OFFICE OF MANAGEMENT AND BUDGET
Management of Federal Information Resources
AGENCY: Office of Management and Budget, Executive Office of the President
ACTION: Revision of OMB Circular No. A-130, Transmittal No. 3, Appendix III,
"Security of Federal Automated Information Resources."
SUMMARY: The Office of Management and Budget (OMB) is revising Appendix III,
"Security of Federal Automated Information Systems," of Circular No. A-130,
"Management of Federal Information Resources." This is the third stage of planned
revisions to Circular A-130. Enactment of the Information Technology Management
Reform Act of 1996 (Division E of the National Defense Authorization Act for Fiscal
Year 1996) will require OMB to issue additional guidance on capital planning, investment
control, and the management of information technology. A plan for those revisions will be
announced in the Spring.
Transmittal 1 to Circular A-130, effective June 25, 1993, and published on July 2, 1993
(58 FR 36068) addressed the Information Management Policy section of the Circular
(Section 8a), as well as Appendix I, "Federal Agency Responsibilities for Maintaining
Records About Individuals." That issuance dealt primarily with how the Federal
government manages its information holdings, particularly information exchange with the
public.
Transmittal 2 to Circular A-130, effective July 15, 1994, and published on July 25, 1994
(59 FR 37906) addressed agency management practices for information systems and
information technology (Section 8b). That issuance was intended to (1) promote agency
investments in information technology that improve service delivery to the public, reduce
burden on the public, and lower the cost of Federal programs administration, and (2)
encourage agencies to use information technology as a strategic resource to improve
Federal work processes and organization.
This Transmittal 3 is intended to guide agencies in securing government information
resources as they increasingly rely on an open and interconnected National Information
Infrastructure. It stresses management controls, such as individual responsibility,
awareness and training, and accountability, and explains how they can be supported by
technical controls. Among other things, it requires agencies to assure that risk-based rules
of behavior are established, that employees are trained in them, and that the rules are
enforced. The revision also integrates security into program and mission goals, reduces
the centralized reporting of security plans, emphasizes the management of risk rather than
its measurement, and revises government-wide security responsibilities to be consistent
with the Computer Security Act and the Paperwork Reduction Act of 1995.
This transmittal also makes minor technical revisions to Section 9 ("Assignment of
Responsibilities") and Section 10 ("Oversight") to reflect the Paperwork Reduction Act of
1995 (P.L. 104-13). One substantive change has been made to Appendix I, Section 3.a.,
changing the annual requirement to review recordkeeping practices, training, violations,
and notices to a biennial review, in accordance with other regular agency reviews not
required by statute. Several minor changes have been made, none of which are intended
to be substantive. In Section 2.c., a portion of the definition of "nonfederal agency" which
had been inadvertently omitted has been added to reflect the current practice in
state-federal matching programs. In Section 3.a., extraneous and confusing language referring
to source or matching agencies was removed because the provision applies to any agency
that participates in a matching program. The examples in 4.c.(1) were updated for clarity.
Other editorial and organizational changes were made throughout the appendix.
Appendix IV has been changed to include material from OMB Memorandum M-95-22,
"Implementing the Information Dissemination Provisions of the Paperwork Reduction Act
of 1995" (September 29, 1995), and to delete some outdated or otherwise already
implemented guidance from the discussion of Sections 9 and 10.
ELECTRONIC AVAILABILITY: This document is available on the OMB Home page
of Welcome to the White House World Wide Web site (http://www.whitehouse.gov) as
/OMB/circulars/a130/a130pre.html. This
document is also available on the Internet via anonymous File Transfer Protocol (FTP)
from the National Institute of Standards and Technology (NIST) Computer Security
Resource Clearinghouse at csrc.ncsl.nist.gov as /pub/secplcy/a130.txt (do not use any
capital letters in the file name) or via the World Wide Web from
http://csrc.ncsl.nist.gov/secplcy as a130.txt. Appendix III, "Security of Federal
Automated Information Resources," can be separately obtained as a130app3.txt. The
clearinghouse can also be reached using dial-in access at 301-948-5717. For those who
do not have file transfer capability, the document can be retrieved via mail query by
sending an electronic mail message to docserver@csrc.ncsl.nist.gov with no subject and
with send a130.txt (or a130app3.txt for only the security appendix) as the first line of the
body of the message. Paper copies may also be obtained by writing to the Publications
Office, Office of Management and Budget, Room 2200 NEOB, Washington D.C. 20503
or by telephone at (202) 395-7332.
FOR FURTHER INFORMATION CONTACT: Information Policy and Technology
Branch, Office of Information and Regulatory Affairs, Office of Management and Budget,
Room 10236, New Executive Office Building, Washington, D.C. 20503. Telephone:
(202) 395-3785.
SUPPLEMENTARY INFORMATION:
Since December 30, 1985, Appendix III of Office of Management and Budget (OMB)
Circular No. A-130, "Security of Federal Automated Information Systems," has defined a
minimum set of controls for the security of Federal automated information systems (50 FR
52730). That Appendix, and its predecessor, Transmittal Memorandum No. 1 to OMB
Circular No. A-71, (July 27, 1978), defined controls that were considered effective in a
centralized processing environment which ran primarily custom-developed application
software.
