The Office of Management and Budget kicked off its post-cyber sprint marathon Oct. 21 to fix systemic vulnerabilities across federal networks and systems.
OMB issued the long-awaited and much-needed update to Circular A-130. The draft document is out for public comment for the next 30 days.
“Circular A-130 provides general policy for the planning, budgeting, governance, acquisition, and management of federal information resources,” wrote Tony Scott, the federal chief information officer, Anne Rung, the administrator in the Office of Federal Procurement Policy, and Howard Shelanski, the administrator in the Office of Information and Regulatory Affairs, in a blog post released Wednesday. “It also includes appendices outlining agency responsibilities for managing information, supporting use of electronic transactions, and protecting federal information resources.”
This is the first update of A-130 since 2000, so it addresses a long list of changes to technology, laws and policies, including the recently passed Federal IT Acquisition Reform Act (FITARA).
While the draft document updates everything from the definition of agency to capital planning and investment control to interagency agreement to enterprise architecture, by far the biggest changes may be focused on cybersecurity.
“In short, the revised Appendix III provides guidance on how agencies should take a coordinated approach to information security and privacy when protecting federal information resources,” OMB wrote in the draft document. “As a result, the title of the Appendix has been changed to Responsibilities for Protecting Federal Information Resources. The proposed revisions provide guidance on agency information security and privacy management, including the transition from the current periodic point-in-time authorization process to a more dynamic continuous monitoring and ongoing authorization process for information systems and common controls.”
This is a major change from the previous A-130, which required agencies to focus on what many saw as compliance activities and on reauthorizing systems at least every three years.
“To be effective, information security and privacy considerations must be part of the day-to-day operations of agencies,” OMB wrote in the draft. “This is best accomplished by planning for the requisite security and privacy capabilities as an integral part of the agency strategic planning and risk management processes, not as a separate activity. This includes, but is not limited to, the integration of federal information security and privacy requirements (and security and privacy controls) into the enterprise architecture, system development life cycle activities, systems engineering processes, and acquisition processes.”
Scott said Tuesday at the Federal IT Acquisition Summit in Washington that OMB would be releasing more details of the post-cyber sprint strategy. This includes updated Federal Information Security Management Act (FISMA) metrics and guidance.
Scott said OMB also is “days away” from releasing new guidance or a strategy to continue the progress made with the 30-day sprint over the summer.
“Basically, it lays out what we are expecting to be able to do with some requests from Congress and others over [the] next 18 months or so,” Scott said at the conference sponsored by 1105 Government Information Group. “As part of the plan, we have Einstein acceleration and implementation details. We also have ideas about people and resources in the federal government and how we get more trained cyber people. You will see a whole bunch of output of different work streams.”
While OMB finalizes these other documents, the draft A-130 is the underlying framework for some of the most basic changes needed across the government.
“The proposed circular reflects a rapidly evolving digital economy where more than ever, individuals, groups, and organizations rely on information technology to carry out a wide range of missions and business functions,” Scott, Rung and Shelanski wrote in the blog post. “Information technology changes rapidly and the federal workforce managing IT must have the flexibility to address known and emerging threats while implementing continuous improvements. This update acknowledges the pace of change and the need to increase capabilities provided by 21st century technology while recognizing the need for strong governance and safeguarding of taxpayer funded assets and information.”
The draft document calls on agencies to deploy systems that are both “trustworthy and resilient,” through the use of advanced security architectures and system engineering concepts.
OMB highlights the importance of taking risk-based approaches to technology implementation.
“Ultimately, agency heads remain responsible and accountable for ensuring that information management practices comply with all federal requirements, and that federal information is adequately protected commensurate with the risk resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of such information,” the draft stated.
The cyber section details 19 general requirements, such as establishing responsibilities and accountability for implementing information and information security programs under FITARA, and applying supply chain risk management principles throughout the system development lifecycle to protect against counterfeit products, products containing malicious software, and poor manufacturing and development practices.
The section also includes more than 100 specific requirements covering areas such as continuous monitoring; planning and budgeting; and incident detection, response and recovery.
“This appendix establishes minimum requirements for federal information security programs, assigns federal agency responsibilities for the security of information and information systems, and links agency information security programs and agency management control systems established in accordance with OMB Circular No. A-123, Management’s Responsibility for Internal Control,” the draft document stated. “This appendix also establishes requirements for federal privacy programs, assigns responsibilities for privacy program management, and describes how agencies should take a coordinated approach to implementing information security and privacy controls.”
Scott also highlighted another big change in A-130 beyond cyber.
“We specifically provide guidance…buy commercial service before you build, leverage existing shared resources and a whole bunch of things like that,” he said. “It will not only shorten the [buying] cycle, but also take cost out and get us out of some of this crazy annual rhythm we get into with annual continuing resolutions.”
The draft document establishes a priority and process for agencies when they need new IT systems.
“Priority in the selection of information system technologies and services should be given in the following order: First, to the use of available and suitable existing federal information systems, software, technologies, and shared services and/or information processing facilities; Second, to the acquisition of commercially available off-the-shelf components and/or software-as-a-service solutions; and Third, to custom developed software and technologies,” the draft document stated. “All proposed solutions should be merit-based and consider factors such as performance, cost, security, interoperability, ability to share or re-use, and availability of quality support. Decisions to acquire or develop custom or duplicative solutions must be justified based on comparative analysis conducted in a technology neutral manner that is merit-based and considers factors such as performance, cost, security, interoperability, ability to share or re-use, and availability of quality support, analysis of overall cost-effectiveness of the solution throughout the life cycle, the ability to meet acceptable levels of security, and the ability to meet specific and high-priority mission or operational requirements.”
Should an agency have to build a custom IT system, OMB says the agency should ensure it owns the rights to the software so that the software can be reused across the government.
Related to the acquisition of commercial services, the draft A-130 calls for agencies to award contracts within 180 days or consider cancelling the acquisition. Additionally, the document says all IT deliveries should be completed within 18 months of award.
“Structure acquisitions for major IT investments into useful segments with a narrow scope and brief duration in order to reduce risk, promote flexibility and interoperability, increase accountability, and better match mission need with current technology and market conditions,” the draft document stated.
OMB also is adding elements of FITARA to the leadership and workforce section.
For example, A-130 now would require agency CIOs to be involved in the recruitment of, and to approve the selection of, any new bureau CIOs or their equivalents.
CIOs should also work with agency chief human capital officers to develop performance metrics for bureau-level CIOs.