The White House released the finalized revisions to the Office of Management and Budget’s Circular A-130 Wednesday, the first significant update to the policy since 2000.
The document now underscores the mandatory nature of certain security and privacy controls while also enhancing the role of agency privacy officials in IT system authorizations, according to a blog post co-authored by several officials.
“In today’s digital world, we are creating and collecting large volumes of data to carry out the federal government’s various missions to serve the American people,” the blog post reads. “This data is duplicated, stored, processed, analyzed and transferred with ease. As government continues to digitize, we must ensure we manage data to not only keep it secure, but also allow us to harness this information to provide the best possible service to our citizens.”
The revised circular covers a wide range of policy updates in information governance, acquisitions, records management, open data, workforce, security and privacy. The new policy requires agencies to:
- Perform ongoing reauthorization of systems, replacing the triennial reauthorization process;
- Continuously monitor, log and audit user activity to protect against insider threats;
- Periodically improve incident response;
- Encrypt moderate and high impact information at rest and in transit;
- Implement measures to protect against supply chain threats; and
- Provide identity assurance for secure government services.
Additionally, an updated appendix outlines some of the general requirements and responsibilities for agencies managing personally identifiable information. They include:
- Establishing and maintaining a comprehensive, strategic, agencywide privacy program;
- Designating senior agency officials for privacy;
- Managing and training an effective privacy workforce;
- Conducting privacy impact assessments; and
- Applying the National Institute of Standards and Technology’s Risk Management Framework to manage privacy risks in the information system development life cycle.
Another OMB circular, A-108 — which handles agency responsibilities under the Privacy Act — is also under revision, with plans for release later this year.
The updates to A-130 have been in the works for a long time. FedScoop first reported in June 2015 that the White House had wanted to circulate draft revisions the December prior, but certain events — such as the Office of Personnel Management breach, the passage of the Federal IT Acquisition Reform Act and security gaps in FISMA reports — caused the administration to take its time with the revision.
OMB released a draft version of A-130 in October 2015, garnering so much public feedback that it extended the comment period well beyond the original deadline. Trade groups, private companies, and current and former government employees pointed to gaps where they felt the document fell short.
It’s not clear if the White House made any edits based on the feedback it received during the comment period.
The revised document is viewable at a130.cio.gov.
Contact the reporter on this story via email at firstname.lastname@example.org, or follow him on Twitter at @gregotto.