February 8, 1996

(Accompanying Federal Register Materials - Feb. 1996)

MEMORANDUM FOR HEADS OF EXECUTIVE DEPARTMENTS AND ESTABLISHMENTS

SUBJECT: Management of Federal Information Resources

Circular No. A-130 provides uniform government-wide information resources management policies as required by the Paperwork Reduction Act of 1980, as amended by the Paperwork Reduction Act of 1995, 44 U.S.C. Chapter 35. This Transmittal Memorandum contains updated guidance on the "Security of Federal Automated Information Systems," Appendix III and makes minor technical revisions to the Circular to reflect the Paperwork Reduction Act of 1995 (P.L. 104-13). The Circular is reprinted in its entirety for convenience.

Alice M. Rivlin
Director

Attachment

MEMORANDUM FOR HEADS OF EXECUTIVE DEPARTMENTS AND ESTABLISHMENTS

SUBJECT: Management of Federal Information Resources

1. Purpose
2. Rescissions
3. Authorities
4. Applicability and Scope
5. Background
6. Definitions
7. Basic Considerations and Assumptions
8. Policy
9. Assignment of Responsibilities
10. Oversight
11. Effectiveness
12. Inquiries
13. Sunset Review Date

---

1. Purpose: This Circular establishes policy for the management of Federal information resources. Procedural and analytic guidelines for implementing specific aspects of these policies are included as appendices.

---

2. Rescissions: This Circular rescinds OMB Circulars No. A-3, A-71, A-90, A-108, A-114, and A-121, and all Transmittal Memoranda to those circulars.

---

3. Authorities: This Circular is issued pursuant to the Paperwork Reduction Act (PRA) of 1980, as amended by the Paperwork Reduction Act of 1995 (44 U.S.C. Chapter 35); the Privacy Act, as amended (5 U.S.C. 552a); the Chief Financial Officers Act (31 U.S.C. 3512 et seq.); the Federal Property and Administrative Services Act, as amended (40 U.S.C. 759 and 487); the Computer Security Act (40 U.S.C. 759 note); the Budget and Accounting Act, as amended (31 U.S.C. Chapter 11); Executive Order No. 12046 of March 27, 1978; and Executive Order No. 12472 of April 3, 1984.

---

4. Applicability and Scope:

a. The policies in this Circular apply to the information activities of all agencies of the executive branch of the Federal government.

b. Information classified for national security purposes should also be handled in accordance with the appropriate national security directives. National security emergency preparedness activities should be conducted in accordance with Executive Order No. 12472.

---

5. Background: The Paperwork Reduction Act establishes a broad mandate for agencies to perform their information resources management activities in an efficient, effective, and economical manner. To assist agencies in an integrated approach to information resources management, the Act requires that the Director of OMB develop and implement uniform and consistent information resources management policies; oversee the development and promote the use of information management principles, standards, and guidelines; evaluate agency information resources management practices in order to determine their adequacy and efficiency; and determine compliance of such practices with the policies, principles, standards, and guidelines promulgated by the Director.

---

6. Definitions:

a. The term "agency" means any executive department, military department, government corporation, government controlled corporation, or other establishment in the executive branch of the Federal government, or any independent regulatory agency. Within the Executive Office of the President, the term includes only OMB and the Office of Administration.

b. The term "audiovisual production" means a unified presentation, developed according to a plan or script, containing visual imagery, sound or both, and used to convey information.

c. The term "dissemination" means the government initiated distribution of information to the public. Not considered dissemination within the meaning of this Circular is distribution limited to government employees or agency contractors or grantees, intra- or inter-agency use or sharing of government information, and responses to requests for agency records under the Freedom of Information Act (5 U.S.C. 552) or Privacy Act.

d. The term "full costs," when applied to the expenses incurred in the operation of an information processing service organization (IPSO), is comprised of all direct, indirect, general, and administrative costs incurred in the operation of an IPSO. These costs include, but are not limited to, personnel, equipment, software, supplies, contracted services from private sector providers, space occupancy, intra-agency services from within the agency, inter-agency services from other Federal agencies, other services that are provided by State and local governments, and Judicial and Legislative branch organizations.

e. The term "government information" means information created, collected, processed, disseminated, or disposed of by or for the Federal Government.

f. The term "government publication" means information which is published as an individual document at government expense, or as required by law. (44 U.S.C. 1901)

g. The term "information" means any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual forms.

h. The term "information dissemination product" means any book, paper, map, machine-readable material, audiovisual production, or other documentary material, regardless of physical form or characteristic, disseminated by an agency to the public.

i. The term "information life cycle" means the stages through which information passes, typically characterized as creation or collection, processing, dissemination, use, storage, and disposition.

j. The term "information management" means the planning, budgeting, manipulating, and controlling of information throughout its life cycle.

k. The term "information resources" includes both government information and information technology.

l. The term "information processing services organization" (IPSO) means a discrete set of personnel, information technology, and support equipment with the primary function of providing services to more than one agency on a reimbursable basis.

m. The term "information resources management" means the process of managing information resources to accomplish agency missions. The term encompasses both information itself and the related resources, such as personnel, equipment, funds, and information technology.

n. The term "information system" means a discrete set of information resources organized for the collection, processing, maintenance, transmission, and dissemination of information, in accordance with defined procedures, whether automated or manual.

o. The term "information system life cycle" means the phases through which an information system passes, typically characterized as initiation, development, operation, and termination.

p. The term "information technology" means the hardware and software operated by a Federal agency or by a contractor of a Federal agency or other organization that processes information on behalf of the Federal government to accomplish a Federal function, regardless of the technology involved, whether computers, telecommunications, or others. It includes automatic data processing equipment as that term is defined in Section 111(a)(2) of the Federal Property and Administrative Services Act of 1949. For the purposes of this Circular, automatic data processing and telecommunications activities related to certain critical national security missions, as defined in 44 U.S.C. 3502(2) and 10 U.S.C. 2315, are excluded.

q. The term "major information system" means an information system that requires special management attention because of its importance to an agency mission; its high development, operating, or maintenance costs; or its significant role in the administration of agency programs, finances, property, or other resources.

r. The term "records" means all books, papers, maps, photographs, machine-readable materials, or other documentary materials, regardless of physical form or characteristics, made or received by an agency of the United States Government under Federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations, or other activities of the government or because of the informational value of the data in them. Library and museum material made or acquired and preserved solely for reference or exhibition purposes, extra copies of documents preserved only for convenience of reference, and stocks of publications and of processed documents are not included. (44 U.S.C. 3301)

s. The term "records management" means the planning, controlling, directing, organizing, training, promoting, and other managerial activities involved with respect to records creation, records maintenance and use, and records disposition in order to achieve adequate and proper documentation of the policies and transactions of the Federal Government and effective and economical management of agency operations. (44 U.S.C. 2901(2))

t. The term "service recipient" means an agency organizational unit, programmatic entity, or chargeable account that receives information processing services from an information processing service organization (IPSO). A service recipient may be either internal or external to the organization responsible for providing information resources services, but normally does not report either to the manager or director of the IPSO or to the same immediate supervisor.

