OMB Issues New Website and Digital Services Rules

Published: November 17, 2016

CybersecurityDigital GovernmentPolicy and Legislation

In the final weeks of the Obama Administration the Office of Management and Budget has instructed federal departments and agencies to implement some changes to their publicly-facing websites and digital services.

Recently, the Office of Management and Budget (OMB) issued a new guidance document instructing federal agencies on actions they must take to ensure that their publicly-facing websites and related digital services are more functionally effective, accessible, and secure.

The new policy and the included requirements support “building effective and user-centric digital services” within the government based upon the 2012 Digital Government Strategy and the 2014 Digital Services Playbook.

Agencies are expected to comply with its requirements within 180 days of publication, unless already required by existing law or policy. The memo further states that the General Service Administration’s (GSA) Office of Government-wide Policy will stand up a new “Council of agency Web/Digital Directors” within 30 days to aid in enforcement of the guidance and GSA will regularly report agency progress at implementing the new policies on their DotGov Dashboard.

Key Provisions

Several elements of the 18-point policy refer to or build upon earlier guidance on topics like privacy and security. Here are some of the elements included in the latest memo:

  • IT Governance – Agencies must manage their websites and digital services not as discrete individual IT projects, but under a comprehensive strategy covering all their digital information and services, including websites and data. Each agency is to publicly post and maintain their current governance plan on their agency’s Digital Strategy page.
  • Analytics – Agencies are to use qualitative and quantitative data and feedback to determine if they are meeting user needs and to inform management and development decisions. This includes mandatory participation in the GSA’s Digital Analytics Program (DAP) and use the DAP tracking code, and agencies are encouraged to use other tools and methods as well.
  • Searchable and Discoverable – Agency websites are to contain a search function and be set up to be indexed and searchable by commercial search engines
  • Open Data – Agencies must disseminate information to the public, structured in a way that enables the data to be fully discoverable and usable, including a machine-readable Public Data Listing, web APIs and open source documentation, and a continually updated data publication process.
  • Device-neutral Access – Agency information and services should be readily available regardless of device, including mobile phones and tablets. Legacy website optimization will be driven by user analytics and feedback.
  • Protect Privacy – Agencies are to build privacy protections into their policies, plans, and IT. They are also to maintain a Privacy Program Page posting information about the agency’s use and handling of personally identifiable information (PII) and contact information for the agency’s Senior Agency Official for Privacy (SAOP) for inquiry and complaints.
  • Information Security and Privacy – FISMA and OMB’s Circular A-130 require each agency to implement an agency-wide information security program for the information and systems that support their operations and assets, including those provided or managed by another agency, contractor, or other source. The same rules require a privacy program implement privacy controls and assessments.
  • Approved Domains – While each agency must use only an approved .gov or .mil domain for its official public-facing websites this does not apply in circumstances where the agency is a user or a customer of a third-party website or service that resides on a non-governmental domain. For those situations agencies must update and maintain their list of non-governmental URLs that they operate within 60 days. Further, agencies must migrate all official public facing websites not currently residing on a .gov or .mil domain (excluding agency third-party services), to a .gov or .mil domain within 180 days.
  • Third-Party Websites and Applications – Agencies must register their public-facing digital services such as social media, collaboration accounts, mobile apps and mobile websites, with the U.S. Digital Registry within 60 days. Use of a third-party website or application must also directly support agency mission and comply with all federal laws and policies.


Agencies have been given the directive to update these areas at the same time they are going through the transition to a new administration. That may stretch their capacity and they may require some help from supporting contractors to get the work done or to support other areas while in-house staff address these needs.

These directives also give further visibility into in-flight areas of agency IT governance, operations and maintenance that will likely persist into the next administration. If you are not already doing so, you can track your favorite agency’s governance plan and other areas on its Digital Strategy page under the following standardized URL convention: www.[agency].gov/digitalstrategy/ (or .mil for defense sites.)