OFFICE OF MANAGEMENT AND BUDGET
Management of Federal Information Resources
AGENCY: Office of Management and Budget, Executive Office of the President
ACTION: Revision of OMB Circular No. A-130, Transmittal No. 4.
SUMMARY: The Office of Management and Budget issues a revision to Circular No. A-130, "Management of Federal Information Resources," to implement provisions of the Clinger-Cohen Act (also known as AInformation Technology Management Reform Act of 1996@) and for other purposes. The revision modifies sections of the Circular concerning information systems and information technology management to follow more closely provisions of the Clinger-Cohen Act and OMB Circular A-11. These sections involve the acquisition, use, and disposal of information technology as a capital asset by the Federal government to improve the productivity, efficiency, and effectiveness of Federal programs.
AVAILABILITY: You can find a full recompiled version of Circular A-130, including the changes made here along with the existing sections that have not changed on the Internet at the OMB web site, http://www.whitehouse.gov/OMB/circulars/index.html and at the CIO Council home page at http://www.cio.gov. You can also obtain a copy of OMB Circular No. A-11, including the supplement to Part 3, "The Programming Guide," at the OMB web site and the CIO Council web site, or by calling the Budget Review and Concepts Division at OMB at 202-395-3172.
FOR FURTHER INFORMATION CONTACT: Tony Frater, Information Policy and Technology Branch, Office of Information and Regulatory Affairs, Office of Management and Budget, Room 10236, New Executive Office Building, Washington, D.C. 20503. Telephone: (202) 395-3785.
SUPPLEMENTARY INFORMATION:
Background: The Clinger-Cohen Act (also known as "Information Technology Management Reform Act of 1996") (Pub. L. 104-106, Division E, codified at 40 U.S.C. Chapter 25) grants to the Director of the Office of Management and Budget (OMB) authority to oversee the acquisition, use, and disposal of information technology by the Federal government, so as to improve the productivity, efficiency, and effectiveness of Federal programs. It supplements the information resources management (IRM) policies contained in the Paperwork Reduction Act (PRA) (44 U.S.C. Chapter 35) by establishing a comprehensive approach to improving the acquisition and management of agency information systems through work process redesign, and by linking planning and investment strategies to the budget process.
Comments on the Proposed Revision to Circular A-130
1. Comments regarding the IT Capital Plan
2. Comments on the relationship between the agency Enterprise Architecture and the agency capital planning and investment control process.
3. Comments on the threshold for a major information system
4. Comments on Data Quality concerns
5. Comments on Computer Security
6. Comments on information dissemination and information resources management
Jacob J. Lew
Director
2. Section 5, "Background," is revised to read as follows:
3. Section 6, "Definitions," is revised by adding five new definitions (c,d,f,t, and v, below); revising the definition of "information technology"; and redesignating the remaining definitions accordingly:
4. Section 7, "Basic Considerations and Assumptions," is amended by revising Section 7i, and by adding Section 7r, as follows:
5. Section 8b is revised to read as follows:
(ii) A component that addresses two other sections of OMB Circular A-11: a section for Information on Financial Management, including the Report on Financial Management Activities and the Agency's Financial Management Plan, and a section entitled Information Technology, including the Agency IT Investment Portfolio.
(iii) A component, derived from the agency's capital planning and investment control process, that demonstrates the criteria it will use to select the investments into the portfolio, how it will control and manage the investments, and how it will evaluate the investments based on planned performance versus actual accomplishments.
(iv) A component that includes a summary of the security plan from the agency's five-year plan as required by the PRA and Appendix III of this Circular. The plan must demonstrate that IT projects and the EA include security controls for components, applications, and systems that are consistent with the agency's Enterprise Architecture; include a plan to manage risk; protect privacy and confidentiality; and explain any planned or actual variance from National Institute of Standards and Technology (NIST) security guidance.
(b) What must an agency do as part of the selection component of the capital planning process?
