OMB has proposed revisions to its policies for federal information technology (IT) acquisition and management, found in Circular A-130. The revisions come just days ahead of the anticipated release of OMB's forthcoming plan to extend the "Cybersecurity Sprint" instituted in the wake of the Office of Personnel Management (OPM) breach this summer, and they may offer a preview of the new plan's focus. The proposed A-130 revisions incorporate the Congressional mandates in the Federal Information Technology Acquisition Reform Act (FITARA) and also address ever-present and increasing cybersecurity risks. They are also designed to ensure that federal agencies have access to the most up-to-date technology.
On acquisition policy, the specific proposals include recommendations for quicker IT acquisitions, with a goal of no more than 180 days from solicitation to award and delivery of IT systems within 18 months. The revised Circular also calls for greater coordination and for consideration of existing contracts before new solicitations are issued. On the pre-acquisition side, the Circular calls for better advance planning, in particular requiring agencies to think through security requirements, interoperability concerns, and the business case for an IT purchase before acquiring it.
The revisions also give agencies guidance on how best to secure IT systems consistent with the NIST Risk Management Framework, and more generally set out (in a series of appendices) new requirements for information security and privacy management. For example, each agency is now to designate an information security officer and establish agency-wide information security policies. Of course, to the extent such agency-level policies are not coordinated across government, the result could be even greater confusion and inconsistency in federal cybersecurity policy.
In pursuit of coordination, the new A-130 distinguishes the IT management, policy, and security roles of OMB, the Department of Homeland Security, the Department of Commerce/NIST, the General Services Administration, the OPM, and the National Archives and Records Administration. The new circular also describes the role of agency Chief Information Officers in assessing vulnerabilities, establishing IT priorities, and recruiting and training qualified IT personnel.
Circular A-130 has not been revised since 2000. Comments on the proposed changes, which can be found here: https://a130.cio.gov, are due by November 20, 2015.