Cybersecurity at the Center of OMB’s Gov-wide IT Management Policy

Published: November 17, 2015


Cybersecurity concerns are driving numerous government-wide efforts at multiple levels, including governance policy, IT processes and technical approaches. It is even a major driver behind a recent revision in OMB IT management and acquisition policy that last saw an update more than a decade ago.

For the first time in 15 years, OMB is revising its Circular A-130, Managing Information as a Strategic Resource, the policy for the acquisition and management of information technology equipment, funds, personnel, and other resources. The proposed revision was announced last month in a White House blog post by Federal CIO Tony Scott and others. Their aim, in part, is to “incorporate new statutory requirements and enhanced technological capabilities, as well as address current and evolving technical and personnel security threats.”

Proposed new cybersecurity requirements in the revised A-130 focus on:

  • Incident response
  • Encryption
  • Inclusion of security requirements in contracts
  • Oversight of contractors
  • Protecting against insider threats
  • Protecting against supply chain risks
  • Prohibiting unsupported software and system components
  • Personnel accountability

The revised Appendix III – Responsibilities for Protecting Federal Information Resources – provides guidance on how agencies should take a coordinated approach to information security and privacy when protecting federal information resources.

The high-level list of new security concentrations could have far-reaching and lasting impacts on the federal IT landscape, including contracted support services and products. Cybersecurity riders in new contracts, including supply chain assurances and greater transparency from contractor firms about their internal cybersecurity practices, have been inching forward in several forms over the last few years, and the new A-130 would further codify these efforts.

The new cyber provisions could also have the effect of reenergizing some agencies’ legacy system modernization efforts that may have stalled under budget pressure in recent years. The new OMB A-130 would have agencies flag legacy systems that need updates or modernization in order to be secure (e.g. OPM), so cybersecurity concerns will add fuel to agency modernization priorities and may garner budget increases from OMB.

In the end, the revised policy could bolster the market for cybersecurity-related products and services and have ripple effects through systems integration and IT infrastructure areas. The proposed A-130 revision is currently in the middle of a 30-day public comment period, so interested parties should take advantage of the opportunity to weigh in on the policy and its implications.