OMB rolls out proposed A-130 changes


Federal technology managers' go-to rulebook for computer and information security is woefully behind the times. The A-130 circular from the Office of Management and Budget got its most recent overhaul in November 2000, back in the days of dial-up Internet connections.

A long-awaited update, ordered by Congress, is almost in its final form. The Office of Management and Budget released the revised A-130 on Oct. 21, with a 30-day comment period for the public to weigh in.

"Modernizing this policy will enable OMB to provide timely and relevant guidance to agencies and will ensure that the Federal IT ecosystem operates more securely and more efficiently while saving tax dollars and serving the needs of the American people," wrote U.S. Chief Acquisition Officer Anne Rung, U.S. CIO Tony Scott, and Administrator of the Office of Information and Regulatory Affairs Howard Shelanski in a blog post.

The new A-130 centralizes a wide range of policy updates that have come down on acquisitions, cybersecurity, information governance, records management, open data and privacy -- either administratively or in recent legislation. It incorporates the new CIO authorities in the Federal IT Acquisition Reform Act, for example, and replaces the exhibit 53 format, which CIOs used to document IT projects, with an IT Portfolio that includes estimates of technology in agency budget requests.

The new policy replaces a federated procurement approach, which supported the "timely acquisition" of IT, with more-directed guidance to award contracts within 180 days after a solicitation goes out, and a declaration that IT should be delivered within 18 months.

The revised A-130 also delineates the responsibilities of OMB, the Department of Homeland Security and National Institute of Standards and Technology when it comes to securing federal systems, and requires continuous diagnostics and mitigation to be part of the government's defensive arsenal. 

It also puts CIOs on notice that the buck stops with them when it comes to obsolete technology. Under the new policy, CIOs must be "made aware of information systems and components that cannot be appropriately protected or secured and that such systems are given a high priority for upgrade, replacement, or retirement."

The new document also covers the new focus on data, mandating that government data that is public facing be accessible, discoverable and of usable quality. And agencies are instructed to designate a "senior agency official for privacy" to make sure that the laws and policies governing personally identifiable information stored on federal systems are maintained.

The government is accepting public comments via GitHub, and allows for suggested edits to be made in the form of pull requests. The federal IT community has already weighed in; OMB received about 500 comments during an inter-agency review period in April and May of 2015.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.
