MANAGEMENT OF FEDERAL INFORMATION RESOURCES

Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 TO THE HEADS OF EXECUTIVE DEPARTMENTS AND ESTABLISHMENTS SUBJECT: Management of Federal Information Resources 1. Purpose: This Circular establishes policy for the management of Federal information resources. Procedural and analytic guidelines for implementing specific aspects of these policies are included as appendices. 2. Rescissions: This Circular rescinds OMB Circulars No. A-71, A-90, A-108, and -1.2A, and all Transmittal Memoranda to those December 12, 1985 Executive Registry 85- 4994 CIRCULAR NO. A-130 circulars. 3. Authorities: This Circular is issued pursuant to the Paperwork eduction Act of 1980 (44 U.S.C. 35); the Privacy Act of 1974 (5 U.S.C. 552a), Sections 111 and 206 of the Federal Property and Administrative Services Act of 1949 as amended (40 U.S.C. 759 and 487, respectively), the Budget and Accounting Act of 1921 as amended (31 U.S.C. 11), Executive Order No. 12046 of March 27, 1978, and Executive Order No. 12472 of April 3, 1984. 4. Applicability and Scope: a. The policies in this Circular apply to the information activities of all agencies of the executive branch of the Federal Government. b. Information classified for national security purposes should also be -handled in accordance with the appropriate national security directives. National security emergency preparedness activities should be conducted in accordance with txecunve r er No. 12472. I. p ~ management practices in order to determine their adequacy and efficiency; and determine compliance of such practices with the policies, principles, standards, and guidelines promulgated by the Director. 5. Background: The Paperwork Reduction Act establishes a broad mandate for agencies to perform their information management activities in an efficient, effective, and economical manner. To assist agencies in an integrated approach to information resources management, the Act requires that the Director of the Office of Management and Budget (OMB) develop and implement uniform and consistent information resources management policies; oversee the development and promote the use of information mans 1 tandards and guidelines; evaluate agency EXECUTIVE OFFICE OF THE PRESIDENT OFFICE OF MANAGEMENT AND BUDGET WASHINGTON. D.C. 20503 Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05C01629R000701570005-3 6. Definitions: As used in this Circular-- a. The term "agency" means any executive department,_ military department, government corporation, government controlled corporation, or other establishment in the executive branch of the government, or any independent regulatory agency. Within the Executive Office of the President, the term includes only the Office of Management and Budget and the Office of Administration. b. The term "information" means any communication or reception of knowledge such as facts, data, or opinions, including numerical, graphic, or narrative forms, whether oral or maintained in any medium, including computerized data bases, paper, microform, or magnetic tape. c. The term "government information" means information created, collected, processed, transmitted, disseminated, used, stored, or disposed of by the Federal Government. d. The term "information system" means the organized collection, processing, transmission, and dissemination of information in accordance with defined procedures, whether automated or manual. e. The term "major information system" means an information system that requires special continuing management attention because of its importance to an agency mission; its high development, operating or maintenance costs; or its significant impact on the administration of agency programs, finances, property, or other resources. f. The term "access to information" refers to the function of providing to members of the public, upon their request, the government information to which they are entitled under law. g. The term "dissemination of information" refers to the function of distributing government information to the public, whether through printed documents, or electronic or other media. "Dissemination of information" does not include intra-agency use of information, interagency sharing of information, or responding to requests for "access to information." h., The term "information technology" means the hardware and software used in connection with government information, regardless of the technology involved, whether computers, telecommunications, micrographics, or others. For the purposes of this Circular, automatic data processing and telecommunications activities related to certain critical national security missions, as defined in 44 U.S.C. 3502 (2) and 10 U.S.C. 2315, are excluded. Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05C01629R000701570005-3 0  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05C01629R000701570005-3 costs o e? Although certain functions are inherently governmental in nature, being so intimately related to the public interest as to Mandate perf Federal employees. the government r e b o manc y I. The term "information technology facility" means an s organizationallYa set isfthgre, and physical facilities, operation of information technology. J. The term "information resources management" means the planning, budgeting, organizing, directing, training, and control The term encompasses associated with government information. both information ente1funds.tandrtechnologyources, such as personnel, equipm k. The "gernment informational matter which h is publ expense, or as required by law. Other definitions specific to the subjects of the appendices appear in the appendices. 7. Basic Considerations and Assumptions a. The Federal Government is the largest single producer, consumer, and disseminator of information in the United States. Because of the size of the government's information activities, the dependence of government activinttiesnfuponormatthieon to public's cooperation, and the value of goa the management Federal and resources is s an to the government itself. b. Government information is a valuable national resource. it provides citizens with knowledge of their a government, means n to n ensure , iey, and economy--past, present, and future; nsmttee accountability of government; is vital to the healthy p of the economy; is an essential tool for managing the government's operations; and is itself a commodity often with economic value in the marketplace. c. The free flow of information from the government to itst citizens and vice versa is essential to a democratic society. is also essential that the government minimize the Federal paperwork buclmfofm information government activities, and maximize the usefulness information. d. In order to minimize the cost and maximize the usefulness of government information activities, the expected public and private benefits derived from government information, insofar as they are calculable, should exceed the public and private f the information. Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05C01629R000701570005-3  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 should look first to private sources, where available, to provide the commercial goods and services needed by the government to act on the public's behalf, particularly when cost comparisons- indicate that private performance will be the most economical. f. The use of up-to-date information technology offers opportunities to improve the management of government programs, and access to, and dissemination of, government information. g. Because the public disclosure of government information is essential to the operation of a democracy, the public's right of access to government information must be protected in the management of Federal information resources. h. The individual's right to privacy must be protected in Federal Government information activities involving personal information. I. The open and efficient exchange of government scientific and technical information, subject to applicable national security controls and proprietary rights others may have in-such information, fosters excellence in scientific research and the effective use of Federal research and development funds. J. The value of preserving government records is a function of the degree to which preservation protects the legal and financial rights of the government or its citizens, and provides an official record of Federal agency activities for agency management, public accountability, and historical purposes. k. Federal Government information resources management policies and activities can affect, and be affected by, the information policies and activities of other nations. 8. Policies a. Information Management. Agencies shall: (1) Create or collect only that information necessary for the proper performance of agency functions and that has practical utility, and only after planning for its processing, transmission, dissemination, use, storage, and disposition; (2) Seek to satisfy new information needs through legally authorized interagency or intergovernmental sharing f information, or through commercial sources, where appropriate, before creating or collecting new information; (3) Limit the collection of individually identifiable information and proprietary information to that which is legally authorized and necessary for the proper performance of agency functions; Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 (u) Maintain and protect individually identifiable information and proprietary information in a manner that precludes: (a) Unwarranted intrusion upon personal privacy (see Appendix I); and (b) Violation of confidentiality; (5) Provide individuals with access to, and the ability to amend errors in, systems of records, consistent with the Privacy Act;. (6) Provide public access to government information, consistent with the Freedom of Information Act; (7) Ensure that agency personnel are trained to safeguard information resources; (8) Disseminate information, as required by law, describing agency organization, activities, programs, meetings, systems of records, and other information holdings, and how the public may gain access to agency information resources; (9) Disseminate such information, products and services (a) Specifically required by law; or (b) Necessary for the proper performance of agency functions, provided that the latter do not duplicate similar products or services that are or would otherwise be provided by other government or private sector organizations; (10) Disseminate significant new, or terminate significant existing, information products and services only after providing adequate notice to the public; (11) Disseminate such government information products and services: (a) In a manner that ensures that members of the public whom the agency has an obligation to reach have a reasonable ability to acquire the information; (b) In the manner most cost effective for the government, including placing maximum feasible reliance on the prlva*.. _ _ - _ -P tt,n nnnrlitnta nr services ith 0MB Circular No. A-25; Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 accordance with 0MB Circular No. A-76; and (c) So as to recover costs of disseminating the ,fir services through user charges, where appropriate, in km' -  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 (12) Establish procedures for: (a) Reviewing periodically the continued need for and manner of dissemination of the agency's information products or services; and (b) Ensuring that government publications are made available to depository libraries as required by law. b. Information Systems and Information Technology Management. Agencies shall: (1) Establish multiyear strategic planning processes for acquiring and operating information technology that meet program and mission needs, reflect budget constraints, and form the bases for their budget requests; (2) Establish systems of management control that document the requirements that each major information system is intended to serve; and provide for periodic review of those requirements over the life of the system in order to determine whether the requirements continue to exist and the system continues to meet the purposes for which it was developed; (3) Make the official whose program an information system supports responsible and accountable for the products of that system; (4) Meet information processing needs through interagency sharing and from commercial sources, when it is cost eftective, before acquiring new information processing capacity; (5) Share available information processing capacity with other agencies to the extent practicable and legally permissible; (6) Acquire information technology in a competitive manner