CIRCULAR NO. A-130 Revised
Transmittal Memorandum No. 4 (November 28, 2000)
MEMORANDUM FOR HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES
SUBJECT: Management of Federal Information Resources
Appendix I, Federal Agency Responsibilities for Maintaining Records About Individuals
Appendix II, Implementation of the Government Paperwork Elimination Act
Appendix III, Security of Federal Automated Information Resources
Appendix IV, Analysis of Key Sections
1. Purpose: This Circular establishes policy for the management of Federal information resources. OMB includes procedural and analytic guidelines for implementing specific aspects of these policies as appendices.
2. Rescissions: This Circular rescinds OMB Memoranda M-96-20, "Implementation of the Information Technology Management Reform Act of 1996;" M-97-02, "Funding Information Systems Investments;" M-97-09, "Interagency Support for Information Technology;" M-97-15, "Local Telecommunications Services Policy;" M-97-16, "Information Technology Architectures".
3. Authorities: OMB issues this Circular pursuant to the Paperwork Reduction Act (PRA) of 1980, as amended by the Paperwork Reduction Act of 1995 (44 U.S.C. Chapter 35); the Clinger-Cohen Act (also known as the "Information Technology Management Reform Act of 1996") (Pub. L. 104-106, Division E); the Privacy Act, as amended (5 U.S.C. 552a); the Chief Financial Officers Act (31 U.S.C. 3512 et seq.); the Federal Property and Administrative Services Act, as amended (40 U.S.C. 487); the Computer Security Act of 1987 (Pub. L. 100-235); the Budget and Accounting Act, as amended (31 U.S.C. Chapter 11); the Government Performance and Results Act of 1993 (GPRA); the Office of Federal Procurement Policy Act (41 U.S.C. Chapter 7); the Government Paperwork Elimination Act of 1998 (Pub. L. 105-277, Title XVII); Executive Order No. 12046 of March 27, 1978; Executive Order No. 12472 of April 3, 1984; and Executive Order No. 13011 of July 17, 1996.
4. Applicability:
a. The policies in this Circular apply to the information activities of all agencies of the executive branch of the Federal government.
b. Information classified for national security purposes should also be handled in accordance with the appropriate national security directives. National security emergency preparedness activities should be conducted in accordance with Executive Order No. 12472.
5. Background: The Clinger-Cohen Act supplements the information resources management policies contained in the PRA by establishing a comprehensive approach for executive agencies to improve the acquisition and management of their information resources, by:
focusing information resource planning to support their strategic missions;
implementing a capital planning and investment control process that links to budget formulation and execution; and
rethinking and restructuring the way they do their work before investing in information systems.
The PRA establishes a broad mandate for agencies to perform their information resources management activities in an efficient, effective, and economical manner. To assist agencies in an integrated approach to information resources management, the PRA requires that the Director of OMB develop and implement uniform and consistent information resources management policies; oversee the development and promote the use of information management principles, standards, and guidelines; evaluate agency information resources management practices in order to determine their adequacy and efficiency; and determine compliance of such practices with the policies, principles, standards, and guidelines promulgated by the Director.
6. Definitions:
The term "agency" means any executive department, military department, government corporation, government controlled corporation, or other establishment in the executive branch of the Federal government, or any independent regulatory agency. Within the Executive Office of the President, the term includes only OMB and the Office of Administration.
The term "audiovisual production" means a unified presentation, developed according to a plan or script, containing visual imagery, sound or both, and used to convey information.
The term "capital planning and investment control process" means a management process for ongoing identification, selection, control, and evaluation of investments in information resources. The process links budget formulation and execution, and is focused on agency missions and achieving specific program outcomes.
The term "Chief Information Officers Council" (CIO Council) means the Council established in Section 3 of Executive Order 13011.
The term "dissemination" means the government initiated distribution of information to the public. Not considered dissemination within the meaning of this Circular is distribution limited to government employees or agency contractors or grantees, intra- or inter-agency use or sharing of government information, and responses to requests for agency records under the Freedom of Information Act (5 U.S.C. 552) or the Privacy Act.
The term "executive agency" has the meaning defined in section 4(1) of the Office of Federal Procurement Policy Act (41 U.S.C. 403(1)).
The term "full costs," when applied to the expenses incurred in the operation of an information processing service organization (IPSO), is comprised of all direct, indirect, general, and administrative costs incurred in the operation of an IPSO. These costs include, but are not limited to, personnel, equipment, software, supplies, contracted services from private sector providers, space occupancy, intra-agency services from within the agency, inter-agency services from other Federal agencies, other services that are provided by State and local governments, and Judicial and Legislative branch organizations.
The term "government information" means information created, collected, processed, disseminated, or disposed of by or for the Federal Government.
The term "government publication" means information which is published as an individual document at government expense, or as required by law. (44 U.S.C. 1901)
The term "information" means any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual forms.
The term "information dissemination product" means any book, paper, map, machine-readable material, audiovisual production, or other documentary material, regardless of physical form or characteristic, disseminated by an agency to the public.
The term "information life cycle" means the stages through which information passes, typically characterized as creation or collection, processing, dissemination, use, storage, and disposition.
The term "information management" means the planning, budgeting, manipulating, and controlling of information throughout its life cycle.
The term "information resources" includes both government information and information technology.
The term "information processing services organization" (IPSO) means a discrete set of personnel, information technology, and support equipment with the primary function of providing services to more than one agency on a reimbursable basis.