---

7. Basic Considerations and Assumptions:

a. The Federal Government is the largest single producer, collector, consumer, and disseminator of information in the United States. Because of the extent of the government's information activities, and the dependence of those activities upon public cooperation, the management of Federal information resources is an issue of continuing importance to all Federal agencies, State and local governments, and the public.

b. Government information is a valuable national resource. It provides the public with knowledge of the government, society, and economy -- past, present, and future. It is a means to ensure the accountability of government, to manage the government's operations, to maintain the healthy performance of the economy, and is itself a commodity in the marketplace.

c. The free flow of information between the government and the public is essential to a democratic society. It is also essential that the government minimize the Federal paperwork burden on the public, minimize the cost of its information activities, and maximize the usefulness of government information.

d. In order to minimize the cost and maximize the usefulness of government information, the expected public and private benefits derived from government information should exceed the public and private costs of the information, recognizing that the benefits to be derived from government information may not always be quantifiable.

e. The nation can benefit from government information disseminated both by Federal agencies and by diverse nonfederal parties, including State and local government agencies, educational and other not-for-profit institutions, and for-profit organizations.

f. Because the public disclosure of government information is essential to the operation of a democracy, the management of Federal information resources should protect the public's right of access to government information.

g. The individual's right to privacy must be protected in Federal Government information activities involving personal information.

h. Systematic attention to the management of government records is an essential component of sound public resources management which ensures public accountability. Together with records preservation, it protects the government's historical record and guards the legal and financial rights of the government and the public.

i. Agency strategic planning can improve the operation of government programs. The application of information resources should support an agency's strategic plan to fulfill its mission. The integration of IRM planning with agency strategic planning promotes the appropriate application of Federal information resources.

j. Because State and local governments are important producers of government information for many areas such as health, social welfare, labor, transportation, and education, the Federal Government must cooperate with these governments in the management of information resources.

k. The open and efficient exchange of scientific and technical government information, subject to applicable national security controls and the proprietary rights of others, fosters excellence in scientific research and effective use of Federal research and development funds.

l. Information technology is not an end in itself. It is one set of resources that can improve the effectiveness and efficiency of Federal program delivery.

m. Federal Government information resources management policies and activities can affect, and be affected by, the information policies and activities of other nations.

n. Users of Federal information resources must have skills, knowledge, and training to manage information resources, enabling the Federal government to effectively serve the public through automated means.

o. The application of up-to-date information technology presents opportunities to promote fundamental changes in agency structures, work processes, and ways of interacting with the public that improve the effectiveness and efficiency of Federal agencies.

p. The availability of government information in diverse media, including electronic formats, permits agencies and the public greater flexibility in using the information.

q. Federal managers with program delivery responsibilities should recognize the importance of information resources management to mission performance.

---

8. Policy:

a. Information Management Policy

Information Management Planning. Agencies shall plan in an integrated manner for managing information throughout its life cycle. Agencies shall:

(a) Consider, at each stage of the information life cycle, the effects of decisions and actions on other stages of the life cycle, particularly those concerning information dissemination;

(b) Consider the effects of their actions on members of the public and ensure consultation with the public as appropriate;

(c) Consider the effects of their actions on State and local governments and ensure consultation with those governments as appropriate;

(d) Seek to satisfy new information needs through interagency or intergovernmental sharing of information, or through commercial sources, where appropriate, before creating or collecting new information;

(e) Integrate planning for information systems with plans for resource allocation and use, including budgeting, acquisition, and use of information technology;

(f) Train personnel in skills appropriate to management of information;

(g) Protect government information commensurate with the risk and magnitude of harm that could result from the loss, misuse, or unauthorized access to or modification of such information;

(h) Use voluntary standards and Federal Information Processing Standards where appropriate or required;

(i) Consider the effects of their actions on the privacy rights of individuals, and ensure that appropriate legal and technical safeguards are implemented;

(j) Record, preserve, and make accessible sufficient information to ensure the management and accountability of agency programs, and to protect the legal and financial rights of the Federal Government;

(k) Incorporate records management and archival functions into the design, development, and implementation of information systems;

Provide for public access to records where required or appropriate.

Information Collection. Agencies shall collect or create only that information necessary for the proper performance of agency functions and which has practical utility.

Electronic Information Collection. Agencies shall use electronic collection techniques where such techniques reduce burden on the public, increase efficiency of government programs, reduce costs to the government and the public, and/or provide better service to the public. Conditions favorable to electronic collection include:

(a) The information collection seeks a large volume of data and/or reaches a large proportion of the public;

(b) The information collection recurs frequently;

(c) The structure, format, and/or definition of the information sought by the information collection does not change significantly over several years;

(d) The agency routinely converts the information collected to electronic format;

(e) A substantial number of the affected public are known to have ready access to the necessary information technology and to maintain the information in electronic form;

(f) Conversion to electronic reporting, if mandatory, will not impose substantial costs or other adverse effects on the public, especially State and local governments and small business entities.

Records Management. Agencies shall:

(a) Ensure that records management programs provide adequate and proper documentation of agency activities;

(b) Ensure the ability to access records regardless of form or medium;

(c) In a timely fashion, establish, and obtain the approval of the Archivist of the United States for, retention schedules for Federal records; and

(d) Provide training and guidance as appropriate to all agency officials and employees and contractors regarding their Federal records management responsibilities.

Providing Information to the Public. Agencies have a responsibility to provide information to the public consistent with their missions. Agencies shall discharge this responsibility by:

(a) Providing information, as required by law, describing agency organization, activities, programs, meetings, systems of records, and other information holdings, and how the public may gain access to agency information resources;

(b) Providing access to agency records under provisions of the Freedom of Information Act and the Privacy Act, subject to the protections and limitations provided for in these Acts;

(c) Providing such other information as is necessary or appropriate for the proper performance of agency functions; and

(d) In determining whether and how to disseminate information to the public, agencies shall:

(i) Disseminate information in a manner that achieves the best balance between the goals of maximizing the usefulness of the information and minimizing the cost to the government and the public;

(ii) Disseminate information dissemination products on equitable and timely terms;

(iii) Take advantage of all dissemination channels, Federal and nonfederal, including State and local governments, libraries and private sector entities, in discharging agency information dissemination responsibilities;

(iv) Help the public locate government information maintained by or for the agency.

Information Dissemination Management System. Agencies shall maintain and implement a management system for all information dissemination products which shall, at a minimum:

(a) Assure that information dissemination products are necessary for proper performance of agency functions (44 U.S.C. 1108);

(b) Consider whether an information dissemination product available from other Federal or nonfederal sources is equivalent to an agency information dissemination product and reasonably fulfills the dissemination responsibilities of the agency;

(c) Establish and maintain inventories of all agency information dissemination products;

(d) Develop such other aids to locating agency information dissemination products including catalogs and directories, as may reasonably achieve agency information dissemination objectives;

(e) Identify in information dissemination products the source of the information, if from another agency;

(f) Ensure that members of the public with disabilities whom the agency has a responsibility to inform have a reasonable ability to access the information dissemination products;

(g) Ensure that government publications are made available to depository libraries through the facilities of the Government Printing Office, as required by law (44 U.S.C. Part 19);

(h) Provide electronic information dissemination products to the Government Printing Office for distribution to depository libraries;

(i) Establish and maintain communications with members of the public and with State and local governments so that the agency creates information dissemination products that meet their respective needs;

(j) Provide adequate notice when initiating, substantially modifying, or terminating significant information dissemination products; and

(k) Ensure that, to the extent existing information dissemination policies or practices are inconsistent with the requirements of this Circular, a prompt and orderly transition to compliance with the requirements of this Circular is made.