that minimizes total life cycle costs; (7) Ensure that existing and planned major information systems do not unnecessarily duplicate information systems available from other agencies or from the private sector; (8) Acquire off-the-shelf software from commercial sources, unless the cost effectiveness of developing custom software is clear and has been documented; (9) Acquire or develop information systems in a manner that facilitates necessary compatibility; (10) Assure that information systems operate effectively and accurately; Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 0  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 (11) Establish a level of security for all agency information systems commensurate with the sensitivity of the information and therisk magnitude inof loss or harm formation systemsa(Seeuld result from improper operation Appendix III); (12) Assure that only authorized personnel have access to information systems; (13) Plan to provide information systems with reasonable continuity of support should their normal operation3 be disrupted in an emergency; (14) Use Federal Information Processing and Telecommunications Standards except that the costs of using a standard exceed the benefits or the standard will impede the agency in accomplishing its mission; specifii (15) Not require program managers. to information technology facilities or services clear and is convincingly documented, subject to periodic review, that such use is the most cost effective method for meeting program requirements; (16) Account for the full costs of operating information technology facilities and recover such costs from government users as provided in Appendix II; (17) Not prescribe Federal information system requirements that t unduly State and local government units; (18) Seek opportunities to improve the operation of government programs or to realize savings for the government and the public through the application of up-to-date information technology to government information activities. 9. Assignment of Responsibilities: a. All Federal Agencies. The head of each agency shall: (1) Have primary responsibility for managing agency information resources; (2) Ensure that the information policies, principles, Standards, guidelines, rules, and regulations prescribed by 0MB are implemented appropriately within the agency; prcoe (3) Develop internal agency information policies and cures and oversee, evaluate, and otherwise periodically -1lw a ement activities for mana g gency information resources D itV forth in thin circular: Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 (4) Develop agency policies and procedures that provide for timely acquisition of required information technology; (5) Maintain an inventory of the agencies' major information systems and information dissemination programs; (6) Create, maintain, and dispose of a record of 0 agency activities in accordance with the Federal Recoras Act of 1950, as amended; (7) Identify to the Director, OMB, statutory, regulatory, and other impediments to efficient management of Federal information resources and recommend to the Director legislation, policies, procedures, and other guidance to improve such management; (8) Assist OMB in the performance of its functions under the Paperwork Reduction Act, including making services, personnel, and facilities available to OMB for this purpose to the extent practicable; (9) Appoint a senior official, as required by 44 U.S.C. 3506(b), who shall report directly to the agency head, to carry out the responsibilities of the agency under the Paperwork Reduction Act. The head of the agency shall keep the Director, OMB, advised as to the name, title, authority, responsibilities, and organizational resources of the senior official. For purposes of this paragraph military departments and the Office of the Secretary of Defense may each appoint one official. b. Department of State. The Secretary of State shall: (1) Advise the Director, OMB, on the development of United States positions and policies on international information policy issues affecting Federal Government information activities and ensure that such positions and policies are consistent with Federal information resources management policy; (2) Ensure, in consultation with the Secretary of Commerce, that the United States is represented in the development of international information technology standards, and advise the Director, OMB, of such activities. c. Department of Commerce. The Secretary of Commerce shall: (1) Develop and issue Federal Information Processing Standards and guidelines necessary to ensure the efficient and effective acquisition, management, security, and use of information technology; Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 0 a comp y (4) Provide uidelines and regulations for Federal (2) Advise the Director, OMB, on the development of oetherprocurement and management of Federal to policies relating telecommunications (3) Provide 0MB and the agencies with scientific and technical advisory services relating to the development and use of information technology; (4) Conduct studies and evaluations. concerning telecommunications technology, and concerning the improvement, expansion, testing, operation, and use of Federal appropacagyofethearecommendationsithatoresuult,from such appropriate agencies studies; (5) Develop, in consultation with the Secretary of State and the Director, OMB, plans, policies, and programs relating to international telecommunications issues affecting government information activities; (6) Identify needs for standardization of telecommunications and information processing technology, and consultation with develop standards, and nd the Administrator application of such technology; and, represented (7) Ensure that the in the development of national Secretary 0MB, information standards, d. Department of Defense. The Secretary of Defense shall develop, in consultation with the Administrator of General Services, uniform Federal telecommunications standasand guidelines to ensure national security, emergency preparedness, and continuity of government. e. General Services Administration. The Administrator of General Services shall: (1) Advise the Director, OMB, and agency heads on matters affecting the procurement of information technology; . (2) Coordinate and, when required, provide for the