The term "information resources management" means the process of managing information resources to accomplish agency missions. The term encompasses both information itself and the related resources, such as personnel, equipment, funds, and information technology.
The term "information system" means a discrete set of information resources organized for the collection, processing, maintenance, transmission, and dissemination of information, in accordance with defined procedures, whether automated or manual.
The term "information system life cycle" means the phases through which an information system passes, typically characterized as initiation, development, operation, and termination.
The term "information technology" means any equipment or interconnected system or subsystem of equipment, that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by an executive agency. For purposes of the preceding sentence, equipment is used by an executive agency if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency which (i) requires the use of such equipment, or (ii) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The term "information technology" includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources. The term "information technology" does not include any equipment that is acquired by a Federal contractor incidental to a Federal contract. The term "information technology" does not include national security systems as defined in the Clinger-Cohen Act of 1996 (40 U.S.C. 1452).
The term "Information Technology Resources Board" (Resources Board) means the board established by Section 5 of Executive Order 13011.
The term "major information system" means an information system that requires special management attention because of its importance to an agency mission; its high development, operating, or maintenance costs; or its significant role in the administration of agency programs, finances, property, or other resources.
The term "national security system" means any telecommunications or information system operated by the United States Government, the function, operation, or use of which (1) involves intelligence activities; (2) involves cryptologic activities related to national security; (3) involves command and control of military forces; (4) involves equipment that is an integral part of a weapon or weapons system; or (5) is critical to the direct fulfillment of military or intelligence missions, but excluding any system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications). The policies and procedures established in this Circular will apply to national security systems in a manner consistent with the applicability and related limitations regarding such systems set out in Section 5141 of the Clinger-Cohen Act (Pub. L. 104-106, 40 U.S.C. 1451). Applicability of the Clinger-Cohen Act to national security systems shall include the budget document preparation requirements set forth in OMB Circular A-11. The resultant budget document may be classified in accordance with the provisions of Executive Order 12958.
The term "records" means all books, papers, maps, photographs, machine-readable materials, or other documentary materials, regardless of physical form or characteristics, made or received by an agency of the United States Government under Federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations, or other activities of the government or because of the informational value of the data in them. Library and museum material made or acquired and preserved solely for reference or exhibition purposes, extra copies of documents preserved only for convenience of reference, and stocks of publications and of processed documents are not included. (44 U.S.C. 3301)
The term "records management" means the planning, controlling, directing, organizing, training, promoting, and other managerial activities involved with respect to records creation, records maintenance and use, and records disposition in order to achieve adequate and proper documentation of the policies and transactions of the Federal Government and effective and economical management of agency operations. (44 U.S.C. 2901(2))
The term "service recipient" means an agency organizational unit, programmatic entity, or chargeable account that receives information processing services from an information processing service organization (IPSO). A service recipient may be either internal or external to the organization responsible for providing information resources services, but normally does not report either to the manager or director of the IPSO or to the same immediate supervisor.
7. Basic Considerations and Assumptions:
The Federal Government is the largest single producer, collector, consumer, and disseminator of information in the United States. Because of the extent of the government's information activities, and the dependence of those activities upon public cooperation, the management of Federal information resources is an issue of continuing importance to all Federal agencies, State and local governments, and the public.
Government information is a valuable national resource. It provides the public with knowledge of the government, society, and economy -- past, present, and future. It is a means to ensure the accountability of government, to manage the government's operations, to maintain the healthy performance of the economy, and is itself a commodity in the marketplace.
The free flow of information between the government and the public is essential to a democratic society. It is also essential that the government minimize the Federal paperwork burden on the public, minimize the cost of its information activities, and maximize the usefulness of government information.
In order to minimize the cost and maximize the usefulness of government information, the expected public and private benefits derived from government information should exceed the public and private costs of the information, recognizing that the benefits to be derived from government information may not always be quantifiable.
The nation can benefit from government information disseminated both by Federal agencies and by diverse nonfederal parties, including State and local government agencies, educational and other not-for-profit institutions, and for-profit organizations.
Because the public disclosure of government information is essential to the operation of a democracy, the management of Federal information resources should protect the public's right of access to government information.
The individual's right to privacy must be protected in Federal Government information activities involving personal information.
Systematic attention to the management of government records is an essential component of sound public resources management which ensures public accountability. Together with records preservation, it protects the government's historical record and guards the legal and financial rights of the government and the public.
Strategic planning improves the operation of government programs. The agency strategic plan will shape the redesign of work processes and guide the development and maintenance of an Enterprise Architecture and a capital planning and investment control process. This management approach promotes the appropriate application of Federal information resources.
Because State and local governments are important producers of government information for many areas such as health, social welfare, labor, transportation, and education, the Federal Government must cooperate with these governments in the management of information resources.
The open and efficient exchange of scientific and technical government information, subject to applicable national security controls and the proprietary rights of others, fosters excellence in scientific research and effective use of Federal research and development funds.
Information technology is not an end in itself. It is one set of resources that can improve the effectiveness and efficiency of Federal program delivery.
Federal Government information resources management policies and activities can affect, and be affected by, the information policies and activities of other nations.
Users of Federal information resources must have skills, knowledge, and training to manage information resources, enabling the Federal government to effectively serve the public through automated means.
The application of up-to-date information technology presents opportunities to promote fundamental changes in agency structures, work processes, and ways of interacting with the public that improve the effectiveness and efficiency of Federal agencies.
