Revision of OMB Circular No. A-130, Transmittal No. 3, Appendix III, "Security of Federal Automated Information Resources."

OFFICE OF MANAGEMENT AND BUDGET

Management of Federal Information Resources

AGENCY: Office of Management and Budget, Executive Office of the President

ACTION: Revision of OMB Circular No. A-130, Transmittal No. 3, Appendix III, "Security of Federal Automated Information Resources."

SUMMARY: The Office of Management and Budget (OMB) is revising Appendix III, "Security of Federal Automated Information Systems," of Circular No. A-130, "Management of Federal Information Resources." This is the third stage of planned revisions to Circular A-130. Enactment of the Information Technology Management Reform Act of 1996 (Division E of the National Defense Authorization Act for Fiscal Year 1996) will require OMB to issue additional guidance on capital planning, investment control, and the management of information technology. A plan for those revisions will be announced in the Spring.

Transmittal 1 to Circular A-130, effective June 25, 1993, and published on July 2, 1993 (58 FR 36068) addressed the Information Management Policy section of the Circular (Section 8a), as well as Appendix I, "Federal Agency Responsibilities for Maintaining Records About Individuals." That issuance dealt primarily with how the Federal government manages its information holdings, particularly information exchange with the public.

Transmittal 2 to Circular A-130, effective July 15, 1994, and published on July 25, 1994 (59 FR 37906) addressed agency management practices for information systems and information technology (Section 8b) That issuance was intended to (1) promote agency investments in information technology that improve service delivery to the public, reduce burden on the public, and lower the cost of Federal programs administration, and (2) encourage agencies to use information technology as a strategic resource to improve Federal work processes and organization.

This Transmittal 3 is intended to guide agencies in securing government information resources as they increasingly rely on an open and interconnected National Information Infrastructure. It stresses management controls, such as individual responsibility, awareness and training, and accountability, and explains how they can be supported by technical controls. Among other things, it requires agencies to assure that risk-based rules of behavior are established, that employees are trained in them, and that the rules are enforced. The revision also integrates security into program and mission goals, reduces the centralized reporting of security plans, emphasizes the management of risk rather than its measurement, and revises government-wide security responsibilities to be consistent with the Computer Security Act and the Paperwork Reduction Act of 1995.

This transmittal also makes minor technical revisions to Section 9 ("Assignment of Responsibilities") and Section 10 ("Oversight") to reflect the Paperwork Reduction Act of 1995 (P.L. 104-13). One substantive change has been made to Appendix I in Section 3.a. changing the annual requirement to review recordkeeping practices, training, violations, and notices to a biennial review, in accordance with other regular agency reviews not required by statute. Several minor changes have been made, none of which are intended to be substantive. In Section 2.c., a portion of the definition of "nonfederal agency" which had been inadvertently omitted has been added to reflect the current practice in state-federal matching programs. In Section 3.a., extraneous and confusing language referring to source or matching agencies was removed because the provision applies to any agency that participates in a matching program. The examples in 4.c.(1) were updated for clarity. Other editorial and organizational changes were made throughout the appendix.

Appendix IV has been changed to include material from OMB Memorandum M-95-22, "Implementing the Information Dissemination Provisions of the Paperwork Reduction Act of 1995" (September 29, 1995), and to delete some outdated or otherwise already implemented guidance from the discussion of Sections 9 and 10.

ELECTRONIC AVAILABILITY: This document is available on the OMB Home page of Welcome to the White House World Wide Web site (http://www.whitehouse.gov) as /OMB/circulars/a130/a130pre.html. This document is also available on the Internet via anonymous File Transfer Protocol (FTP) from the National Institute of Standards and Technology (NIST) Computer Security Resource Clearinghouse at csrc.ncsl.nist.gov as /pub/secplcy/a130.txt (do not use any capital letters in the file name) or via the World Wide Web from http://csrc.ncsl.nist.gov/secplcy as a130.txt. Appendix III, "Security of Federal Automated Information Resources" can be separately obtained as a130app3.txt. The clearinghouse can also be reached using dial-in access at 301-948-5717. For those who do not have file transfer capability, the document can be retrieved via mail query by sending an electronic mail message to docserver@csrc.ncsl.nist.gov with no subject and with send a130.txt (or a130app3.txt for only the security appendix) as the first line of the body of the message. Paper copies may also be obtained by writing to the Publications Office, Office of Management and Budget, Room 2200 NEOB, Washington D.C. 20503 or by telephone at (202) 395-7332.

FOR FURTHER INFORMATION CONTACT: Information Policy and Technology Branch, Office of Information and Regulatory Affairs, Office of Management and Budget, Room 10236, New Executive Office Building, Washington, D.C. 20503. Telephone: (202) 395-3785.

SUPPLEMENTARY INFORMATION: Since December 30, 1985, Appendix III of Office of Management and Budget (OMB) Circular No. A-130, "Security of Federal Automated Information Systems," has defined a minimum set of controls for the security of Federal automated information systems (50 FR 52730). That Appendix, and its predecessor, Transmittal Memorandum No. 1 to OMB Circular No. A-71, (July 27, 1978), defined controls that were considered effective in a centralized processing environment which ran primarily custom-developed application software.