Avoiding Improperly Restrictive Practices. Agencies shall:

(a) Avoid establishing, or permitting others to establish on their behalf, exclusive, restricted, or other distribution arrangements that interfere with the availability of information dissemination products on a timely and equitable basis;

(b) Avoid establishing restrictions or regulations, including the charging of fees or royalties, on the reuse, resale, or redissemination of Federal information dissemination products by the public; and,

(c) Set user charges for information dissemination products at a level sufficient to recover the cost of dissemination but no higher. They shall exclude from calculation of the charges costs associated with original collection and processing of the information. Exceptions to this policy are:

(i) Where statutory requirements are at variance with the policy;

(ii) Where the agency collects, processes, and disseminates the information for the benefit of a specific identifiable group beyond the benefit to the general public;

(iii) Where the agency plans to establish user charges at less than cost of dissemination because of a determination that higher charges would constitute a significant barrier to properly performing the agency's functions, including reaching members of the public whom the agency has a responsibility to inform; or

(iv) Where the Director of OMB determines an exception is warranted.

Electronic Information Dissemination. Agencies shall use electronic media and formats, including public networks, as appropriate and within budgetary constraints, in order to make government information more easily accessible and useful to the public. The use of electronic media and formats for information dissemination is appropriate under the following conditions:

(a) The agency develops and maintains the information electronically;

(b) Electronic media or formats are practical and cost effective ways to provide public access to a large, highly detailed volume of information;

(c) The agency disseminates the product frequently;

(d) The agency knows a substantial portion of users have ready access to the necessary information technology and training to use electronic information dissemination products;

(e) A change to electronic dissemination, as the sole means of disseminating the product, will not impose substantial acquisition or training costs on users, especially State and local governments and small business entities.

Safeguards. Agencies shall:

(a) Ensure that information is protected commensurate with the risk and magnitude of the harm that would result from the loss, misuse, or unauthorized access to or modification of such information;

(b) Limit the collection of information which identifies individuals to that which is legally authorized and necessary for the proper performance of agency functions;

(c) Limit the sharing of information that identifies individuals or contains proprietary information to that which is legally authorized, and impose appropriate conditions on use where a continuing obligation to ensure the confidentiality of the information exists;

(d) Provide individuals, upon request, access to records about them maintained in Privacy Act systems of records, and permit them to amend such records as are in error consistent with the provisions of the Privacy Act.

b. Information Systems and Information Technology Management

Evaluation and Performance Measurement. Agencies shall promote the appropriate application of Federal information resources as follows:

(a) Seek opportunities to improve the effectiveness and efficiency of government programs through work process redesign and the judicious application of information technology;

(b) Prepare, and update as necessary throughout the information system life cycle, a benefit-cost analysis for each information system:

(i) at a level of detail appropriate to the size of the investment;

(ii) consistent with the methodology described in OMB Circular No. A-94, "Guidelines and Discount Rates for Benefit-Cost Analysis of Federal Programs;" and

(iii) that relies on systematic measures of mission performance, including the:

(a) effectiveness of program delivery; (b) efficiency of program administration; and (c) reduction in burden, including information collection burden, imposed on the public;

(c) Conduct benefit-cost analyses to support ongoing management oversight processes that maximize return on investment and minimize financial and operational risk for investments in major information systems on an agency-wide basis; and

(d) Conduct post-implementation reviews of information systems to validate estimated benefits and document effective management practices for broader use.

Strategic Information Resources Management (IRM) Planning. Agencies shall establish and maintain strategic information resources management planning processes which include the following components:

(a) Strategic IRM planning that addresses how the management of information resources promotes the fulfillment of an agency's mission. This planning process should support the development and maintenance of a strategic IRM plan that reflects and anticipates changes in the agency's mission, policy direction, technological capabilities, or resource levels;

(b) Information planning that promotes the use of information throughout its life cycle to maximize the usefulness of information, minimize the burden on the public, and preserve the appropriate integrity, availability, and confidentiality of information. It shall specifically address the planning and budgeting for the information collection burden imposed on the public as defined by 5 C.F.R. 1320;

(c) Operational information technology planning that links information technology to anticipated program and mission needs, reflects budget constraints, and forms the basis for budget requests. This planning should result in the preparation and maintenance of an up-to-date five-year plan, as required by 44 U.S.C. 3506, which includes:

(i) a listing of existing and planned major information systems;

(ii) a listing of planned information technology acquisitions;

(iii) an explanation of how the listed major information systems and planned information technology acquisitions relate to each other and support the achievement of the agency's mission; and

iv) a summary of computer security planning, as required by Section 6 of the Computer Security Act of 1987 (40 U.S.C. 759 note); and

(d) Coordination with other agency planning processes including strategic, human resources, and financial resources.

Information Systems Management Oversight. Agencies shall establish information system management oversight mechanisms that:

(a) Ensure that each information system meets agency mission requirements;

(b) Provide for periodic review of information systems to determine:

(i) how mission requirements might have changed;

(ii) whether the information system continues to fulfill ongoing and anticipated mission requirements; and

(iii) what level of maintenance is needed to ensure the information system meets mission requirements cost effectively;

(c) Ensure that the official who administers a program supported by an information system is responsible and accountable for the management of that information system throughout its life cycle;

(d) Provide for the appropriate training for users of Federal information resources;

(e) Prescribe Federal information system requirements that do not unduly restrict the prerogatives of State, local, and tribal governments;

(f) Ensure that major information systems proceed in a timely fashion towards agreed-upon milestones in an information system life cycle, meet user requirements, and deliver intended benefits to the agency and affected publics through coordinated decision making about the information, human, financial, and other supporting resources; and

(g) Ensure that financial management systems conform to the requirements of OMB Circular No. A-127, "Financial Management Systems."

Use of Information Resources. Agencies shall create and maintain management and technical frameworks for using information resources that document linkages between mission needs, information content, and information technology capabilities. These frameworks should guide both strategic and operational IRM planning. They should also address steps necessary to create an open systems environment. Agencies shall implement the following principles:

(a) Develop information systems in a manner that facilitates necessary interoperability, application portability, and scalability of computerized applications across networks of heterogeneous hardware, software, and communications platforms;

(b) Ensure that improvements to existing information systems and the development of planned information systems do not unnecessarily duplicate information systems available within the same agency, from other agencies, or from the private sector;

(c) Share available information systems with other agencies to the extent practicable and legally permissible;

(d) Meet information technology needs through intra-agency and inter-agency sharing, when it is cost effective, before acquiring new information technology resources;

(e) For Information Processing Service Organizations (IPSOs) that have costs in excess of $5 million per year, agencies shall:

(i) account for the full costs of operating all IPSOs;

(ii) recover the costs incurred for providing IPSO services to all service recipients on an equitable basis commensurate with the costs required to provide those services; and

(iii) document sharing agreements between service recipients and IPSOs; and

(f) Establish a level of security for all information systems that is commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information contained in these information systems.