The availability of government information in diverse media, including electronic formats, permits agencies and the public greater flexibility in using the information.
Federal managers with program delivery responsibilities should recognize the importance of information resources management to mission performance.
The Chief Information Officers Council and the Information Technology Resources Board will help in the development and operation of interagency and interoperable shared information resources to support the performance of government missions.
8. Policy:
Information Management Policy
How will agencies conduct Information Management Planning?
Agencies must plan in an integrated manner for managing information throughout its life cycle. Agencies will:
(a) Consider, at each stage of the information life cycle, the effects of decisions and actions on other stages of the life cycle, particularly those concerning information dissemination;
(b) Consider the effects of their actions on members of the public and ensure consultation with the public as appropriate;
(c) Consider the effects of their actions on State and local governments and ensure consultation with those governments as appropriate;
(d) Seek to satisfy new information needs through interagency or intergovernmental sharing of information, or through commercial sources, where appropriate, before creating or collecting new information;
(e) Integrate planning for information systems with plans for resource allocation and use, including budgeting, acquisition, and use of information technology;
(f) Train personnel in skills appropriate to management of information;
(g) Protect government information commensurate with the risk and magnitude of harm that could result from the loss, misuse, or unauthorized access to or modification of such information;
(h) Use voluntary standards and Federal Information Processing Standards where appropriate or required;
(i) Consider the effects of their actions on the privacy rights of individuals, and ensure that appropriate legal and technical safeguards are implemented;
(j) Record, preserve, and make accessible sufficient information to ensure the management and accountability of agency programs, and to protect the legal and financial rights of the Federal Government;
(k) Incorporate records management and archival functions into the design, development, and implementation of information systems; and
(l) Provide for public access to records where required or appropriate.
What are the guidelines for Information Collection?
Agencies must collect or create only that information necessary for the proper performance of agency functions and which has practical utility.
What are the guidelines for Electronic Information Collection?
Executive agencies under Sections 1703 and 1705 of the Government Paperwork Elimination Act (GPEA), Pub. L. 105-277, Title XVII, are required to provide, by October 21, 2003, (1) the option of the electronic maintenance, submission, or disclosure of information, when practicable, as a substitute for paper; and (2) the use and acceptance of electronic signatures, when practicable. Agencies will follow the provisions in OMB Memorandum M-00-10, "Procedures and Guidance on Implementing the Government Paperwork Elimination Act."
How must agencies implement Records Management?
Agencies will:
(a) Ensure that records management programs provide adequate and proper documentation of agency activities;
(b) Ensure the ability to access records regardless of form or medium;
(c) In a timely fashion, establish, and obtain the approval of the Archivist of the United States for, retention schedules for Federal records; and
(d) Provide training and guidance as appropriate to all agency officials and employees and contractors regarding their Federal records management responsibilities.
How must an agency provide information to the public?
Agencies have a responsibility to provide information to the public consistent with their missions. Agencies will discharge this responsibility by:
(a) Providing information, as required by law, describing agency organization, activities, programs, meetings, systems of records, and other information holdings, and how the public may gain access to agency information resources;
(b) Providing access to agency records under provisions of the Freedom of Information Act and the Privacy Act, subject to the protections and limitations provided for in these Acts;
(c) Providing such other information as is necessary or appropriate for the proper performance of agency functions; and
(d) In determining whether and how to disseminate information to the public, agencies will:
(i) Disseminate information in a manner that achieves the best balance between the goals of maximizing the usefulness of the information and minimizing the cost to the government and the public;
(ii) Disseminate information dissemination products on equitable and timely terms;
(iii) Take advantage of all dissemination channels, Federal and nonfederal, including State and local governments, libraries and private sector entities, in discharging agency information dissemination responsibilities;
(iv) Help the public locate government information maintained by or for the agency.
What is an Information Dissemination Management System?
Agencies will maintain and implement a management system for all information dissemination products which must, at a minimum:
(a) Assure that information dissemination products are necessary for proper performance of agency functions (44 U.S.C. 1108);
(b) Consider whether an information dissemination product available from other Federal or nonfederal sources is equivalent to an agency information dissemination product and reasonably fulfills the dissemination responsibilities of the agency;
(c) Establish and maintain inventories of all agency information dissemination products;
(d) Develop such other aids to locating agency information dissemination products, including catalogs and directories, as may reasonably achieve agency information dissemination objectives;
(e) Identify in information dissemination products the source of the information, if from another agency;
(f) Ensure that members of the public with disabilities whom the agency has a responsibility to inform have a reasonable ability to access the information dissemination products;
(g) Ensure that government publications are made available to depository libraries through the facilities of the Government Printing Office, as required by law (44 U.S.C. Part 19);
(h) Provide electronic information dissemination products to the Government Printing Office for distribution to depository libraries;
(i) Establish and maintain communications with members of the public and with State and local governments so that the agency creates information dissemination products that meet their respective needs;
(j) Provide adequate notice when initiating, substantially modifying, or terminating significant information dissemination products; and
(k) Ensure that, to the extent existing information dissemination policies or practices are inconsistent with the requirements of this Circular, a prompt and orderly transition to compliance with the requirements of this Circular is made.
How must agencies avoid improperly restrictive practices?