Today's computing environment is significantly different. It is characterized by open, widely distributed processing systems which frequently operate with commercial off-the-shelf software. While effective use of information technology often reduces risks to the Federal program being administered (e.g., risks from fraud or errors), the risk to and vulnerability of Federal information resources has increased. Greater risks result from increasing quantities of valuable information being committed to Federal systems, and from agencies being critically dependent on those systems to perform their missions. Greater vulnerabilities exist because virtually every Federal employee has access to Federal systems, and because these systems now interconnect with outside systems.

In part because of these trends, Congress enacted the Computer Security Act of 1987 (P.L. 100-235). That Act requires agencies to improve the security of Federal computer systems, plan for the security of sensitive systems, and provide mandatory awareness and training in security for all individuals with access to computer systems.

To assist agencies in implementing the Computer Security Act, OMB issued Bulletin No. 88-16, "Guidance for Preparation and Submission of Security Plans for Federal Computer Systems Containing Sensitive Information" (July 6, 1988), and OMB Bulletin No. 90-08, "Guidance for Preparation of Security Plans for Federal Computer Systems that Contain Sensitive Information" (July 9, 1990). This revision of Appendix III to OMB Circular A-130 incorporates and updates the policies set out in those Bulletins and supersedes them.

The report of the National Performance Review, "Creating a Government that Works Better & Costs Less: Reengineering through Information Technology" (September 1993), recommended that Circular A-130 be revised to: 1) require an information security plan to be part of each agency's strategic information technology (IT) plan; 2) require that if computer security does not meet established thresholds, it be identified as a material weakness in the Federal Managers' Financial Integrity Act report; 3) require awareness and training of employees and contractors; 4) require that agencies improve planning for contingencies; and 5) establish and employ formal emergency response capabilities. Those recommendations are incorporated in this revision.

Since its establishment by the Computer Security Act, the Computer System Security and Privacy Advisory Board has recommended changes in Circular A-130 to: 1) require that agencies establish computer emergency response teams; and 2) link oversight of Federal computer security activities more closely to the oversight established pursuant to the Federal Manager's Financial Integrity Act (FMFIA), P.L. 97-255. This revision incorporates both of those recommendations.

Subsequent to issuance of Bulletin 90-08, OMB, the National Institute of Standards and Technology (NIST), and the National Security Agency (NSA) met with 28 Federal departments and agencies to review their computer security programs. In February 1993, OMB, NIST and NSA issued a report ("Observations of Agency Computer Security Practices and Implementation of OMB Bulletin No. 90-08") which summarized those meetings and proposed several changes in OMB Circular A-130 as next steps to improving the Federal computer security program. Those proposed changes are incorporated in this revision.

The revised Appendix clarifies the relationship between requirements to protect information classified pursuant to an Executive Order and the requirements in this Appendix. Where an agency processes information which is controlled for national security reasons pursuant to an Executive Order or statute, security measures required by appropriate directives should be included in agency systems. Those policies, procedures, and practices will be coordinated with the U.S. Security Policy Board as directed by the President.

On May 22, 1995, the President signed into law the Paperwork Reduction Act of 1995, P.L. 104-13. That Act, in 44 U.S.C. 3505 and 3506, requires agencies to establish computer security programs, and it tasks OMB to develop and oversee the implementation of policies, principles, standards and guidelines on security. It also to requires Federal agencies to identify and provide security protection consistent with the Computer Security Act of 1987 (40 U.S.C. 759 note). This revision is intended to implement those OMB responsibilities.

Comments on the Proposed Appendix

On April 3, 1995, the revised Appendix was proposed for public comment (60 FR 16970). It was also sent directly to Federal agencies for comment and made available for comment via the Internet. Thirty-two comments were received. The comments supported the approach proposed in the revised Appendix. They also made a number of suggestions to improve it. The principal issues raised in comments and our response to them are set forth below.

1. Most of the comments stated that the preamble accompanying the proposed Appendix was useful in their understanding of the Appendix itself. They suggested that the information in the preamble be incorporated in the final Appendix for improved future understanding.

We agree with this suggestion, and have incorporated the preamble, as revised to accommodate changes made to the proposed Appendix, as part B of the final Appendix.

2. Many comments suggested that the terminology of the Appendix should be more directive.

We generally agree with this comment, and have changed part A of the Appendix to be directive, while leaving the descriptive material in part B as explanatory.

3. A number of comments noted that there is a difference between making individuals aware of security needs and training them. They suggested that the Appendix should clarify this distinction and the requirements associated with each.

We agree, and have made changes in the Appendix and the descriptive information in part B to clarify that the requirements for training are consistent with the Computer Security Act (i.e., for increasing computer security awareness and training in accepted security practice).

