New Policy Compels Agencies to Guard Data Privacy, Security

By Cheryl Bolen

July 27 — The first revision in 16 years to the government's information management policy requires federal agencies to maintain the privacy and security of the information they collect, the Office of Management and Budget said.

OMB Circular A-130 is the policy document that guides federal agencies in the planning, budgeting, governance, acquisition and management of federal information, supporting infrastructure and services.

Periodically, the OMB revises its circular to reflect changes in law and advances in technology, as well as to ensure consistency with executive orders, presidential directives and other OMB policies.

This revision, scheduled to be published in the July 28 Federal Register, directs federal agencies to handle security and privacy requirements as a crucial component of a comprehensive, strategic and continuous risk-based program, administration officials said.

Risk of Attack

Analysts have long expressed concern about the threats that cyberattacks pose to information technology systems operated by the federal government and its contractors (97 DER 97, 5/20/15).

In a blog post on the OMB website, senior administration officials said that the way the government manages information technology, security, data governance and privacy has rapidly evolved since Circular A-130 was last updated in 2000.

As the government continues to digitize, agencies must manage data to keep it secure and to allow them to provide the best possible service to the public, the officials said.

Minimum Standards

The revised circular establishes minimum requirements for federal information security programs and assigns responsibilities for the security of information and systems.

Among other responsibilities, the revisions require agencies to continuously monitor, log and audit user activity to protect against insider threats. It also requires agencies to encrypt moderate and high-impact information at rest and in transit.

The circular requires agencies to ensure terms in contracts are sufficient to protect federal information, implement measures to protect against supply chain threats and provide identity assurance for secure government services.

Privacy Responsibilities

The circular also outlines some general responsibilities for federal agencies when managing personally identifiable information.

Among the requirements for federal agencies is establishing and maintaining a comprehensive, strategic, agency-wide privacy program and designating senior agency officials for privacy.

The circular also requires agencies to conduct privacy impact assessments and to apply the National Institute of Standards and Technology risk management framework to manage privacy risks.

To contact the reporter on this story: Cheryl Bolen in Washington at

To contact the editor responsible for this story: Heather Rothman at

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.