Agencies will:
(a) Avoid establishing, or permitting others to establish on their behalf, exclusive, restricted, or other distribution arrangements that interfere with the availability of information dissemination products on a timely and equitable basis;
(b) Avoid establishing restrictions or regulations, including the charging of fees or royalties, on the reuse, resale, or redissemination of Federal information dissemination products by the public; and
(c) Set user charges for information dissemination products at a level sufficient to recover the cost of dissemination but no higher. They must exclude from calculation of the charges costs associated with original collection and processing of the information. Exceptions to this policy are:
(i) Where statutory requirements are at variance with the policy;
(ii) Where the agency collects, processes, and disseminates the information for the benefit of a specific identifiable group beyond the benefit to the general public;
(iii) Where the agency plans to establish user charges at less than the cost of dissemination because of a determination that higher charges would constitute a significant barrier to properly performing the agency's functions, including reaching members of the public whom the agency has a responsibility to inform; or
(iv) Where the Director of OMB determines an exception is warranted.
How will agencies carry out electronic information dissemination?
Agencies will use electronic media and formats, including public networks, as appropriate and within budgetary constraints, in order to make government information more easily accessible and useful to the public. The use of electronic media and formats for information dissemination is appropriate under the following conditions:
(a) The agency develops and maintains the information electronically;
(b) Electronic media or formats are practical and cost effective ways to provide public access to a large, highly detailed volume of information;
(c) The agency disseminates the product frequently;
(d) The agency knows a substantial portion of users have ready access to the necessary information technology and training to use electronic information dissemination products;
(e) A change to electronic dissemination, as the sole means of disseminating the product, will not impose substantial acquisition or training costs on users, especially State and local governments and small business entities.
What safeguards must agencies follow?
Agencies will:
(a) Ensure that information is protected commensurate with the risk and magnitude of the harm that would result from the loss, misuse, or unauthorized access to or modification of such information;
(b) Limit the collection of information which identifies individuals to that which is legally authorized and necessary for the proper performance of agency functions;
(c) Limit the sharing of information that identifies individuals or contains proprietary information to that which is legally authorized, and impose appropriate conditions on use where a continuing obligation to ensure the confidentiality of the information exists; and
(d) Provide individuals, upon request, access to records about them maintained in Privacy Act systems of records, and permit them to amend such records as are in error consistent with the provisions of the Privacy Act.
How will agencies manage Information Systems and Information Technology?
(1) How will agencies use the capital planning and investment control process?
Agencies must establish and maintain a capital planning and investment control process that links mission needs, information, and information technology in an effective and efficient manner. The process will guide both strategic and operational IRM and IT planning, and the Enterprise Architecture, by integrating the agency's IRM plans, strategic and performance plans prepared pursuant to the Government Performance and Results Act of 1993, financial management plans prepared pursuant to the Chief Financial Officers Act of 1990 (31 U.S.C. 902(a)(5)), acquisition under the Federal Acquisition Streamlining Act of 1994, and the agency's budget formulation and execution processes. The capital planning and investment control process includes all stages of capital programming, including planning, budgeting, procurement, management, and assessment.
As outlined below, the capital planning and investment control process has three components: selection, control, and evaluation. The process must be iterative, with inputs coming from all of the agency plans and the outputs feeding into the budget and investment control processes. The goal is to link resources to results (for further guidance on Capital Planning refer to OMB Circular A-11). The agency's capital planning and investment control process must build from the agency's current Enterprise Architecture (EA) and its transition from current architecture to target architecture. The Capital Planning and Investment Control processes must be documented, and provided to OMB consistent with the budget process. The Enterprise Architecture must be documented and provided to OMB as significant changes are incorporated.
(a) What plans are associated with the capital planning and investment control process?
In the capital planning and investment control process, there are two separate and distinct plans that address IRM and IT planning requirements for the agency. The IRM Strategic Plan is strategic in nature and addresses all information resources management of the agency. Agencies must develop and maintain the agency Information Resources Management (IRM) Strategic Plan as required by 44 U.S.C. 3506(b)(2). IRM Strategic Plans should support the agency Strategic Plan required in OMB Circular A-11, provide a description of how information resources management activities help accomplish agency missions, and ensure that IRM decisions are integrated with organizational planning, budget, procurement, financial management, human resources management, and program decisions.
The IT Capital Plan is operational in nature, supports the goals and missions identified in the IRM Strategic Plan, is a living document, and must be updated twice yearly. This IT Capital Plan is the implementation plan for the budget year. The IT Capital Plan should also reflect the goals of the agency's Annual Performance Plan, the agency's Government Paperwork Elimination Act (GPEA) Plan, the agency's EA, and the agency's business planning processes. The IT Capital Plan must be submitted annually to OMB with the agency budget submission. The IT Capital Plan must include the following components:
(i) A component, derived from the agency's capital planning and investment control process under OMB Circular A-11, Section 300 and the OMB Capital Programming Guide, that specifically includes all IT Capital Asset Plans for major information systems or projects. This component must also demonstrate how the agency manages its other IT investments, as required by the Clinger-Cohen Act.
(ii) A component that addresses two other sections of OMB Circular A-11: a section for Information on Financial Management, including the Report on Financial Management Activities and the Agency's Financial Management Plan, and a section entitled Information Technology, including the Agency IT Investment Portfolio.
(iii) A component, derived from the agency's capital planning and investment control process, that demonstrates the criteria it will use to select the investments into the portfolio, how it will control and manage the investments, and how it will evaluate the investments based on planned performance versus actual accomplishments.
