Cybersecurity Impacts in OMB's Updated IT Acquisition and Management Policy
Published: August 24, 2016
Agencies and contractors are both impacted by IT security and privacy elements that permeate nearly every aspect of OMB’s updated Circular A-130 guidance for how agencies acquire and manage their IT systems and information resources.
Against the backdrop of a summer slowdown that traditionally comes to Washington during July and August, the Office of Management and Budget (OMB) released an update to its Circular A-130, Managing Information as a Strategic Resource, the governing document for the management of federal information resources.
Last updated in 2000, OMB revised the Circular “to reflect changes in law and advances in technology, as well as to ensure consistency with Executive Orders, Presidential Directives, and other OMB policy,” according to a blog post announcing the revision.
The first 37 pages of the 85-page document address multiple aspects of strategic management of federal information resources, including IT policy and governance, investment management and budget, acquisitions, and roles and responsibilities. The remaining 48 pages focus specifically on information security, privacy, and personally identifiable information (PII).
Three overarching elements are emphasized by OMB:
- Real-Time Situational Awareness and Monitoring of the IT Environment – Moving away from periodic, compliance-driven assessments toward continuous system assessments that build security and privacy elements into system updates and re-designs. Throughout the Circular, OMB emphasizes a shift away from checklist exercises and toward ongoing monitoring, assessment, and evaluation.
- Proactive Risk Management – Modernizing the way each agency identifies, categorizes, and handles IT risk to ensure privacy and security. The Circular encourages strong data governance and proactive risk management approaches with continual evaluation of their effectiveness.
- Shared Responsibility and Accountability – Helping to ensure everyone who interacts with government services – from government managers and employees to individual citizens – remains responsible and accountable for assuring privacy and security of information.
Focus on IT Security and Privacy
In addition to broad IT security and privacy-related provisions peppered throughout the main body of the Circular, specific and detailed requirements are included in two appendices that account for more than half of the document:
- Protecting and Managing Information Resources – Appendix I of the Circular establishes minimum requirements for agency information security programs and privacy programs, including assigning related responsibilities. Requirements include performing ongoing system reauthorizations; continuously assessing insider threats; improving security incident response; encrypting moderate and high impact information; ensuring terms in awarded contracts sufficiently protect government information (emphasis added); protecting against supply chain threats; providing identity assurance for secure government services; and, ensuring agency personnel follow security and privacy policies and procedures.
- Managing Personally Identifiable Information (PII) – Appendix II outlines requirements and responsibilities for agencies managing PII. Agency requirements include establishing a comprehensive agency-wide privacy program; designating Senior Agency Officials for Privacy and an effective privacy workforce; conducting Privacy Impact Assessments (PIA) and applying NIST’s Risk Management Framework to manage privacy risks; using the fair information practice principles when evaluating information systems, processes, programs, and activities that affect privacy; and limiting the creation, use, and storage of PII to its minimum and effectively managing PII.
Clearly, these themes of security and privacy permeate nearly every aspect of OMB’s guidance for how agencies create and manage their IT systems and information resources, including how they acquire IT solutions and services from industry – and that impacts specific provisions and terms within the contracts that agencies award.
Some of OMB’s requirements create contract opportunities in the areas mentioned above, but they also continue to place requirements upon contracting firms to ensure their internal systems and processes meet expanding federal demands. This is not particularly new to firms that have worked with the Defense Department, but it continues to expand government-wide, potentially impacting every federal contractor, whether or not they do business specifically within the cybersecurity market segment.