Describe the Office of Management and Budget Circular No. A-130

As a result of the passage of FITARA, the Office of Management and Budget (OMB) published Circular No. A-130 in July 2016.

The Circular, titled "Managing Information as a Strategic Resource," establishes general policy for planning and budgeting, information governance, leadership in the workforce, IT investment management, information management and access, privacy and information security, electronic signatures, records management, and the Internet.

It also identifies government-wide responsibilities, oversight, and authority.

In the appendices, the Circular provides specific responsibilities for protecting and managing Federal information resources as well as responsibilities for managing personally identifiable information, or PII.

Planning and budgeting

Some planning and budgeting requirements for agencies include:

  • Establish agency-wide planning and budgeting processes in accordance with OMB guidance, and maintain an Information Resource Management strategic plan
  • Maintain an inventory of all major information systems, as well as an inventory of those information systems that hold personally identifiable information (PII)
  • Facilitate adoption of new technologies, and evaluate how relevant current information systems are
  • Ensure contracts are in place to support the IRM strategic plan for each information system
  • Consider all factors to manage risks
  • Develop plans for information systems and components that can't be appropriately protected, and prioritize them for upgrade, replacement, or retirement
  • Review and address risk surrounding processes, people, and technology
  • Leverage NIST guidelines
  • Develop an Enterprise Architecture with baselines, targets, and a transition plan
  • Ensure that IT and non-IT resources are separated for planning and budgeting
  • Ensure the CFO, CAO, and CIO are involved in the budgeting process for all projects
  • Ensure the CIO has approved of all IT plans
  • Ensure that privacy requirements are addressed for all budget requests
  • Ensure that IT resource costs are substantiated
  • Ensure that the agency has in place a Business Continuity Plan (BCP) to ensure services may be made available to meet mission or organization needs

Governance

Governance requirements for agencies include:

  • Implement processes, standards, and policies for all information resources
  • Leverage agile development for projects in process
  • Use open data standards "to the maximum extent possible"
  • Put into place key performance indicators for cost, schedule, and performance variances of IT projects
  • Perform agency-wide IT investment reviews
  • Implement agency-wide data governance policies
  • Phase out unsupported information systems and system components
  • Ensure the CIO is included on all governance boards on IT resources
  • Require information security and privacy be a part of system development
  • Ensure the CIO regularly meets with Program Managers to ensure IT resources continue to deliver value

Leadership and workforce

Leadership and workforce requirements for agencies include:

  • Anticipate and respond to changing mission requirements
  • Maintain workforce skills
  • Recruit and retain IT talent to achieve the mission
  • Ensure the workforce has the appropriate knowledge and skills to "facilitate the achievement of the portfolio's performance goals"
  • Implement innovative approaches and track performance of workforce development
  • Ensure that "critical elements" for the agency are part of all performance reviews
  • Ensure that the CIO is involved in the recruitment and hiring as well as performance reviews of bureau CIOs
  • Ensure that C-level functions take advantage of flexible hiring for specialized positions

IT investment management

IT investment management requirements for agencies include:

  • Make use of competition, while also assessing risks, and ensuring the government and contractors each share risk
  • Conduct technical, cost, and risk analyses of alternative designs
  • Consider existing solutions or shared services within the same agency or other agencies
  • Ensure that custom-developed solutions or new solutions are created when no alternatives can match the requirements, and prioritize sustainment and maintenance
  • Structure acquisitions "to reduce risk, promote flexibility and interoperability, increase accountability, and better match mission need with current technology"
  • Award contracts for segments of work within 180 days after solicitation, otherwise cancel the award
  • Require delivery of IT services within 18 months after solicitation
  • Promote innovation
  • Require that privacy, security, accessibility, and records management be a part of solicitations

The circular also sets forth specific direction on investment planning and control, agency approval, selection criteria and requirements, and IT investment design and management.

Information management and access

Information management and access requirements for agencies include:

  • Ensure federal information is properly managed throughout the entire life cycle
  • Make information accessible, discoverable, and usable by the public to the extent permitted by law
  • Manage federal information using records retention and disposition
  • Manage federal information and information systems to mitigate privacy and security risks
  • Manage federal information with clearly designated roles and responsibilities
  • Publish public information in the most accessible way possible
  • Avoid allowing other parties to distribute information itself
  • Avoid charging fees or royalties for public information
  • Make government publications available through the Government Publishing Office
  • Take advantage of all dissemination channels, including Federal, State, local, tribal, and territorial governments
  • Ensure that information is not only made available over the Internet
  • Ensure information collected and created is consumable by downstream systems using metadata
  • Maximize re-use of investments of existing data in solicitations
  • Ensure that the public can provide feedback about public information
  • Manage information according to a set of eight principles

Privacy and information security

Privacy and information security requirements for agencies include:

  • Establish and maintain a privacy program
  • Designate a Senior Agency Official for Privacy who has the agency-wide responsibility and accountability for the privacy program
  • Monitor federal privacy laws
  • Limit the creation, collection, and use of personally identifiable information (PII)
  • Ensure that PII is accurate, relevant, timely and complete
  • Eliminate unnecessary collection of social security numbers and explore alternative personal identifiers
  • Comply with all applicable privacy-related laws
  • Maintain PII records according to NARA standards
  • Conduct privacy impact assessments through a system's lifecycle
  • Maintain and post privacy policies on agency digital estates
  • Ensure alignment with FISMA
  • Protect information
  • Implement security policies issued by the Department of Commerce, DHS, GSA, OPM, and NIST

Electronic signatures

Electronic signature requirements for agencies include:

  • Provide the option to submit or transact with an agency electronically rather than through paperwork
  • Promote the use of electronic contracts and recordkeeping
  • Develop processes to support electronic signatures

Records management

Records management requirements include:

  • Designate a senior agency official for records management (SAORM) who has agency-wide responsibility for records management
  • Implement a records management program
  • Manage all permanent electronic records electronically
  • Manage all emails electronically and retain them in an electronic system that supports records management
  • Ensure access to records throughout their life cycle regardless of form or medium
  • Ensure "proper and timely disposition" of Federal records based upon the Archivist of the United States
  • Provide training and guidance to all agency employees

Leveraging the evolving Internet

Leveraging the evolving Internet requirements for agencies include:

  • Usage of Internet Protocol Version 6 (IPv6)

Importance

The Circular represents a shift from viewing security and privacy requirements as compliance exercises to understanding security and privacy as crucial elements of a comprehensive, strategic, and continuous risk-based program at Federal agencies.