(iv) A component that includes a summary of the security plan from the agency's five-year plan as required by the PRA and Appendix III of this Circular. The plan must demonstrate that IT projects and the EA include security controls for components, applications, and systems that are consistent with the agency's Enterprise Architecture; include a plan to manage risk; protect privacy and confidentiality; and explain any planned or actual variance from National Institute of Standards and Technology (NIST) security guidance.
(b) What must an agency do as part of the selection component of the capital planning process?
It must:
(i) Evaluate each investment in information resources to determine whether the investment will support core mission functions that must be performed by the Federal government;
(ii) Ensure that decisions to improve existing information systems or develop new information systems are initiated only when no alternative private sector or governmental source can efficiently meet the need;
(iii) Support work processes that it has simplified or otherwise redesigned to reduce costs, improve effectiveness, and make maximum use of commercial, off-the-shelf technology;
(iv) Reduce risk by avoiding or isolating custom designed components, using components that can be fully tested or prototyped prior to production, and ensuring involvement and support of users;
(v) Demonstrate a projected return on the investment that is clearly equal to or better than alternative uses of available public resources. The return may include improved mission performance in accordance with GPRA measures, reduced cost, increased quality, speed, or flexibility; as well as increased customer and employee satisfaction. The return should reflect such risk factors as the project's technical complexity, the agency's management capacity, the likelihood of cost overruns, and the consequences of under- or non-performance. Return on investment should, where appropriate, reflect actual returns observed through pilot projects and prototypes;
(vi) Prepare and update a benefit-cost analysis (BCA) for each information system throughout its life cycle. A BCA will provide a level of detail proportionate to the size of the investment, rely on systematic measures of mission performance, and be consistent with the methodology described in OMB Circular No. A-94, "Guidelines and Discount Rates for Benefit-Cost Analysis of Federal Programs";
(vii) Prepare and maintain a portfolio of major information systems that monitors investments and prevents redundancy of existing or shared IT capabilities. The portfolio will provide information demonstrating the impact of alternative IT investment strategies and funding levels, identify opportunities for sharing resources, and consider the agency's inventory of information resources;
(viii) Ensure consistency with Federal, agency, and bureau Enterprise Architectures, demonstrating such consistency through compliance with agency business requirements and standards, as well as identification of milestones, as defined in the EA;
(ix) Ensure that improvements to existing information systems and the development of planned information systems do not unnecessarily duplicate IT capabilities within the same agency, from other agencies, or from the private sector;
(x) Ensure that the selected system or process maximizes the usefulness of information, minimizes the burden on the public, and preserves the appropriate integrity, usability, availability, and confidentiality of information throughout the life cycle of the information, as determined in accordance with the PRA and the Federal Records Act. This portion must specifically address the planning and budgeting for the information collection burden imposed on the public as defined by 5 CFR 1320;
(xi) Establish oversight mechanisms, consistent with Appendix III of this Circular, to evaluate systematically and ensure the continuing security, interoperability, and availability of systems and their data;
(xii) Ensure that Federal information system requirements do not unnecessarily restrict the prerogatives of state, local, and tribal governments;
(xiii) Ensure that the selected system or process facilitates accessibility under the Rehabilitation Act of 1973, as amended.
(c) What must an agency do as part of the control component of the capital planning process?
It must:
(i) Institute performance measures and management processes that monitor actual performance compared to expected results. Agencies must use a performance-based management system that provides timely information regarding the progress of an information technology investment. The system must also measure progress towards milestones on an independently verifiable basis, in terms of cost, capability of the investment to meet specified requirements, timeliness, and quality;
(ii) Establish oversight mechanisms that require periodic review of information systems to determine how mission requirements might have changed, and whether the information system continues to fulfill ongoing and anticipated mission requirements. These mechanisms must also require information regarding the future levels of performance, interoperability, and maintenance necessary to ensure the information system meets mission requirements cost effectively;
(iii) Ensure that major information systems proceed in a timely fashion towards agreed-upon milestones in an information system life cycle. Information systems must also continue to deliver intended benefits to the agency and customers, meet user requirements, and identify and offer security protections;
(iv) Prepare and update a strategy that identifies and mitigates risks associated with each information system;
(iv) Ensure that financial management systems conform to the requirements of OMB Circular No. A-127, "Financial Management Systems;"
(v) Provide for the appropriate management and disposition of records in accordance with the Federal Records Act.
(vi) Ensure that agency EA procedures are being followed. This includes ensuring that EA milestones are reached and documentation is updated as needed.
(d) What must an agency do as part of the evaluation component of the capital planning process?
It must:
(i) Conduct post-implementation reviews of information systems and information resource management processes to validate estimated benefits and costs, and document effective management practices for broader use;
(ii) Evaluate systems to ensure positive return on investment and decide whether continuation, modification, or termination of the systems is necessary to meet agency mission requirements.
(iii) Document lessons learned from the post-implementation reviews. Redesign oversight mechanisms and performance levels to incorporate acquired knowledge.
(iv) Re-assess an investment's business case, technical compliance, and compliance against the EA.
(v) Update the EA and IT capital planning processes as needed.
(2) The Enterprise Architecture
Agencies must document and submit their initial EA to OMB. Agencies must submit updates when significant changes to the Enterprise Architecture occur.
(a) What is the Enterprise Architecture?
