A-130 feedback urges more emphasis on commercial cloud in IT policy revisions

The A-130 is the foundational document for all federal information policy.  So when the Office of Management and Budget put out a draft of the first A-130 revision in 15 years in October, the proposed changes were parsed carefully. Comments filed on GitHub by the Dec. 5 deadline show that cloud vendors and trade groups are worried that the document doesn't adequately promote the government's avowed "cloud first" policy, and that it requires redundant levels of approval for agencies seeking to move development, operations, and data to a virtual environment.

Dave Wennergren of the Professional Services Council hoped that a revised A-130 would "more explicitly promote the importance of commercial cloud solutions as a means of replacing aging infrastructure, reducing operating costs, providing greater access to modern applications and improving agency cybersecurity posture."

In particular, industry reps were disappointed that the cloud authorization process FedRAMP was not enshrined in the revised A-130.

"As A-130 itself is being modernized to support the development and use of cutting edge IT and leading information policy approaches associated with its effective management," Microsoft argued in its comments, "it would be a stark remission not to integrate the Administration's Cloud First policy commitments, achievements and goals embodied through FedRAMP."

The IT Alliance for the Public Sector, a division of the Information Technology Industry Council, complained that the revised A-130 "creates parallel, but uncoordinated, authorization authorities for privacy and security. Such a condition will negatively impact companies seeking and sustaining authorizations to operate cloud computing services."

Customer service platform Salesforce agreed, urging OMB to "revise the Draft Circular to reaffirm the applicability of FedRAMP for Cloud based systems."

More generally, the Mitre Corporation worried that the A-130 lacks a stick to make agencies follow its rules. "Agencies may be reticent to comply with the guidance given that enforcement mechanisms penalties for non-compliance are not identified," they noted. Mitre also wanted some new clarity, in light of the Federal IT Acquisition Reform Act, about making sure that newly empowered agency CIOs maintain some boundaries between their areas of control and highly bespoke agency component missions.

Mitre's commenters suggested specifying that "responsibility for mission systems that are not implemented using commercially available IT shall be delineated," to avoid muddling authorities.

In addition, a host of government transparency groups and information associations banded together to protest deletions from the previous A-130 with regard to information policy. Comments submitted by Patrice McDermott of OpenTheGovernment.org on behalf of her group, along with (among others) the American Library Association, the Government Accountability Project, and the Project on Government Oversight pushed for the restoration of statements like, "the free flow of information between the government and the public is essential to a democratic society" and "the public disclosure of government information is essential to the operation of a democracy."

OMB plans to review these and many other comments outside the public glare of GitHub, and make any changes before publishing the final, canonical A-130.