(i) Evaluate each investment in information resources to determine whether the investment will support core mission functions that must be performed by the Federal government;
(ii) Ensure that decisions to improve existing information systems or develop new information systems are initiated only when no alternative private sector or governmental source can efficiently meet the need;
(iii) Support work processes that it has simplified or otherwise redesigned to reduce costs, improve effectiveness, and make maximum use of commercial, off-the-shelf technology;
(iv) Reduce risk by avoiding or isolating custom designed components, using components that can be fully tested or prototyped prior to production, and ensuring involvement and support of users;
(v) Demonstrate a projected return on the investment that is clearly equal to or better than alternative uses of available public resources. The return may include improved mission performance in accordance with GPRA measures, reduced cost, increased quality, speed, or flexibility; as well as increased customer and employee satisfaction. The return should reflect such risk factors as the project's technical complexity, the agency's management capacity, the likelihood of cost overruns, and the consequences of under- or non-performance. Return on investment should, where appropriate, reflect actual returns observed through pilot projects and prototypes;
(vi) Prepare and update a benefit-cost analysis (BCA) for each information system throughout its life cycle. A BCA will provide a level of detail proportionate to the size of the investment, rely on systematic measures of mission performance, and be consistent with the methodology described in OMB Circular No. A-94, "Guidelines and Discount Rates for Benefit-Cost Analysis of Federal Programs";
(vii) Prepare and maintain a portfolio of major information systems that monitors investments and prevents redundancy of existing or shared IT capabilities. The portfolio will provide information demonstrating the impact of alternative IT investment strategies and funding levels, identify opportunities for sharing resources, and consider the agency's inventory of information resources;
(viii) Ensure consistency with Federal, agency, and bureau Enterprise architectures, demonstrating such consistency through compliance with agency business requirements and standards, as well as identification of milestones, as defined in the EA;
(ix) Ensure that improvements to existing information systems and the development of planned information systems do not unnecessarily duplicate IT capabilities within the same agency, from other agencies, or from the private sector;
(x) Ensure that the selected system or process maximizes the usefulness of information, minimizes the burden on the public, and preserves the appropriate integrity, usability, availability, and confidentiality of information throughout the life cycle of the information, as determined in accordance with the PRA and the Federal Records Act. This portion must specifically address the planning and budgeting for the information collection burden imposed on the public as defined by 5 CFR 1320;
(xi) Establish oversight mechanisms, consistent with Appendix III of this Circular, to evaluate systematically and ensure the continuing security, interoperability, and availability of systems and their data;
(xii) Ensure that Federal information system requirements do not unnecessarily restrict the prerogatives of state, local and tribal governments;
(xiii) Ensure that the selected system or process facilitates accessibility under the Rehabilitation Act of 1973, as amended.
(c) What must an agency do as part of the control component of the capital planning process?
(i) Institute performance measures and management processes that monitor actual performance compared to expected results. Agencies must use a performance based management system that provides timely information regarding the progress of an information technology investment. The system must also measure progress towards milestones in an independently verifiable basis, in terms of cost, capability of the investment to meet specified requirements, timeliness, and quality;
(ii) Establish oversight mechanisms that require periodic review of information systems to determine how mission requirements might have changed, and whether the information system continues to fulfill ongoing and anticipated mission requirements. These mechanisms must also require information regarding the future levels of performance, interoperability, and maintenance necessary to ensure the information system meets mission requirements cost effectively;
(iii) Ensure that major information systems proceed in a timely fashion towards agreed-upon milestones in an information system life cycle. Information systems must also continue to deliver intended benefits to the agency and customers, meet user requirements, and identify and offer security protections;
(iv) Prepare and update a strategy that identifies and mitigates risks associated with each information system;
(iv) Ensure that financial management systems conform to the requirements of OMB Circular No. A-127, "Financial Management Systems;"
(v) Provide for the appropriate management and disposition of records in accordance with the Federal Records Act.
(vi) Ensure that agency EA procedures are being followed. This includes ensuring that EA milestones are reached and documentation is updated as needed.
(d) What must an agency do as part of the evaluation component of the capital planning process?
(i) Conduct post-implementation reviews of information systems and information resource management processes to validate estimated benefits and costs, and document effective management practices for broader use;
(ii) Evaluate systems to ensure positive return on investment and decide whether continuation, modification, or termination of the systems is necessary to meet agency mission requirements.
(iii) Document lessons learned from the post-implementation reviews. Redesign oversight mechanisms and performance levels to incorporate acquired knowledge.
(iv) Re-assess an investment's business case, technical compliance, and compliance against the EA.
(v) Update the EA and IT capital planning processes as needed.
(ii) Meet information technology needs through cost effective intra-agency and interagency sharing, before acquiring new information technology resources; and
(iii) Establish a level of security for all information systems that is commensurate to the risk and magnitude of the harm resulting from the loss, misuse, unauthorized access to, or modification of the information stored or flowing through these systems.
(b) How do agencies create and maintain the EA?
(ii) Information Flow and Relationships - Agencies must analyze the information utilized by the agency in its business processes, identifying the information used and the movement of the information. These information flows indicate where the information is needed and how the information is shared to support mission functions.
(iii) Applications - Agencies must identify, define, and organize the activities that capture, manipulate, and manage the business information to support business processes. The EA also describes the logical dependencies and relationships among business activities.
(iv) Data Descriptions and Relationships - Agencies must identify how data is created, maintained, accessed, and used. At a high level, agencies must define the data and describe the relationships among data elements used in the agency's information systems.
(v) Technology Infrastructure - Agencies must describe and identify the functional characteristics, capabilities, and interconnections of the hardware, software, and telecommunications.
(c) What are the Technical Reference Model and Standards Profile?
(ii) The Standards Profile defines the set of IT standards that support the services articulated in the TRM. Agencies are expected to adopt standards necessary to support the entire EA, which must be enforced consistently throughout the agency.
(iii) As part of the Standards Profile, agencies must create a Security Standards Profile that is specific to the security services specified in the EA and covers such services as identification, authentication, and non-repudiation; audit trail creation and analysis; access controls; cryptography management; virus protection; fraud prevention; detection and mitigation; and intrusion prevention and detection.