Acquisition of Information Technology. Agencies shall:

(a) Acquire information technology in a manner that makes use of full and open competition and that maximizes return on investment;

(b) Acquire off-the-shelf software from commercial sources, unless the cost effectiveness of developing custom software to meet mission needs is clear and has been documented;

(c) Acquire information technology in accordance with OMB Circular No. A-109, "Acquisition of Major Systems," where appropriate; and

(d) Acquire information technology in a manner that considers the need for accommodations of accessibility for individuals with disabilities to the extent that needs for such access exist.

---

9. Assignment of Responsibilities:

a. All Federal Agencies. The head of each agency shall:

1. Have primary responsibility for managing agency information resources;

2. Ensure that the information policies, principles, standards, guidelines, rules, and regulations prescribed by OMB are implemented appropriately within the agency;

3. Develop internal agency information policies and procedures and oversee, evaluate, and otherwise periodically review agency information resources management activities for conformity with the policies set forth in this Circular;

4. Develop agency policies and procedures that provide for timely acquisition of required information technology;

5. Maintain an inventory of the agencies' major information systems, holdings and information dissemination products, as required by 44 U.S.C. 3511.

6. Implement and enforce applicable records management policies and procedures, including requirements for archiving information maintained in electronic format, particularly in the planning, design and operation of information systems.

7. Identify to the Director, OMB, statutory, regulatory, and other impediments to efficient management of Federal information resources and recommend to the Director legislation, policies, procedures, and other guidance to improve such management;

8. Assist OMB in the performance of its functions under the PRA including making services, personnel, and facilities available to OMB for this purpose to the extent practicable;

9. Appoint a senior official, as required by 44 U.S.C. 3506(a), who shall report directly to the agency head to carry out the responsibilities of the agency under the PRA. The head of the agency shall keep the Director, OMB, advised as to the name, title, authority, responsibilities, and organizational resources of the senior official. For purposes of this paragraph, military departments and the Office of the Secretary of Defense may each appoint one official.

10. Direct the senior official appointed pursuant to 44 U.S.C. 3506(a) to monitor agency compliance with the policies, procedures, and guidance in this Circular. Acting as an ombudsman, the senior official shall consider alleged instances of agency failure to comply with this Circular and recommend or take corrective action as appropriate. The senior official shall report annually, not later than February 1st of each year, to the Director those instances of alleged failure to comply with this Circular and their resolution.

b. Department of State. The Secretary of State shall:

1. Advise the Director, OMB, on the development of United States positions and policies on international information policy issues affecting Federal Government information activities and ensure that such positions and policies are consistent with Federal information resources management policy;

2. Ensure, in consultation with the Secretary of Commerce, that the United States is represented in the development of international information technology standards, and advise the Director, OMB, of such activities.

c. Department of Commerce. The Secretary of Commerce shall:

1. Develop and issue Federal Information Processing Standards and guidelines necessary to ensure the efficient and effective acquisition, management, security, and use of information technology;

2. Advise the Director, OMB, on the development of policies relating to the procurement and management of Federal telecommunications resources;

3. Provide OMB and the agencies with scientific and technical advisory services relating to the development and use of information technology;

4. Conduct studies and evaluations concerning telecommunications technology, and concerning the improvement, expansion, testing, operation, and use of Federal telecommunications systems and advise the Director, OMB, and appropriate agencies of the recommendations that result from such studies;

5. Develop, in consultation with the Secretary of State and the Director of OMB, plans, policies, and programs relating to international telecommunications issues affecting government information activities;

6. Identify needs for standardization of telecommunications and information processing technology, and develop standards, in consultation with the Secretary of Defense and the Administrator of General Services, to ensure efficient application of such technology;

7. Ensure that the Federal Government is represented in the development of national and, in consultation with the Secretary of State, international information technology standards, and advise the Director, OMB, of such activities.

d. Department of Defense. The Secretary of Defense shall develop, in consultation with the Administrator of General Services, uniform Federal telecommunications standards and guidelines to ensure national security, emergency preparedness, and continuity of government.

e. General Services Administration. The Administrator of General Services shall:

1. Advise the Director, OMB, and agency heads on matters affecting the procurement of information technology;

2. Coordinate and, when required, provide for the purchase, lease, and maintenance of information technology required by Federal agencies;

3. Develop criteria for timely procurement of information technology and delegate procurement authority to agencies that comply with the criteria;

4. Provide guidelines and regulations for Federal agencies, as authorized by law, on the acquisition, maintenance, and disposition of information technology, and for implementation of Federal Information Processing Standards;

5. Develop policies and guidelines that facilitate the sharing of information technology among agencies as required by this Circular;

6. Manage the Information Technology Fund in accordance with the Federal Property and Administrative Services Act as amended;

f. Office of Personnel Management. The Director, Office of Personnel Management, shall:

1. Develop and conduct training programs for Federal personnel on information resources management including end-user computing;

2. Evaluate periodically future personnel management and staffing requirements for Federal information resources management;

3. Establish personnel security policies and develop training programs for Federal personnel associated with the design, operation, or maintenance of information systems.

g. National Archives and Records Administration. The Archivist of the United States shall:

1. Administer the Federal records management program in accordance with the National Archives and Records Act;

2. Assist the Director, OMB, in developing standards and guidelines relating to the records management program.

h. Office of Management and Budget. The Director of the Office of Management and Budget shall:

1. Provide overall leadership and coordination of Federal information resources management within the executive branch;

2. Serve as the President's principal adviser on procurement and management of Federal telecommunications systems, and develop and establish policies for procurement and management of such systems;

3. Issue policies, procedures, and guidelines to assist agencies in achieving integrated, effective, and efficient information resources management;

4. Initiate and review proposals for changes in legislation, regulations, and agency procedures to improve Federal information resources management;

5. Review and approve or disapprove agency proposals for collection of information from the public, as defined by 5 CFR 1320.3;

6. Develop and maintain a Governmentwide strategic plan for information resources management.

7. Evaluate agencies' information resources management and identify cross-cutting information policy issues through the review of agency information programs, information collection budgets, information technology acquisition plans, fiscal budgets, and by other means;

8. Provide policy oversight for the Federal records management function conducted by the National Archives and Records Administration, coordinate records management policies and programs with other information activities, and review compliance by agencies with records management requirements;

9. Review agencies' policies, practices, and programs pertaining to the security, protection, sharing, and disclosure of information, in order to ensure compliance, with respect to privacy and security, with the Privacy Act, the Freedom of Information Act, the Computer Security Act and related statutes;

10. Resolve information technology procurement disputes between agencies and the General Services Administration pursuant to Section 111 of the Federal Property and Administrative Services Act;

11. Review proposed U.S. Government Position and Policy statements on international issues affecting Federal Government information activities and advise the Secretary of State as to their consistency with Federal information resources management policy.

12. Coordinate the development and review by the Office of Information and Regulatory Affairs of policy associated with Federal procurement and acquisition of information technology with the Office of Federal Procurement Policy.

