EXECUTIVE OFFICE OF THE PRESIDENT
                   OFFICE OF MANAGEMENT AND BUDGET
                          WASHINGTON, D.C. 20503

                                               906R96101
                          February 8, 1996

                                              CIRCULAR NO.  A-130
                                                   Revised
                                    (Transmittal Memorandum No.  3)

MEMORANDUM  FOR HEADS OF EXECUTIVE  DEPARTMENTS AND ESTABLISHMENTS

SUBJECT:  Management of Federal Information Resources

     Circular No. A-130 provides uniform  government-wide
information resources management policies as  required by  the
Paperwork Reduction Act of 1980, as amended by the Paperwork
Reduction Act of 1995, 44 U.S.C. Chapter  35.   This Transmittal
Memorandum  contains updated guidance on the "Security of  Federal
Automated Information Systems," Appendix  III  and  makes minor
technical revisions to the Circular to reflect the Paperwork
Reduction Act of 1995  (P.L. 104-13).  The Circular is  reprinted
in its entirety for convenience.
                              Alice M. Rivlin
                              Director
Attachment

-------
                                                                CIRCULAR NO. A-130
                                                                           Revised
                                                       (Transmittal Memorandum No. 3)
MEMORANDUM FOR HEADS OF EXECUTIVE DEPARTMENTS AND
ESTABLISHMENTS

SUBJECT: Management of Federal Information Resources

  1. Purpose:  This Circular establishes policy for the management of Federal information
resources. Procedural and analytic guidelines for implementing specific aspects of these policies
are included as appendices.

  2. Rescissions: This Circular rescinds OMB Circulars No. A-3, A-71, A-90, A-108, A-114,
and A-121, and all Transmittal Memoranda to those circulars.

  3. Authorities: This Circular is issued pursuant to the Paperwork Reduction Act (PRA) of
1980, as amended by the Paperwork Reduction Act of 1995 (44 U.S.C. Chapter 35); the Privacy
Act, as amended (5 U.S.C. 552a); the Chief Financial Officers Act (31 U.S.C. 3512 et seq.); the
Federal  Property and Administrative Services Act, as amended (40 U.S.C. 759 and 487); the
Computer Security Act (40 U.S.C. 759 note); the Budget and Accounting Act, as amended (31
U.S.C. Chapter 11); Executive Order No. 12046 of March 27, 1978; and Executive Order No.
12472 of April 3, 1984.

  4. Applicability and Scope:

    a.  The policies in this Circular apply to the information activities of all agencies of the
executive branch of the Federal government.

    b. Information classified for national security purposes should also be handled in accordance
with the appropriate national security directives. National security emergency preparedness
activities should be conducted in accordance  with Executive Order No. 12472.

  5. Background: The Paperwork Reduction Act establishes a broad mandate for agencies to
perform their information resources management activities in an efficient, effective, and
economical manner.  To assist agencies in an integrated approach to information resources
management, the Act requires that the Director of OMB develop and implement uniform and
consistent information resources management policies; oversee the development and promote the
use of information management principles, standards,  and guidelines; evaluate agency
information resources management practices  in order to determine their adequacy and efficiency;
and determine compliance of such practices with the policies, principles, standards, and
guidelines promulgated by the Director.

-------
  6.  Definitions:

    a.  The term "agency" means any executive department, military department, government
 corporation, government controlled corporation, or other establishment in the executive branch
 of the  Federal government, or any independent regulatory agency. Within the Executive Office
 of the  President, the term includes only OMB and the Office of Administration.

    b.  The term "audiovisual production" means a unified presentation, developed according to a
 plan or script, containing visual imagery, sound or both, and used to convey information.

    c.  The term "dissemination" means the government initiated distribution of information to
 the public. Not considered dissemination within the meaning of this Circular is distribution
 limited to government employees or agency contractors or grantees, intra- or inter-agency use or
 sharing of government information, and responses to requests for agency records under the
 Freedom of Information Act (5 U.S.C. 552) or Privacy Act.

    d.  The term "full costs," when applied to the expenses incurred in the operation of an
 information processing service organization (IPSO), is comprised of all direct, indirect, general,
 and administrative costs incurred in the operation of an IPSO.  These costs include, but are not
 limited to, personnel, equipment, software, supplies, contracted services from private sector
 providers, space occupancy,  intra-agency services from within the agency, inter-agency services
 from other Federal agencies, other services that are provided by State and local governments, and
 Judicial and Legislative branch organizations.

    e.  The term "government information" means information created, collected, processed,
 disseminated, or disposed of by or for the Federal Government.

    f. The term "government publication" means information which is published as an individual
document at government expense, or as required by law. (44 U.S.C. 1901)

    g.  The term "information" means any communication or representation of knowledge such as
facts, data, or opinions in any medium or form, including textual, numerical, graphic,
cartographic, narrative, or audiovisual forms.

    h.  The term "information dissemination product" means any book, paper, map,
machine-readable material, audiovisual production, or other documentary material, regardless of
physical form or characteristic, disseminated by an agency to the public.

    i. The term "information life cycle" means the stages through which information passes,
typically characterized as creation or collection, processing, dissemination, use, storage, and
disposition.

-------
    j.  The term "information management" means the planning, budgeting, manipulating, and
 controlling of information throughout its life cycle.

    k. The term "information resources" includes both government information and information
 technology.

    l.  The term "information processing services organization" (IPSO) means a discrete set of
 personnel, information technology, and support equipment with the primary function of
 providing services to more than one agency on a reimbursable basis.

    m. The term "information resources management" means the process of managing
 information resources to accomplish agency missions. The term encompasses both information
 itself and the related resources, such as personnel, equipment, funds, and information technology.

    n. The term "information system" means a discrete set of information resources organized
 for the collection, processing, maintenance, transmission, and dissemination of information, in
 accordance with defined procedures, whether automated or manual.

    o. The term "information system life cycle" means the phases through which an information
 system passes, typically characterized as initiation, development, operation, and termination.

    p. The term "information technology" means the hardware and software operated by a
 Federal agency or by a contractor of a Federal agency or other organization that processes
 information on behalf of the Federal government to accomplish a Federal function, regardless of
 the technology involved, whether computers, telecommunications, or others. It includes
 automatic data processing equipment as that term is defined in Section 111(a)(2) of the Federal
 Property and Administrative Services Act of 1949. For the purposes of this Circular, automatic
 data processing and telecommunications activities related to certain critical national security
 missions, as defined in 44 U.S.C. 3502(2) and 10 U.S.C. 2315, are excluded.

    q.  The term "major information system" means an information system that requires special
 management attention because of its importance to an agency mission; its high development,
 operating, or maintenance costs; or its significant role in the administration of agency programs,
 finances, property, or other resources.

    r. The term "records" means all books,  papers, maps, photographs, machine-readable
 materials, or other documentary materials, regardless of physical form or characteristics, made or
 received by an agency of the United States Government under Federal law or in connection with
 the transaction of public business and preserved or appropriate for preservation by that agency or
 its legitimate successor as evidence of the organization, functions, policies, decisions,
procedures, operations, or other activities of the government or because of the informational
value of the data in them. Library and museum material made or acquired and preserved solely
for reference or exhibition purposes,  extra copies of documents preserved only for convenience

-------
of reference, and stocks of publications and of processed documents are not included. (44 U.S.C.
3301)

    s. The term "records management" means the planning, controlling, directing, organizing,
training, promoting, and other managerial activities involved with respect to records creation,
records maintenance and use, and records disposition in order to achieve adequate and proper
documentation of the policies and transactions of the Federal Government and effective and
economical  management of agency operations. (44 U.S.C. 2901(2))

    t. The term "service recipient" means an agency organizational unit, programmatic entity, or
chargeable account that receives information processing services from an information processing
service organization (IPSO). A service recipient  may be either internal or external to the
organization responsible for providing information resources services, but normally does not
report either to the manager or director of the IPSO or to the same immediate supervisor.

  7. Basic Considerations and Assumptions:

    a. The Federal Government is the largest single producer, collector, consumer, and
disseminator of information in the United States.  Because of the extent of the government's
information activities, and the dependence of those activities upon public cooperation, the
management of Federal information resources is an issue of continuing importance to all Federal
agencies, State and local governments, and the public.

    b. Government information is a valuable national resource.  It provides the public with
knowledge of the government, society, and economy — past, present, and future. It is a means to
ensure the accountability of government, to manage the government's operations, to maintain the
healthy performance of the economy, and is itself a commodity  in the marketplace.

    c. The free flow of information between the government and the public is essential to a
democratic society. It is also essential that the government minimize the Federal paperwork
burden on the public, minimize the  cost of its information activities, and maximize the usefulness
of government information.

    d. In order to minimize the cost and maximize the usefulness of government information, the
expected public and private benefits derived from government information should exceed the
public and private costs of the information, recognizing that the benefits to be derived from
government  information may not always be quantifiable.

    e. The nation can benefit from government information disseminated both by Federal
agencies and by diverse nonfederal  parties, including State and local government agencies,
educational and other not-for-profit institutions, and for-profit organizations.

-------
    f.  Because the public disclosure of government information is essential to the operation of a
 democracy, the management of Federal information resources should protect the public's right of
 access to government information.

    g. The individual's right to privacy must be protected in Federal Government information
 activities involving personal information.

    h. Systematic attention to the management of government records is an essential component
 of sound public resources management which ensures public accountability.  Together with
 records preservation, it protects the government's historical record and guards the legal and
 financial rights of the government and the public.

    i.  Agency strategic planning can improve the operation of government programs.  The
 application of information resources should support an agency's strategic plan to fulfill its
 mission.  The integration of IRM planning with agency strategic planning promotes the
 appropriate application of Federal information resources.

    j.  Because State and  local governments are important producers of government information
 for many areas such as health, social welfare, labor, transportation, and education, the Federal
 Government must cooperate with these governments in the management of information
 resources.

    k.  The open and efficient exchange of scientific and technical government information,
 subject to applicable national security controls and the proprietary rights of others, fosters
 excellence in scientific research and effective use of Federal research and development funds.

    l. Information technology is not an end in itself.  It is one set of resources that can improve
 the effectiveness and efficiency of Federal program delivery.

    m. Federal Government information resources management policies and activities can affect,
 and be affected by, the information policies and activities of other nations.

    n.  Users  of Federal information resources must have skills, knowledge, and training to
 manage information  resources, enabling the Federal government to effectively serve the public
 through automated means.

    o.  The application of up-to-date information technology presents opportunities to promote
 fundamental changes in agency structures, work processes, and ways of interacting with the
public that improve the effectiveness and efficiency of Federal agencies.

   p.  The availability of government information in diverse media, including electronic formats,
permits agencies and the public greater flexibility in using the information.

-------
    q.  Federal managers with program delivery responsibilities should recognize the importance
of information resources management to mission performance.

  8. Policy:

    a.  Information Management Policy

    (1) Information Management Planning. Agencies shall plan in an integrated manner for
managing information throughout its life cycle.  Agencies shall:

    (a) Consider, at each stage of the information life cycle, the effects of decisions and actions
on other stages of the life cycle, particularly those concerning information dissemination;

    (b) Consider the effects of their actions on members of the public and ensure consultation
with the public as appropriate;

    (c)  Consider the effects of their actions on State and local governments and ensure
consultation with those governments as appropriate;

    (d) Seek to satisfy new information needs through interagency or intergovernmental sharing
of information, or through commercial sources, where appropriate, before creating or collecting
new information;

    (e)  Integrate planning for information systems with plans for resource allocation and use,
including budgeting, acquisition, and use of information technology;

    (f) Train personnel in skills appropriate to management of information;

    (g)  Protect government information commensurate with the risk and magnitude of harm that
could result from the loss, misuse, or unauthorized access to or modification of such information;

    (h)  Use voluntary standards and Federal Information Processing Standards where appropriate
or required;

    (i)  Consider  the effects of their actions on the privacy rights of individuals, and ensure that
appropriate legal and technical safeguards are implemented;

    (j)  Record, preserve, and make accessible sufficient information to ensure the management
and accountability of agency programs, and to protect the legal and financial rights of the Federal
Government;

    (k)  Incorporate records management and archival functions into the design, development,
and implementation of information systems;

-------
    (l) Provide for public access to records where required or appropriate.

    (2) Information Collection. Agencies shall collect or create only that information
 necessary for the proper performance of agency functions and which has practical utility.

    (3) Electronic Information Collection. Agencies shall use electronic collection techniques
 where such techniques reduce burden on the public, increase efficiency of government programs,
 reduce costs to the government and the public, and/or provide better service to the public.
 Conditions favorable to electronic collection include:

    (a) The information collection seeks a large volume of data and/or reaches a large
 proportion of the public;

    (b) The information collection recurs frequently;

    (c) The structure, format, and/or definition of the information sought by the information
 collection does not change significantly over several years;

    (d) The agency routinely converts the information collected to electronic format;

    (e) A substantial number of the affected public are known to have ready access to the
 necessary information technology and to maintain the information  in electronic form;

    (f) Conversion to electronic reporting, if mandatory, will not impose substantial costs or
 other adverse effects on the public, especially State and local governments and small business
 entities.

    (4) Records Management.  Agencies shall:

    (a) Ensure that records management programs provide adequate and proper documentation
 of agency activities;

    (b) Ensure the ability to access records regardless of form or medium;

    (c) In a timely fashion, establish, and obtain the approval of the Archivist of the United
 States for, retention schedules for Federal records; and

    (d) Provide training and guidance as appropriate to all agency officials and employees and
 contractors regarding their Federal records management responsibilities.

    (5) Providing Information to the Public. Agencies have a responsibility to provide
 information to the public consistent with their missions.  Agencies shall discharge this
responsibility by:

-------
    (a)  Providing information, as required by law, describing agency organization, activities,
 programs, meetings, systems of records, and other information holdings, and how the public may
 gain access to agency information resources;

    (b)  Providing access to agency records under provisions of the Freedom of Information Act
 and the Privacy Act, subject to the protections and limitations provided for in these Acts;

    (c)  Providing such other information as is necessary or appropriate for the  proper
 performance of agency functions; and

    (d)  In determining whether and how to disseminate information to the public, agencies shall:

       (i) Disseminate information in a manner that achieves the best balance  between the goals
 of maximizing the usefulness of the information and minimizing the cost to the government and
 the public;

       (ii) Disseminate information dissemination products on equitable and timely terms;

       (iii) Take advantage of all dissemination channels, Federal and nonfederal, including
 State and local governments, libraries and private sector entities, in discharging agency
 information dissemination responsibilities;

       (iv) Help the public locate government information maintained by or for the agency.

    (6) Information Dissemination Management System.  Agencies shall maintain and
 implement a management system for all information dissemination products which shall, at a
 minimum:

    (a) Assure that information dissemination products are necessary for proper performance of
 agency functions (44 U.S.C. 1108);

    (b) Consider whether an information dissemination product available from other Federal or
 nonfederal sources is equivalent to an agency information dissemination product and reasonably
 fulfills the dissemination responsibilities of the agency;

    (c) Establish and maintain inventories of all agency information dissemination products;

    (d) Develop such other aids to locating agency information dissemination products including
 catalogs and directories, as may reasonably achieve agency information dissemination
 objectives;

    (e) Identify in information dissemination products the source of the information, if from
another agency;


-------
    (f)  Ensure that members of the public with disabilities whom the agency has a responsibility
 to inform have a reasonable ability to access the information dissemination products;

    (g) Ensure that government publications are made available to depository libraries through
 the facilities of the Government Printing Office, as required by law (44 U.S.C. Part 19);

    (h) Provide electronic information dissemination products to the Government Printing Office
 for distribution to depository libraries;

    (i)  Establish and maintain communications with members of the public and with State and
 local governments so that the agency creates information dissemination products  that meet their
 respective needs;

    (j)  Provide adequate notice when initiating, substantially modifying, or terminating
 significant information dissemination products; and

    (k)  Ensure that, to the extent existing information dissemination policies or practices are
 inconsistent with the requirements of this Circular, a prompt and orderly transition to compliance
 with the requirements of this Circular is made.

    (7)  Avoiding Improperly Restrictive Practices.  Agencies shall:

    (a)  Avoid establishing, or permitting others to establish on their behalf, exclusive, restricted,
 or other distribution arrangements that interfere with the availability of information
 dissemination products on a timely and equitable basis;

   (b)  Avoid establishing restrictions or regulations, including the charging of fees or royalties,
 on the reuse, resale, or redissemination of Federal information dissemination products by the
 public; and,

   (c)  Set user charges for information dissemination products at a level sufficient to recover
 the cost of dissemination but no higher.  They shall exclude from calculation of the charges costs
associated with original collection and processing of the information. Exceptions  to this policy
are:

       (i) Where statutory requirements are at variance with the policy;

       (ii)  Where the agency collects, processes, and disseminates  the information for the
   benefit of a specific identifiable group beyond the benefit to the general public;

       (iii) Where the agency plans to establish user charges at less than cost of dissemination
   because of a determination that higher charges would constitute a significant barrier to

-------
    properly performing the agency's functions, including reaching members of the public whom
    the agency has a responsibility to inform; or

       (iv) Where the Director of OMB determines an exception is warranted.

    (8) Electronic Information Dissemination. Agencies shall use electronic media and
formats, including public networks, as appropriate and within budgetary constraints, in order to
make government information more easily accessible and useful to the public. The use of
electronic media and formats for information dissemination is appropriate under the following
conditions:

    (a) The agency develops and maintains the information electronically;

    (b) Electronic media or formats are practical and cost effective ways to provide public access
to a large, highly detailed volume of information;

    (c) The agency disseminates the product frequently;

    (d) The agency knows a substantial portion of users have ready access to the necessary
information technology and training to use electronic information dissemination products;

    (e) A change to electronic dissemination, as the sole means of disseminating the product,
will not impose substantial  acquisition or training costs on users, especially State and local
governments and small business entities.

    (9) Safeguards. Agencies shall:

    (a) Ensure that information is protected commensurate with the risk and magnitude of the
harm that would result from the loss, misuse, or unauthorized access to or modification of such
information;

    (b) Limit the collection of information which identifies individuals to that which is legally
authorized and necessary for the proper performance of agency functions;

    (c) Limit the sharing of information that identifies individuals or contains proprietary
information to that which is legally authorized, and impose appropriate conditions on use where
a continuing obligation to ensure the confidentiality of the information exists;

    (d) Provide individuals, upon request, access to records about them maintained in Privacy
Act systems of records, and permit them to amend such records as are in error consistent with the
provisions of the Privacy Act.

-------
    b. Information Systems and Information Technology Management

    (1) Evaluation and Performance Measurement. Agencies shall promote the appropriate
 application of Federal information resources as follows:

    (a) Seek opportunities to improve the effectiveness and efficiency of government programs
 through work process redesign and the judicious application of information technology;

    (b) Prepare, and update as necessary throughout the information system life cycle, a benefit-
 cost analysis for each information system:

       (i) at a level of detail appropriate to the size of the investment;

       (ii) consistent with the methodology described in OMB Circular No. A-94, "Guidelines
    and Discount Rates for Benefit-Cost Analysis of Federal Programs;" and

       (iii) that relies on systematic measures of mission performance, including the:

                     (a) effectiveness of program delivery;
                     (b) efficiency of program administration; and
                     (c) reduction in burden, including information collection burden, imposed
       on the public;

    (c) Conduct benefit-cost analyses to support ongoing management oversight processes that
 maximize return on investment and minimize financial and operational risk for investments in
 major information systems on an agency-wide basis; and

    (d) Conduct post-implementation reviews of information systems to validate estimated
 benefits and document effective management practices for broader use.

    (2) Strategic Information Resources Management (IRM) Planning. Agencies shall
 establish and maintain strategic information resources management planning processes which
 include the following components:

    (a) Strategic IRM planning that addresses how the management of information resources
 promotes the fulfillment of an agency's mission. This planning process should support the
 development and maintenance of a strategic IRM plan that reflects and anticipates changes  in the
 agency's mission, policy direction, technological capabilities, or resource levels;

    (b) Information planning that promotes the use of information throughout its life cycle to
 maximize the usefulness of information, minimize the burden on  the public, and preserve the
appropriate integrity, availability, and confidentiality of information. It shall specifically address

-------
 the planning and budgeting for the information collection burden imposed on the public as
 defined by 5 C.F.R. 1320;

    (c) Operational information technology planning that links information technology to
 anticipated program and mission needs, reflects budget constraints, and forms the basis for
 budget requests. This planning should result in the preparation and maintenance of an up-to-date
 five-year plan, as required by 44 U.S.C. 3506, which includes:

       (i) a listing of existing and planned major information systems;

       (ii) a listing of planned information technology acquisitions;

       (iii) an explanation of how the listed major information systems and planned information
    technology acquisitions relate to each other and support the achievement of the agency's
    mission; and

       (iv) a summary of computer security planning, as required by Section 6 of the Computer
    Security Act of 1987 (40 U.S.C. 759 note); and

    (d) Coordination with other agency planning processes including strategic, human resources,
 and financial resources.

    (3) Information Systems Management Oversight. Agencies shall establish information
 system management oversight mechanisms that:

    (a) Ensure that each information system meets agency mission requirements;

    (b) Provide for periodic review of information systems to determine:

       (i) how mission requirements might have changed;

       (ii) whether the information system continues to fulfill ongoing and anticipated mission
    requirements; and

       (iii) what level of maintenance is needed to ensure the information system meets mission
    requirements cost effectively;

   (c) Ensure  that the official who administers a program supported by an information system is
responsible and accountable for the management of that information system throughout its life
cycle;

   (d) Provide for  the appropriate training for users of Federal information resources;

-------
    (e) Prescribe Federal information system requirements that do not unduly restrict the
prerogatives of State, local, and tribal governments;

    (f) Ensure that major information systems proceed in a timely fashion towards agreed-upon
milestones in an information system life cycle, meet user requirements, and deliver intended
benefits to the agency and affected publics through coordinated decision making about the
information, human, financial, and other supporting resources;  and

    (g) Ensure that financial management systems conform to the requirements of OMB Circular
No. A-127, "Financial Management Systems."

    (4) Use of Information Resources. Agencies shall create and maintain management and
technical frameworks for using information resources that document linkages between mission
needs, information content, and information technology capabilities.  These frameworks should
guide both strategic and operational IRM planning. They should also address steps necessary to
create an open systems environment. Agencies shall implement the following principles:

    (a) Develop information systems in a manner that facilitates necessary interoperability,
application portability,  and scalability of computerized applications across networks of
heterogeneous hardware, software, and communications platforms;

    (b) Ensure that improvements to existing information systems and the development of
planned information systems do not unnecessarily duplicate information systems available within
the same agency, from other agencies, or from the private sector;

    (c) Share available information systems with other agencies to the extent practicable and
legally permissible;

    (d) Meet information technology needs through intra-agency and inter-agency sharing, when
it is cost effective, before acquiring new information technology resources;

    (e) For Information  Processing Service Organizations (IPSOs) that have costs in excess of $5
million per year, agencies shall:

       (i) account for the full costs of operating all IPSOs;

       (ii) recover the costs incurred for providing IPSO services to all service recipients on an
    equitable basis commensurate with the costs required to provide those services; and

       (iii) document sharing agreements between service recipients and IPSOs; and
    (f) Establish a level of security for all information systems that is commensurate with the risk
 and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or
 modification of the information contained in these information systems.

    (5) Acquisition of Information Technology. Agencies shall:

    (a) Acquire information technology in a manner that makes use of full and open competition
 and that maximizes return on investment;

    (b) Acquire off-the-shelf software from commercial sources, unless the cost effectiveness of
 developing custom software to meet mission needs is clear and has been documented;

    (c) Acquire information technology in accordance with OMB Circular No. A-109,
 "Acquisition of Major Systems," where appropriate; and

    (d) Acquire information technology in a manner that considers the need for accommodations
 of accessibility for individuals with disabilities to the extent that needs for such access exist.

    9. Assignment of Responsibilities:

    a. All Federal Agencies. The head of each agency shall:

    (1) Have primary responsibility for managing agency information resources;

    (2) Ensure that the information policies, principles, standards, guidelines, rules, and
regulations prescribed by OMB are implemented appropriately within the agency;

    (3) Develop internal agency information policies and procedures and oversee, evaluate, and
otherwise periodically review agency information resources management activities for
conformity with the policies set forth in this Circular;

    (4) Develop agency policies and procedures that provide for timely acquisition of required
information technology;

    (5) Maintain an inventory of the agencies' major information systems, holdings and
information dissemination products, as required by 44 U.S.C. 3511.

    (6) Implement and enforce applicable records management policies and procedures, including
requirements for archiving information maintained in electronic format, particularly in the
planning, design and operation of information systems.
    (7) Identify to the Director, OMB, statutory, regulatory, and other impediments to efficient
 management of Federal information resources and recommend to the Director legislation,
 policies, procedures, and other guidance to improve such management;

    (8) Assist OMB in the performance of its functions under the PRA including making
 services, personnel, and facilities available to OMB for this purpose to the extent practicable;

    (9) Appoint a senior official, as required by 44 U.S.C. 3506(a), who shall report directly to
 the agency head to carry out the responsibilities of the agency under the PRA. The head of the
 agency shall keep the Director, OMB, advised as to the name, title, authority, responsibilities,
 and organizational resources of the senior official.  For purposes of this paragraph, military
 departments and the Office of the Secretary of Defense may each appoint one official.

    (10) Direct the senior official appointed pursuant to 44 U.S.C. 3506(a) to monitor agency
 compliance with the policies, procedures, and guidance in this Circular.  Acting as an
 ombudsman, the senior official shall consider alleged instances of agency failure to comply with
 this Circular and recommend or take corrective action as appropriate.  The senior official shall
 report annually, not later than February 1st of each year, to the Director those instances of
 alleged failure to comply with this Circular and their resolution.

    b. Department of State. The Secretary of State shall:

    (1) Advise the Director, OMB, on the development of United States positions and policies
 on international information policy issues affecting Federal Government information activities
 and ensure that such positions and policies are consistent with Federal information resources
 management policy;

    (2) Ensure, in  consultation with the Secretary of Commerce, that the United States is
 represented in the development of international information technology standards, and advise the
 Director, OMB, of such activities.

    c.  Department of Commerce.  The Secretary of Commerce shall:

    (1)  Develop and issue Federal Information Processing Standards and guidelines necessary to
 ensure the efficient and effective acquisition, management, security, and use of information
 technology;

    (2)  Advise the Director, OMB, on the development of policies relating to the procurement
 and management of Federal telecommunications resources;

    (3) Provide OMB and the agencies with scientific and technical advisory services relating to
the development and use of information technology;
    (4)  Conduct studies and evaluations concerning telecommunications technology, and
concerning the improvement, expansion, testing, operation, and use of Federal
telecommunications systems and advise the Director, OMB, and appropriate agencies of the
recommendations that result from such studies;

    (5)  Develop, in consultation with the Secretary of State and the Director of OMB, plans,
policies, and programs relating to international telecommunications issues affecting government
information activities;

    (6)  Identify needs for standardization of telecommunications and information processing
technology, and develop standards, in consultation with the Secretary of Defense and the
Administrator of General Services, to ensure efficient application of such technology;

    (7)  Ensure that the Federal Government is represented in the development of national and, in
consultation with the Secretary of State, international information technology  standards, and
advise the Director, OMB, of such activities.

    d. Department of Defense.  The Secretary of Defense shall develop, in consultation with the
Administrator of General Services, uniform Federal telecommunications standards and
guidelines to ensure national security, emergency preparedness, and continuity of government.

    e. General Services Administration. The Administrator of General Services shall:

    (1)  Advise the Director, OMB, and agency heads on matters affecting the  procurement of
information technology;

    (2)  Coordinate and,  when required, provide for the purchase, lease, and maintenance of
information technology required by Federal agencies;

    (3)  Develop criteria for timely procurement of information technology and delegate
procurement authority to agencies that comply with the criteria;

    (4)  Provide guidelines and regulations for Federal agencies, as authorized by law, on the
acquisition,  maintenance, and disposition of information technology, and for implementation of
Federal  Information Processing Standards;

    (5)  Develop  policies and guidelines that facilitate the sharing of information technology
among agencies as required by this Circular;

    (6)  Manage the Information Technology Fund in accordance with the Federal Property and
Administrative Services Act as amended;

    f.  Office of Personnel Management. The Director, Office of Personnel Management, shall:

    (1) Develop and conduct training programs for Federal personnel on information resources
 management including end-user computing;

    (2) Evaluate periodically future personnel management and staffing requirements for Federal
 information resources management;

    (3) Establish personnel security policies and develop training programs for Federal personnel
 associated with the design, operation, or maintenance of information systems.

    g. National Archives and Records Administration. The Archivist of the United States
 shall:

    (1) Administer the Federal records management program in accordance with the National
 Archives and Records Act;

    (2) Assist the Director, OMB, in developing standards and guidelines relating to the records
 management program.

    h. Office of Management and Budget. The Director of the Office of Management and
 Budget shall:

    (1) Provide overall leadership and coordination of Federal information resources
 management within the executive branch;

    (2) Serve as the President's principal adviser on procurement and management of Federal
 telecommunications  systems, and develop and establish policies for procurement and
 management of such  systems;

    (3)  Issue policies, procedures, and guidelines to assist agencies in achieving integrated,
 effective, and efficient information resources management;

    (4)  Initiate and review proposals for changes in legislation, regulations, and agency
 procedures to improve Federal information resources management;

    (5)  Review and approve or disapprove agency proposals for collection of information from
 the public, as defined by 5 CFR 1320.3;

    (6)  Develop and maintain a Governmentwide strategic plan for information resources
management.

    (7)  Evaluate agencies' information resources management and identify cross-cutting
information policy issues through the review of agency information programs, information
collection budgets, information technology acquisition plans, fiscal  budgets, and by other means;

    (8)  Provide policy oversight for the Federal records management function conducted by the
National Archives and Records Administration, coordinate records management policies and
programs with other information activities, and review compliance by agencies with records
management requirements;

    (9)  Review agencies' policies, practices, and programs pertaining to the security, protection,
sharing, and disclosure of information, in order to ensure compliance, with respect to privacy and
security, with the Privacy Act, the Freedom of Information Act, the Computer Security Act and
related statutes;

    (10) Resolve information technology procurement disputes between agencies and the
General Services Administration pursuant to Section 111 of the Federal Property and
Administrative Services Act;

    (11) Review proposed U.S.  Government Position and Policy statements on international
issues affecting Federal Government information activities and advise the Secretary of State as to
their consistency with Federal information resources management policy.

    (12) Coordinate the development and  review by the Office of Information and Regulatory
Affairs of policy associated with Federal procurement and acquisition of information technology
with the Office of Federal Procurement Policy.

  10. Oversight:

    a. The Director, OMB, will  use information technology planning reviews, fiscal budget
reviews, information collection budget reviews, management reviews, and such other measures
as the Director deems necessary to evaluate the adequacy and efficiency of each agency's
information resources management and compliance with this Circular.

    b. The Director, OMB, may, consistent with statute and upon written request of an agency,
grant a waiver from particular requirements of this Circular. Requests for waivers must detail the
reasons  why a particular waiver  is sought, identify the duration of the waiver sought, and include
a plan for the prompt and orderly transition to full compliance with the requirements of this
Circular. Notice of each waiver request shall be published promptly by the agency in the
Federal Register, with a copy of the waiver request made available to the public on request.

  11. Effectiveness: This Circular is effective upon issuance.  Nothing in this Circular shall be
construed to confer a private right of action on any person.

  12. Inquiries: All questions or inquiries should be addressed to the Office of Information and
Regulatory Affairs,  Office of Management and Budget, Washington, D.C.  20503. Telephone:
(202) 395-3785.
 13. Sunset Review Date:  OMB will review this Circular three years from the date of issuance
to ascertain its effectiveness.
Appendix I to OMB Circular No. A-130 - Federal Agency Responsibilities for Maintaining
Records About Individuals

1. Purpose and Scope.

This Appendix describes agency responsibilities for implementing the reporting and publication
requirements of the Privacy Act of 1974, 5 U.S.C. 552a, as amended (hereinafter "the Act"). It
applies to all agencies subject to the Act. Note that this Appendix does not rescind other
guidance OMB has issued to help agencies interpret the Privacy Act's provisions, e.g., Privacy
Act Guidelines (40 FR 28949-28978, July 9,1975), or Final Guidance for Conducting Matching
Programs (54 FR at 25819, June 19,1989).

2. Definitions.

a. The terms "agency," "individual," "maintain," "matching  program," "record," "system of
records," and "routine use," as used in this Appendix, are defined in the Act (5 U.S.C. 552a(a)).

b. Matching Agency. Generally, the Recipient Federal agency (or the Federal source agency in
a match conducted by a nonfederal agency) is the matching agency and is responsible for
meeting the reporting and publication requirements associated with the matching program.
However, in large, multi-agency matching programs, where the recipient agency is merely
performing the matches and the benefit accrues to the source agencies, the partners should assign
responsibility for compliance with the administrative requirements in a fair and reasonable way.
This may mean having the matching agency carry out these requirements for all parties, having
one participant designated to do so, or having each source agency do so for its own matching
program(s).

c. Nonfederal Agency. Nonfederal agencies are State or local governmental agencies receiving
or providing records in a matching program with a Federal agency.

d. Recipient Agency. Recipient agencies are Federal agencies or their contractors receiving
automated records  from the Privacy Act systems of records of other Federal agencies, or from
State or local governments, to be used in a matching program, as defined  in the Act.

e. Source Agency. A source agency is a Federal agency that discloses automated records from a
system of records to another Federal agency or to a State or local agency to be used in a matching
program. It is also a State or local agency that discloses records to a Federal agency for use in a
matching program.

3. Assignment of Responsibilities.

a. All  Federal Agencies. In addition to meeting the agency requirements contained in the Act
and the specific reporting and publication requirements detailed in this Appendix, the head of
 each agency shall ensure that the following reviews are conducted as often as specified below,
 and be prepared to report to the Director, OMB, the results of such reviews and the corrective
 action taken to resolve problems uncovered. The head of each agency shall:

 (1)  Section (m) Contracts. Review every two years a random sample of agency contracts that
 provide for the maintenance of a system of records on behalf of the agency to accomplish an
 agency function, in order to ensure that the wording of each contract makes the provisions of the
 Act binding on the contractor and his or her employees.  (See 5 U.S.C. 552a(m)(1))

 (2)  Recordkeeping Practices. Review biennially agency recordkeeping and disposal policies
 and practices in order to assure compliance with the Act, paying particular attention to the
 maintenance of automated records.

 (3)  Routine Use Disclosures.  Review every four years the routine use disclosures associated
 with each system of records in  order to ensure that the recipient's use of such records continues to
 be compatible with the purpose for which the disclosing agency collected the information.

 (4)  Exemption of Systems of Records. Review every four years each system of records for
 which the agency has promulgated exemption rules pursuant to Section (j) or (k) of the Act in
 order to determine whether such exemption is still needed.

 (5)  Matching Programs. Review annually each ongoing matching program in which the
 agency has participated during  the year in order to ensure that the  requirements of the Act, the
 OMB guidance, and any agency regulations, operating instructions, or guidelines  have been met.

 (6)  Privacy Act Training. Review biennially agency training practices in order  to ensure that
 all agency personnel are familiar with the requirements of the Act, with the agency's
 implementing regulation, and with any special requirements of their specific jobs.

 (7) Violations. Review biennially the actions of agency personnel that have resulted either in
 the agency being found civilly liable under Section (g) of the Act, or an employee being found
 criminally liable under the provisions of Section (i) of the Act, in order to determine the extent of
 the problem, and to find the most effective way to prevent recurrence of the problem.

 (8) Systems of Records Notices. Review biennially each system of records notice to ensure that
 it accurately describes the system of records. Where minor changes are needed, e.g., the name of
the system manager, ensure that an amended notice is published in the Federal Register.
Agencies may choose to make one annual comprehensive publication consolidating such minor
changes.  This requirement is distinguished from and in addition to the requirement to report to
OMB and Congress significant changes to systems of records and to publish those changes in the
Federal Register (See paragraph 4c of this Appendix).
 b. Department of Commerce.  The Secretary of Commerce shall, consistent with guidelines
 issued by the Director, OMB, develop and issue standards and guidelines for ensuring the
 security of information protected by the Act in automated information systems.

 c. The Department of Defense, General Services Administration, and National Aeronautics
 and Space Administration. These agencies shall, consistent with guidelines issued by the
 Director, OMB, ensure that instructions are issued on what agencies must do in order to comply
 with the requirements of Section (m) of the Act when contracting for the operation of a system of
 records to accomplish an agency purpose.

 d. Office of Personnel Management. The Director of the Office of Personnel Management
 shall, consistent with guidelines issued by the Director, OMB:

 (1)  Develop and maintain government-wide standards and procedures for civilian personnel
 information processing and recordkeeping directives to assure conformance with the Act.

 (2)  Develop and conduct Privacy Act training programs for agency personnel, including both the
 conduct of courses in various substantive areas (e.g., administrative, information technology) and
 the development of materials that agencies can use in their own courses. The assignment of this
 responsibility to OPM does not affect the responsibility of individual agency heads for
 developing and conducting training programs tailored to the specific needs of their own
 personnel.

 e. National Archives and Records Administration. The Archivist of the United States
 through the Office of the Federal Register, shall, consistent with guidelines issued by the
 Director, OMB:

 (1) Issue instructions on the format of the agency notices and rules required to be published
 under the Act.

 (2) Compile and publish every two years, the rules promulgated under 5 U.S.C. 552a(f) and
 agency notices published under 5 U.S.C. 552a(e)(4) in a form available to the public at low cost.

 (3) Issue procedures governing the transfer of records to Federal Records Centers for storage,
 processing, and servicing pursuant to 44 U.S.C.  3103. For purposes of the Act, such records are
 considered to be maintained by the agency that deposited them.  The Archivist may disclose
 deposited records only according to the access rules established by the agency that deposited
them.

 f.  Office of Management and Budget. The Director of the Office of Management and Budget
will:

   (1) Issue guidelines and directives to the agencies to implement the Act.

   (2) Assist the agencies, at their request, in implementing their Privacy Act programs.

   (3) Review new and altered system of records and matching program reports submitted
pursuant to Section (o) of the Act.

   (4) Compile the biennial report of the President to Congress in accordance with Section (s)
of the Act.

   (5) Compile and issue a biennial report on the agencies' implementation of the computer
matching provisions of the Privacy Act, pursuant to Section (u)(6) of the Act.
4. Reporting Requirements. The Privacy Act requires agencies to make the following kinds
of reports:

Report                         When Due                                         Recipient**
-----------------------------  -----------------------------------------------  --------------------
Biennial Privacy Act Report    June 30, 1996, 1998, 2000, 2002                  Administrator, OIRA
Biennial Matching Activity     June 30, 1996, 1998, 2000, 2002                  Administrator, OIRA
  Report
New System of Records Report   When establishing a system of records - at       Administrator, OIRA,
                               least 40 days before operating the system*       Congress
Altered System of Records      When adding a new routine use, exemption, or     Administrator, OIRA,
  Report                       otherwise significantly altering an existing     Congress
                               system of records - at least 40 days before
                               change to system takes place*
New Matching Program Report    When establishing a new matching program - at    Administrator, OIRA,
                               least 40 days before operating the program*      Congress
Renewal of Existing Matching   At least 40 days prior to expiration of any      Administrator, OIRA,
  Program                      one year extension of the original program -     Congress
                               treat as a new program
Altered Matching Program       When making a significant change to an existing  Administrator, OIRA,
                               matching program - at least 40 days before       Congress
                               operating an altered program*
Matching Agreements            At least 40 days prior to the start of a         Congress
                               matching program*

* Review Period: Note that the statutory reporting requirement is 30 days prior; the additional
ten days will ensure that OMB and Congress have sufficient time to review the proposal.
Agencies should therefore ensure that reports are mailed expeditiously after being signed.

** Recipient Addresses: At bottom of envelope print "PRIVACY ACT REPORT"

House of Representatives:
The Chair of the House Committee on Government Reform and Oversight, 2157 RHOB,
Washington, D.C. 20515-6143.

Senate:
The Chair of the Senate Committee on Governmental Affairs, 340 SDOB, Washington, D.C.
20510-6250.

Office of Management and Budget:
The Administrator of the Office of Information and Regulatory Affairs, Office of Management
and Budget, ATTN: Docket Library, NEOB Room 10012, Washington, D.C. 20503.

    a. Biennial Privacy Act Report. To provide the necessary information for the biennial
 report of the President, agencies shall submit a biennial report to OMB, covering their Privacy
 Act activities for the calendar years covered by the reporting period. The exact format of the
 report will be established by OMB. At a minimum, however, agencies should collect and be
 prepared to report the following data on a calendar year basis:

       (1)  A listing of publication activity during the year showing the following:

 * Total Number of Systems of Records (Exempt/NonExempt)
 * Number of New Systems of Records Added (Exempt/NonExempt)
 * Number Routine Uses Added
 * Number Exemptions Added to Existing Systems
 * Number Exemptions Deleted from Existing Systems
 * Total Number of Automated Systems of Records (Exempt/NonExempt)

 The agency should provide a brief narrative describing those activities in detail, e.g., "the
 Department added a (k)(1) exemption to an existing system of records entitled "Investigative
 Records of the Office of Investigations;" or "the agency added a new routine use to a system of
 records entitled "Employee Health Records" that would permit disclosure of health data to
 researchers under contract to the agency to perform workplace risk analysis."

      (2) A brief description of any public comments received on agency publication and
 implementation activities, and agency response.

      (3) Number of access and amendment requests from record subjects citing the Privacy
 Act that were received during the calendar year of the report. Also the disposition of requests
 from any year that were completed during the calendar year of the report:

 * Total Number of Access Requests
      Number Granted in Whole
      Number Granted in Part
      Number Wholly Denied
      Number For Which No Record Found
 * Total Amendment Requests
      Number Granted in Whole
      Number Granted in Part
      Number Wholly Denied
 * Number of Appeals of Denials of Access
      Number Granted in Whole
      Number Granted in Part
      Number Wholly Denied
      Number For Which No Record Found
 * Number of Appeals of Denials of Amendment
      Number Granted in Whole
      Number Granted in Part
      Number Wholly Denied

       (4) Number of instances in which individuals brought suit under section (g) of the
 Privacy Act against the agency and the results of any such litigation that resulted in a change to
 agency practices or affected guidance issued by OMB.

       (5) Results of the reviews undertaken in response to paragraph 3a of this Appendix.

       (6) Description of agency Privacy Act training activities conducted in accordance with
 paragraph 3a(6) of this Appendix.

    b.  Biennial Matching Activity Report (See 5 U.S.C. 552a(u)(3)(D)). At the end of each
 calendar year, the Data Integrity Board of each agency that has participated in a matching
 program will  collect data summarizing that year's matching activity. The Act requires that such
 activity be reported every two years. OMB will establish the exact format of the report, but
 agencies' Data Integrity Boards should be prepared to report the data identified below both to the
 agency head and to OMB:

       (1) A listing of the names and positions of the members of the Data Integrity Board and
 showing separately the name of the Board Secretary, his or her agency mailing address, and
 telephone number. Also show and explain any changes in membership or structure occurring
 during the reporting year.

       (2)  A listing of each matching program, by title and purpose, in which the agency
 participated during the reporting year. This listing should show names of participant agencies,
 give a brief description of the program, and give a page citation and the date of the Federal
 Register notice describing the program.

       (3)  For each matching program, an indication of whether the cost/benefit analysis
performed resulted in a favorable ratio. The Data Integrity Board should explain why the agency
proceeded with any matching program for which an unfavorable ratio was reached.

       (4)  For each program for which the Board waived a cost/benefit analysis, the reasons for
the waiver and the results of the match, if tabulated.

       (5) A description of any matching agreement the Board rejected and an explanation of
 the rejection.

       (6) A listing of any violations of matching agreements that have been alleged or
 identified, and a discussion of any action taken.

       (7) A discussion of any litigation involving the agency's participation in any matching
 program.

       (8) For any litigation based on allegations of inaccurate records, an explanation of the
 steps the agency used to ensure the integrity of its data as well as the verification process it used
 in the matching program, including an assessment of the adequacy of each.

    c. New and Altered System of Records Report.  The Act requires agencies to publish
 notices in the Federal Register describing new or altered systems of records, and to submit
 reports to OMB, and to the Chair of the Committee on Government Reform and Oversight of the
 House of Representatives, and the Chair of the Committee on Governmental Affairs of the
 Senate. The reports must be transmitted at least 40 days prior to the operation of the new system
 of records or the date on which the alteration to an existing system takes place.

       (1) Which Alterations Require a Report. Minor changes to systems of records need
 not be reported.  For example, a change in the designation of the system manager due to a
 reorganization would not require a report, so long as an individual's ability to gain access to his
 or her records is not affected.  Other examples include changing applicable safeguards as a result
 of a risk  analysis or deleting a routine use when there is no longer a need for the disclosure. The
 following changes are those for which a report is required:

                     (a) A significant increase in the number, type, or category of individuals
 about whom records are maintained.  For example, a system covering physicians that has been
 expanded to include other types of health care providers, e.g., nurses, technicians, etc., would
 require a report.  Increases attributable to normal growth should not be reported.

                     (b) A change that expands the types or categories of information
 maintained.  For example, a benefit system which originally included only earned income
 information that has been expanded to include unearned income information.

                     (c) A change that alters the purpose for which the information is used.

                     (d) A change to equipment configuration (either hardware or software)
that creates substantially greater access to the records in the system of records.  For example,
 locating interactive terminals at regional offices for accessing a system formerly accessible only
at the headquarters would require a report.
                     (e) The addition of an exemption pursuant to Section (j) or (k) of the Act.
Note that, in examining a rulemaking for a Privacy Act exemption as part of a report of a new or
altered system of records, OMB will also review the rule under applicable regulatory review
procedures and agencies need not make a separate submission for that purpose.

                     (f) The addition of a routine use pursuant to 5 U.S.C. 552a(b)(3).

       (2) Reporting Changes to Multiple Systems of Records. When an agency makes a
change to an information technology installation or a telecommunication network, or makes any
other general changes in information collection, processing, dissemination, or storage that affect
multiple systems of records, it may submit a single, consolidated report, with changes to existing
notices and supporting documentation included in the submission.

       (3) Contents of the New or Altered System Report. The report for a new or altered
system has three elements:  a transmittal letter, a narrative statement, and supporting
documentation.

                     (a) Transmittal Letter. The transmittal letter should be signed by the
senior agency official responsible for implementation of the Act within the agency and  should
contain the name and telephone number of the individual who can best answer questions about
the system of records. The  letter should contain the agency's assurance that the proposed system
does not duplicate any existing agency or government-wide systems of records. The letter sent to
OMB may also include a request for waiver of the time period for the review.  The agency
should indicate why it cannot meet the established review period and the consequences of not
obtaining the waiver. (See paragraph 4e below.) There is no  prescribed format for the letter.

                     (b) Narrative Statement.  There is also no prescribed format for the
narrative statement, but it should be brief. It should make reference, as appropriate, to
information in the supporting documentation rather than restating such information. The
statement should:

                           1. Describe the purpose for which the agency is establishing the
system of records.

                           2. Identify the authority under which the system of records is
maintained. The agency should avoid citing housekeeping statutes, but rather cite the underlying
programmatic authority for  collecting, maintaining, and using the information.  When the system
is being operated to support an agency housekeeping program, e.g., a carpool locator, the agency
may, however, cite a general housekeeping  statute that authorizes the agency head to keep such
records as necessary.

                           3. Provide the agency's evaluation of the probable or potential
effect of the proposal on the privacy of individuals.

                            4.  Provide a brief description of the steps taken by the agency to
 minimize the risk of unauthorized access to the system of records. A more detailed assessment
 of the risks and specific administrative, technical, procedural, and physical safeguards
 established shall be made available to OMB upon request.

                            5.  Explain how each proposed routine use satisfies the
 compatibility requirement of subsection (a)(7) of the Act. For altered systems, this requirement
 pertains only to any newly proposed routine use.

                            6.  Provide OMB Control Numbers, expiration dates, and titles of
 any information collection requests (e.g., forms, surveys, etc.) contained in the system of records
 and approved by OMB under the Paperwork Reduction Act.  If the request for OMB clearance
 of an information collection is pending, the agency may simply state the title of the collection
 and the date it was submitted for OMB clearance.

                     (c) Supporting Documentation. Attach the following to all new or
 altered system of records reports:

                            1. A copy of the new or altered system of records notice
 consistent with the provisions of 5 U.S.C. 552a(e)(4).  The notice must appear in the format
 prescribed by the Office of the Federal Register's Document Drafting Handbook. For proposed
 altered systems the agency should supply a copy of the original system of records notice to
 ensure that reviewers can understand the changes proposed.  If the sole change to an existing
 system of records is to add a routine use, the agency should either republish the entire system of
 records  notice, a condensed description of the system of records, or a citation to the last  full text
 Federal Register publication.

                           2.  A copy in Federal Register format of any new exemption rules
 or changes to published rules (consistent with the provisions of 5 U.S.C. 552a(f), (j), or (k)) that
 the agency proposes to issue for the new or altered system.

       (4)  OMB Review. OMB will review reports under 5 U.S.C. 552a(r) and provide
 comments if appropriate. Agencies may assume that OMB concurs in the Privacy Act aspects of
 their proposal if OMB has not commented within 40 days from the date the transmittal letter was
 signed.  Agencies should ensure that letters are transmitted expeditiously after they are signed.

      (5) Timing of Systems of Records Reports. Agencies may publish system of records
and routine use notices as well as proposed exemption rules in the Federal Register at the same
time that they send the new or altered system report to OMB and Congress. The period for OMB
and congressional review and the notice and comment period for routine uses and exemptions
will then run concurrently. Note that exemptions must be published as final rules before they are
effective.

    d.  New or Altered Matching Program Report. The Act requires agencies to publish
notices in the Federal Register describing new or altered matching programs, and to submit
reports to OMB, and to Congress. The report must be received at least 40 days prior to the
initiation of any matching activity carried out under a new or substantially altered matching
program. For renewals of continuing programs, the report must be dated at least 40 days prior to
the expiration of any existing matching agreement.

       (1) When to Report Altered Matching Programs.  Agencies need not report minor
changes  to matching programs. The term "minor change to a matching program" means a
change that does not significantly alter the terms of the agreement under which the program is
being carried out. Examples of significant changes include:

                     (a) Changing the purpose for which the program was established.

                     (b) Changing the matching population, either by including new categories
of record subjects or by greatly increasing the numbers of records matched.

                     (c) Changing the legal authority covering the matching program.

                     (d) Changing the source or recipient agencies involved in the matching
program.

       (2) Contents of New or Altered Matching Program Report.  The report for a new or
altered matching program has three elements:  a transmittal letter, a narrative statement, and
supporting documentation that includes a copy of the proposed Federal Register notice.

                     (a) Transmittal Letter. The transmittal letter should be signed by the
senior agency official responsible for implementation of the Privacy Act within the agency and
should contain the name and telephone number of the individual who can best answer questions
about the matching program. The letter should state that a copy of the matching agreement has
been distributed to Congress as the Act requires.  The letter to OMB may also include a request
for waiver of the review time period. (See 4e below.)

                     (b) Narrative Statement. There is no prescribed format for the narrative
statement, but it should be brief. It should make reference, as appropriate, to information in the
supporting documentation rather than restating such information. The statement should provide:

                           1.  A description of the purpose of the matching program and the
authority under which it is being carried out.

                           2.  A description of the security safeguards used to protect against
any unauthorized access or disclosure of records used in the match.

                           3. If the cost/benefit analysis required by Section (u)(4)(A)
 indicated an unfavorable ratio or was waived pursuant to OMB guidance, an explanation of the
 basis on which the agency justifies conducting the match.

                    (c) Supporting Documentation. Attach the following:

                           1. A copy of the Federal Register notice describing the matching
 program. The notice must appear in the format prescribed by the Office of the Federal Register's
 Document Drafting Handbook. (See 5b (3).)

                           2. For the Congressional report only, a copy of the matching
 agreement.

       (3) OMB Review. OMB will review reports under 5 U.S.C. 552a(r) and provide
 comments if appropriate.  Agencies may assume that OMB concurs in the Privacy Act aspects of
 their proposal if OMB has not commented within 40 days from the date the transmittal letter was
 signed.

       (4) Timing of Matching Program Reports.  Agencies should ensure that letters are
 transmitted expeditiously after they are  signed. Agencies may publish matching program notices
 in the Federal Register at the same time that they send the matching program report to OMB
 and Congress. The period for OMB and congressional review and the notice and comment
 period will then run concurrently.

    e. Expedited Review. The Director, OMB, may grant a waiver of the 40-day review period
 for either systems of records or matching program reviews. The agency must ask for the waiver
 in the transmittal letter and demonstrate compelling reasons. When a waiver is granted, the
 agency is not thereby relieved of any other requirement of the Act. If no waiver is granted,
 agencies may presume concurrence at the expiration of the 40 day review period if OMB has not
 commented by that time.  Note that OMB cannot waive time periods specifically established by
 the Act, such as the 30 days notice and comment period required for the adoption of a routine use
 proposal pursuant to Section (b)(3) of the Act.

 5. Publication Requirements. The Privacy Act requires agencies to publish notices or rules in
 the Federal Register in the following circumstances: when adopting a new  or altered system of
 records, when adopting a routine use, when adopting an exemption for a system of records, or
 when proposing to carry out a new or altered matching program.  (See paragraph 4c(1) and 4d(1)
 above on what constitutes an alteration requiring a report to OMB and the Congress.)

    a. Publishing New or Altered Systems of Records Notices and Exemption Rules.

       (1) Who Publishes. The agency responsible for operating the system of records makes
the necessary publication. Publication should be carried out at the departmental or agency level.
Even where a system of records is to be operated exclusively by a component, the department
rather than the component should publish the notice. Thus, for example, the Department of the
Treasury would publish a system of records notice covering a system operated exclusively by the
Internal Revenue Service. Note that if the agency is proposing to exempt the system under
Section (j) or (k) of the Act, it must publish a rule in addition to the system of records notice.

                    (a) Government-wide Systems of Records. Certain agencies publish
systems of records containing records for which they have government-wide responsibilities.
The records may be located in other agencies, but they are being used under the authority of and
in conformance with the rules mandated by the publishing agency. The Office of Personnel
Management, for example, has published a number of government-wide systems  of records
relating to the operation of the government's personnel program. Agencies should not publish
systems of records that wholly or partly duplicate existing government-wide systems of records.

                    (b) Section (m) Contract Provisions.  When an agency provides by
contract for the operation of a system of records, it should ensure that a system of records notice
describing the system has been published. It should also review the notice to ensure that it
contains a routine use under Section (e)(4)(D) of the Act permitting disclosure to  the contractor
and his or her personnel.

       (2) When to Publish.

                    (a) System Notice. The system of records notice must appear in the
Federal Register before the agency begins to operate the system, e.g., collect and use the
information.

                    (b) Routine Use. A routine use must be published in the Federal
Register 30 days before the agency discloses records pursuant to its terms.  (Note that the
addition of a routine use to an existing system of records requires a report to OMB and Congress,
and that the review period for this report is 40 days.)

                    (c) Exemption Rule.  A rule exempting a system of records under (j) or
(k) of the Act must be established through informal rulemaking pursuant to the Administrative
Procedure Act. This process generally requires publication of a proposed rule, a period during
which the public may comment, publication of a final rule, and the adoption of the final rule.
Agencies may not withhold records under an exemption until these requirements have been met.

       (3) Format. Agencies should follow the publication format contained in the Office of
the Federal Register's Document Drafting Handbook which may be obtained from the
Government Printing Office.

    b. Publishing Matching Notices.

        (1) Who Publishes. Generally, the recipient Federal agency  (or the Federal source
 agency in a match conducted by a nonfederal agency) is responsible for publishing in the
 Federal Register a notice describing the new or altered matching program. However, in large,
 multi-agency matching programs, where the recipient agency is merely performing the matches,
 and the benefit accrues to the source agencies, the partners should assign responsibility for
 compliance with the administrative requirements in a fair and reasonable way. This may mean
 having the matching agency carry out these requirements for all parties, having one participant
 designated to do so, or having each source agency do so for its own matching program(s).

        (2) Timing. Publication must occur at least 30 days prior to the initiation of any
 matching activity carried out under a new or substantially altered matching program. For
 renewals of programs agencies wish to continue past the 30 month period of initial eligibility
 (i.e., the initial 18 months plus a one year extension), publication must occur at least 30 days
 prior to the expiration of the existing matching agreement.  (But note that a report to OMB and
 the Congress is also required with a 40 day review period).

       (3) Format. The matching notice shall be in the format prescribed by the Office of the
 Federal Register's Document Drafting Handbook and contain the following information:

                     (a) The name of the Recipient Agency.

                     (b) The Name(s) of the Source Agencies.

                     (c) The beginning and ending dates of the match.

                     (d) A brief description of the matching program, including its purpose; the
 legal authorities authorizing its operation; categories of individuals involved; and identification
 of records used, including name(s) of Privacy Act Systems of records.

                     (e) The identification, address, and telephone number of a Recipient
 Agency official who will answer public inquiries about the program.

Appendix II to OMB Circular No. A-130 - Cost Accounting, Cost Recovery, and
Interagency Sharing of Information Technology Facilities [The guidance formerly found in
Appendix II has been revised and placed in Section 8b. See Transmittal No. 2, 59 FR 37906.
Appendix II has been deleted and is reserved for future topics.]

Appendix III to OMB Circular No. A-130 - Security of Federal Automated Information
Resources

A. Requirements.

1. Purpose

This Appendix establishes a minimum set of controls to be included in Federal automated
information security programs; assigns Federal agency responsibilities for the security of
automated information; and links agency automated information security programs and agency
management control systems established in accordance with OMB Circular No. A-123.  The
Appendix revises procedures formerly contained in Appendix III to OMB Circular No. A-130
(50 FR 52730; December 24, 1985), and incorporates requirements of the Computer Security Act
of 1987 (P.L. 100-235) and responsibilities assigned in applicable national security directives.

2. Definitions

The term:

    a. "adequate security" means security commensurate with the risk and magnitude of the harm
    resulting from the loss, misuse, or unauthorized access to or modification of information.
    This includes assuring that systems and applications used by the agency operate effectively
    and provide appropriate confidentiality, integrity, and availability, through the use of cost-
    effective management, personnel, operational, and technical controls.

    b. "application" means the use of information resources (information and information
    technology) to satisfy a specific set of user requirements.

   c. "general support system" or "system" means an interconnected set of information resources
   under the same direct management control which shares common functionality. A system
   normally includes hardware, software, information, data,  applications, communications, and
   people.  A system can be, for example, a local area network (LAN) including smart terminals
   that supports a branch office, an agency-wide backbone, a communications network, a
   departmental data processing center including its operating system and utilities, a tactical
   radio network, or a shared information processing service organization (IPSO).

   d. "major application" means an application that requires  special attention to security due to
   the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to
   or modification of the information in the application.  Note: All Federal applications require
   some level of protection.  Certain applications, because of the information in them, however,
   require special management oversight and should be treated as major. Adequate security for
   other applications should be provided by security of the systems in which they operate.

3. Automated Information Security Programs.  Agencies shall implement and maintain a
program to assure that adequate security is provided for all agency information collected,
processed, transmitted, stored, or disseminated in general support systems and major
applications.

Each agency's program shall implement policies, standards and procedures which are consistent
with government-wide policies, standards, and procedures issued by the Office of Management
and Budget, the Department of Commerce, the General Services Administration and the Office
of Personnel Management (OPM). Different or more stringent requirements for securing
national security information should be incorporated into agency programs as required by
appropriate national security directives. At a minimum, agency programs shall include the
following controls in their general support systems and major applications:

   a. Controls for general support systems.

       1) Assign Responsibility for Security.  Assign responsibility for security in each system
       to an individual knowledgeable in the information technology used in the system and in
       providing security for such technology.

       2) System Security Plan. Plan for adequate security of each general support system as
       part of the organization's information resources management (IRM) planning  process.
       The security plan shall be consistent with guidance issued by the National Institute of
       Standards and Technology (NIST). Independent advice and comment on the security
       plan shall be solicited prior to the plan's implementation.  A summary of the security
       plans shall be incorporated into the strategic IRM plan required by the Paperwork
       Reduction Act (44 U.S.C. Chapter 35) and Section 8(b) of this circular. Security plans
       shall include:

                   a) Rules of the System.  Establish a set of rules of behavior concerning use
                   of, security in, and the acceptable level of risk for, the system.  The rules
                   shall be based on the needs of the various users of the system.  The
                   security required by the rules shall be only as stringent as necessary to
                   provide adequate security for information in the system. Such rules shall
                   clearly delineate responsibilities and expected behavior of all individuals
                   with access to the system. They shall also include appropriate limits on
                   interconnections to other systems and shall define service provision and
                   restoration priorities.  Finally, they shall be clear about the consequences
                   of behavior not consistent with the rules.

                   b) Training. Ensure that all individuals are appropriately trained  in how to
                   fulfill  their security responsibilities before allowing them access to the
                   system. Such training shall assure that employees are versed in the rules
                    of the system, be consistent with guidance issued by NIST and OPM, and
                    apprise them about available assistance and technical security products
              and techniques. Behavior consistent with the rules of the system and
              periodic refresher training shall be required for continued access to the
              system.

              c) Personnel Controls. Screen individuals who are authorized to bypass
              significant technical and operational security controls of the system
              commensurate with the risk and magnitude of harm they could cause.
              Such screening shall occur prior to an individual being authorized to
              bypass controls and periodically thereafter.

              d) Incident Response Capability.  Ensure that there is a capability to
              provide help to users when a security incident occurs in the system and to
              share information concerning common vulnerabilities and threats. This
              capability shall share information with other organizations, consistent with
              NIST coordination, and should assist the agency in pursuing appropriate
              legal action, consistent with Department of Justice guidance.

              e) Continuity of Support.  Establish and periodically test the capability to
              continue providing service within a system based upon the needs and
              priorities of the participants of the system.

              f) Technical Security. Ensure that cost-effective security products and
              techniques are appropriately used within the system.

              g) System Interconnection.  Obtain written management authorization,
              based upon the acceptance of risk to the system, prior to connecting with
              other systems. Where connection is authorized, controls shall be
              established which are consistent with the rules of the system and in
              accordance with guidance from NIST.

3) Review of Security Controls. Review the security controls in each system when
significant modifications are made to the system, but at least every three years. The
scope and frequency of the review should be commensurate with the acceptable level of
risk for the system.  Depending on the potential risk and magnitude of harm that could
occur, consider identifying a deficiency pursuant to OMB Circular No. A-123,
"Management Accountability and  Control" and the Federal Managers' Financial Integrity
Act (FMFIA), if there is no assignment of security responsibility, no security plan, or no
authorization to process  for a system.

4) Authorize Processing. Ensure that a management official authorizes in writing the use
of each general support system based on implementation of its security plan before
beginning or significantly changing processing in the system. Use of the system shall be
   re-authorized at least every three years.

b. Controls for Major Applications.

   1) Assign Responsibility for Security. Assign responsibility for security of each major
   application to a management official knowledgeable in the nature of the information and
   process supported by the application and in the management, personnel, operational, and
   technical controls used to protect it.  This official shall assure that effective security
   products and techniques are appropriately used in the application and shall be contacted
   when a security incident occurs concerning the application.

   2) Application  Security Plan. Plan for the adequate security of each major application,
   taking into account the security of all systems in which the application will operate. The
   plan shall be consistent with guidance issued by NIST. Advice and comment on the plan
   shall be solicited from the official responsible for security in the primary system in which
   the application  will operate prior to the plan's implementation. A summary of the
   security plans shall be incorporated into the strategic IRM plan required by the
   Paperwork Reduction Act.  Application security plans shall include:

                 a) Application Rules. Establish a set of rules concerning use of and
                 behavior within the application. The rules shall be as stringent as
                necessary to provide adequate security for the application and the
                 information in it. Such rules shall clearly  delineate responsibilities and
                expected behavior of all individuals with access to the application. In
                addition, the rules shall be clear about the  consequences of behavior not
                consistent with the rules.

                b) Specialized Training.  Before allowing individuals access to the
                application, ensure that all individuals receive specialized training focused
                on their responsibilities and the application rules.  This may be in addition
                to the training required for access to a system. Such training may vary
                from a notification at the time of access (e.g., for members of the public
                using an information retrieval application) to formal training (e.g., for an
                employee that works with a high-risk application).

                c) Personnel Security. Incorporate controls such as separation  of duties,
                least privilege and individual accountability into the application and
                application rules as appropriate. In cases where such controls cannot
                adequately protect the application or information in it, screen individuals
                commensurate with the risk and magnitude of the harm they could cause.
                Such screening shall be done prior to the individuals' being authorized to
                access the application and periodically thereafter.

                    d) Contingency Planning.  Establish and periodically test the capability to
                    perform the agency function supported by the application in the event of
                    failure of its automated support.

                    e) Technical Controls.  Ensure that appropriate security controls are
                    specified, designed into, tested, and accepted in the application in
                    accordance with appropriate guidance issued by NIST.

                     f) Information Sharing. Ensure that information shared from the
                    application is protected appropriately, comparable to the protection
                    provided when information is within the application.

                    g) Public Access Controls.  Where an agency's application promotes or
                     permits public access, additional security controls shall be added to protect
                    the integrity of the application and the confidence the public has in the
                    application. Such controls shall include segregating information made
                    directly accessible to the public from official agency records.

       3) Review of Application Controls.  Perform an independent review or audit of the
       security controls in each application at least every three years.  Consider identifying a
       deficiency pursuant to OMB Circular No. A-123, "Management Accountability and
       Control" and the Federal Managers' Financial Integrity Act if there is no assignment of
       responsibility for security, no security plan, or no authorization to process for the
       application.

       4) Authorize Processing. Ensure that a management official authorizes in writing use of
       the application by confirming that its security plan as implemented adequately secures the
       application.  Results of the most recent review or audit of controls shall be a factor in
       management authorizations. The application must be authorized prior to operating and
       re-authorized at least every three years thereafter. Management authorization implies
       accepting the risk of each system used by the application.

4. Assignment of Responsibilities

   a. Department of Commerce. The Secretary of Commerce shall:

       1) Develop and issue appropriate standards and guidance for the security of sensitive
       information in Federal computer systems.

       2) Review and update guidelines for training in computer security awareness and
        accepted computer security practice, with assistance from OPM.

     3) Provide agencies guidance for security planning to assist in their development of
    application and system security plans.

    4) Provide guidance and assistance, as appropriate, to agencies concerning cost-effective
    controls when interconnecting with other systems.

    5) Coordinate agency incident response activities to promote sharing of incident response
    information and related vulnerabilities.

    6) Evaluate new information technologies to assess their security vulnerabilities, with
    technical assistance from the Department of Defense, and apprise Federal agencies of
    such vulnerabilities as soon as they are known.

 b. Department of Defense. The Secretary of Defense shall:

    1) Provide appropriate technical advice and assistance (including work products) to the
    Department of Commerce.

    2) Assist the Department of Commerce in evaluating the vulnerabilities of emerging
    information technologies.

 c. Department of Justice. The Attorney General shall:

    1) Provide appropriate guidance to agencies on legal remedies regarding security
    incidents and ways to report and work with law enforcement concerning such incidents.

    2) Pursue appropriate legal actions when security incidents occur.

 d. General Services Administration. The Administrator of General Services shall:

    1) Provide guidance to agencies on addressing security considerations when acquiring
     automated data processing equipment (as defined in section 111(a)(2) of the Federal
    Property and Administrative Services Act of 1949, as amended).

    2) Facilitate the  development of contract vehicles for agencies to use in the acquisition  of
    cost-effective security products and services (e.g., back-up services).

    3) Provide appropriate security services to meet the needs of Federal agencies to the
    extent that such  services are cost-effective.

e. Office of Personnel Management. The Director of the Office of Personnel Management
shall:
       1) Assure that its regulations concerning computer security training for Federal civilian
       employees are effective.

       2) Assist the Department of Commerce in updating and maintaining guidelines for
       training in computer security awareness and accepted computer security practice.

    f. Security Policy Board. The Security Policy Board shall coordinate the activities of the
    Federal government regarding the security of information technology that processes
    classified information in accordance with applicable national security directives.

 5. Correction of Deficiencies and Reports

    a. Correction of Deficiencies. Agencies shall correct deficiencies which are identified
    through the reviews of security for systems and major applications described above.

    b. Reports on Deficiencies.  In accordance with OMB Circular No. A-123, "Management
    Accountability and Control", if a deficiency in controls is judged by the agency head to be
    material when weighed against other agency deficiencies, it shall be included in the annual
    FMFIA report. Less significant deficiencies shall be reported and progress on corrective
    actions tracked at the appropriate agency level.

    c. Summaries of Security Plans.  Agencies shall include a summary of their system security
    plans and major application plans in the strategic plan required by the Paperwork Reduction
    Act (44 U.S.C. 3506).

 B. Descriptive Information.

 The following descriptive language is explanatory. It is included to assist in understanding the
 requirements of the Appendix.

 The Appendix re-orients the Federal computer security program to better respond to a rapidly
 changing technological environment. It establishes government-wide responsibilities for Federal
 computer security and requires Federal agencies to adopt a minimum set of management
 controls. These management controls are directed at individual information technology users in
 order to reflect the distributed nature of today's technology.

 For security to be most effective, the controls must be part of day-to-day operations. This is best
accomplished by planning for security not as a separate activity, but as an integral part of overall
planning.

 "Adequate security" is defined as "security commensurate with the risk and magnitude of harm
resulting from the loss, misuse, or unauthorized access to or modification of information."  This
 definition explicitly emphasizes the risk-based policy for cost-effective security established by
 the Computer Security Act.

 The Appendix no longer requires the preparation of formal risk analyses. In the past, substantial
 resources have been expended doing complex analyses of specific risks to systems, with limited
 tangible benefit in terms of improved security for the systems. Rather than continue to try to
 precisely measure risk, security efforts are better served by generally assessing risks and taking
 actions to manage them. While formal risk analyses need not be performed, the need to
 determine adequate security will require that a risk-based approach be used. This risk assessment
 approach should include a consideration of the major factors in risk management: the value of
 the system or application, threats, vulnerabilities, and the effectiveness of current or proposed
 safeguards.  Additional guidance on effective risk assessment is available in "An Introduction to
 Computer Security: The NIST Handbook" (March 16, 1995).

 Discussion of the Appendix's Major Provisions.  The following discussion is provided to aid
 reviewers in understanding the changes in emphasis in the Appendix.

 Automated Information Security Programs.  Agencies are required to establish controls to assure
 adequate security for all information processed, transmitted, or stored  in Federal automated
 information systems.  This Appendix emphasizes management controls affecting individual users
 of information technology.  Technical and operational controls support management controls. To
 be effective, all must interrelate.  For example, authentication of individual users is an important
 management control, for which password protection is a technical control. However, password
 protection will only be effective if both a strong technology is employed, and it is managed to
 assure that it is used correctly.

 Four controls are set forth: assigning responsibility for security, security planning, periodic
 review of security controls, and management authorization.  The Appendix requires that these
 management controls be applied in two areas of management responsibility:  one for general
 support systems and one for major applications.

 The terms "general support system" and "major application" were used in OMB Bulletins Nos.
 88-16 and 90-08. A general support system is "an interconnected set of information resources
 under the same direct management control which shares common functionality." Such a system
 can be, for example, a local area network (LAN) including smart terminals that supports a branch
 office, an agency-wide backbone, a communications network, a departmental data processing
 center including its operating system and utilities, a tactical radio network, or a shared
 information processing service organization. Normally, the purpose of a general support system
 is to provide processing or communications support.

 A major application is a use of information and information technology to satisfy a specific set of
 user requirements that requires special management attention to security due to the risk and
magnitude of harm resulting from the loss, misuse or unauthorized access to or modification  of

the information in the application. All applications require some level of security, and adequate
security for most of them should be provided by security of the general support systems in which
they operate.  However, certain applications, because of the nature of the information in them,
require special management oversight and should be treated as major.  Agencies are expected to
exercise management judgement in determining which of their applications are major.

The focus of OMB Bulletins Nos. 88-16 and 90-08 was on identifying and securing both general
support systems and applications which contained sensitive information. The Appendix requires
the establishment of security controls in all general support systems, under the presumption that
all contain some sensitive information, and focuses extra security controls on a limited number of
particularly high-risk or major applications.

a. General Support Systems. The following controls are required in all general support systems:

   1) Assign Responsibility for Security. For each system, an individual should be a focal point
   for assuring there is adequate security within the system, including ways to prevent, detect,
   and recover from security problems.  That responsibility should be assigned in writing to an
   individual trained in the technology used in the system and in providing security for such
   technology, including the management of security controls such as user identification and
   authentication.

   2) Security Plan.  The Computer Security Act requires that security plans be developed for all
   Federal computer systems that contain sensitive information.  Given the expansion of
   distributed processing since passage of the Act, the presumption in the Appendix is that all
   general support systems contain some sensitive information which requires protection to
   assure its integrity, availability, or confidentiality, and therefore all systems require security
   plans.

   Previous guidance on security planning was contained in OMB Bulletin No. 90-08. This
   Appendix  supersedes OMB Bulletin 90-08 and expands the coverage of security plans from
   Bulletin 90-08 to include rules of individual behavior as well as technical security.
   Consistent with OMB Bulletin 90-08, the Appendix directs NIST to update and expand
   security planning guidance and issue it as a Federal Information Processing Standard (FIPS).
   In the interim, agencies should continue to use the Appendix of OMB Bulletin No. 90-08 as
   guidance for the technical portion of their security plans.

   The Appendix continues the requirement that independent advice and comment on the
   security plan for each system be sought. The intent of this requirement is to improve the
   plans, foster communication between managers of different systems, and promote the sharing
   of security expertise.

   This Appendix also continues the requirement from the Computer Security Act that
   summaries of security plans be included in agency strategic information resources

management plans.  OMB will provide additional guidance about the contents of those
strategic plans, pursuant to the Paperwork Reduction Act of 1995.

The following specific security controls should be included in the security plan for a general
support system:

   a) Rules.  An important new requirement for security plans is the establishment of a set of
   rules of behavior for individual users of each general support system. These rules should
   clearly delineate responsibilities of and expectations for all individuals with access to the
   system. They should be consistent with system-specific policy as described in "An
   Introduction to Computer Security: The NIST Handbook" (March 16, 1995). In
   addition, they should state the consequences of non-compliance. The rules should be in
   writing and will form the basis for security awareness and training.

   The development of rules for a system must take into consideration the needs of all
   parties who use the system. Rules should be as stringent as necessary to provide adequate
   security. Therefore, the acceptable level of risk for the system must be established and
   should form the basis for determining the rules.

   Rules should cover such matters as work at home, dial-in access, connection to the
   Internet, use of copyrighted works, unofficial use of government equipment, the
   assignment and limitation of system privileges, and individual accountability. Often
   rules should reflect technical security controls in the system. For example, rules
   regarding password use should be consistent with technical password features in the
   system. Rules may be enforced through administrative sanctions specifically related to
   the system (e.g. loss of system privileges) or through more general sanctions as are
   imposed for violating other rules of conduct. In addition, the rules should specifically
   address restoration of service as a concern of all users of the system.

   b) Training. The Computer Security Act requires Federal agencies to provide for the
   mandatory periodic training in computer security awareness and accepted computer
   security practice of all employees who are involved with the management,  use or
   operation of a Federal computer system within or under the supervision of the Federal
   agency.  This includes contractors as well as employees of the agency. Access provided
   to members of the public should be constrained by controls in the applications through
   which access is allowed, and training should be within the context of those controls.  The
   Appendix enforces such mandatory training by requiring its completion prior to granting
   access to the system. Each new user of a general  support system in some sense
   introduces a risk to all other users. Therefore, each user should be versed in acceptable
  behavior - the rules of the system - before being allowed to use the system.  Training
  should also inform the individual how to get help in the event of difficulty with using or
  security of the system.
Training should be tailored to what a user needs to know to use the system securely,
given the nature of that use. Training may be presented in stages, for example as more
access is granted.  In some cases, the training should be in the form of classroom
instruction. In other cases,  interactive computer sessions or well-written and
understandable brochures may be sufficient, depending on the risk and magnitude of
harm.

Over time, attention to security tends to dissipate.  In addition, changes to a system may
necessitate a change in the rules or user procedures. Therefore, individuals should
periodically have refresher training to assure that they continue to understand and abide
by the applicable rules.

To assist agencies, the Appendix requires NIST, with assistance from the Office of
Personnel Management (OPM), to update its existing guidance. It also proposes that
OPM assure that its rules for computer security training for Federal civilian employees
are effective.

c) Personnel Controls. It has long been recognized that the greatest harm has come from
authorized individuals engaged in improper activities, whether intentional or accidental.
In every general support system, a number of technical, operational, and management
controls are used to prevent and detect harm. Such controls include individual
accountability, "least privilege," and separation of duties.

Individual accountability consists of holding someone responsible for his or her actions.
In a general support system, accountability is normally accomplished by identifying and
authenticating users of the system and subsequently tracing actions on the system to the
user who initiated them.  This may be done, for example, by looking for patterns of
behavior by users.

Least privilege is the practice of restricting a user's access (to data files, to processing
capability, or to peripherals) or type of access (read, write, execute, delete) to the
minimum necessary to perform his or her job.

Separation of duties is the practice of dividing the steps in a critical function among
different individuals.  For example, one system programmer can create a critical piece of
operating system code, while another authorizes its implementation. Such a control
keeps a single individual from  subverting a critical process.

Nevertheless, in some instances, individuals may be given the ability to bypass some
significant technical and operational controls in order to perform system administration
and maintenance functions (e.g., LAN administrators or systems programmers).
Screening such individuals  in positions of trust will supplement technical, operational,
and management controls, particularly where the risk and magnitude of harm is high.
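The three personnel controls described above can be made concrete in code. The following Python model is an added example; it is not part of this Circular or of any NIST guidance, and the user names, privilege table and change-approval workflow in it are constructed for illustration. It enforces least privilege with an explicit (resource, action) privilege table, separation of duties by refusing to let the individual who submits a change also approve it, and individual accountability by recording every decision against the user who initiated it, so that patterns of behavior such as repeated denied attempts can be traced back to a user.

```python
"""Added example, not part of OMB Circular A-130: a minimal access-control
model that enforces the three personnel controls the Appendix names.
User names, the privilege table and the change-approval workflow are
constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Least privilege: each user holds only the (resource, action) pairs the job
# needs. Actions are the Appendix's read / write / execute / delete.
PRIVILEGES: Dict[str, Set[Tuple[str, str]]] = {
    "alice": {("os_patch", "read"), ("os_patch", "write")},    # system programmer: writes patches
    "bob":   {("os_patch", "read"), ("os_patch", "execute")},  # authorizes installation
    "carol": {("payroll", "read")},                            # clerk: read-only
}


@dataclass
class AuditRecord:
    when: str
    user: str
    target: str
    action: str
    allowed: bool
    reason: str


@dataclass
class System:
    audit: List[AuditRecord] = field(default_factory=list)
    pending: Dict[str, str] = field(default_factory=dict)  # change id -> submitter

    def _log(self, user: str, target: str, action: str, allowed: bool, reason: str) -> bool:
        # Individual accountability: every decision is recorded against the
        # authenticated user who initiated it.
        self.audit.append(AuditRecord(datetime.now(timezone.utc).isoformat(),
                                      user, target, action, allowed, reason))
        return allowed

    def authorize(self, user: str, resource: str, action: str) -> bool:
        """Least-privilege check against the privilege table."""
        held = (resource, action) in PRIVILEGES.get(user, set())
        return self._log(user, resource, action, held, "privilege held" if held else "no privilege")

    def submit_change(self, user: str, change_id: str) -> bool:
        """Step one of the critical function: creating the code change."""
        if not self.authorize(user, "os_patch", "write"):
            return False
        self.pending[change_id] = user
        return True

    def approve_change(self, user: str, change_id: str) -> bool:
        """Step two, separated from step one: the submitter can never approve
        their own change, and the approver must hold execute privilege."""
        submitter = self.pending.get(change_id)
        if submitter is None:
            return self._log(user, change_id, "approve", False, "unknown change")
        if submitter == user:
            return self._log(user, change_id, "approve", False, "submitter may not approve own change")
        if not self.authorize(user, "os_patch", "execute"):
            return False
        del self.pending[change_id]
        return self._log(user, change_id, "approve", True, "approved by a second individual")

    def denied_attempts(self, user: str) -> int:
        """Trace actions back to their initiator; repeated denials are one
        pattern of behavior a reviewer would look for."""
        return sum(1 for r in self.audit if r.user == user and not r.allowed)


if __name__ == "__main__":
    s = System()
    s.submit_change("alice", "CHG-1")
    print(s.approve_change("alice", "CHG-1"))        # False: same individual
    print(s.approve_change("bob", "CHG-1"))          # True: second individual with execute privilege
    print(s.authorize("carol", "payroll", "write"))  # False: outside least privilege
    for r in s.audit:
        print(r)
```

The point of the model is that the control is in the check, not in the privilege table alone: alice holds every privilege needed to write the patch, and bob every privilege needed to install it, yet neither can carry the critical function through on their own, and the audit trail shows who tried.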

 d) Incident Response Capability. Security incidents, whether caused by viruses, hackers,
 or software bugs, are becoming more common. When faced with a security incident, an
 agency should be able to respond in a manner that both protects its own information and
 helps to protect the information of others who might be affected by the incident. To
 address this concern, agencies should establish formal incident response mechanisms.
 Awareness and training for individuals with access to the system should include how to
 use the system's incident response capability.

 To be fully effective, incident handling must also include sharing information concerning
 common vulnerabilities and threats with those in other systems and other agencies.  The
 Appendix directs agencies to effectuate such sharing, and tasks NIST to coordinate those
 agency activities government-wide.

 The Appendix also directs the Department of Justice to provide appropriate guidance on
 pursuing legal remedies in the case of serious incidents.

 e) Continuity of Support.  Inevitably, there will be service interruptions. Agency plans
 should assure that there is an ability to recover and provide service sufficient to meet the
 minimal needs of users of the system. Manual procedures are generally NOT a viable
 back-up option. When automated support is not available, many functions of the
 organization will effectively cease. Therefore, it is important to take cost-effective steps
 to manage any disruption of service.

 Decisions on the level of service needed at any particular time and on priorities in service
 restoration should be made in consultation with the users of the system and incorporated
 in the system rules. Experience has shown that recovery plans that are periodically tested
 are substantially more viable than those that are not.  Moreover, untested plans may
 actually create a false sense of security.

 f) Technical Security. Agencies should assure that each system appropriately uses
 effective security products and techniques, consistent with standards and guidance from
 NIST. Often such techniques will correspond with system rules of behavior, such as in
 the proper use of password protection.

 The Appendix directs NIST to continue to issue computer security guidance to assist
 agencies in planning for and using technical security products and techniques. Until such
 guidance is issued, however, the planning guidance included in OMB Bulletin 90-08 can
 assist in determining techniques for effective security in a system and in addressing
 technical controls in the security plan.

g) System Interconnection.  In order for a community to effectively manage risk, it must
control access to and from other systems.  The degree of such control should be
established in the rules of the system and all participants should be made aware of any

    limitations on outside access. Technical controls to accomplish this should be put in
    place in accordance with guidance issued by NIST.

    There are varying degrees of how connected a system is.  For example, some systems will
    choose to isolate themselves, others will restrict access such as allowing only e-mail
    connections or remote access only with sophisticated authentication, and others will be
    fully open. The management decision to interconnect should be based on the availability
    and use of technical and non-technical safeguards and consistent with the acceptable level
    of risk defined in the system rules.

 3) Review of Security Controls. The security of a system will degrade over time, as the
 technology evolves and as people and procedures change. Reviews should assure that
 management, operational, personnel, and technical controls are functioning effectively.
 Security controls may be reviewed by an independent audit or a self review.  The type and
 rigor of review or audit should be commensurate with the acceptable level of risk that is
 established in the rules for the system and the likelihood of learning useful information to
 improve security. Technical tools such as virus scanners, vulnerability assessment products
 (which  look for known security problems, configuration errors, and the installation of the
 latest patches), and penetration testing can assist in the on-going review of different facets of
 systems. However, these tools are no substitute for a formal management review at least
 every three years.  Indeed, for some high-risk systems with rapidly changing technology,
 three years will be too long.

 Depending upon the risk and magnitude of harm that could result, weaknesses identified
 during the review of security controls should be reported as deficiencies in accordance with
 OMB Circular No. A-123, "Management Accountability and Control" and the Federal
 Managers' Financial Integrity Act. In particular, if a basic management control such as
 assignment of responsibility, a workable security plan, or management authorization is
 missing, then consideration should be given to identifying a deficiency.

4) Authorize Processing.  The authorization of a system to process information, granted by a
 management official, provides an important quality control (some agencies refer to this
 authorization as accreditation). By authorizing processing in a system, a manager accepts the
risk associated with it. Authorization is not a decision that should be made by the security
staff.

Both the security official and the authorizing management official have security
responsibilities.  In general, the security official is closer to the day-to-day operation of the
system and will direct or perform security tasks. The authorizing official will normally have
general  responsibility for the organization supported by the system.

Management authorization should be based on an assessment of management, operational,
and technical controls. Since the security plan establishes the security controls, it should

    form the basis for the authorization, supplemented by more specific studies as needed. In
    addition, the periodic review of controls should also contribute to future authorizations.
    Some agencies perform "certification reviews" of their systems periodically.  These formal
    technical evaluations lead to a management accreditation, or "authorization to process." Such
    certifications (such as those using the methodology in FIPS Pub 102 "Guideline for
    Computer Security Certification and Accreditation") can provide useful information to assist
    management in authorizing a system, particularly when combined with a review of the broad
    behavioral controls envisioned in the security plan required by the Appendix.

    Re-authorization should occur prior to a significant change in processing, but at least every
    three years. It should be done more often where there is a high risk and potential magnitude
    of harm.

b. Controls in Major Applications. Certain applications require special management attention
due to the risk and  magnitude of harm that could occur. For such applications, the controls of the
support system(s) in which they operate are likely to be insufficient.  Therefore, additional
controls specific to the application are required. Since the function of applications is the direct
manipulation and use of information, controls for securing  applications should emphasize
protection of information and the way it is manipulated.

    1) Assign Responsibility for Security.  By definition, major applications are high risk and
   require special management attention.  Major applications usually support a single agency
   function and often are supported by more  than one general support system. It is important,
   therefore, that an individual be assigned responsibility in writing to assure that the particular
   application has  adequate security. To be effective, this  individual should be knowledgeable
   in the information and process supported by the application and in the management,
   personnel, operational, and  technical controls used to protect the application.

   2) Application Security Plans.  Security for each major  application should be addressed by a
   security plan specific to the application. The plan should include controls specific to
   protecting information and should be developed from the application manager's perspective.
   To assist in assuring its viability, the plan  should be provided to the manager of the primary
   support system which the application uses for advice and comment. This recognizes the
   critical dependence of the security of major applications on the underlying support systems
   they use. Summaries of application security plans should be included in strategic
   information resource management plans in accordance with this Circular.

      a) Application Rules. Rules of behavior should be established which delineate the
      responsibilities and expected behavior of all individuals with access to the application.
      The rules should state the consequences of inconsistent behavior.  Often the rules will be
      associated with technical controls implemented in the application. Such rules should
      include, for  example, limitations on changing data, searching databases, or divulging
      information.

 b) Specialized Training.  Training is required for all individuals given access to the
 application, including members of the public.  It should vary depending on the type of
 access allowed and the risk that access represents to the security of the application and
 information in it. This training will be in addition to that required for access to a support
 system.

 c) Personnel Security.  For most major applications, management controls such as
 individual accountability requirements, separation of duties enforced by access controls,
 or limitations on the processing privileges of individuals, are generally more cost-
 effective personnel security controls than background screening.  Such controls should be
 implemented as both technical controls and as application rules.  For example, technical
 controls to ensure individual accountability, such as looking for patterns of user behavior,
 are most effective if users are aware that there is such a technical control.  If adequate
 audit or access controls (through both technical and non-technical methods) cannot be
 established, then it may be cost-effective to screen personnel, commensurate with the risk
 and magnitude of harm they could cause. The change in emphasis on screening in the
 Appendix should not affect background screening deemed necessary because of other
 duties that an individual may perform.

 d) Contingency Planning. Normally the Federal mission supported by a major
 application is critically dependent on the application.  Manual processing is generally
 NOT a viable back-up option.  Managers should plan for how they will perform their
 mission and/or recover from the loss of existing application support, whether the loss is
 due to the inability of the application to function or a general support system failure.
 Experience has demonstrated that testing a contingency plan significantly improves its
 viability.  Indeed, untested plans or plans not tested for a long period of time may create a
 false sense of ability to recover in a timely manner.

 e) Technical Controls.  Technical security controls, for example tests to filter invalid
 entries, should be built into each application. Often these controls will correspond with
 the rules of behavior for the application. Under the previous Appendix, application
 security was focused on the process by which sensitive, custom applications were
 developed. While that process is not addressed in detail in this Appendix, it remains an
 effective method for assuring that security controls are built into applications.
 Additionally, the technical security controls defined in OMB Bulletin No. 90-08 will
 continue, until that guidance is replaced by NIST's security planning guidance.

 f) Information Sharing. Assure that information which is shared with Federal
organizations, State and local governments, and the private sector is appropriately
protected comparable to the protection provided when the information is within the
application. Controls on the information may  stay the same or vary when the information
 is shared with another entity.  For example, the primary user of the information may
require a high level of availability while the secondary user does not, and can therefore

    relax some of the controls designed to maintain the availability of the information.  At the
    same time, however, the information shared may require a level of confidentiality that
    should be extended to the secondary user. This normally requires notification and
    agreement to protect the information prior to its being shared.

    g) Public Access Controls. Permitting public access to a Federal application is an
    important method of improving information exchange with the public. At the same time,
    it introduces risks to the Federal application. To mitigate these risks, additional controls
    should be in place as appropriate. These controls are in addition to controls such as
    "firewalls" that are put in place for security of the general support system.

    In general, it is more difficult to apply conventional controls to public access systems,
    because many of the users of the system may not be subject to individual accountability
    policies.  In addition, public access systems may be a target for mischief because  of their
    higher visibility and published access methods.

    Official records need to be protected against loss or alteration. Official records in
    electronic form are particularly susceptible since they can be relatively easy to change or
    destroy. Therefore,  official records should be segregated from information made  directly
    accessible to the public.  There are different ways to segregate records. Some agencies
    and organizations are creating dedicated information dissemination systems (such as
    bulletin boards or World Wide Web servers) to support this function. These systems can
    be on the outside of secure gateways which protect internal agency records from outside
    access.

    In order to secure applications that allow direct public access, conventional techniques
    such as least privilege (limiting the processing capability as well as access to data) and
    integrity assurances  (such as  checking for viruses, clearly labeling the age of data, or
    periodically spot checking data) should also be used.  Additional guidance on securing
    public access systems is available from NIST Computer Systems Laboratory Bulletin
    "Security Issues in Public Access Systems" (May, 1993).
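As an added example, not part of this Circular or of the NIST bulletin cited above, the following Python code shows the segregation and integrity assurances just described: official records are copied into a separate public set that stands for the dissemination system, each copy is labelled with the date it was published, and a manifest of record hashes kept on the official side supports periodic spot checks of the public copies. The record names, their contents and the manifest format are constructed for illustration.

```python
"""Added example, not part of OMB Circular A-130: segregating official
records from public-access copies and spot-checking the copies for alteration.
Record names, contents and the manifest format are constructed for illustration."""
import hashlib
import json
from datetime import date
from typing import Dict, List, Tuple

# Constructed sample of official records: the authoritative store, which a
# real deployment keeps behind the secure gateway.
OFFICIAL_RECORDS: Dict[str, bytes] = {
    "notice-1": b"Final rule text",
    "notice-2": b"Fee schedule",
}


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def publish(official: Dict[str, bytes], published_on: str) -> Tuple[Dict[str, bytes], str]:
    """Copy records to the public side.

    The returned dictionary stands for the dissemination system (bulletin
    board or web server). It is a separate object, so changes made there never
    reach the official store. Each copy carries the date it was published
    (the Appendix's "clearly labeling the age of data"), and the manifest
    records a hash of every copy as it left the official side. The manifest
    must stay on the official side: one stored beside the public copies could
    be altered together with them.
    """
    public: Dict[str, bytes] = {}
    manifest = {"published_on": published_on, "records": {}}
    for name, body in official.items():
        label = f"# Published {published_on} from official record {name}\n"
        copy = label.encode() + body
        public[name] = copy
        manifest["records"][name] = _digest(copy)
    return public, json.dumps(manifest, sort_keys=True)


def spot_check(public: Dict[str, bytes], manifest_json: str, sample: List[str]) -> Dict[str, str]:
    """Periodic spot check: recompute the hash of each sampled public copy and
    compare it with the manifest. Verdicts: 'ok', 'altered' or 'missing'."""
    expected = json.loads(manifest_json)["records"]
    verdicts: Dict[str, str] = {}
    for name in sample:
        if name not in public:
            verdicts[name] = "missing"
        elif _digest(public[name]) != expected.get(name):
            verdicts[name] = "altered"
        else:
            verdicts[name] = "ok"
    return verdicts


def age_in_days(manifest_json: str, today: str) -> int:
    """Age of the published set (ISO dates), for labelling or deciding when to republish."""
    published = date.fromisoformat(json.loads(manifest_json)["published_on"])
    return (date.fromisoformat(today) - published).days


if __name__ == "__main__":
    public, manifest = publish(OFFICIAL_RECORDS, "1996-02-08")
    print(spot_check(public, manifest, list(OFFICIAL_RECORDS)))
    public["notice-2"] = public["notice-2"].replace(b"Fee", b"Free")  # tamper with the public copy
    print(spot_check(public, manifest, ["notice-2"]))
    print(OFFICIAL_RECORDS["notice-2"])  # the official record is unchanged
    print(age_in_days(manifest, "1996-03-09"), "days old")
```

A detected alteration on the public side is repaired by republishing from the official store; the check only works because the official copy and its hash were never reachable from the public system.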

3) Review of Application Controls.  At least every three years, an independent review or
audit of the security controls for  each major application should be performed.  Because of the
higher risk involved in major applications, the review or audit should be independent  of the
manager responsible for the application. Such reviews should verify that responsibility for
the security of the application has been assigned, that a viable security plan for the
application is in place, and that a manager has authorized the processing of the application.
A deficiency in any of these controls should be considered a deficiency pursuant to the
Federal Managers' Financial Integrity Act and OMB Circular No. A-123, "Management
Accountability and Control."
   The review envisioned here is different from the system test and certification process
   required in the current Appendix. That process, however, remains useful for assuring that
   technical security features are built into custom-developed software applications. While the
   controls in that process are not specifically called for in this Appendix, they remain in
   Bulletin No. 90-08, and are recommended in appropriate circumstances as technical controls.

   4) Authorize Processing. A major application should be authorized by the management
   official responsible for the function supported by the application at least every three years,
   but more often where the risk and magnitude of harm is high. The intent of this requirement
   is to assure that the senior official whose mission will be adversely affected by security
   weaknesses in the application periodically assesses and accepts the risk of operating the
   application. The authorization should be based on the application security plan and any
   review(s) performed on the application. It should also take into account the risks from the
   general support systems used by the application.

4. Assignment of  Responsibilities. The Appendix assigns government-wide responsibilities to
agencies that are consistent with their missions and the Computer Security Act.

   a. Department of Commerce.  The Department of Commerce, through NIST, is assigned the
   following responsibilities consistent with the Computer Security Act.

       1) Develop and issue security standards and guidance.

       2) Review and update, with assistance from OPM, the guidelines for security training
       issued in 1988 pursuant to the Computer Security Act to assure they are effective.

       3) Replace and update the technical planning guidance in the appendix to OMB Bulletin
       90-08. This should include guidance on effective risk-based security absent a formal risk
       analysis.

      4) Provide agencies with guidance and assistance concerning effective controls for
      systems when interconnecting with other systems, including the Internet. Such guidance
      on, for example, so-called "firewalls" is becoming widely available and is critical to
      agencies as they consider how to interconnect their communications capabilities.

      5) Coordinate agency incident response activities. Coordination of agency incident
      response activities should address both threats and vulnerabilities as well as improve the
      ability of the Federal government for rapid and effective cooperation in response to
      serious security breaches.

      6) Assess security vulnerabilities in new information technologies and apprise Federal
      agencies of such vulnerabilities. The intent of this new requirement is to help agencies
      understand the security implications of technology before they purchase and field it. In
      the past, there have been too many instances where agencies have acquired and
      implemented technology, then found out about vulnerabilities in the technology and had
      to retrofit security measures.  This activity is intended to help avoid such difficulties in
      the future.

 b. Department of Defense. The Department, through the National Security Agency, should
 provide technical advice and assistance to NIST, including work products such as technical
 security guidelines, which NIST can draw upon for developing standards and guidelines for
 protecting sensitive information in Federal computers.

 Also, the Department, through the National Security Agency, should assist NIST in
 evaluating vulnerabilities in emerging technologies. Such vulnerabilities may present a risk
 to national security information as well as to unclassified information.

 c. Department of Justice.  The Department of Justice should provide appropriate guidance to
 Federal agencies on legal remedies available to them when serious security incidents occur.
 Such guidance should include ways to report incidents and cooperate with law enforcement.

 In addition, the Department should pursue appropriate legal actions on behalf of the Federal
 government when serious security incidents occur.

 d. General Services Administration.  The General Services Administration should provide
 agencies guidance for addressing security considerations when acquiring information
 technology products or services.  This continues the current requirement.

 In addition, where cost-effective to do so, GSA should establish government-wide contract
 vehicles for agencies to use to acquire certain security services. Such vehicles already exist
 for providing system back-up support and conducting security analyses.

 GSA should also provide appropriate security services to assist Federal agencies to the extent
 that provision of such services is cost-effective. This includes providing, in conjunction with
 the Department of Defense and the Department of Commerce, appropriate services which
 support Federal use of the National Information Infrastructure (e.g., use of digital signature
 technology).

 e. Office of Personnel Management.  In accordance with the Computer Security Act, OPM
 should review its regulations concerning computer security training and assure that they are
 effective.

 In addition, OPM should assist the Department of Commerce in the review and update of its
 computer security awareness and training guidelines.  OPM worked closely with NIST in
 developing the current guidelines and should work with NIST in revising those guidelines.

    f. Security Policy Board. The Security Policy Board is assigned responsibility for national
    security policy coordination in accordance with the appropriate Presidential directive.  This
    includes policy for the security of information technology used to process classified
    information.

    Circular A-130 and this Appendix do not apply to information technology that supports
    certain critical national security missions, as defined in 44 U.S.C. 3502(9) and 10 U.S.C.
    2315.  Policy and procedural requirements for the security of national security systems
    (telecommunications and information systems that contain classified information or that
    support those critical national security missions (44 U.S.C. 3502(9) and 10 U.S.C. 2315)) are
    assigned to the Department of Defense pursuant to Presidential directive. The Circular
    clarifies that information classified for national security purposes should also be handled in
    accordance with appropriate national security directives. Where classified information is
    required to be protected by more stringent security requirements, those requirements should
    be followed rather than the requirements of this Appendix.

5. Reports. The Appendix requires agencies to provide two reports to OMB:

The first is a requirement that agencies report security deficiencies and material weaknesses
within their FMFIA reporting mechanisms as defined by OMB Circular No. A-123,
"Management Accountability and Control," and take corrective actions in accordance with that
directive.

The second, defined by the Computer Security Act, requires that a summary of agency security
plans be included in the information resources management plan required by the Paperwork
Reduction Act.

 Appendix IV to OMB Circular No. A-130 - Analysis of Key Sections

 1.  Purpose

 The purpose of this Appendix is to provide a general context and explanation for the contents of
 the key Sections of the Circular.

 2.  Background

 The Paperwork Reduction Act (PRA) of 1980, Public Law 96-511, as amended by the Paperwork
 Reduction Act of 1995, Public Law 104-13, codified at Chapter 35 of Title 44 of the United
 States Code, establishes a broad mandate for agencies to perform their information activities in
 an efficient, effective, and economical manner.  Section 3504 of the Act provides authority to the
 Director, OMB, to develop and implement uniform and consistent information resources
 management policies; oversee the development and promote the use of information management
 principles, standards, and guidelines; evaluate agency information management practices in order
 to determine their adequacy and efficiency, and determine compliance of such practices with the
 policies, principles, standards, and guidelines promulgated by the Director.

 The Circular implements OMB authority under the PRA with respect to Section 3504(b), general
 information resources management policy, Section 3504(d), information dissemination, Section
 3504(f), records management, Section 3504(g), privacy and security, and Section 3504(h),
 information technology.  The Circular also implements certain provisions of the Privacy Act of
 1974 (5 U.S.C. 552a); the Chief Financial Officers Act (31 U.S.C. 3512 et seq.); Sections 111
 and 206 of the Federal Property and Administrative Services Act of 1949, as amended (40 U.S.C.
 759 and 487, respectively); the Computer Security Act (40 U.S.C. 759 note); the Budget and
 Accounting Act of 1921 (31 U.S.C. 1 et seq.); and Executive Order No. 12046 of March 27,
 1978, and Executive Order No. 12472 of April 3, 1984, Assignment of National Security and
 Emergency Telecommunications Functions. The Circular complements 5 CFR Part 1320,
 Controlling Paperwork Burden on the Public, which implements other Sections of the PRA
 dealing with controlling the reporting and recordkeeping burden placed on the public.

 In addition, the Circular revises and consolidates policy and procedures in seven previous OMB
 directives and rescinds those directives, as follows:

 A-3 - Government Publications

 A-71 - Responsibilities for the Administration and Management of Automatic Data Processing
 Activities

 Transmittal Memorandum No. 1 to Circular No. A-71 - Security of Federal Automated
 Information Systems

A-90 - Cooperating with State and Local Governments to Coordinate and Improve Information
Systems


A-108 - Responsibilities for the Maintenance of Records about Individuals by Federal Agencies

A-114 - Management of Federal Audiovisual Activities

A-121 - Cost Accounting, Cost Recovery, and Interagency Sharing of Data Processing Facilities

3. Analysis

Section 6, Definitions. Access and Dissemination.  The original Circular No. A-130
distinguished between the terms "access to information" and "dissemination of information" in
order to separate statutory requirements from policy considerations. The first term means giving
members of the public, at their request, information to which they are entitled by a law such as
the FOIA.  The latter means actively distributing information to the public at the initiative of the
agency.  The distinction appeared useful at the time Circular No. A-130 was written, because it
allowed OMB to focus discussion on Federal agencies' responsibilities for actively distributing
information.  However, popular usage and evolving technology have blurred differences between
the terms "access" and "dissemination" and readers of the Circular were confused by the
distinction.  For example, if an agency "disseminates" information via an on-line computer
system, one speaks of permitting users to "access" the information, and on-line "access" becomes
a form of "dissemination."

Thus, the revision defines only the term "dissemination."  Special considerations based on access
statutes such as the Privacy Act and the FOIA are explained in context.

Government Information. The definition of "government information" includes information
created, collected, processed, disseminated, or disposed of both by and for the Federal
Government. This recognizes the increasingly distributed nature of information in electronic
environments. Many agencies, in addition to collecting information for government use and for
dissemination to the public, require members of the public to maintain information or to disclose
it to the public. Sound information resources management dictates that agencies consider the
costs and benefits of a full range of alternatives to meet government objectives.  In some cases,
there is no need for the government actually to collect the information itself, only to assure that it
is made publicly available.  For example, banks insured by the FDIC must provide statements of
financial condition to bank customers on request.  Particularly when information is available in
electronic form, networks make the physical location of information increasingly irrelevant.

The inclusion of information created, collected, processed, disseminated, or disposed of for the
Federal Government in the definition of "government information" does not imply that
responsibility for implementing the provisions of the Circular itself extends beyond the executive
agencies to other entities. Such an interpretation would be inconsistent with Section 4,
Applicability, and with existing law. For example, the courts have held that requests to Federal
agencies for release of information under the FOIA do not always extend to those performing
information activities under grant or contract to a Federal agency.  Similarly, grantees may
copyright information where the government may not. Thus the information responsibilities of
 grantees and contractors are not identical to those of Federal agencies except to the extent that
 the agencies make them so in the underlying grants or contracts. Similarly, agency information
 resources management responsibilities do not extend to other entities.

 Information Dissemination Product. This notice defines the term "information dissemination
 product" to include all information that is disseminated by Federal agencies. While the provision
 of access to on-line databases and search software included on compact disk, read-only memory
 (CD-ROM) are often called information services rather than products, there is no clear
 distinction and, moreover, no real difference for policy purposes between the two. Thus, the
 term "information dissemination product" applies to both products and services, and makes no
 distinction based on how the information is delivered.

 Section 8a(1). Information Management Planning.  Parallel to new Section 7, Basic
 Considerations and Assumptions, Section 8a begins with information resources management
 planning. Planning is the process of establishing a course of action to achieve desired results
 with available resources.  Planners translate organizational missions into specific goals and, in
 turn, into measurable objectives.

 The PRA introduced the concept of information resources management and the principle of
 information as an  institutional resource which has both value and associated costs. Information
 resources management is a tool that managers use to achieve agency objectives. Information
 resources management is successful if it enables managers to achieve agency objectives
 efficiently and effectively.

 Information resources management planning is an integral part of overall mission planning.
 Agencies need to plan from the outset for the steps in the information life cycle. When creating
 or collecting information, agencies must plan how they will process and transmit the information,
 how they will use it, how they will protect its integrity, what provisions they will make for access
 to it, whether and how they will disseminate it, how they will store and retrieve it, and finally,
 how the information will ultimately be disposed of. They must also plan for the effects their
 actions and programs will have on the public and State and local governments.

 The Role of State and Local Governments.  OMB made additions at Sections 7a, 7e, and 7j,
 Basic Considerations and Assumptions, concerning State and local governments, and also in
 policy statements at Sections 8a(1)(c), (3)(f), (5)(d)(iii), and (8)(e).

 State and local governments, and tribal governments, cooperate as major partners with the
 Federal Government in the collection, processing, and dissemination of information. For
 example, State governments are the principal collectors and/or producers of information in the
 areas of health, welfare, education, labor markets, transportation, the environment, and criminal
 justice. The States supply the Federal Government with data on aid to families with dependent
 children; medicare; school enrollments, staffing, and financing; statistics on births, deaths, and
 infectious diseases; population related data that form the basis for national estimates;
employment and labor market data; and data used for census geography.  National information
resources are greatly enhanced through these major cooperating efforts.

Federal agencies need to be sensitive to the role of State and local governments, and tribal
governments, in managing information and in managing information technology.  When
planning, designing, and carrying out information collections, agencies should systematically
consider what effect their activities will have on cities, counties, and States, and take steps to
involve these governments as appropriate. Agencies should ensure that their information
collections impose the minimum burden and do not duplicate or conflict with local efforts or
other Federal agency requirements or mandates.  The goal is that Federal agencies routinely
integrate State and local government concerns into Federal information resources management
practices. This goal is consistent with standards for State and local government review of
Federal policies and programs.

Training.  Training is particularly important in view of the changing nature of information
resources management. Decentralization of information technology has placed the management
of automated information and information technology directly in the hands of nearly all agency
personnel rather than in the hands of a few employees at centralized facilities.  Agencies must
plan for incorporating policies and procedures regarding computer security, records management,
protection of privacy, and other safeguards into the training of every employee and contractor.

Section 8a(2). Information Collection. The PRA requires that the creation or collection of
information be carried out in an efficient, effective, and economical manner. When Federal
agencies create or collect information, just as when they perform any other program functions,
they consume scarce resources. Such activities must be continually evaluated for their
relevance to agency missions.

Agencies must justify the creation or collection of information based on their statutory functions.
Policy statement 8a(2) uses the justification standard, "necessary for the proper performance of
the functions of the agency," established by the PRA (44 U.S.C. 3508). Furthermore, the
policy statement includes the requirement that the information have practical utility, as defined in
the PRA (44 U.S.C. 3502(11)) and elaborated in 5 CFR Part 1320. Practical utility includes such
qualities of information as accuracy, adequacy, and reliability.  In the case of general purpose
statistics or recordkeeping, practical utility means that actual uses can be demonstrated (5 CFR
1320.3(1)). It should be noted that OMB's intent in placing emphasis on reducing unjustified
burden in collecting information, an emphasis consistent with the Act, is not to diminish the
importance of collecting information whenever agencies have legitimate program reasons for
doing so.  Rather, the concern is that the burdens imposed should not exceed the benefits to be
derived from the information.  Moreover, if the same benefit can be obtained by alternative
means that impose a lesser burden, that alternative should be adopted.

 Section 8a(3).  Electronic Information Collection. Section 7l articulates a basic assumption of
 the Circular that modern information technology can help the government provide better service
 to the public through improved management of government programs.  One potentially useful
 application of information technology is in the government's collection of information. While
 some information collections may not be good candidates for electronic techniques, many are.
 Agencies with major electronic information collection programs have found that automated
 information collections allow them to meet program objectives more efficiently and effectively.
 Electronic data interchange (EDI) and related standards for the electronic exchange of
 information will ease transmission and processing of routine business transaction information
 such as invoices, purchase orders, price information, bills of lading, health insurance claims, and
 other common commercial documents. EDI holds similar promise for the routine filing of
 regulatory information such as tariffs, customs declarations, license applications, tax information,
 and environmental reports.

 Benefits to the public and agencies from electronic information collection appear substantial.
 Electronic methods of collection reduce paperwork burden, reduce errors, facilitate validation,
 and provide increased convenience and more timely receipt of benefits.

 The policy in Section 8a(3) encourages agencies to explore the use of automated techniques for
 collection of information, and sets forth conditions conducive to the use of those techniques.

 Section 8a(4).  Records Management. Section 8a(4) begins with the fundamental requirement
 for Federal records management, namely, that agencies create and keep adequate and proper
 documentation of their activities.  Federal agencies cannot carry out their missions in a
 responsible and responsive manner without adequate recordkeeping.  Section 7h articulates the
 basic considerations concerning records management. Policy statements concerning records
 management are also interwoven throughout Section 8a, particularly in subsections on planning
 (8a(1)(j)), information dissemination (8a(6)), and safeguards (8a(9)).

 Records support the immediate needs of government (administrative, legal, fiscal) and ensure
 its continuity. Records are essential for protecting the rights and interests of the public, and for
 monitoring the work of public servants. The government needs records to ensure accountability
 to the public which includes making the information available to the public.

 Each stage of the information life cycle carries with it records management responsibilities.
 Agencies need to record their plans, carefully document the content and procedures of
 information collection, ensure proper documentation as a feature of every information system,
 keep records of dissemination programs, and, finally, ensure that records of permanent value are
 preserved.

 Preserving records for future generations is the archival mission.  Advances in technology affect
the amount of information that can be created and saved, and the ways this information can be
made available.  Technological advances can ease the task of records management; however, the
rapid pace of change in modern technology makes decisions about the appropriate application of
technology critical to records management. Increasingly the records manager must be concerned
with preserving valuable electronic records in the context of a constantly changing technological
environment.

Records schedules are essential for the appropriate maintenance and disposition of records.
Records schedules must be prepared in a timely fashion, implement the General Records
Schedules issued by the National Archives and Records Administration, be approved by the
Archivist of the United States, and be kept accurate and current.  (See 44 U.S.C. 3301 et seq.)
The National Archives and Records Administration and the General Services Administration
provide guidance and assistance to agencies in implementing records management
responsibilities. They also evaluate agencies' records management programs to determine the
extent to which they are appropriately implementing their records management responsibilities.

Sections 8a(5) and 8a(6).  Information Dissemination Policy. Section 8a(5). Every agency has
a responsibility to inform the public within the context of its mission.  This responsibility
requires that agencies distribute information at the agency's initiative, rather than merely
responding when the public requests information.

The FOIA requires each agency to publish in the Federal Register current descriptions of
agency organization, where and how the public may obtain information, the general methods and
procedural requirements by which agency functions are determined, rules of procedure,
descriptions of forms and how to obtain them, substantive regulations, statements of general
policy, and revisions to all the foregoing (5 U.S.C. 552(a)(1)). The Privacy Act also requires
publication of information concerning "systems of records" which are records retrieved by
individual identifier such as name, Social Security Number, or fingerprint.  The Government in
the Sunshine Act requires agencies to publish meeting announcements (5 U.S.C. 552b(e)(1)).
The PRA (44 U.S.C. 3507(a)(2)) and its implementing regulations (5 CFR Part 1320) require
agencies to publish notices when they submit information collection requests for OMB approval.
The public's right of access to government information under these statutes is balanced against
other concerns, such as an individual's right to privacy and protection of the government's
deliberative process.

As agencies satisfy these requirements, they provide the public basic information about
government activities. Other statutes direct specific agencies to issue specific information
dissemination products or to conduct information dissemination programs. Beyond generic and
specific statutory requirements, agencies have responsibilities to disseminate information as a
necessary part of performing their functions.  For some agencies the responsibility is made
explicit and sweeping; for example, the Agriculture Department is directed to "...diffuse among
people of the United States, useful information on subjects connected with agriculture...."  (7
U.S.C. 2201)  For other agencies, the responsibility may be much more narrowly drawn.

 Information dissemination is also a consequence of other agency activities. Agency programs
 normally include an organized effort to inform the public about the program.  Most agencies
 carry out programs that create or collect information with the explicit or implicit intent that the
 information will be made public.  Disseminating information is in many cases the logical
 extension of information creation or collection.

 In other cases, agencies may have information that is not meant for public dissemination but
 which may be the subject of requests from the public. When the agency establishes that there is
 public demand for the information and that it is in the public interest to disseminate the
 information, the agency may decide to disseminate it automatically.

 The policy in Section 8a(5)(d) sets forth several factors for agencies to take into account in
 conducting their information dissemination programs. First, agencies must balance two goals:
 maximizing the usefulness of the information to the government and the public, and minimizing
 the cost to both. Deriving from the basic purposes of the PRA (44 U.S.C. 3501), the two goals
 are frequently in tension because increasing usefulness usually costs more. Second, Section
 8a(5)(d)(ii) requires agencies to conduct information dissemination programs equitably and in a
 timely manner. The word "equal" was removed from this Section since there may be instances
 where, for example, an agency determines that its mission includes disseminating information to
 certain specific groups or members of the public, and the agency determines that user charges
 will constitute a significant barrier to carrying out this responsibility.

 Section 8a(5)(d)(iii), requiring agencies to take advantage of all dissemination channels,
 recognizes that information reaches the public in many ways. Few persons may read a Federal
 Register notice describing an agency action, but those few may be major secondary
 disseminators of the information.  They may be affiliated with publishers of newspapers,
 newsletters, periodicals, or books; affiliated with on-line database providers; or specialists in
 certain information fields. While millions of information users in the public may be affected by
 the agency's action, only a handful may have direct contact with the agency's own information
 dissemination products.  As a deliberate strategy, therefore, agencies should cooperate with the
 information's original creators, as well as with secondary disseminators, in order to further
 information dissemination goals and foster a diversity of information sources.  An adjunct
 responsibility to this strategy is reflected in Section 8a(5)(d)(iv), which directs agencies to assist
 the public in finding government information. Agencies may accomplish this, for example, by
 specifying and disseminating "locator" information, including information about content, format,
 uses and limitations, location, and means of access.

 Section 8a(6). Information Dissemination Management System.  This Section requires
 agencies to maintain an information dissemination management system which can ensure the
 routine performance of certain functions, including the essential functions previously required by
 Circular No. A-3. Smaller agencies need not establish elaborate formal systems, so long as the
 heads of the agencies can ensure that the functions are being performed.

Subsection (6)(a) carries over a requirement from OMB Circular No. A-3 that agencies'
information dissemination products are to be, in the words of 44 U.S.C. 1108, "necessary in the
transaction of the public business required by law of the agency."  (Circular No. A-130 uses the
expression "necessary for the proper performance of agency functions," which OMB considers to
be equivalent to the expression in 44 U.S.C. 1108.)  The point is that agencies should determine
systematically the need for each information dissemination product.

Section 8a(6)(b) recognizes that to carry out effective information dissemination programs,
agencies need knowledge of the marketplace in which their information dissemination products
are placed. They need to know what other information dissemination products users have
available in order to design the best agency product. As agencies are constrained by finite
budgets, when there are several alternatives from which to choose, they should not expend public
resources filling needs which have already been met by others in the public or private sector.
Agencies have a responsibility not to undermine the existing diversity of information sources.

At the same time, an agency's responsibility to inform the public may be independent of the
availability or potential availability of a similar information dissemination product. That is, even
when another governmental or private entity has offered an information dissemination product
identical or similar to what the agency would produce, the agency may conclude that it
nonetheless has a responsibility to disseminate its own product.  Agencies should minimize such
instances of duplication but could reach such a conclusion because legal considerations require
an official government information dissemination product.

Section 8a(6)(c) makes the Circular consistent with current practice (See OMB Bulletins 88-15,
89-15, 90-09, and 91-16), by requiring agencies to establish and maintain inventories of
information dissemination products. (These bulletins eliminated annual reporting to OMB of
title-by-title listings of publications and the requirement for agencies to obtain OMB approval for
each new periodical. Publications are now reviewed as necessary during the normal budget
review process.)  Inventories help other agencies and the public identify information which is
available. This serves both to increase the efficiency of the dissemination function and to avoid
unnecessary burdens of duplicative information collections. A corollary, enunciated in Section
8a(6)(d), is that agencies can better serve public information needs by developing finding aids for
locating information produced by the agencies.  Finally, Section 8a(6)(f) recognizes that there
will be situations where agencies may have to take appropriate steps to ensure that members of
the public with disabilities whom the agency has a responsibility to inform have a reasonable
ability to access the information dissemination products.

Depository Library Program. Sections 8a(6)(g) and (h) pertain to the Federal Depository
Library Program. Agencies are to establish procedures to ensure compliance with 44 U.S.C.
1902, which requires that government publications (defined in 44 U.S.C. 1901 and repeated in
Section 6 of the Circular) be made available to depository libraries through the Government
Printing Office (GPO).
 Depository libraries are major partners with the Federal Government in the dissemination of
 information and contribute significantly to the diversity of information sources available to the
 public. They provide a mechanism for wide distribution of government information that
 guarantees basic availability to the public. Executive branch agencies support the depository
 library program both as a matter of law and on its merits as a means of informing the public
 about the government. On the other hand, the law places the administration of depository
 libraries with GPO. Agency responsibility for the depository libraries is limited to supplying
 government publications through GPO.

 Agencies can improve their performance in providing government publications as well as
 electronic information dissemination products to the depository library program.  For example,
 the proliferation of "desktop publishing" technology in recent years has afforded the opportunity
 for many agencies to produce their own printed documents. Many such documents may properly
 belong in the depository libraries but are not sent because they  are not printed at GPO.  The
 policy requires agencies to establish management controls to ensure that the appropriate
 documents reach the GPO for inclusion in the depository library program.

 At present, few agencies provide electronic information dissemination products to the depository
 libraries.  At the same time, a small but growing number of information dissemination products
 are disseminated only in electronic format.

 OMB believes that, as a matter of policy, electronic information dissemination products
 generally should be provided to the depository libraries. Given that production and supply of
 information dissemination products to the depository libraries is primarily the responsibility of
 GPO, agencies should provide appropriate electronic information dissemination products to GPO
 for inclusion in the depository library program.

 While cost may be a consideration, agencies should not conclude without investigation that it
 would be prohibitively expensive to place their electronic information dissemination products in
 the depository libraries. For electronic information dissemination products other than on-line
 services, agencies may have the option of having GPO produce the information dissemination
 product for them, in which case  GPO would pay for depository library costs.  Agencies should
 consider this option if it would be a cost effective alternative to the agency making its own
 arrangements for production of the information dissemination product. Using GPO's services in
 this manner is voluntary and at the agency's discretion.  Agencies could also consider negotiating
 other terms, such as inviting GPO to participate in agency procurement orders in order to
 distribute the necessary copies for the depository libraries. With adequate advance planning,
 agencies should be able to provide electronic information dissemination products to the
 depository libraries at nominal cost.

 In a particular case, substantial cost may be a legitimate reason for not providing an electronic
 information dissemination product to the depository library program. For example, for an
agency with a substantial number of existing titles of electronic information dissemination
products, furnishing copies of each to the depository libraries could be prohibitively expensive.
In that situation, the agency should endeavor to make available those titles with the greatest
general interest, value, and utility to the public. Substantial cost could also be an impediment in
the case of some on-line information services where the costs associated with operating
centralized databases would make provision of unlimited direct access to numerous users
prohibitively expensive. In both cases, agencies should consult with the GPO,  in order to
identify those information dissemination products with the greatest public interest and utility for
dissemination. In all cases, however, where an agency discontinues publication of an
information dissemination product in paper format in favor of electronic formats, the agency
should work with the GPO to ensure availability of the information dissemination product to
depository libraries.

Notice to the Public. Sections 8a(6)(i) and (j) present new practices for agencies to observe in
communicating with the public about information dissemination. Among agencies'
responsibilities for dissemination is an active knowledge of, and regular consultation with, the
users of their information dissemination products. A primary reason for communication with
users is to gain their contribution to improving the quality and relevance of government
information — how  it is created, collected, and disseminated.  Consultations with  users might
include participation at conferences and workshops, careful attention to correspondence and
telephone communications (e.g., logging and analyzing inquiries), or formalized user surveys.

A key part of communicating with the public is providing adequate notice of agency information
dissemination plans. Because agencies' information dissemination actions affect other agencies
as well as the public, agencies must forewarn other agencies of significant actions. The decision
to initiate, terminate, or substantially modify the content, form, frequency, or availability of
significant products should also trigger appropriate advance public notice.  Where appropriate,
the Government Printing Office should be notified directly. Information dissemination products
deemed not to be significant require no advance notice.

Examples of significant products (or changes to them) might be those that:

(a) are required by law; e.g., a statutorily mandated report to Congress;

(b) involve expenditure of substantial funds;

(c) by reason of the  nature of the information, are matters of continuing public interest; e.g., a
key economic indicator;

(d) by reason of the time value of the information, command public interest; e.g., monthly crop
reports on the day of their release;

(e) will be disseminated in a new format or medium; e.g., disseminating a printed product in
electronic medium, or disseminating a machine-readable data file via on-line access.

 Where members of the public might consider a proposed new agency product unnecessary or
 duplicative, the agency should solicit and evaluate public comments. Where users of an agency
 information dissemination product may be seriously affected by the introduction of a change in
 medium or format, the agency should notify users and consider their views before instituting the
 change.  Where members of the public consider an existing agency product important and
 necessary, the agency should consider these views before deciding to terminate the product.  In
 all cases, however, determination of what is a significant information dissemination product and
 what constitutes adequate notice are matters of agency judgment.

 Achieving Compliance with the Circular's Requirements. Section 8a(6)(k) requires that the
 agency information dissemination management system ensure that, to the extent existing
 information dissemination policies or practices are inconsistent with the requirements of this
 Circular, an orderly transition to compliance with the requirements of this Circular is made.  For
 example, some agency information dissemination products may be priced at a level which
 exceeds the cost of dissemination, or the agency may be engaged in practices which are
 otherwise unduly restrictive. In these instances, agencies must plan for an orderly transition to
 the substantive policy requirements of the Circular. The information dissemination management
 system must be capable of identifying these situations and planning for a reasonably prompt
 transition. Instances of existing agency practices which cannot immediately be brought into
 conformance with the requirements of the Circular are to be addressed through the waiver
 procedures of Section 10(b).

 Section 8a(7). Avoiding Improperly Restrictive Practices. Federal agencies are often the sole
 suppliers of the information they hold. The agencies have either created or collected the
 information using public funds, usually in furtherance of unique governmental functions, and no
 one else has it. Hence agencies need to take care that their behavior does not inappropriately
 constrain public access to government information.

 When agencies use private contractors to accomplish dissemination, they must take care that they
 do not permit contractors to impose restrictions that undercut the agencies' discharge of their
 information dissemination responsibilities. The contractual terms should assure  that, with respect
 to dissemination, the contractor behaves as though the contractor were the agency. For  example,
 an agency practice of selling, through a contractor, on-line access to a database but refusing to
 sell copies of the database itself may be improperly restrictive because it precludes the possibility
 of another firm making the same service available to the public at a lower price. If an agency is
 willing to provide public access to a database, the agency should be willing to sell copies of the
 database itself.

 By the same reasoning, agencies  should behave in an even-handed manner in handling
 information dissemination products. If an agency is willing to sell a database or database
services to some members of the public, the agency should sell the same products under similar
terms to other members of the public, unless prohibited by statute. When an agency decides it
has public policy reasons for offering different terms of sale to different groups in the public, the
agency should provide a clear statement of the policy and its basis.

Agencies should not attempt to exert control over the secondary uses of their information
dissemination products. In particular, agencies should not establish exclusive, restricted, or other
distribution arrangements which interfere with timely and equitable availability of information
dissemination products, and should not charge fees or royalties for the resale or redissemination
of government information.  These principles follow from  the fact that the law prohibits the
Federal Government from exercising copyright.

Agencies should inform the public as to the limitations inherent in the information dissemination
product (e.g., possibility of errors, degree of reliability, and validity) so that users are fully aware
of the quality and integrity of the information. If circumstances warrant, an agency may wish to
establish a procedure by which disseminators of the agency's information may at their option
have the data and/or value-added processing checked for accuracy and certified by the agency.
Using this method, redisseminators of the data would be able to respond to the demand for
integrity from purchasers and users.  This approach could be enhanced by the agency using its
authority to trademark its information dissemination product, and requiring that redisseminators
who wish to use the trademark agree to appropriate integrity procedures. These methods have
the possibility of promoting diversity, user responsiveness, and efficiency as well as integrity.
However, an agency's responsibility to protect against misuse of a government information
dissemination product does not extend to restricting or regulating how the public actually uses
the information.

The Lanham Trademark Act of 1946, 15 U.S.C. 1055, 1125, 1127, provides an efficient method
to address legitimate agency concerns regarding public safety. Specifically, the Act permits a
trademark owner to license the mark, and to demand that the user maintain appropriate quality
controls over products reaching consumers under the mark. See generally McCarthy on
Trademarks, Sec. 18.13.  When a trademark owner licenses the trademark to another, it may
retain the right to control the quality of goods sold under the trademark by the licensee.
Furthermore, if a licensee sells goods under the licensed trademark in breach of the licensor's
quality specifications, the licensee may be liable for breach of contract as well as for trademark
infringement. This technique is increasingly being used to assure the integrity of digital
information dissemination products.  For example, the Census Bureau has trademarked its
topologically integrated geographic encoding and referencing data product ("TIGER/Line"),
which is used as official source data for legislative districting and other sensitive applications.

Whenever a need for special quality control procedures is identified, agencies should adopt the
least burdensome methods and ensure that the methods chosen do not establish an exclusive,
restricted, or other distribution arrangement that interferes with timely and equitable availability
of public information to the public. Agencies should not attempt to condition the resale or
redissemination of their information dissemination products by members of the public.
 User charges. Title 5 of the Independent Offices Appropriations Act of 1952 (31 U.S.C. 9701)
 establishes Federal policy regarding fees assessed for government services, and for sale or use of
 government property or resources. OMB Circular No. A-25, User Charges, implements the
 statute. It provides for charges for government goods and services that convey special benefits to
 recipients beyond those accruing to the general public. It also establishes that user charges
 should be set at a level sufficient to recover the full cost of providing the service, resource, or
 property. Since Circular No. A-25 is silent as to the extent of its application to government
 information dissemination products, full cost recovery for information dissemination products
 might be interpreted to include the cost of collecting and processing information rather than just
 the cost of dissemination. The policy in Section 8a(7)(c) clarifies the policy of Circular No.
 A-25 as it applies to information dissemination products. This policy was codified by the
 Paperwork Reduction Act of 1995 at 44 U.S.C. Section 3506(d)(4)(D).

 Statutes such as FOIA and the Government in the Sunshine Act establish a broad and general
 obligation on the part of Federal agencies to make government information available to the
 public and to avoid erecting barriers that impede public access.  User charges higher than the cost
 of dissemination may be a barrier to public access. The economic benefit to society is
 maximized when government information is publicly disseminated at the cost of dissemination.
 Absent statutory requirements to the contrary, the general standard for user charges for
 government information dissemination products should be to recover no more than the cost of
 dissemination. It should be noted in this connection that the government has already incurred the
 costs of creating and processing the information for governmental purposes in order to carry out
 its mission.

 Underpinning this standard is the FOIA fee structure which establishes limits on what agencies
 can charge for access to Federal records. That Act permits agencies to charge only the direct
 reasonable cost of search, reproduction and, in certain cases, review of requested records. In the
 case of FOIA requests for information dissemination products, charges would be limited to
 reasonable direct reproduction costs alone. No search would be needed to find the product, thus
 no search fees would be charged.  Neither would the record need to be reviewed to determine if it
 could be withheld under one of the Act's exemptions since the agency has already decided to
 release it. Thus, FOIA provides an information "safety net" for the public.

 While OMB does not intend to prescribe procedures for pricing government information
 dissemination products, the cost of dissemination may generally be thought of as the sum of all
 costs specifically associated with preparing a product for dissemination and actually
 disseminating it to the public.  When an agency prepares an information product for its own
 internal use, costs associated with such production would not generally be recoverable as user
charges on subsequent dissemination.  When the agency prepares the product for public
dissemination, and disseminates it, costs associated with preparation and actual dissemination
would be recoverable as user charges.
 In the case of government databases which are made available to the public on-line, the costs
 associated with initial database development, including the costs of the necessary hardware and
 software, would not be included in the cost of dissemination. Once a decision is made to
 disseminate the data, additional costs logically associated with dissemination can be included in
 the user fee.  These may include costs associated with modification of the database to make it
 suitable for dissemination, any hardware or software enhancements necessary for dissemination,
 and costs associated with providing customer service or telecommunications capacity.

 In the case of information disseminated via CD-ROM, the costs associated with initial database
 development would likewise not be included in the cost of dissemination. However, a portion of
 the costs associated with formatting the data for CD-ROM dissemination and the costs of mastering
 the CD-ROM could logically be included as part of the dissemination cost, as would the cost
 associated with licensing appropriate search software.

 Determining the appropriate user fee  is the responsibility of each agency, and involves the
 exercise of judgment and  reliance on reasonable estimates. Agencies should be able to explain
 how they arrive at user fees which represent average prices and which, given the likely demand
 for the product, can be expected to  recover the costs associated with dissemination.

 When agencies provide  custom tailored information services to specific individuals or groups,
 full cost recovery, including the cost of collection and processing, is appropriate.  For example, if
 an agency prepares special tabulations or similar services from its databases in answer to a
 specific request from the public, all costs associated with fulfilling the request would be charged,
 and the requester should be so informed before work is begun.

 In a few cases, agencies engaging in information collection activities augment the information
 collection at the request of, and with funds provided by, private sector groups. Since the 1920's,
 the Bureau of the Census has carried out, on request, surveys of certain industries at greater
 frequency or at a greater level of detail than Federal funding would permit, because gathering the
 additional information is consistent with Federal purposes and industry groups have paid the
 additional information collection and processing costs. While the results of these surveys are
 disseminated to the public at the cost of dissemination, the existence and availability of the
 additional government data are special benefits to certain recipients beyond those accruing to the
 public.  It is appropriate that those recipients should bear the full  costs of information collection
 and processing, in addition to the normal costs of dissemination.

 Agencies must balance the requirement to establish user charges and the level of fees charged
 against other policies, specifically,  the proper performance of agency functions and the need to
 ensure that information dissemination products reach the public for whom they are intended. If
an agency mission includes disseminating information to certain  specific groups or members of
the public and the agency determines that user charges will constitute a significant barrier to
carrying out this responsibility, the agency may have grounds for reducing or eliminating its user
charges for the information dissemination product, or for exempting some recipients from the
 charge.  Such reductions or eliminations should be the subject of agency determinations on a case
 by case basis and justified in terms of agency policies.

 Section 8a(8).  Electronic Information Dissemination.  Advances in information technology
 have changed government information dissemination. Agencies now have available new media
 and formats for dissemination, including CD-ROM, electronic bulletin boards, and public
 networks. The growing public acceptance of electronic data interchange (EDI) and similar
 standards enhances their attractiveness as methods for government information dissemination.
 For example, experiments with the use of electronic bulletin boards to advertise Federal
 contracting opportunities and to receive vendor quotes have achieved wider dissemination of
 information about business opportunities with the Federal Government than has been the case
 with traditional notices and advertisements. Improved information dissemination has increased
 the number of firms expressing interest in participating in the government market and decreased
 prices to the government due to expanded competition. In addition, the development of public
 electronic information networks, such as the Internet, provides an additional way for agencies to
 increase the diversity of information sources available to the public. Emerging applications such
 as Wide Area Information Servers (WAIS, built on the NISO Z39.50 search and retrieval
 standard) and the World-Wide Web will be used increasingly to facilitate dissemination of
 government information such as environmental data, international trade information, and
 economic statistics in a networked environment.

 A basic purpose of the PRA is to "provide for the dissemination of public information on a
 timely basis, on equitable terms, and in a manner that promotes the utility of the information to
 the public and makes  effective use of information technology." (44 U.S.C. 3501(7))  Agencies
 can frequently enhance the value, practical utility, and timeliness of government information as a
 national resource by disseminating information in electronic media. Electronic collection and
 dissemination may substantially increase the usefulness of government information
 dissemination products for three reasons.  First, information disseminated electronically is likely
 to be more timely and accurate because it does not require data re-entry.  Second, electronic
 records often contain more complete and current information because, unlike paper, it is
 relatively easy to make frequent changes.  Finally, because electronic information is more easily
 manipulated by the user and can be tailored to a wide variety of needs, electronic information
 dissemination products are more useful to the recipients.

 As stated at Section 8a(1)(h), agencies should use voluntary standards and Federal Information
 Processing Standards to the extent appropriate in order to ensure the most cost effective and
 widespread dissemination of information in electronic formats.

Agencies can frequently make government information more accessible to the public and
enhance the utility of government information as a national resource by disseminating
 information in electronic media. Agencies generally do not utilize data in raw form, but edit,
refine, and organize the data in order to make it more accessible and useful for their own
purposes.  Information is made more accessible to users by aggregating data into logical
groupings, tagging data with descriptive and other identifiers, and developing indexing and
retrieval systems to facilitate access to particular data within a larger file. As a general matter,
and subject to budgetary, security or legal constraints, agencies should make available such
features developed for internal agency use as part of their information dissemination products.

There will also be situations where the agency determines that its mission will be furthered by
providing enhancements beyond those needed for its own use, particularly those that will
improve the public availability of government information over the long term.  In these
instances, the agency should evaluate the expected usefulness of the enhanced information in
light of its mission, and where appropriate construct partnerships with the private sector to add
these elements of value. This approach may be particularly appropriate as part of a strategy to
utilize new technology enhancements, such as graphic images, as part of a particular
dissemination program.

Section 8a(9).  Information Safeguards.  The basic premise of this Section is that agencies
should provide an appropriate level of protection to government information, given an
assessment of the risks associated with its maintenance and use. Among the factors to be
considered are the specific requirements of the Privacy Act of 1974 and the Computer Security
Act of 1987.

In particular, agencies are to ensure that they meet the requirements of the Privacy Act regarding
information retrievable by individual identifier. Such information is to be collected, maintained,
and protected so as to preclude intrusion into the privacy of individuals and the unwarranted
disclosure of personal information. Individuals must be accorded access and amendment rights
to records, as provided in the Privacy Act. To the extent that agencies share information which
they have a continuing obligation to protect, agencies should see that appropriate safeguards are
instituted.  Appendix I prescribes agency procedures for the maintenance of records about
individuals, reporting requirements to OMB and Congress, and other special requirements of
specific agencies, in accordance with the Privacy Act.

This Section also incorporates the requirement of the Computer Security Act of 1987 that
agencies plan to secure their systems commensurate with the risk and magnitude of loss or harm
that could result from the loss, misuse, or unauthorized access to information contained in those
systems. It includes assuring the integrity, availability, and appropriate confidentiality of
information.  It also involves protection against the harm that could occur to individuals or
entities outside of the Federal Government as well as the harm to the Federal Government.
Appendix III  prescribes a minimum set of controls to be included in Federal automated
information resources security programs and assigns Federal agency responsibilities for the
security of automated information resources.  The Section also  includes limits on collection and
sharing of information and procedures to assure the integrity of information as well as
requirements  to adequately secure the information.
Incorporation of Circular No. A-114. OMB Circular No. A-114, Management of Federal
Audiovisual Activities, last revised on March 20, 1985, prescribed policies and procedures to
improve Federal audiovisual management. Although OMB has rescinded Circular No. A-114, its
essential policies and procedures  continue. This revision provides information resources
management policies and principles independent of medium, including paper, electronic, or
audiovisual. By including the term "audiovisual" in the definition of "information," audiovisual
materials are incorporated into all policies of this Circular.

The requirement in Circular No. A-114 that the head of each agency designate an office with
responsibility for the management oversight of an agency's audiovisual productions and establish an
appropriate program for the management of audiovisual productions in conformance with 36
CFR 1232.4 is incorporated into this Circular at Section 9a(10). The requirement that
audiovisual activities be obtained consistent with OMB Circular No. A-76 is covered by Sections
8a(1)(d), 8a(5)(d)(i) and 8a(6)(b).

The National Archives and Records Administration will continue to prescribe the records
management and archiving practices of agencies with respect to audiovisual productions at 36
CFR 1232.4, "Audiovisual Records Management."
Section 8b. Information Systems and Information Technology Management

Section 8b(l). Evaluation and Performance Measurement. OMB encourages agencies to
stress several types of evaluation in their oversight of information systems. As a first step,
agencies must assess the continuing need for the mission function. If the agency determines there
is a continuing need for a function, agencies should reevaluate existing work processes prior to
creating new or updating existing information systems.  Without this analysis, agencies tend to
develop information systems that improve the efficiency of traditional paper-based processes
which may be no longer needed. The application of information technology presents an
opportunity to reevaluate existing organizational structures, work processes, and ways of
interacting with the public to see whether they still efficiently and effectively support the
agency's mission.

Benefit-cost analyses provide vital management information on the most efficient allocation of
human, financial, and information resources to support agency missions. Agencies should
conduct a benefit-cost analysis for each information system to support management decision
making to ensure: (a) alignment of the planned information system with the agency's mission
needs; (b) acceptability of information system implementation to users inside the Government;
(c) accessibility to clientele outside the Government; and (d) realization of projected benefits.
When preparing benefit-cost analyses to support investments in information technology, agencies
should seek to quantify the improvements in agency performance results through the
measurement of program outputs.

The requirement to conduct a benefit-cost analysis need not become a burdensome activity for
agencies.  The level of detail necessary for such analyses varies  greatly and depends on the
nature of the proposed investment. Proposed investments in "major information systems" as
defined in this Circular require detailed and rigorous analysis. This analysis should not merely
serve as budget justification material, but should be part of the ongoing management oversight
process to ensure prudent allocation of scarce resources.  Proposed investments for information
systems that are not considered "major information systems" should be analyzed and
documented more informally.

While it is not necessary to create a new benefit-cost analysis at each stage of the information
system life cycle, it is useful  to refresh these analyses with up-to-date information to ensure the
continued viability of an information system prior to and during implementation. Reasons for
updating a benefit-cost analysis may include such factors as significant changes in projected
costs and benefits, significant changes in information technology capabilities, major changes in
requirements (including legislative or regulatory changes), or empirical data based on
performance measurement gained through prototype results or pilot experience.

Agencies should also weigh the relative benefits of proposed investments in information
technology across the agency. Given the fiscal constraints facing the Federal government in the
upcoming years, agencies should fund a portfolio of investments across the agency that
maximizes return on investment for the agency as a whole. Agencies should also emphasize
 those proposed investments that show the greatest probability (i.e., display the lowest financial
 and operational risk) of achieving anticipated benefits for the organization.  OMB and GAO are
 creating a publication that will provide agencies with reference materials for setting up such
 evaluation processes.

 Agencies should complete a retrospective evaluation of information systems once operational to
 validate projected savings, changes in practices, and effectiveness in serving affected publics.
 These post-implementation reviews may also serve as the basis for agency-wide learning about
 effective management practices.

 Section 8b(2). Strategic Information Resources Management (IRM) Planning. Agencies
 should link to, and to the extent possible, integrate IRM planning with the agency strategic
 planning required by the Government Performance and Results Act (P.L. 103-62).  Such a
 linkage ensures that agencies apply information resources to programs that support the
 achievement of agreed-upon mission goals. Additionally, strategic IRM planning by agencies
 may help avoid automating out-of-date, ineffective, or inefficient procedures and work processes.

 Agencies should also devote management attention to operational information resources
 management planning. This operational IRM planning should provide a one to five year focus to
 agency IRM activities and projects. Agency operational IRM plans should also provide a listing
 of the major information systems covered by the management oversight processes described in
 Section 8b(3). Agency operational planning for IRM should also communicate to the public how
 the agency's application of information resources might affect them. For the contractor
 community, this includes articulating the agency's intent to acquire information technology from
the private sector. These data should not be considered acquisition sensitive, so that they can be
 distributed as widely as possible to the vendor community in order to promote competition.
 Agencies should make these acquisition plans available to the public through government-wide
 information dissemination mechanisms, including electronic means.

 Operational planning should also include initiatives to reduce the burden, including information
 collection burden, an agency imposes on the public. Too often, for example, agencies require
 personal visits to government offices during office hours inconvenient to the public. Instead,
 agencies should plan to use information technology in ways that make the public's dealing with
 the Federal government as "user-friendly" as possible.

 Each year, OMB issues a bulletin requesting copies of agencies' latest strategic IRM plans and
annual updates to operational plans for information and information technology.

 Section 8b(3). Information Systems Management Oversight. Agencies should consider what
 constitutes a "major information system" for purposes of this Circular when determining the
appropriate level of management attention for an information system. The anticipated dollar size
of an information system or a supporting acquisition is only one determinant of the level of
management attention an information system requires. Additional criteria to assess include the
maturity and stability of the technology under consideration, how well defined user requirements
are, the level of stability of program and user requirements, and security concerns.

For instance, certain risky or "cutting-edge" information systems require closer scrutiny and
more points of review and evaluation. This is particularly true when an agency uses an
evolutionary life cycle strategy that requires a technical and financial evaluation of the project's
viability at prototype and pilot testing phases. Projects relying on commercial off-the-shelf
technology and applications will generally require less oversight than those using custom-
designed software.

While each phase of an information system life cycle may have unique characteristics, the
dividing line between the phases may not always be distinct. For instance, both planning and
evaluation should continue throughout the information system life cycle. In fact, during any
phase, it may be necessary to revisit the previous stages based on new information or changes in
the environment in which the system is being developed.

The policy statements in this Circular describe an information system life cycle. It does not,
however, make a definitive statement that there must be four versus five phases of a life cycle
because the life cycle varies by the nature of the information system. Only two phases are
common to all information systems - a beginning and an end. As a result, life cycle management
techniques that agencies can use may vary depending on the complexity and risk inherent in the
project.

One element of this management oversight policy is the recognition of imbedded and/or parallel
life cycles. Within an information system's life cycle there may be other subsidiary life cycles.
For instance, most Federal information systems projects include an acquisition of goods and
services that have life  cycle characteristics. Some projects include software development
components, which also have life cycles. Effective management oversight of major information
systems requires a recognition of all these various life cycles and an integrated information
systems management oversight with the budget and human resource management cycles that
exist in the agency.

Section 8b(2) of the Circular underscores the need for agencies to bring an agency-wide
perspective to a number of information resources management issues. These issues include
policy formulation, planning, management and technical frameworks for using information
resources, and management oversight of major information systems. Agencies should also
provide for coordinated decision making (Section 8b(3)(f)) in order to bring together the
perspectives from across an agency, and outside if appropriate.  Such coordination may take
place in an agency-wide management or IRM committee.  Interested groups typically include
functional users, managers of financial and human resources, information resources management
specialists, and, as appropriate, the affected public.

Section 8b(4).  Use of Information Resources.  Agency management of information resources
should be guided by management and technical frameworks for agency-wide information and
 information technology needs. The technical framework should serve as a reference for updates
 to existing and new information systems.  The management framework should assure the
 integration of proposed information systems projects into the technical framework in a manner
 that will ensure progress towards achieving an open systems environment. Agency strategic
 IRM planning should describe the parameters (e.g., technical standards) of such a technical
 framework. The management framework should drive operational planning and should describe
 how the agency intends to use information and information technology consistent with the
 technical framework.

Agency management and technical frameworks for information resources should address agency
 strategies to move toward an open systems environment. These strategies should consist of one
 or multiple profiles (an internally consistent set of standards), based on the current version of the
NIST's Application Portability Profile. These profiles should satisfy user requirements,
 accommodate officially recognized or de facto standards, and promote interoperability,
 application portability, and scalability by defining interfaces, services, protocols, and data
 formats favoring the use of nonproprietary specifications.

 Agencies should focus on how to better utilize the data they currently collect from the public.
 Because agencies generally do not share information, the public often must respond to
 duplicative information collections from various agencies or their components. Sharing of
information about individuals should be consistent with the Privacy Act of 1974, as amended,
 and Appendix I of this Circular.

 Services provided by IPSOs to components of their own agency are often perceived to be "free"
 by the service recipients because their costs are budgeted as an "overhead" charge. Service
 recipients typically do not pay for IPSO services based on actual usage. Since the services are
perceived to be free, there is very little incentive for either the service recipients or the IPSO
 managers to be watchful for opportunities to improve productivity or to reduce costs. Agencies
 are encouraged to institute chargeback mechanisms for IPSOs that provide common information
 processing services across a number of agency components when the resulting economies are
 expected to exceed the cost of administration.

 Section 8b(5). Acquisition of Information Technology. Consistent with the requirements of
 the Brooks Act and the Paperwork Reduction Act, agencies should acquire information
 technology to improve service delivery, reduce the cost of Federal program administration, and
 minimize burden of dealing with the Federal government. Agencies may wish to ask potential
offerors to propose different technical solutions and approaches to fulfilling agency mission
 requirements. Evaluating acquisitions of information technology must assess both the benefits
 and costs of applying technology to meet such requirements.

   The distinction between information system life cycles and acquisition life cycles is
 important when considering the implications of OMB Circular A-109, Acquisition of Major
Systems, to the acquisition of information resources. Circular A-109 presents one strategy for
acquiring information technology when:
i) The agency intends to fund operational tests and demonstrations of system design;

ii) The risk is high due to the unproven integration of custom designed software and/or hardware
components;

iii) The estimated cost savings or operational improvements from such a demonstration will
further improve the return on investment; or

iv) The agency wants to acquire a solution based on state-of-the-art, unproven technology.

Agencies should comply with OMB Circular A-76, Performance of Commercial Activities, when
considering conversion to or from in-house or contract performance.

Agencies should ensure that acquisitions for new information technology comply with GSA
regulations concerning information technology accessibility for individuals with disabilities [41
C.F.R. 201-20.103-7].

Section 9a(11). Ombudsman. The senior agency official designated by the head of each agency
under 44 U.S.C. 3506(a) is charged with carrying out the responsibilities of the agency under the
PRA. Agency senior information resources management officials are responsible for ensuring
that their agency practices are in compliance with OMB policies. It is envisioned that the agency
senior information resources management official will work as an ombudsman to investigate
alleged instances of agency failure to adhere to the policies set forth in the Circular and to
recommend or take corrective action as appropriate.  Agency heads should continue to use
existing mechanisms to ensure compliance with laws and policies.

Section 9b. International Relationships. The information policies contained in the PRA and
Circular A-130 are based on the premise that government information is a valuable national
resource, and that the economic benefits to society are maximized when government information
is available in a timely and equitable manner to all. Maximizing the benefits of government
information to society depends, in turn, on fostering diversity among the entities involved in
disseminating it. These include for-profit and not-for-profit entities, such as information vendors
and libraries, as well as State, local and tribal governments. The policies on charging the cost of
dissemination and against restrictive practices contained in the PRA and Circular A-130 are
aimed at achieving this goal.

Other nations do not necessarily share these values. Although an increasing number are
embracing the concept of equitable and unrestricted access to public information - particularly
scientific, environmental, and geographic information of great public benefit - other nations are
treating their information as a commodity to be "commercialized".  Whereas the Copyright Act,
17 U.S.C. 105, has long provided that "[c]opyright protection under this title is not available for
any work of the United States Government," some other nations take advantage of their domestic
copyright laws that do permit government copyright and assert a monopoly on certain categories
of information in order to maximize revenues.  Such arrangements tend to preclude other entities
 from developing markets for the information or otherwise disseminating the information in the
 public interest.

 Thus, Federal agencies involved in international data exchanges are sometimes faced with
 problems in disseminating data stemming from differing national treatment of government
 copyright. For example, one country may attempt to condition the sharing of data with a Federal
 agency on an agreement that the agency will withhold release of the information or otherwise
 restrict its availability to the public. Since the Freedom of Information Act does not provide a
 categorical exemption for copyrighted information, and Federal agencies have neither the
 authority nor capability to enforce restrictions on behalf of other nations, agencies faced with
 such restrictive conditions lack clear guidance as to how to respond.

 The results of the July 1995 Congress of the World Meteorological Organization, which sought
 to strike a balance of interests in this area, are instructive. Faced with a resolution which would
 have essentially required member nations to enforce restrictions on certain categories of
 information for the commercial benefit of other nations, the United States proposed a
 compromise which was ultimately accepted. The compromise explicitly affirmed the general
principle that government meteorological information - like all other scientific, technical and
environmental information - should be shared globally without restriction; but recognized that
 individual nations may in particular cases apply their own domestic copyright and similar laws to
 prevent what they deem to be unfair or inappropriate competition within their own territories.
This compromise leaves open the door for further consultation as to whether the future of
 government information policy in a global information infrastructure should follow the "open
 and unrestricted access" model embraced by the United States and a number of other nations, or
 if it should follow the "government commercialization" model of others.

 Accordingly, since the PRA and Circular A-130 are silent as to how agencies should respond to
 similar situations, we are providing the following suggestions.  They are intended to foster
 globally the open and unrestricted information policy embraced by the United States and like
 minded nations, while permitting agencies to have access to data provided by foreign
 governments with restrictive conditions.

 Release by a Federal agency of copyrighted information, whether under a FOIA request or
 otherwise, does not affect any rights the copyright holder might otherwise possess. Accordingly,
 agencies should inform any concerned foreign governments that their copyright claims may be
 enforceable under United States law, but that the agency is not authorized to prosecute any such
 claim on behalf of the foreign government.

 Whenever an agency seeks to negotiate an international agreement in which a foreign party seeks
to impose restrictive practices on information to be exchanged, the agency should first coordinate
with the State Department.  The State Department will work with the agency to develop the least
restrictive terms consistent with United States policy, and ensure that those terms receive full
interagency clearance through the established process for granting agencies authority to negotiate
and conclude international agreements.

Finally, whenever an agency is attending meetings of international or multilateral organizations
where restrictive practices are being proposed as binding on member states, the agency should
coordinate with the State Department, the Office of Management and Budget, the Office of
Science and Technology Policy, or the U.S. Trade Representative, as appropriate, before
expressing a position on behalf of the United States.