(3) How Will Agencies Ensure Security in Information Systems?
(ii) Apply OMB policies and, for non-national security applications, NIST guidance to achieve adequate security commensurate with the level of risk and magnitude of harm;
(ii) Demonstrate that the costs of security controls are understood and are explicitly incorporated into the life-cycle planning of the overall system in a manner consistent with OMB guidance for capital programming;
(iii) Incorporate a security plan that complies with Appendix III of this Circular and in a manner that is consistent with NIST guidance on security planning;
(iv) Demonstrate specific methods used to ensure that risks and the potential for loss are understood and continually assessed, that steps are taken to maintain risk at an acceptable level, and that procedures are in place to ensure that controls are implemented effectively and remain effective over time;
(v) Demonstrate specific methods used to ensure that the security controls are commensurate with the risk and magnitude of harm that may result from the loss, misuse, or unauthorized access to or modification of the system itself or the information it manages;
(vi) Identify additional security controls that are necessary to minimize risk to and potential loss from those systems that promote or permit public access, other externally accessible systems, and those systems that are interconnected with systems over which program officials have little or no control;
(vii) Deploy effective security controls and authentication tools consistent with the protection of privacy, such as public-key based digital signatures, for those systems that promote or permit public access;
(viii) Ensure that the handling of personal information is consistent with relevant government-wide and agency policies;
(ix) Describe each occasion the agency decides to employ standards and guidance that are more stringent than those promulgated by NIST to ensure the use of risk-based cost-effective security controls for non-national security applications;
(b) Structure major information systems into useful segments with a narrow scope and brief duration. This should reduce risk, promote flexibility and interoperability, increase accountability, and better match mission need with current technology and market conditions;
(c) Acquire off-the-shelf software from commercial sources, unless the cost effectiveness of developing custom software is clear and has been documented through pilot projects or prototypes; and
(d) Ensure accessibility of acquired information technology pursuant to the Rehabilitation Act of 1973, as amended (Pub. Law 105-220, 29 U.S.C.794d).
6. Section 9a is revised to read as follows:
(b) Advise the agency head on information resource implications of strategic planning decisions;
(c) Advise the agency head on the design, development, and implementation of information resources.
(ii) Advise the agency head on budgetary implications of information resource decisions; and
(d) Be an active participant throughout the annual agency budget process in establishing investment priorities for agency information resources;
(b) promotes a coordinated, interoperable, secure, and shared government wide infrastructure that is provided and supported by a diversity of private sector suppliers; and
(c) develops a well-trained corps of information resource professionals.
7. Section 9b is revised to read as follows:
8. Section 9c is revised by revising subparagraph 1, as follows:
9. Section 9e is revised to read as follows:
10. Section 9h is revised by deleting subparagraph (10), renumbering subparagraphs (11) and (12) as (10) and (11), and adding the following new subparagraphs:
11. Appendix II to Circular A-130, which was formerly reserved, now incorporates OMB's guidance on the Government Paperwork Elimination Act (OMB Memorandum M-00-10; April 25, 2000); published at 65 FR 25508-21 (May 2, 2000).
12. Appendix IV of Circular A-130, is revised by revising section 1 and 2, and by adding supplemental discussions regarding Section 8(a)(5), 8(b), 9(a)(3), and 9(a)(4) of the Circular, as follows:
1. Purpose
2. Background
3. Analysis
Section 8b. Information Systems and Information Technology Management
Section 8b(1). Capital planning and investment control.
What is the capital planning and investment control process?
What will happen if I don't maintain an IT Capital Plan?
As part of the agency IT Capital Plan, do I need to report on both development, modernization and enhancement (DME) as well as Steady State investments?
As part of the portfolio view of the agency IT Capital Plan, do I only need to report on major investments?
Where can I get more information about return on investment (ROI)?
Why do agencies need to conduct a Benefit-Cost Analysis?
How will portfolio management aid in the selection of investments?
Is there a preferred model for information life cycles?
Why are post-implementation reviews necessary?
Section 8b(2). Enterprise Architectures.
How will the EA guide the agency?
Where can I get more information describing the EA?
What is an open systems environment?
What Enterprise Architecture issues must an agency consider that have government-wide or multiple agency implications?
Where can I get more information on Federal EA efforts?
Section 8b(3) Securing Agency Information Systems
How should agencies incorporate security into management of information resources?
Ultimately, who determines the acceptable level of security for a system?
Section 8b(4) Acquiring Information Technology
What should agencies consider before acquiring a COTS solution?
Section 9a(3). Chief Information Officer (CIO).
To whom does the CIO report?
What is the CIO's role in the capital planning process?
What is the CIO's role in the annual budget process?
Section 9a(4).
Why is the CIO considered an Ombudsman?
The Budget Legislative Information Management Reform/GPRA Grants Management Financial Management Procurement Policy Information & Regulatory Policy Contact the White House Web Master