The White House on Wednesday unveiled a broad rewrite of the federal government’s strategy for buying, managing and securing agency IT systems.
The Office of Management and Budget Circular A-130, as it’s known, hasn’t been significantly updated since the pre-smartphone days of 2000. A 2014 update to federal cybersecurity legislation mandated an A-130 update.
Federal Chief Information Officer Tony Scott and other federal officials announced the new policy Wednesday on the OMB blog.
The updated guidance aims to “ensure that the federal IT ecosystem operates more securely and more efficiently while saving tax dollars and serving the needs of the American people,” the post stated. Scott, Office of Federal Procurement Policy Administrator Anne Rung, and Office of Information and Regulatory Affairs Administrator Howard Shelanski signed off on the draft of the new plan.
The new policy lays out guidance for managing IT investments, improving information security practices and streamlining the process for acquiring new technology.
The administration is taking comments on the plan for the next 30 days. A final version of the new policy is expected to be released in December.
Managing IT Investments
When it comes to managing IT investments, the new guidance hews closely to the outlines of the 2014 Federal Information Technology Acquisition Reform Act, which mandated broader responsibilities for agency-level CIOs, including the power to approve IT spending.
The policy also directs CIOs to keep track of aging information systems and others that “cannot be appropriately protected or secured,” and says such systems “should be given a high priority for upgrade, replacement or retirement.”
Speaking Tuesday at an event on federal IT acquisition, Scott, the federal CIO, lamented the lack of strong agency planning for replacing legacy systems.
“We don't have a regular plan for replacement or upgrade . . . We wait until we have a little extra money left over,” he said. “Or, there's a crisis, and then we panic and react and it's very expensive.”
The updated information security requirements spelled out in the new policy continue a longstanding shift away from “the current periodic point-in-time authorization process” in favor of “a more dynamic continuous monitoring,” according to the draft.
The original 2000s-era policy dictated a review of security policies only every three years or when major changes were made to a system, a policy that became increasingly out of step with the administration’s efforts to inculcate continuous monitoring of agency networks.
Separately, the White House is preparing to release specific new guidelines for securing agency computer networks, building on the 30-day “cybersecurity sprint” mandated by OMB in the wake of the massive breach of background investigation files at the Office of Personnel Management.
Scott said Tuesday his office is “days away” from releasing the new cyber implementation plan.
Speeding up the Acquisition Process
The new policy also takes steps to streamline the federal acquisition process.
The guidance calls on agency contracting shops to structure procurements for major IT projects into smaller segments and award all contracts within six months of issuing a solicitation. If that deadline isn’t met, agencies should consider canceling the contract. The technology being sought from vendors, meanwhile, should be delivered within 18 months of the solicitation, according to the draft.
When seeking new technology or services, agencies should first consider using another agency’s existing resources, an approach known as shared services. Barring that, the policy privileges the acquisition of commercially available, off-the-shelf technology or software-as-a-service solutions.
“Custom-developed software and technology should be considered last and should include contractual rights for re-use throughout the federal government,” the draft policy stated.
If provisioned IT services, such as cloud services, provide a more cost-effective option, agencies should opt for those, according to the draft.