecting Federal information resources,” the draft document states.
Part of that coordinated approach requires agency heads to appoint a senior agency official for privacy, or SAOP. Under the revised Appendix III, the SAOP is charged with instituting privacy protections and ensuring that all privacy requirements are met. “Accordingly, the SAOP is responsible for developing and implementing a privacy continuous monitoring strategy, reviewing and approving the categorization of information systems, designating privacy controls, reviewing and approving the privacy plan, conducting privacy control assessments, and reviewing authorization packages for information systems,” the document states.
As reported by FedScoop, the new guidance also creates a parallel authorization authority and gives privacy officers the ability to deny authorizations. “The authorizing official should consult with the SAOP prior to making risk determination and risk acceptance decisions,” the document states. “The SAOP should review authorization packages and determine that all applicable privacy requirements are met and the risk to [personally identifiable information] is sufficiently addressed before authorizing officials make risk determination and risk acceptance decisions. In situations where the authorizing official and SAOP cannot reach a final resolution regarding the appropriate protection for the organizational information and information system, the head of the agency must review the associated risks and requirements and makes a final determination regarding the issuance of the authorization to operate.”
Another proposed change allows for the separation of security and privacy control plans. The controls can be documented in a single plan or in separate plans, according to officials.
“That by itself is problematic. There’s a designated authorizing authority or there’s not,” said an official who’s seen the proposed changes but was not authorized to comment on them publicly. “You’re making the security and privacy bifurcation even worse. It should just say the authorizing authority has to take into consideration security and privacy and there should be one plan that covers both.”
One area where the proposed changes could have a significant impact is on the Federal Risk and Authorization Management Program, known as FedRAMP. At least two agency officials familiar with the revisions told FedScoop the idea of taking a cloud certification to a Cabinet secretary for final approval was absurd. “Yeah right,” said one agency official, laughing. “OMB just doesn’t get it.”
Under the FedRAMP process, agencies are responsible for conducting privacy assessments once the data that is being moved to the cloud has been identified. But in interviews, officials said even the privacy committee of the CIO Council has been slow to act on critical issues, taking nearly six months to decide which privacy controls should be the responsibility of the cloud provider and which should be the responsibility of the agency.
According to the agency officials interviewed by FedScoop, the technical aspects of agency privacy controls can already be mapped to the National Institute of Standards and Technology 800-53 baseline security controls. What is missing, the officials said, is a privacy impact assessment and policies governing agency procedures for when data is breached.
“Privacy should definitely be part of the process, and OMB should clarify that it should be,” said an official who reviewed the draft revisions. “But by creating a dual lane structure with two authorizing officials rather than one could lead to a more complex, time-consuming and costly process.”
One of the proposed changes to Circular A-130 would be moving agencies from a static, point-in-time authorization process to a dynamic, near real-time ongoing authorization process for information systems and common controls.
It would also change the way agencies use authorizations obtained by other agencies — one of the main benefits of the FedRAMP process for cloud services. “To the extent that a leveraged authorization includes an information system that collects, processes, stores, maintains, transmits, or disseminates PII, leveraging organizations must consult their SAOP,” the draft states. “The SAOP may determine that additional measures are required to protect PII prior to leveraging the authorization.”
At the quarterly meeting of NIST’s Information Security and Privacy Advisory Board on Thursday, OMB Policy Analyst Carol Bales told FedScoop that only “two or three” comments from agencies addressed the authority given to privacy officers. Bales said there were “no big showstoppers.”
As to the issues raised, Bales referred to NIST’s 800-53 document, specifically Appendix J, which is used to set parameters in the circular.
Appendix J of 800-53 sets up a framework for integrating the work of chief privacy officers into the overall security assessment process. One of the core objectives of Appendix J, according to the document, is to promote “closer cooperation between privacy and security officials within the federal government to help achieve the objectives of senior leaders/executives in enforcing the requirements in federal privacy legislation, policies, regulations, directives, standards, and guidance.”
However, the NIST document makes a point to say the privacy suggestions are not mandatory. The image above, taken from the document, shows how NIST suggests the privacy part should work.
However, with the rules set forth in Appendix J included in the OMB circular, the privacy controls now become a mandatory part of the agency’s security process.
As to the idea of taking a cloud certification to a Cabinet secretary for final approval, Bales said it would be no different than how agencies are already conducting business, regardless of how long the FedRAMP process takes.