---

10. Oversight:

a. The Director, OMB, will use information technology planning reviews, fiscal budget reviews, information collection budget reviews, management reviews, and such other measures as the Director deems necessary to evaluate the adequacy and efficiency of each agency's information resources management and compliance with this Circular.

b. The Director, OMB, may, consistent with statute and upon written request of an agency, grant a waiver from particular requirements of this Circular. Requests for waivers must detail the reasons why a particular waiver is sought, identify the duration of the waiver sought, and include a plan for the prompt and orderly transition to full compliance with the requirements of this Circular. Notice of each waiver request shall be published promptly by the agency in the Federal Register, with a copy of the waiver request made available to the public on request.

---

11. Effectiveness: This Circular is effective upon issuance. Nothing in this Circular shall be construed to confer a private right of action on any person.

---

12. Inquiries: All questions or inquiries should be addressed to the Office of Information and Regulatory Affairs, Office of Management and Budget, Washington, D.C. 20503. Telephone: (202) 395-3785.

---

13. Sunset Review Date: OMB will review this Circular three years from the date of issuance to ascertain its effectiveness.

1. Purpose and Scope.

This Appendix describes agency responsibilities for implementing the reporting and publication requirements of the Privacy Act of 1974, 5 U.S.C. 552a, as amended (hereinafter "the Act"). It applies to all agencies subject to the Act. Note that this Appendix does not rescind other guidance OMB has issued to help agencies interpret the Privacy Act's provisions, e.g., Privacy Act Guidelines (40 FR 28949-28978, July 9, 1975), or Final Guidance for Conducting Matching Programs (54 FR at 25819, June 19, 1989).

2. Definitions.

a. The terms "agency," "individual," "maintain," "matching program," "record," "system of records," and "routine use," as used in this Appendix, are defined in the Act (5 U.S.C. 552a(a)).

b. Matching Agency. Generally, the Recipient Federal agency (or the Federal source agency in a match conducted by a nonfederal agency) is the matching agency and is responsible for meeting the reporting and publication requirements associated with the matching program. However, in large, multi-agency matching programs, where the recipient agency is merely performing the matches and the benefit accrues to the source agencies, the partners should assign responsibility for compliance with the administrative requirements in a fair and reasonable way. This may mean having the matching agency carry out these requirements for all parties, having one participant designated to do so, or having each source agency do so for its own matching program(s).

c. Nonfederal Agency. Nonfederal agencies are State or local governmental agencies receiving or providing records in a matching program with a Federal agency.

d. Recipient Agency. Recipient agencies are Federal agencies or their contractors receiving automated records from the Privacy Act systems of records of other Federal agencies, or from State or local governments, to be used in a matching program as defined in the Act.

e. Source Agency. A source agency is a Federal agency that discloses automated records from a system of records to another Federal agency or to a State or local agency to be used in a matching program. It is also a State or local agency that discloses records to a Federal agency for use in a matching program.

3. Assignment of Responsibilities.

a. All Federal Agencies. In addition to meeting the agency requirements contained in the Act and the specific reporting and publication requirements detailed in this Appendix, the head of each agency shall ensure that the following reviews are conducted as often as specified below, and be prepared to report to the Director, OMB, the results of such reviews and the corrective action taken to resolve problems uncovered. The head of each agency shall:

(1) Section (m) Contracts. Review every two years a random sample of agency contracts that provide for the maintenance of a system of records on behalf of the agency to accomplish an agency function, in order to ensure that the wording of each contract makes the provisions of the Act binding on the contractor and his or her employees. (See 5 U.S.C. 552a(m)(1))

(2) Recordkeeping Practices. Review biennially agency recordkeeping and disposal policies and practices in order to assure compliance with the Act, paying particular attention to the maintenance of automated records.

(3) Routine Use Disclosures. Review every four years the routine use disclosures associated with each system of records in order to ensure that the recipient's use of such records continues to be compatible with the purpose for which the disclosing agency collected the information.

(4) Exemption of Systems of Records. Review every four years each system of records for which the agency has promulgated exemption rules pursuant to Section (j) or (k) of the Act in order to determine whether such exemption is still needed.

(5) Matching Programs. Review annually each ongoing matching program in which the agency has participated during the year in order to ensure that the requirements of the Act, the OMB guidance, and any agency regulations, operating instructions, or guidelines have been met.

(6) Privacy Act Training. Review biennially agency training practices in order to ensure that all agency personnel are familiar with the requirements of the Act, with the agency's implementing regulation, and with any special requirements of their specific jobs.

(7) Violations. Review biennially the actions of agency personnel that have resulted either in the agency being found civilly liable under Section (g) of the Act, or an employee being found criminally liable under the provisions of Section (i) of the Act, in order to determine the extent of the problem, and to find the most effective way to prevent recurrence of the problem.

(8) Systems of Records Notices. Review biennially each system of records notice to ensure that it accurately describes the system of records. Where minor changes are needed, e.g., the name of the system manager, ensure that an amended notice is published in the Federal Register. Agencies may choose to make one annual comprehensive publication consolidating such minor changes. This requirement is distinguished from and in addition to the requirement to report to OMB and Congress significant changes to systems of records and to publish those changes in the Federal Register (See paragraph 4c of this Appendix).

b. Department of Commerce. The Secretary of Commerce shall, consistent with guidelines issued by the Director, OMB, develop and issue standards and guidelines for ensuring the security of information protected by the Act in automated information systems.

c. The Department of Defense, General Services Administration, and National Aeronautics and Space Administration. These agencies shall, consistent with guidelines issued by the Director, OMB, ensure that instructions are issued on what agencies must do in order to comply with the requirements of Section (m) of the Act when contracting for the operation of a system of records to accomplish an agency purpose.

d. Office of Personnel Management. The Director of the Office of Personnel Management shall, consistent with guidelines issued by the Director, OMB:

(1) Develop and maintain government-wide standards and procedures for civilian personnel information processing and recordkeeping directives to assure conformance with the Act.

(2) Develop and conduct Privacy Act training programs for agency personnel, including both the conduct of courses in various substantive areas (e.g., administrative, information technology) and the development of materials that agencies can use in their own courses. The assignment of this responsibility to OPM does not affect the responsibility of individual agency heads for developing and conducting training programs tailored to the specific needs of their own personnel.

e. National Archives and Records Administration. The Archivist of the United States through the Office of the Federal Register, shall, consistent with guidelines issued by the Director, OMB:

(1) Issue instructions on the format of the agency notices and rules required to be published under the Act.

(2) Compile and publish every two years, the rules promulgated under 5 U.S.C. 552a(f) and agency notices published under 5 U.S.C. 552a(e)(4) in a form available to the public at low cost.

(3) Issue procedures governing the transfer of records to Federal Records Centers for storage, processing, and servicing pursuant to 44 U.S.C. 3103. For purposes of the Act, such records are considered to be maintained by the agency that deposited them. The Archivist may disclose deposited records only according to the access rules established by the agency that deposited them.

f. Office of Management and Budget. The Director of the Office of Management and Budget will:

(1) Issue guidelines and directives to the agencies to implement the Act.

