A-130 focuses on three key elements: real-time knowledge of the environment, proactive risk management and shared responsibility.
The circular hadn’t been updated since 2000, an era ruled by desktop computers. The document now consolidates policy updates for federal agencies in important categories like cybersecurity, information governance, privacy, records management, open data and acquisitions.
The lengthy time between updates alone made headlines when the White House unveiled a rewrite last year after the Office of Personnel Management hack forced government to take a more proactive approach to cybersecurity. The real significance of A-130’s update is in the policy itself, according to Trevor Rudolph, chief of OMB’s Cyber and National Security Unit.
A-130 broadly emphasizes three key elements: real-time knowledge of the environment, proactive risk management and shared responsibility. Speaking Thursday at an event hosted by Nextgov, Rudolph used slides to contrast old A-130 policy language with the new.
A few examples:
- A-130 in 2000: “Use of the system shall be reauthorized at least every three years.”
- A-130 updated: “Reauthorize information systems and common controls as needed, on a time- or event-driven basis in accordance with agency risk tolerance.”
- A-130 in 2000: “Agencies should assure that each system appropriately uses effective security products and techniques… Often such techniques will correspond with system rules of behavior, such as in the proper use of password protection.”
- A-130 updated: “Deploy effective security controls to provide…multifactor authentication, digital signature and encryption capabilities that provide assurance of identity and are interoperable governmentwide and accepted across all Executive Branch agencies.”
From a cybersecurity standpoint, the new policy ushers out box-checking exercises and outdated protocols in favor of a more nuanced policy guide designed to evolve with the times.
Rudolph said the A-130 update has added importance because it addresses the three main “structural challenges to sustained progress” for the Cybersecurity National Action Plan released earlier this year. Those challenges include legacy IT, fragmented governance of IT across the federal landscape and cyber workforce vacancies.
New guidance within A-130 helps agencies tag-team those challenges, although Rudolph said OMB will continue to promote additional policies that address them, too.
Recently, OMB released the Federal Cybersecurity Workforce Strategy to address hiring 3,500 additional “critical cybersecurity and IT positions” by January 2017 and has promoted the IT Modernization Fund, which would create a $3.1 billion pot agencies could borrow from to modernize increasingly outdated systems.
“Legacy IT is bad,” Rudolph said when asked by a reporter to endorse either ITMF or competing IT modernization legislation introduced last month by Rep. Will Hurd, R-Texas.
Rudolph said additional recommendations from President Obama’s Commission on Enhancing National Cybersecurity are due out “late this fall.”
How will the fallout from these policies and others in the future affect A-130? It’s impossible to know, but one thing that seems certain is a higher frequency of updates.
“We had the first A-130 cake in the office and we ate it,” Rudolph said. “Let’s hope we don’t go another 16 years until the next update. We should probably be updating it every four to five years.”