The White House’s Office of Management and Budget has released a long-awaited proposed revision of its information management policy, bringing circular A-130 up to date for the first time since 2000.
The updated circular imposes new privacy and security requirements, a new structure for obtaining the fabled “authority to operate” that all federal IT systems need and attempts to continue the shift away from static, paper-based security documentation towards a more dynamic ongoing process.
In a blog post on the White House’s website, federal CIO Tony Scott and Office of Federal Procurement Policy Administrator Anne Rung wrote the revised document “provides general policy for the planning, budgeting, governance, acquisition, and management of federal information resources,” taking into account the “new statutory requirements and enhanced technological capabilities” that have developed over the past 15 years.
“The proposed circular reflects a rapidly evolving digital economy where more than ever, individuals, groups, and organizations rely on information technology to carry out a wide range of missions and business functions,” the blog post reads.
The OMB website says the agency will accept comments on the proposed revised circular until Nov. 30, and will then “analyze all submitted feedback and revise the policy as necessary.”
The circular, which can be viewed at a130.cio.gov, goes into detail on how IT should be managed, budgeted and bought, and contains provisions on how to protect and safeguard the privacy associated with personally identifiable information.
The biggest changes come in Appendix III, which establishes new requirements for information security and privacy management, and incorporates new mandates contained in FISMA.
“To be effective, information security and privacy considerations must be part of the day-to-day operations of agencies,” the document reads. “This is best accomplished by planning for the requisite security and privacy capabilities as an integral part of the agency strategic planning and risk management processes, not as a separate activity.”
As reported by FedScoop earlier this year, the new guidance also creates a parallel authorization authority and gives privacy officers the ability to deny authorizations. That language has remained in the circular that was posted Wednesday.
“That by itself is problematic. There’s a designated authorizing authority or there’s not,” said an official who saw the proposed changes earlier this summer but was not authorized to comment on them publicly. “You’re making the security and privacy bifurcation even worse. It should just say the authorizing authority has to take into consideration security and privacy and there should be one plan that covers both.”
The A-130 also pushes for moving security checks from a static, point-in-time authorization process to a dynamic, near real-time ongoing process. The circular also states that systems will need to be reauthorized if changes occur in a number of different areas, including new threats and vulnerabilities, new business functions or new statutes from NIST or OMB, among others.
The circular’s release comes as OMB prepares to release its Cyber Security Implementation Plan, which builds on the Cybersecurity Sprint launched by Scott in the wake of the data breach at the Office of Personnel Management. Multiple officials have told FedScoop that plan will be released “very soon.”