(2) Assist the agencies, at their request, in implementing their Privacy Act programs.

(3) Review new and altered system of records and matching program reports submitted pursuant to Section (o) of the Act.

(4) Compile the biennial report of the President to Congress in accordance with Section (s) of the Act.

(5) Compile and issue a biennial report on the agencies' implementation of the computer matching provisions of the Privacy Act, pursuant to Section (u)(6) of the Act.

4. Reporting Requirements. The Privacy Act requires agencies to make the following kinds of reports:

Report
When Due
Recipient**

Biennial Privacy Act Report
June 30, 1996, 1998, 2000, 2002
Administrator, OIRA

Biennial Matching Activity Report
June 30, 1996, 1998, 2000, 2002
Administrator, OIRA

New System of Records Report
When establishing a system of records - at least 40 days before operating the system*
Administrator, OIRA, Congress

Altered System of Records Report
When adding a new routine use, exemption, or otherwise significantly altering an existing system of records - at least 40 days before change to system takes place*
Administrator, OIRA, Congress

New Matching Program Report
When establishing a new matching program - at least 40 days before operating the program*
Administrator, OIRA, Congress

Renewal of Existing Matching Program
At least 40 days prior to expiration of any one year extension of the original program - treat as a new program
Administrator, OIRA, Congress

Altered Matching Program
When making a significant change to an existing matching program - at least 40 days before operating an altered program*
Administrator, OIRA, Congress

Matching Agreements
At least 40 days prior to the start of a matching program*
Congress

* Review Period: Note that the statutory reporting requirement is 30 days prior; the additional ten days will ensure that OMB and Congress have sufficient time to review the proposal. Agencies should therefore ensure that reports are mailed expeditiously after being signed.

** Recipient Addresses: At bottom of envelope print "PRIVACY ACT REPORT"

House of Representatives:
The Chair of the House Committee on Government Reform and Oversight, 2157 RHOB, Washington, D.C. 20515-6143.

Senate:
The Chair of the Senate Committee on Governmental Affairs, 340 SDOB, Washington, D.C. 20510-6250.

Office of Management and Budget:
The Administrator of the Office of Information and Regulatory Affairs, Office of Management and Budget, ATTN: Docket Library, NEOB Room 10012, Washington, D.C. 20503.

a. Biennial Privacy Act Report. To provide the necessary information for the biennial report of the President, agencies shall submit a biennial report to OMB, covering their Privacy Act activities for the calendar years covered by the reporting period. The exact format of the report will be established by OMB. At a minimum, however, agencies should collect and be prepared to report the following data on a calendar year basis:

(1) A listing of publication activity during the year showing the following:

• Total Number of Systems of Records (Exempt/NonExempt)
• Number of New Systems of Records Added (Exempt/NonExempt)
• Number Routine Uses Added
• Number Exemptions Added to Existing Systems
• Number Exemptions Deleted from Existing Systems
• Total Number of Automated Systems of Records (Exempt/NonExempt)

The agency should provide a brief narrative describing those activities in detail, e.g., "the Department added a (k)(1) exemption to an existing system of records entitled "Investigative Records of the Office of Investigations;" or "the agency added a new routine use to a system of records entitled "Employee Health Records" that would permit disclosure of health data to researchers under contract to the agency to perform workplace risk analysis."

(2) A brief description of any public comments received on agency publication and implementation activities, and agency response.

(3) Number of access and amendment requests from record subjects citing the Privacy Act that were received during the calendar year of the report. Also the disposition of requests from any year that were completed during the calendar year of the report:

• Total Number of Access Requests
  Number Granted in Whole
  Number Granted in Part
  Number Wholly Denied
  Number For Which No Record Found

• Total Amendment Requests Number Granted in Whole
  Number Granted in Part
  Number Wholly Denied

• Number of Appeals of Denials of Access
  Number Granted in Whole
  Number Granted in Part
  Number Wholly Denied
  Number For Which No Record Found

• Number of Appeals of Denials of Amendment
  Number Granted in Whole
  Number Granted in Part
  Number Wholly Denied
  

(4) Number of instances in which individuals brought suit under section (g) of the Privacy Act against the agency and the results of any such litigation that resulted in a change to agency practices or affected guidance issued by OMB.

(5) Results of the reviews undertaken in response to paragraph 3a of this Appendix.

(6) Description of agency Privacy Act training activities conducted in accordance with paragraph 3a(6) of this Appendix.

b. Biennial Matching Activity Report (See 5 U.S.C. 552a(u)(3)(D)). At the end of each calendar year, the Data Integrity Board of each agency that has participated in a matching program will collect data summarizing that year's matching activity. The Act requires that such activity be reported every two years. OMB will establish the exact format of the report, but agencies' Data Integrity Boards should be prepared to report the data identified below both to the agency head and to OMB:

(1) A listing of the names and positions of the members of the Data Integrity Board and showing separately the name of the Board Secretary, his or her agency mailing address, and telephone number. Also show and explain any changes in membership or structure occurring during the reporting year.

(2) A listing of each matching program, by title and purpose, in which the agency participated during the reporting year. This listing should show names of participant agencies, give a brief description of the program, and give a page citation and the date of the Federal Register notice describing the program.

(3) For each matching program, an indication of whether the cost/benefit analysis performed resulted in a favorable ratio. The Data Integrity Board should explain why the agency proceeded with any matching program for which an unfavorable ratio was reached.

(4) For each program for which the Board waived a cost/benefit analysis, the reasons for the waiver and the results of the match, if tabulated.

(5) A description of any matching agreement the Board rejected and an explanation of the rejection.

(6) A listing of any violations of matching agreements that have been alleged or identified, and a discussion of any action taken.

(7) A discussion of any litigation involving the agency's participation in any matching program.

(8) For any litigation based on allegations of inaccurate records, an explanation of the steps the agency used to ensure the integrity of its data as well as the verification process it used in the matching program, including an assessment of the adequacy of each.

c. New and Altered System of Records Report. The Act requires agencies to publish notices in the Federal Register describing new or altered systems of records, and to submit reports to OMB, and to the Chair of the Committee on Government Reform and Oversight of the House of Representatives, and the Chair of the Committee on Governmental Affairs of the Senate. The reports must be transmitted at least 40 days prior to the operation of the new system of records or the date on which the alteration to an existing system takes place.

(1) Which Alterations Require a Report. Minor changes to systems of records need not be reported. For example, a change in the designation of the system manager due to a reorganization would not require a report, so long as an individual's ability to gain access to his or her records is not affected. Other examples include changing applicable safeguards as a result of a risk analysis or deleting a routine use when there is no longer a need for the disclosure. The following changes are those for which a report is required:

(a) A significant increase in the number, type, or category of individuals about whom records are maintained. For example, a system covering physicians that has been expanded to include other types of health care providers, e.g., nurses, technicians, etc., would require a report. Increases attributable to normal growth should not be reported.

(b) A change that expands the types or categories of information maintained. For example, a benefit system which originally included only earned income information that has been expanded to include unearned income information.

(c) A change that alters the purpose for which the information is used.