We have also added a clarification that training for members of the public who are given access to general support systems should normally be accomplished in the context of the application to which they are given access. As was pointed out in comments, members of the public should not be given direct access to general support systems, except through authorized use of an application. We have also added descriptive language in part B to address the need to train members of the public with access to major applications.

4. Several comments raised a concern about the proposed requirement to limit access to systems until a new employee has been trained in security responsibilities. They suggested that training be required to be completed within a certain amount of time after access is granted (e.g., 60 days).

We disagree. Understanding the security requirements that are integral to a system is a fundamental responsibility of each individual who accesses the system. It should not be delayed for administrative convenience. Furthermore, security training should be included as part of general training in use of the system for an employee. Initial awareness and training need not be accomplished through formal classroom training; in some cases it may be through interactive sessions or reading well-written and understandable rules. The critical factor is for the initial and subsequent awareness and training to be commensurate with the risk and magnitude of harm that could occur. Therefore, new employees can and should be trained in their security responsibilities before access is granted. The final Appendix includes this requirement.

5. Several comments expressed concern about the proposed removal of the requirement for agencies to prepare formal risk analyses. They point out that such analyses assist in identifying threats, vulnerabilities, and risks to a system. They expressed a concern that without such analyses it would be difficult to convince senior management of the need for security. Other comments said that without risk analysis as the basis of decisions, security measures will not be effective. On the other hand, several comments supported the removal of this requirement, which they found not cost-effective.

We agree that security measures must be risk-based. The Computer Security Act requires that security controls be commensurate with the risk and magnitude of harm that could occur. Implicit in that approach is a need to assess the risk to each system. However, given the complexity and detail such formal analyses often entail, a formal risk analysis is not appropriate for every system. Therefore, the Appendix does not require that a formal risk analysis be performed.

At the same time, risk assessment is an essential element in ensuring adequate security. NIST recently issued a handbook, "An Introduction to Computer Security: The NIST Handbook" (March 16, 1995), which contains guidance on computer security risk management and provides a flexible framework for performing meaningful risk assessments. Part B references the NIST handbook.

6. Several comments asked about the relation between the rules of behavior required in the Appendix and operating policies prescribed in the NIST Handbook. Other comments made suggestions about the kind and scope of rules that should be included in the security plan.

We have added language to part B to describe the kinds of rules we believe are appropriate and to clarify that rules of behavior in the Appendix should be consistent with the system-specific policies described in the NIST handbook.

7. Several comments raised a concern about the effectiveness of reviews of security controls unless they are performed by independent reviewers.

An independent review can improve the objectivity of the review, as well as its value to top management in assessing the need for corrective action. Therefore, we have added language to the discussion in part B of the Appendix that clarifies that reviews of major applications, because of their higher risk, should be independent. We have not, however, required that reviews of all general support systems be independent. Nevertheless, given the value of an independent review, agencies may elect to use this approach, particularly where a system supports a high-risk agency function.

In addition, we understand that the U.S. General Accounting Office is developing guidance which provides a structured approach for performing reviews. We have also revised the Appendix to be consistent with OMB Circular No. A-123, "Management Accountability and Control" (June 21, 1995).

8. Several comments requested additional guidance on enforcement of the rules of behavior, either from the Department of Justice or the Office of Personnel Management (OPM).

The presumption in requiring rules of behavior is that they would be enforced as are other behavioral rules within an agency. Therefore, we are not proposing to have central guidance developed by either Justice or OPM. However, we expect that agencies will share their various approaches through inter-agency forums, such as the Computer Security Program Managers' Forum. We have added a brief discussion of this point to part B.

9. Several comments concerned the protection of shared information and requested that additional guidance be provided. We have clarified our intent in the discussion in part B.

10. One comment raised a concern about the Appendix's apparent subordination of technical controls to management controls. While we are stressing the importance of management controls, we have added preamble language to clarify that both types of controls must be in place to be effective.

11. A number of comments raised a concern about whether adequate funding would be forthcoming to implement the requirements of the Appendix.

Implicit in issuing the Appendix is our presumption that a system is created and maintained with adequate security or it should not be created or maintained. Security costs should therefore be factored into the normal capital planning and investment controls process for information technology, consistent with the information systems and information technology management requirements in Section 8b of this circular.

12. A number of comments concerned the government-wide role of the Security Policy Board. Several favored expanding that role, others proposed that it be more limited. Still others said the Appendix should be silent on national security directives.

We have revised the language in the Appendix to clarify the role of the Security Policy Board regarding security of information technology used to process classified information. We have also added language to the preamble which clarifies that Circular No. A-130 and the Appendix exclude certain mission critical systems, the so-called "Warner systems" from coverage, and to describe the Department of Defense's responsibilities pursuant to existing Presidential directives. The Appendix does not attempt to interpret the language of the directives. Rather, it clarifies that requirements issued pursuant to those directives should be used in place of the requirements of the Appendix with respect to the protection of classified information. The discussion of national security directives is included to assist in the coordination of security activities among various security communities.

Accordingly, Circular A-130 is revised as set forth below.

Sally Katzen
Administrator
Office of Information
and Regulatory Affairs