An EA is the explicit description and documentation of the current and desired relationships among business and management processes and information technology. It describes the "current architecture" and "target architecture" to include the rules and standards and systems life cycle information to optimize and maintain the environment which the agency wishes to create and maintain by managing its IT portfolio. The EA must also provide a strategy that will enable the agency to support its current state and also act as the roadmap for transition to its target environment. These transition processes will include an agency's capital planning and investment control processes, agency EA planning processes, and agency systems life cycle methodologies. The EA will define principles and goals and set direction on such issues as the promotion of interoperability, open systems, public access, compliance with GPEA, end user satisfaction, and IT security. The agency must support the EA with a complete inventory of agency information resources, including personnel, equipment, and funds devoted to information resources management and information technology, at an appropriate level of detail. Agencies must implement the EA consistent with the following principles:
(i) Develop information systems that facilitate interoperability, application portability, and scalability of electronic applications across networks of heterogeneous hardware, software, and telecommunications platforms;
(ii) Meet information technology needs through cost effective intra-agency and interagency sharing, before acquiring new information technology resources; and
(iii) Establish a level of security for all information systems that is commensurate to the risk and magnitude of the harm resulting from the loss, misuse, unauthorized access to, or modification of the information stored or flowing through these systems.
(b) How do agencies create and maintain the EA?
As part of the EA effort, agencies must use or create an Enterprise Architecture Framework. The Framework must document linkages between mission needs, information content, and information technology capabilities. The Framework must also guide both strategic and operational IRM planning.
Once a framework is established, an agency must create the EA. In the creation of an EA, agencies must identify and document:
(i) Business Processes - Agencies must identify the work performed to support its mission, vision and performance goals. Agencies must also document change agents, such as legislation or new technologies that will drive changes in the EA.
(ii) Information Flow and Relationships - Agencies must analyze the information utilized by the agency in its business processes, identifying the information used and the movement of the information. These information flows indicate where the information is needed and how the information is shared to support mission functions.
(iii) Applications - Agencies must identify, define, and organize the activities that capture, manipulate, and manage the business information to support business processes. The EA also describes the logical dependencies and relationships among business activities.
(iv) Data Descriptions and Relationships - Agencies must identify how data is created, maintained, accessed, and used. At a high level, agencies must define the data and describe the relationships among data elements used in the agency's information systems.
(v) Technology Infrastructure - Agencies must describe and identify the functional characteristics, capabilities, and interconnections of the hardware, software, and telecommunications.
(c) What are the Technical Reference Model and Standards Profile?
The EA must also include a Technical Reference Model (TRM) and Standards Profile.
(i) The TRM identifies and describes the information services (such as database, communications, intranet, etc.) used throughout the agency.
(ii) The Standards Profile defines the set of IT standards that support the services articulated in the TRM. Agencies are expected to adopt standards necessary to support the entire EA, which must be enforced consistently throughout the agency.
(iii) As part of the Standards Profile, agencies must create a Security Standards Profile that is specific to the security services specified in the EA and covers such services as identification, authentication, and non-repudiation; audit trail creation and analysis; access controls; cryptography management; virus protection; fraud prevention; detection and mitigation; and intrusion prevention and detection.
(3) How Will Agencies Ensure Security in Information Systems?
Agencies must incorporate security into the architecture of their information and systems to ensure that security supports agency business operations and that plans to fund and manage security are built into life-cycle budgets for information systems.
(a) To support more effective agency implementation of both agency computer security and critical infrastructure protection programs, agencies must implement the following:
(i) Prioritize key systems (including those that are most critical to agency operations);
(ii) Apply OMB policies and, for non-national security applications, NIST guidance to achieve adequate security commensurate with the level of risk and magnitude of harm;
(b) Agencies must make security's role explicit in information technology investments and capital programming. Investments in the development of new or the continued operation of existing information systems, both general support systems and major applications, must:
(i) Demonstrate that the security controls for components, applications, and systems are consistent with, and an integral part of, the EA of the agency;
(ii) Demonstrate that the costs of security controls are understood and are explicitly incorporated into the life-cycle planning of the overall system in a manner consistent with OMB guidance for capital programming;
(iii) Incorporate a security plan that complies with Appendix III of this Circular and in a manner that is consistent with NIST guidance on security planning;
(iv) Demonstrate specific methods used to ensure that risks and the potential for loss are understood and continually assessed, that steps are taken to maintain risk at an acceptable level, and that procedures are in place to ensure that controls are implemented effectively and remain effective over time;
(v) Demonstrate specific methods used to ensure that the security controls are commensurate with the risk and magnitude of harm that may result from the loss, misuse, or unauthorized access to or modification of the system itself or the information it manages;
(vi) Identify additional security controls that are necessary to minimize risk to and potential loss from those systems that promote or permit public access, other externally accessible systems, and those systems that are interconnected with systems over which program officials have little or no control;
(vii) Deploy effective security controls and authentication tools consistent with the protection of privacy, such as public-key based digital signatures, for those systems that promote or permit public access;
(viii) Ensure that the handling of personal information is consistent with relevant government-wide and agency policies;
(ix) Describe each occasion the agency decides to employ standards and guidance that are more stringent than those promulgated by NIST to ensure the use of risk-based cost-effective security controls for non-national security applications;
(c) OMB will consider for new or continued funding only those system investments that satisfy these criteria. New information technology investments must demonstrate that existing agency systems also meet these criteria in order to qualify for funding.
(4) How Will Agencies Acquire Information Technology?