(d) A change to equipment configuration (either hardware or software) that creates substantially greater access to the records in the system of records. For example, locating interactive terminals at regional offices for accessing a system formerly accessible only at the headquarters would require a report.

(e) The addition of an exemption pursuant to Section (j) or (k) of the Act. Note that, in examining a rulemaking for a Privacy Act exemption as part of a report of a new or altered system of records, OMB will also review the rule under applicable regulatory review procedures and agencies need not make a separate submission for that purpose.

(f) The addition of a routine use pursuant to 5 U.S.C. 552a(b)(3).

(2) Reporting Changes to Multiple Systems of Records. When an agency makes a change to an information technology installation or a telecommunication network, or makes any other general changes in information collection, processing, dissemination, or storage that affect multiple systems of records, it may submit a single, consolidated report, with changes to existing notices and supporting documentation included in the submission.

(3) Contents of the New or Altered System Report. The report for a new or altered system has three elements: a transmittal letter, a narrative statement, and supporting documentation.

(a) Transmittal Letter. The transmittal letter should be signed by the senior agency official responsible for implementation of the Act within the agency and should contain the name and telephone number of the individual who can best answer questions about the system of records. The letter should contain the agency's assurance that the proposed system does not duplicate any existing agency or government-wide systems of records. The letter sent to OMB may also include a request for waiver of the time period for the review. The agency should indicate why it cannot meet the established review period and the consequences of not obtaining the waiver. (See paragraph 4e below.) There is no prescribed format for the letter.

(b) Narrative Statement. There is also no prescribed format for the narrative statement, but it should be brief. It should make reference, as appropriate, to information in the supporting documentation rather than restating such information. The statement should:

1. Describe the purpose for which the agency is establishing the system of records.

2. Identify the authority under which the system of records is maintained. The agency should avoid citing housekeeping statutes, but rather cite the underlying programmatic authority for collecting, maintaining, and using the information. When the system is being operated to support an agency housekeeping program, e.g., a carpool locator, the agency may, however, cite a general housekeeping statute that authorizes the agency head to keep such records as necessary.

3. Provide the agency's evaluation of the probable or potential effect of the proposal on the privacy of individuals.

4. Provide a brief description of the steps taken by the agency to minimize the risk of unauthorized access to the system of records. A more detailed assessment of the risks and specific administrative, technical, procedural, and physical safeguards established shall be made available to OMB upon request.

5. Explain how each proposed routine use satisfies the compatibility requirement of subsection (a)(7) of the Act. For altered systems, this requirement pertains only to any newly proposed routine use.

6. Provide OMB Control Numbers, expiration dates, and titles of any information collection requests (e.g., forms, surveys, etc.) contained in the system of records and approved by OMB under the Paperwork Reduction Act. If the request for OMB clearance of an information collection is pending, the agency may simply state the title of the collection and the date it was submitted for OMB clearance.

(c) Supporting Documentation. Attach the following to all new or altered system of records reports:

1. A copy of the new or altered system of records notice consistent with the provisions of 5 U.S.C. 552a(e)(4). The notice must appear in the format prescribed by the Office of the Federal Register's Document Drafting Handbook. For proposed altered systems the agency should supply a copy of the original system of records notice to ensure that reviewers can understand the changes proposed. If the sole change to an existing system of records is to add a routine use, the agency should either republish the entire system of records notice, a condensed description of the system of records, or a citation to the last full text Federal Register publication.

2. A copy in Federal Register format of any new exemption rules or changes to published rules (consistent with the provisions of 5 U.S.C. 552a(f),(j), or (k)) that the agency proposes to issue for the new or altered system.

(4) OMB Review. OMB will review reports under 5 U.S.C. 552a(r) and provide comments if appropriate. Agencies may assume that OMB concurs in the Privacy Act aspects of their proposal if OMB has not commented within 40 days from the date the transmittal letter was signed. Agencies should ensure that letters are transmitted expeditiously after they are signed.

(5) Timing of Systems of Records Reports. Agencies may publish system of records and routine use notices as well as proposed exemption rules in the Federal Register at the same time that they send the new or altered system report to OMB and Congress. The period for OMB and congressional review and the notice and comment period for routine uses and exemptions will then run concurrently. Note that exemptions must be published as final rules before they are effective.

d. New or Altered Matching Program Report. The Act requires agencies to publish notices in the Federal Register describing new or altered matching programs, and to submit reports to OMB, and to Congress. The report must be received at least 40 days prior to the initiation of any matching activity carried out under a new or substantially altered matching program. For renewals of continuing programs, the report must be dated at least 40 days prior to the expiration of any existing matching agreement.

(1) When to Report Altered Matching Programs. Agencies need not report minor changes to matching programs. The term "minor change to a matching program" means a change that does not significantly alter the terms of the agreement under which the program is being carried out. Examples of significant changes include:

(a) Changing the purpose for which the program was established.

(b) Changing the matching population, either by including new categories of record subjects or by greatly increasing the numbers of records matched.

(c) Changing the legal authority covering the matching program.

(d) Changing the source or recipient agencies involved in the matching program.

(2) Contents of New or Altered Matching Program Report. The report for a new or altered matching program has three elements: a transmittal letter, a narrative statement, and supporting documentation that includes a copy of the proposed Federal Register notice.

(a) Transmittal Letter. The transmittal letter should be signed by the senior agency official responsible for implementation of the Privacy Act within the agency and should contain the name and telephone number of the individual who can best answer questions about the matching program. The letter should state that a copy of the matching agreement has been distributed to Congress as the Act requires. The letter to OMB may also include a request for waiver of the review time period. (See 4e below.)

(b) Narrative Statement. There is no prescribed format for the narrative statement, but it should be brief. It should make reference, as appropriate, to information in the supporting documentation rather than restating such information. The statement should provide:

1. A description of the purpose of the matching program and the authority under which it is being carried out.

2. A description of the security safeguards used to protect against any unauthorized access or disclosure of records used in the match.

3. If the cost/benefit analysis required by Section (u)(4)(A) indicated an unfavorable ratio or was waived pursuant to OMB guidance, an explanation of the basis on which the agency justifies conducting the match.

(c) Supporting Documentation. Attach the following:

1. A copy of the Federal Register notice describing the matching program. The notice must appear in the format prescribed by the Office of the Federal Register's Document Drafting Handbook. (See 5b (3).)

2. For the Congressional report only, a copy of the matching agreement.

(3) OMB Review. OMB will review reports under 5 U.S.C. 552a(r) and provide comments if appropriate. Agencies may assume that OMB concurs in the Privacy Act aspects of their proposal if OMB has not commented within 40 days from the date the transmittal letter was signed.

(4) Timing of Matching Program Reports. Agencies should ensure that letters are transmitted expeditiously after they are signed. Agencies may publish matching program notices in the Federal Register at the same time that they send the matching program report to OMB and Congress. The period for OMB and congressional review and the notice and comment period will then run concurrently.

e. Expedited Review. The Director, OMB, may grant a waiver of the 40-day review period for either systems of records or matching program reviews. The agency must ask for the waiver in the transmittal letter and demonstrate compelling reasons. When a waiver is granted, the agency is not thereby relieved of any other requirement of the Act. If no waiver is granted, agencies may presume concurrence at the expiration of the 40 day review period if OMB has not commented by that time. Note that OMB cannot waive time periods specifically established by the Act such as the 30 days notice and comment period required for the adoption of a routine use proposal pursuant to Section (b)(3) of the Act.

a. Publishing New or Altered Systems of Records Notices and Exemption Rules.