Today's computing environment is significantly different. It is characterized by open,
widely distributed processing systems which frequently operate with commercial
off-the-shelf software. While effective use of information technology often reduces risks to the
Federal program being administered (e.g., risks from fraud or errors), the risk to and
vulnerability of Federal information resources has increased. Greater risks result from
increasing quantities of valuable information being committed to Federal systems, and
from agencies being critically dependent on those systems to perform their missions.
Greater vulnerabilities exist because virtually every Federal employee has access to
Federal systems, and because these systems now interconnect with outside systems.
In part because of these trends, Congress enacted the Computer Security Act of 1987
(P.L. 100-235). That Act requires agencies to improve the security of Federal computer
systems, plan for the security of sensitive systems, and provide mandatory awareness and
training in security for all individuals with access to computer systems.
To assist agencies in implementing the Computer Security Act, OMB issued Bulletin No.
88-16, "Guidance for Preparation and Submission of Security Plans for Federal Computer
Systems Containing Sensitive Information" (July 6, 1988), and OMB Bulletin No. 90-08,
"Guidance for Preparation of Security Plans for Federal Computer Systems that Contain
Sensitive Information" (July 9, 1990). This revision of Appendix III to OMB Circular
A-130 incorporates and updates the policies set out in those Bulletins and supersedes them.
The report of the National Performance Review, "Creating a Government that Works
Better & Costs Less: Reengineering through Information Technology" (September 1993),
recommended that Circular A-130 be revised to: 1) require an information security plan
to be part of each agency's strategic information technology (IT) plan; 2) require that if
computer security does not meet established thresholds, it be identified as a material
weakness in the Federal Managers' Financial Integrity Act report; 3) require awareness
and training of employees and contractors; 4) require that agencies improve planning for
contingencies; and 5) establish and employ formal emergency response capabilities. Those
recommendations are incorporated in this revision.
Since its establishment by the Computer Security Act, the Computer System Security and
Privacy Advisory Board has recommended changes in Circular A-130 to: 1) require that
agencies establish computer emergency response teams; and 2) link oversight of Federal
computer security activities more closely to the oversight established pursuant to the
Federal Managers' Financial Integrity Act (FMFIA), P.L. 97-255. This revision
incorporates both of those recommendations.
Subsequent to issuance of Bulletin 90-08, OMB, the National Institute of Standards and
Technology (NIST), and the National Security Agency (NSA) met with 28 Federal
departments and agencies to review their computer security programs. In February 1993,
OMB, NIST and NSA issued a report ("Observations of Agency Computer Security
Practices and Implementation of OMB Bulletin No. 90-08") which summarized those
meetings and proposed several changes in OMB Circular A-130 as next steps to
improving the Federal computer security program. Those proposed changes are
incorporated in this revision.
The revised Appendix clarifies the relationship between requirements to protect
information classified pursuant to an Executive Order and the requirements in this
Appendix. Where an agency processes information which is controlled for national
security reasons pursuant to an Executive Order or statute, security measures required by
appropriate directives should be included in agency systems. Those policies, procedures,
and practices will be coordinated with the U.S. Security Policy Board as directed by the
President.
On May 22, 1995, the President signed into law the Paperwork Reduction Act of 1995,
P.L. 104-13. That Act, in 44 U.S.C. 3505 and 3506, requires agencies to establish
computer security programs, and it tasks OMB to develop and oversee the implementation
of policies, principles, standards and guidelines on security. It also requires Federal
agencies to identify and provide security protection consistent with the Computer Security
Act of 1987 (40 U.S.C. 759 note). This revision is intended to implement those OMB
responsibilities.
Comments on the Proposed Appendix
On April 3, 1995, the revised Appendix was proposed for public comment (60 FR 16970).
It was also sent directly to Federal agencies for comment and made available for comment
via the Internet. Thirty-two comments were received. The comments supported the
approach proposed in the revised Appendix. They also made a number of suggestions to
improve it. The principal issues raised in comments and our response to them are set forth
below.
1. Most of the comments stated that the preamble accompanying the proposed Appendix
was useful in their understanding of the Appendix itself. They suggested that the
information in the preamble be incorporated in the final Appendix for improved future
understanding.
We agree with this suggestion, and have incorporated the preamble, as revised to
accommodate changes made to the proposed Appendix, as part B of the final Appendix.
2. Many comments suggested that the terminology of the Appendix should be more
directive.
We generally agree with this comment, and have changed part A of the Appendix to be
directive, while leaving the descriptive material in part B as explanatory.
3. A number of comments noted that there is a difference between making individuals
aware of security needs and training them. They suggested that the Appendix should
clarify this distinction and the requirements associated with each.
We agree, and have made changes in the Appendix and the descriptive information in part
B to clarify that the requirements for training are consistent with the Computer Security
Act (i.e., for increasing computer security awareness and training in accepted security
practice).
We have also added a clarification that training for members of the public who are given
access to general support systems should normally be accomplished in the context of the
application to which they are given access. As was pointed out in comments, members of
the public should not be given direct access to general support systems, except through
authorized use of an application. We have also added descriptive language in part B to
address the need to train members of the public with access to major applications.
