OMB rolls out proposed A-130 changes

The Office of Management and Budget's A-130, a 15-year-old computer security guidelines document for federal agencies, is getting a refresh in light of new law and policy.


Federal technology managers' go-to rulebook for computer and information security is woefully behind the times. The A-130 circular from the Office of Management and Budget got its most recent overhaul in November 2000, back in the days of dial-up Internet connections.

A long-awaited update, ordered by Congress, is almost in its final form. The Office of Management and Budget released the revised A-130 on Oct. 21, with a 30-day comment period for the public to weigh in.

"Modernizing this policy will enable OMB to provide timely and relevant guidance to agencies and will ensure that the Federal IT ecosystem operates more securely and more efficiently while saving tax dollars and serving the needs of the American people," wrote U.S. Chief Acquisition Officer Anne Rung, U.S. CIO Tony Scott, and Administrator of the Office of Information and Regulatory Affairs Howard Shelanski in a blog post.

The new A-130 centralizes a wide range of policy updates that have come down on acquisitions, cybersecurity, information governance, records management, open data and privacy -- either administratively or in recent legislation. It incorporates the new CIO authorities in the Federal IT Acquisition Reform Act, for example, and replaces the exhibit 53 format, which CIOs used to document IT projects, with an IT Portfolio that includes estimates of technology in agency budget requests.

The new policy replaces a federated procurement approach, which supported the "timely acquisition" of IT, with more directed guidance to award contracts within 180 days after a solicitation goes out, and a declaration that IT should be delivered within 18 months.

The revised A-130 also delineates the responsibilities of OMB, the Department of Homeland Security and the National Institute of Standards and Technology when it comes to securing federal systems, and requires continuous diagnostics and mitigation to be part of the government's defensive arsenal.

It also puts CIOs on notice that the buck stops with them when it comes to obsolete technology. Under the new policy, CIOs must be "made aware of information systems and components that cannot be appropriately protected or secured and that such systems are given a high priority for upgrade, replacement, or retirement."

The new document also covers the new focus on data, mandating that government data that is public facing be accessible, discoverable and of usable quality. And agencies are instructed to designate a "senior agency official for privacy" to make sure that the laws and policies governing personally identifiable information stored on federal systems are maintained.

The government is accepting public comments via GitHub, and allows for suggested edits to be made in the form of pull requests. The federal IT community has already weighed in; OMB received about 500 comments during an inter-agency review period during April and May of 2015.