The Office of Management and Budget (“OMB”) recently issued updates to Circular A-130 covering the management of federal information resources. OMB revised Circular A-130 “to reflect changes in law and advances in technology, as well as to ensure consistency with Executive Orders, Presidential Directives, and other OMB policy.” The revised policies are intended to transform how privacy is addressed across the branches of the federal government.
In its press release announcing the revised document, OMB noted that “as government continues to digitize, we must ensure we manage data not only to keep it secure, but also [to] allow us to harness this information to provide the best possible service to our citizens.” Thus, according to OMB, the updated Circular A-130 combines in one document “a wide range of policy updates for federal agencies” on issues relating to “cybersecurity, information governance, privacy, records management, open data, and acquisitions.” It also covers issues relating to IT planning and budgeting.
Specifically, Circular A-130 focuses on the following three elements “to help spur innovation throughout the government”:
- Real Time Knowledge of the Environment: Replacing periodic compliance-driven assessments with ongoing monitoring of federal information resources.
- Proactive Risk Management: Focusing on modernizing the way in which the government identifies, categorizes and handles privacy and security risks.
- Shared Responsibility: Focusing on shared responsibility and accountability for privacy and security among managers, employees and citizens.
According to OMB, the revised Circular A-130 “represents a shift from viewing security and privacy requirements as compliance exercises to understanding security and privacy as crucial components of a comprehensive, strategic, and continuous risk-based program.”
The fact sheet released with the press release indicates that the updated Circular A-130 “promotes innovation, enables information sharing, and fosters the wide-scale and rapid adoption of new technologies while protecting and enhancing security and privacy.”
Circular A-130 has two appendixes: Appendix I is titled Responsibilities for Protecting and Managing Federal Information Resources and Appendix II is titled Responsibilities for Managing Personally Identifiable Information (PII).
Appendix II, which is completely new, focuses on agency responsibilities for managing PII, applying the fair information practice principles, conducting privacy impact assessments, maintaining an inventory of PII, privacy training, privacy contracting and applying the NIST Risk Management Framework to manage privacy risks in the context of agency privacy programs.