4. Several comments raised a concern about the proposed requirement to limit access to
systems until a new employee has been trained in security responsibilities. They suggested
that training be required to be completed within a certain amount of time after access is
granted (e.g., 60 days).
We disagree. Understanding the security requirements that are integral to a system is a
fundamental responsibility of each individual who accesses the system. It should not be
delayed for administrative convenience. Furthermore, security training should be included
as part of general training in use of the system for an employee. Initial awareness and
training need not be accomplished through formal classroom training; in some cases it may
be through interactive sessions or reading well-written and understandable rules. The
critical factor is for the initial and subsequent awareness and training to be commensurate
with the risk and magnitude of harm that could occur. Therefore, new employees can and
should be trained in their security responsibilities before access is granted. The final
Appendix includes this requirement.
5. Several comments expressed concern about the proposed removal of the requirement
for agencies to prepare formal risk analyses. They point out that such analyses assist in
identifying threats, vulnerabilities, and risks to a system. They expressed a concern that
without such analyses it would be difficult to convince senior management of the need for
security. Other comments said that without risk analysis as the basis of decisions, security
measures will not be effective. On the other hand, several comments supported the
removal of this requirement, which they found not cost-effective.
We agree that security measures must be risk-based. The Computer Security Act requires
that security controls be commensurate with the risk and magnitude of harm that could
occur. Implicit in that approach is a need to assess the risk to each system. However,
given the complexity and detail such formal analyses often entail, a formal risk analysis is
not appropriate for every system. Therefore, the Appendix does not require that a formal
risk analysis be performed.
At the same time, risk assessment is an essential element in ensuring adequate security.
NIST recently issued a handbook, "An Introduction to Computer Security: The NIST
Handbook" (March 16, 1995), which contains guidance on computer security risk
management and provides a flexible framework for performing meaningful risk
assessments. Part B references the NIST handbook.
6. Several comments asked about the relation between the rules of behavior required in the
Appendix and operating policies prescribed in the NIST Handbook. Other comments
made suggestions about the kind and scope of rules that should be included in the security
plan.
We have added language to part B to describe the kinds of rules we believe are
appropriate and to clarify that rules of behavior in the Appendix should be consistent with
the system-specific policies described in the NIST handbook.
7. Several comments raised a concern about the effectiveness of reviews of security
controls unless they are performed by independent reviewers.
An independent review can improve the objectivity of the review, as well as its value to
top management in assessing the need for corrective action. Therefore, we have added
language to the discussion in part B of the Appendix that clarifies that reviews of major
applications, because of their higher risk, should be independent. We have not, however,
required that reviews of all general support systems be independent. Nevertheless, given
the value of an independent review, agencies may elect to use this approach, particularly
where a system supports a high-risk agency function.
In addition, we understand that the U.S. General Accounting Office is developing
guidance which provides a structured approach for performing reviews. We have also
revised the Appendix to be consistent with OMB Circular No. A-123, "Management
Accountability and Control" (June 21, 1995).
8. Several comments requested additional guidance on enforcement of the rules of
behavior, either from the Department of Justice or the Office of Personnel Management
(OPM).
The presumption in requiring rules of behavior is that they would be enforced as are other
behavioral rules within an agency. Therefore, we are not proposing to have central
guidance developed by either Justice or OPM. However, we expect that agencies will
share their various approaches through inter-agency forums, such as the Computer
Security Program Managers' Forum. We have added a brief discussion of this point to
part B.
9. Several comments concerned the protection of shared information and requested that
additional guidance be provided. We have clarified our intent in the discussion in part B.
10. One comment raised a concern about the Appendix's apparent subordination of
technical controls to management controls. While we are stressing the importance of
management controls, we have added preamble language to clarify that both types of
controls must be in place to be effective.
11. A number of comments raised a concern about whether adequate funding would be
forthcoming to implement the requirements of the Appendix.
Implicit in issuing the Appendix is our presumption that a system is created and maintained
with adequate security or it should not be created or maintained. Security costs should
therefore be factored into the normal capital planning and investment controls process for
information technology, consistent with the information systems and information
technology management requirements in Section 8b of this circular.
12. A number of comments concerned the government-wide role of the Security Policy
Board. Several favored expanding that role, others proposed that it be more limited. Still
others said the Appendix should be silent on national security directives.
We have revised the language in the Appendix to clarify the role of the Security Policy
Board regarding security of information technology used to process classified information.
We have also added language to the preamble which clarifies that Circular No. A-130 and
the Appendix exclude certain mission critical systems, the so-called "Warner systems,"
from coverage, and to describe the Department of Defense's responsibilities pursuant to
existing Presidential directives. The Appendix does not attempt to interpret the language
of the directives. Rather, it clarifies that requirements issued pursuant to those directives
should be used in place of the requirements of the Appendix with respect to the protection
of classified information. The discussion of national security directives is included to
assist in the coordination of security activities among various security communities.
Accordingly, Circular A-130 is revised as set forth below.
Sally Katzen
Administrator
Office of Information
and Regulatory Affairs