(1) Who Publishes. The agency responsible for operating the system of records makes the necessary publication. Publication should be carried out at the departmental or agency level. Even where a system of records is to be operated exclusively by a component, the department rather than the component should publish the notice. Thus, for example, the Department of the Treasury would publish a system of records notice covering a system operated exclusively by the Internal Revenue Service. Note that if the agency is proposing to exempt the system under Section (j) or (k) of the Act, it must publish a rule in addition to the system of records notice.

(a) Government-wide Systems of Records. Certain agencies publish systems of records containing records for which they have government-wide responsibilities. The records may be located in other agencies, but they are being used under the authority of and in conformance with the rules mandated by the publishing agency. The Office of Personnel Management, for example, has published a number of government-wide systems of records relating to the operation of the government's personnel program. Agencies should not publish systems of records that wholly or partly duplicate existing government-wide systems of records.

(b) Section (m) Contract Provisions. When an agency provides by contract for the operation of a system of records, it should ensure that a system of records notice describing the system has been published. It should also review the notice to ensure that it contains a routine use under Section (e)(4)(D) of the Act permitting disclosure to the contractor and his or her personnel.

(2) When to Publish.

(a) System Notice. The system of records notice must appear in the Federal Register before the agency begins to operate the system, e.g., collect and use the information.

(b) Routine Use. A routine use must be published in the Federal Register 30 days before the agency discloses records pursuant to its terms. (Note that the addition of a routine use to an existing system of records requires a report to OMB and Congress, and that the review period for this report is 40 days.)

(c) Exemption Rule. A rule exempting a system of records under (j) or (k) or the Act must be established through informal rulemaking pursuant to the Administrative Procedure Act. This process generally requires publication of a proposed rule, a period during which the public may comment, publication of a final rule, and the adoption of the final rule. Agencies may not withhold records under an exemption until these requirements have been met.

(3) Format. Agencies should follow the publication format contained in the Office of the Federal Register's Document Drafting Handbook which may be obtained from the Government Printing Office.

b. Publishing Matching Notices.

(1) Who Publishes. Generally, the recipient Federal agency (or the Federal source agency in a match conducted by a nonfederal agency) is responsible for publishing in the Federal Register a notice describing the new or altered matching program. However, in large, multi-agency matching programs, where the recipient agency is merely performing the matches, and the benefit accrues to the source agencies, the partners should assign responsibility for compliance with the administrative requirements in a fair and reasonable way. This may mean having the matching agency carry out these requirements for all parties, having one participant designated to do so, or having each source agency do so for its own matching program(s).

(2) Timing. Publication must occur at least 30 days prior to the initiation of any matching activity carried out under a new or substantially altered matching program. For renewals of programs agencies wish to continue past the 30 month period of initial eligibility (i.e., the initial 18 months plus a one year extension), publication must occur at least 30 days prior to the expiration of the existing matching agreement. (But note that a report to OMB and the Congress is also required with a 40 day review period).

(3) Format. The matching notice shall be in the format prescribed by the Office of the Federal Register's Document Drafting Handbook and contain the following information:

(a) The name of the Recipient Agency.
(b) The Name(s) of the Source Agencies.
(c) The beginning and ending dates of the match.
(d) A brief description of the matching program, including its purpose; the legal authorities authorizing its operation; categories of individuals involved; and identification of records used, including name(s) of Privacy Act Systems of records.
(e) The identification, address, and telephone number of a Recipient Agency official who will answer public inquiries about the program.

1. Purpose

This Appendix establishes a minimum set of controls to be included in Federal automated information security programs; assigns Federal agency responsibilities for the security of automated information; and links agency automated information security programs and agency management control systems established in accordance with OMB Circular No. A-123. The Appendix revises procedures formerly contained in Appendix III to OMB Circular No. A-130 (50 FR 52730; December 24, 1985), and incorporates requirements of the Computer Security Act of 1987 (P.L. 100-235) and responsibilities assigned in applicable national security directives.

2. Definitions

The term:

a. "adequate security" means security commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information. This includes assuring that systems and applications used by the agency operate effectively and provide appropriate confidentiality, integrity, and availability, through the use of cost-effective management, personnel, operational, and technical controls.

b. "application" means the use of information resources (information and information technology) to satisfy a specific set of user requirements.

c. "general support system" or "system" means an interconnected set of information resources under the same direct management control which shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people. A system can be, for example, a local area network (LAN) including smart terminals that supports a branch office, an agency-wide backbone, a communications network, a departmental data processing center including its operating system and utilities, a tactical radio network, or a shared information processing service organization (IPSO).

d. "major application" means an application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Note: All Federal applications require some level of protection. Certain applications, because of the information in them, however, require special management oversight and should be treated as major. Adequate security for other applications should be provided by security of the systems in which they operate.

3. Automated Information Security Programs. Agencies shall implement and maintain a program to assure that adequate security is provided for all agency information collected, processed, transmitted, stored, or disseminated in general support systems and major applications.

Each agency's program shall implement policies, standards and procedures which are consistent with government-wide policies, standards, and procedures issued by the Office of Management and Budget, the Department of Commerce, the General Services Administration and the Office of Personnel Management (OPM). Different or more stringent requirements for securing national security information should be incorporated into agency programs as required by appropriate national security directives. At a minimum, agency programs shall include the following controls in their general support systems and major applications:

a. Controls for general support systems.

1) Assign Responsibility for Security. Assign responsibility for security in each system to an individual knowledgeable in the information technology used in the system and in providing security for such technology.

2) System Security Plan. Plan for adequate security of each general support system as part of the organization's information resources management (IRM) planning process. The security plan shall be consistent with guidance issued by the National Institute of Standards and Technology (NIST). Independent advice and comment on the security plan shall be solicited prior to the plan's implementation. A summary of the security plans shall be incorporated into the strategic IRM plan required by the Paperwork Reduction Act (44 U.S.C. Chapter 35) and Section 8(b) of this circular. Security plans shall include:

a) Rules of the System. Establish a set of rules of behavior concerning use of, security in, and the acceptable level of risk for, the system. The rules shall be based on the needs of the various users of the system. The security required by the rules shall be only as stringent as necessary to provide adequate security for information in the system. Such rules shall clearly delineate responsibilities and expected behavior of all individuals with access to the system. They shall also include appropriate limits on interconnections to other systems and shall define service provision and restoration priorities. Finally, they shall be clear about the consequences of behavior not consistent with the rules.

b) Training. Ensure that all individuals are appropriately trained in how to fulfill their security responsibilities before allowing them access to the system. Such training shall assure that employees are versed in the rules of the system, be consistent with guidance issued by NIST and OPM, and apprise them about available assistance and technical security products and techniques. Behavior consistent with the rules of the system and periodic refresher training shall be required for continued access to the system.

c) Personnel Controls. Screen ind