Agencies must:
(a) Make use of adequate competition, allocate risk between government and contractor, and maximize return on investment when acquiring information technology;
(b) Structure major information systems into useful segments with a narrow scope and brief duration. This should reduce risk, promote flexibility and interoperability, increase accountability, and better match mission need with current technology and market conditions;
(c) Acquire off-the-shelf software from commercial sources, unless the cost effectiveness of developing custom software is clear and has been documented through pilot projects or prototypes; and
(d) Ensure accessibility of acquired information technology pursuant to the Rehabilitation Act of 1973, as amended (Pub. Law 105-220, 29 U.S.C. 794d).
9. Assignment of Responsibilities:
All Federal Agencies. The head of each agency must:
Have primary responsibility for managing agency information resources;
Ensure that the agency implements appropriately all of the information policies, principles, standards, guidelines, rules, and regulations prescribed by OMB;
Appoint a Chief Information Officer, as required by 44 U.S.C. 3506(a), who must report directly to the agency head to carry out the responsibilities of the agencies listed in the Paperwork Reduction Act (44 U.S.C. 3506), the Clinger Cohen Act (40 U.S.C. 1425(b) & (c)), as well as Executive Order 13011. The head of the agency must consult with the Director of OMB prior to appointing a Chief Information Officer, and will advise the Director on matters regarding the authority, responsibilities, and organizational resources of the Chief Information Officer. For purposes of this paragraph, military departments and the Office of the Secretary of Defense may each appoint one official. The Chief Information Officer must, among other things:
(a) Be an active participant during all agency strategic management activities, including the development, implementation, and maintenance of agency strategic and operational plans;
(b) Advise the agency head on information resource implications of strategic planning decisions;
(c) Advise the agency head on the design, development, and implementation of information resources.
(i) Monitor and evaluate the performance of information resource investments through a capital planning and investment control process, and advise the agency head on whether to continue, modify, or terminate a program or project;
(ii) Advise the agency head on budgetary implications of information resource decisions; and
(d) Be an active participant throughout the annual agency budget process in establishing investment priorities for agency information resources;
Direct the Chief Information Officer to monitor agency compliance with the policies, procedures, and guidance in this Circular. Acting as an ombudsman, the Chief Information Officer must consider alleged instances of agency failure to comply with this Circular, and recommend or take appropriate corrective action. The Chief Information Officer will report instances of alleged failure and their resolution annually to the Director of OMB, by February 1st of each year.
Develop internal agency information policies and procedures and oversee, evaluate, and otherwise periodically review agency information resources management activities for conformity with the policies set forth in this Circular;
Develop agency policies and procedures that provide for timely acquisition of required information technology;
Maintain the following, as required by the Paperwork Reduction Act (44 U.S.C. 3506(b)(4) and 3511) and the Freedom of Information Act (5 U.S.C. 552(g)): an inventory of the agency's major information systems, holdings, and dissemination products; an agency information locator service; a description of the agency's major information and record locator systems; an inventory of the agency's other information resources, such as personnel and funding (at the level of detail that the agency determines is most appropriate for its use in managing the agency's information resources); and a handbook for persons to obtain public information from the agency pursuant to these Acts.
Implement and enforce applicable records management policies and procedures, including requirements for archiving information maintained in electronic format, particularly in the planning, design and operation of information systems.
Identify to the Director of OMB any statutory, regulatory, and other impediments to efficient management of Federal information resources, and recommend to the Director legislation, policies, procedures, and other guidance to improve such management;
Assist OMB in the performance of its functions under the PRA, including making services, personnel, and facilities available to OMB for this purpose to the extent practicable;
Ensure that the agency:
(a) cooperates with other agencies in the use of information technology to improve the productivity, effectiveness, and efficiency of Federal programs;
(b) promotes a coordinated, interoperable, secure, and shared government wide infrastructure that is provided and supported by a diversity of private sector suppliers; and
(c) develops a well-trained corps of information resource professionals.
Use the guidance provided in OMB Circular A-11, "Planning, Budgeting, and Acquisition of Fixed Assets," to promote effective and efficient capital planning within the organization;
Ensure that the agency provides budget data pertaining to information resources to OMB, consistent with the requirements of OMB Circular A-11;
Ensure, to the extent reasonable, that in the design of information systems with the purpose of disseminating information to the public, an index of information disseminated by the system will be included in the directory created by the Superintendent of Documents pursuant to 41 U.S.C. 4101. (Nothing in this paragraph authorizes the dissemination of information to the public unless otherwise authorized.)
Permit, to the extent practicable, the use of one agency's contract by another agency or the award of multi-agency contracts, provided the action is within the scope of the contract and consistent with OMB guidance; and
As designated by the Director of OMB, act as executive agent for the government-wide acquisition of information technology.
Department of State. The Secretary of State must:
Advise the Director of OMB on the development of United States positions and policies on international information policy and technology issues affecting Federal government activities and the development of international information technology standards; and
Be responsible for liaison, consultation, and negotiation with foreign governments and intergovernmental organizations on all matters related to information resources management, including federal information technology. The Secretary must also ensure, in consultation with the Secretary of Commerce, that the United States is represented in the development of international standards and recommendations affecting information technology. These responsibilities may also require the Secretary to consult, as appropriate, with affected domestic agencies, organizations, and other members of the public.
