OMB plans updates for A-130 circular

New guidance in security and privacy will form the basis for a major rewrite of the rules overseeing federal IT management, a senior official said.

GAITHERSBURG, Md. — The Office of Management and Budget plans massive updates to the rules overseeing federal information technology management, a senior official said this week.

In addition to standing policies, OMB officials have introduced new guidance in a number of areas — including security and privacy — under new mandates from the E-Government Act of 2002. Those directions will be the basis for a major rewrite of OMB Circular A-130, said Kamela White, a senior policy analyst within OMB's Office of Information and Regulatory Affairs and Office of E-Government and IT.

The last revision to A-130 came in 2000 to bring the regulation in line with the Clinger-Cohen Act of 1996, which set IT management policy and created the position of chief information officer for agencies. The upcoming changes will not take much time, but the review will have many opportunities for agencies and the public to comment, White said, speaking Dec. 16 at a meeting of the Information Security and Privacy Advisory Board.

The standardization of OMB guidance will address many issues, including timelines for agencies to submit e-government reports and privacy impact assessments, White said. OMB officials will issue their report to Congress covering both on March 1, 2004.

Agencies' first e-government reports and impact assessments were due Dec. 15, a date that is late in the budget process since agencies received their initial budget passbacks for fiscal 2005 last month. Advisory board Chairman Franklin Reeder expressed concern that the timing could mean critical information on major IT programs and systems would not be included in the budget OMB will release in February.

OMB officials are also reviewing agencies' security assessments, submitted last month under the Federal Information Security Management Act (FISMA), part of the E-Government Act. This latest round is the third set of agency security reports, and marks the second year that OMB has collected standard security performance information from the agencies.

"It's a very telling picture," White said. "There are unfortunately a group of agencies that have made little, if any, progress in the last three years."

That lack of change will be reflected in agencies' President's Management Agenda scorecards, which get the attention of agency heads and the President, White said. In fact, it will likely be the reason that many agencies stay at red in the e-government score, she said.

"It's starting to get to a point now where agencies are really making improvements on [the other e-gov scorecard items], but not on security, so they're not going anywhere," she said.

OMB officials added one major performance measure to this year's reports, which requires the inspector general for an agency to focus on the quality of their remediation processes. "We want to move from factual reporting and get into quality," White said.

The March 1 FISMA report to Congress will provide a look at what policies and procedures are working, what aren't and why not, along with an updated strategy for addressing those problems, she said.

The basic assessments of agencies' progress in that report will likely be quite similar to those in the security grades that Rep. Adam Putnam (R-Fla.), chairman of the House Government Reform Committee's Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, issued last week, White said. And it is good to see that for the first time the security grades were based on the same methodology as the previous year, she said.