Department of Commerce. The Secretary of Commerce must:
Develop and issue Federal Information Processing Standards and guidelines necessary to ensure the efficient and effective acquisition, management, security, and use of information technology, while taking into consideration the recommendations of the agencies and the CIO Council;
Advise the Director of OMB on the development of policies relating to the procurement and management of Federal telecommunications resources;
Provide OMB and the agencies with scientific and technical advisory services relating to the development and use of information technology;
Conduct studies and evaluations concerning telecommunications technology, and concerning the improvement, expansion, testing, operation, and use of Federal telecommunications systems, and advise the Director of OMB and appropriate agencies of the recommendations that result from such studies;
Develop, in consultation with the Secretary of State and the Director of OMB, plans, policies, and programs relating to international telecommunications issues affecting government information activities;
Identify needs for standardization of telecommunications and information processing technology, and develop standards, in consultation with the Secretary of Defense and the Administrator of General Services, to ensure efficient application of such technology;
Ensure that the Federal Government is represented in the development of national and, in consultation with the Secretary of State, international information technology standards, and advise the Director of OMB on such activities.
Department of Defense. The Secretary of Defense will develop, in consultation with the Administrator of General Services, uniform Federal telecommunications standards and guidelines to ensure national security, emergency preparedness, and continuity of government.
General Services Administration. The Administrator of General Services must:
Continue to manage the FTS2001 program and coordinate the follow-up to that program, on behalf of and with the advice of agencies;
Develop, maintain, and disseminate for the use of the Federal community (as requested by OMB or the agencies) recommended methods and strategies for the development and acquisition of information technology;
Conduct and manage outreach programs in cooperation with agency managers;
Be a liaison on information resources management (including Federal information technology) with State and local governments. GSA must also be a liaison with non-governmental international organizations, subject to prior consultation with the Secretary of State to ensure consistency with the overall United States foreign policy objectives;
Support the activities of the Secretary of State for liaison, consultation, and negotiation with intergovernmental organizations on information resource management matters;
Provide support and assistance to the CIO Council and the Information Technology Resources Board.
Manage the Information Technology Fund in accordance with the Federal Property and Administrative Services Act, as amended;
Office of Personnel Management. The Director, Office of Personnel Management, will:
Develop and conduct training programs for Federal personnel on information resources management, including end-user computing;
Evaluate periodically future personnel management and staffing requirements for Federal information resources management;
Establish personnel security policies and develop training programs for Federal personnel associated with the design, operation, or maintenance of information systems.
National Archives and Records Administration. The Archivist of the United States will:
Administer the Federal records management program in accordance with the National Archives and Records Act;
Assist the Director of OMB in developing standards and guidelines relating to the records management program.
Office of Management and Budget. The Director of the Office of Management and Budget will:
Provide overall leadership and coordination of Federal information resources management within the executive branch;
Serve as the President's principal adviser on procurement and management of Federal telecommunications systems, and develop and establish policies for procurement and management of such systems;
Issue policies, procedures, and guidelines to assist agencies in achieving integrated, effective, and efficient information resources management;
Initiate and review proposals for changes in legislation, regulations, and agency procedures to improve Federal information resources management;
Review and approve or disapprove agency proposals for collection of information from the public, as defined by 5 CFR 1320.3;
Develop and maintain a Governmentwide strategic plan for information resources management.
Evaluate agencies' information resources management and identify cross-cutting information policy issues through the review of agency information programs, information collection budgets, information technology acquisition plans, fiscal budgets, and by other means;
Provide policy oversight for the Federal records management function conducted by the National Archives and Records Administration, coordinate records management policies and programs with other information activities, and review compliance by agencies with records management requirements;
Review agencies' policies, practices, and programs pertaining to the security, protection, sharing, and disclosure of information, in order to ensure compliance, with respect to privacy and security, with the Privacy Act, the Freedom of Information Act, the Computer Security Act, the GPEA, and related statutes;
Review proposed U.S. Government Position and Policy statements on international issues affecting Federal Government information activities, and advise the Secretary of State as to their consistency with Federal information resources management policy.
Coordinate the development and review by the Office of Information and Regulatory Affairs of policy associated with Federal procurement and acquisition of information technology with the Office of Federal Procurement Policy, and policies regarding management of financial management systems with the Office of Federal Financial Management.
Evaluate agency information resources management practices and programs and, as part of the budget process, oversee agency capital planning and investment control processes to analyze, track, and evaluate the risks and results of major capital investments in information systems;
Notify an agency if OMB believes that a major information system project requires outside assistance;
Provide guidance on the implementation of the Clinger-Cohen Act and on the management of information resources to the executive agencies, to the CIO Council, and to the Information Technology Resources Board; and
Designate one or more heads of executive agencies as executive agent for government-wide acquisitions of information technology.
10. Oversight:
The Director of OMB will use information technology planning reviews, fiscal budget reviews, information collection budget reviews, management reviews, and such other measures as the Director deems necessary to evaluate the adequacy and efficiency of each agency's information resources management and compliance with this Circular.
The Director of OMB may, consistent with statute and upon written request of an agency, grant a waiver from particular requirements of this Circular. Requests for waivers must detail the reasons why a particular waiver is sought, identify the duration of the waiver sought, and include a plan for the prompt and orderly transition to full compliance with the requirements of this Circular. Notice of each waiver request must be published promptly by the agency in the Federal Register, with a copy of the waiver request made available to the public on request.
11. Effectiveness: This Circular is effective upon issuance. Nothing in this Circular will be construed to confer a private right of action on any person.
12. Inquiries: All questions or inquiries should be addressed to the Office of Information and Regulatory Affairs, Office of Management and Budget, Washington, D.C. 20503. Telephone: (202) 395-3785.
13. Sunset Review Date: OMB will review this Circular three years from the date of issuance to ascertain its effectiveness.