purchase, lease, required by Federal agencies; (3) Develop criteria for timely procurement of information technology and delegate procurement authority to agencies th t 1 with the criteria; Position of information technology; Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 Male $Ud died' as authorized by law, on the acquisition, maintenance,  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 (5) Develop policies and guidelines that facilitate the sharing of information technology among agencies as required by this Circular; (6) Review agencies' information resources management activities to meet the objectives of the triennial reviews required by the Paperwork Reduction Act and report the results to the Director, OMB; (7) Manage the Automatic Data Processing Fund and the Federal Telecommunications Fund in accordance with the Federal Property and Administrative Services Act, as amended; (8) Establish procedures for approval, implementation, and dissemination of Federal telecommunications standards and guidelines and for implementation of Federal Information Processing Standards. f. Office of Personnel Management. The Director, Office of Personnel Management, shall: (1) Develop and conduct training programs for Federal personnel on information resources management, including end user computing; _ (2) Evaluate periodically future personnel management and staffing requirements for Federal information resources management; (3) Establish personnel security policies and develop training programs for Federal personnel associated with the design, operation, or maintenance of information systems. g. National Archives and Records Administration. The Archivist of the United States shall: (1) Administer the Federal records management program in accordance with the National Archives and Records Act; (2) Assist the Director, ONE, in developing standards and guidelines relating to the records management program. h. Office of Management and Budget. The Director of the Office of Management and Budget shall: (1) Provide overall leadership and coordination of Federal information resources management within the executive branch; (2) Serve as the President's principal adviser on procurement and management of Federal telecommunications systems, and develop and establish policies for procurement and.management of such systems; Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05C01629R000701570005-3 (3) Issue policies, procedures, and guidelines to assist agencies in achieving integrated, effective, and efficient information resources management; (u) Initiate and review proposals for changes in rocedures to improve enc d a l ti y p g ons, an a legislation, regu Federal information resources management; (5) Review and approve or disapprove agency proposals for collection of information from the public, as defined in 5 CFR 1320.7; (6) Develop and publish annually, in consultation with the Administrator of General Services, a five-year plan for meeting the information technology needs of the Federal government; (7) Evaluate agencies' information resources management and identify cross-cutting information policy issues through the review of agency information programs, information collection budgets, information technology acquisition plans, fiscal budgets, and by other means; (8) Provide policy oversight for the Federal records management function conducted by the National Archives and Records Administration and coordinate records management policies and programs with other information activities; (9) Review, with the advice and assistance of the Administrator of General Services, selected agencies' information resources management activities to meet the objectives of the triennial reviews required by the Paperwork Reduction Act; (10) Review agencies' policies, practices, and programs pertaining to the security, protection, sharing, and disclosure of information, in order to ensure compliance with the Privacy Act and related statutes; (11) Resolve information technology procurement disputes between agencies and the General Services Administration pursuant to Section 111 of the Federal Property and Administrative Services Act; (12) Review proposed U.S. government position and policy statements on international issues affecting Federal 00vernment information activities and advise the Secretary of SLete n resources ti i f o orma n as t thisistency with Federal oer con `arht. The Director, OMB, will use information lon Planning reviews, fiscal budget reviews, information Udt reviews reviews, management ti reviews, or r a m dh on resources management activities,an suc "I cL Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05C01629R000701570005-3  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 other measures as he deems necessary resourcestmanagementyandd efficiency of each agency's compliance with this Circular. 11. Effective Date. This Circular is effective upon publication. 12. Inquiries. All questions or inquiries should be to Of ce o information and Regulatory Affairs, Office Management and Budget, Washington, D.C. 20503. Telephone: (202) 395-3287. 13. Sunset Review Date. This Circular shall have an independent policy review to ascertain its effectiveness three years from the date of issuance. Appendix I: Federal Agency Responsibilities for Maintaining Records about Individuals Appendix II: Cost Accounting, Cost Recovery, And Sharing of Information Technology daI Appendix III: Security of Federal Automated Information Systems Appendix IV: Analysis of Key Sections ? Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 is APPENDIX I TO OMB CIRCULAR NO. A-130 FEDERAL AGENCY RESPONSIBILITIES FOR MAINTAINING RECORDS ABOUT INDIVIDUALS 1. Purpose and Scope This Appendix describes agency responsibilities for implementing the Privacy Act of 1974, 5 U.S.C. 552a as amended (hereinafter "the Act"). It applies to all agencies subject to the Act. The Appendix constitutes a revision to procedures formerly contained in OMB Circular No. A-108, now rescinded. Note that this Appendix does not rescind other guidance OMB has issued to help agencies interpret the Privacy Act's provisions, e.g., Privacy Act Guidelines (40 Federal Register 28949-28978, July 9, 1975), or Guidance for Conducting Matching Programs (47 Federal Register 21656-21658, May 19, 1982). 2. Definitions a. The terms "agency," "individual," !'maintain," "record," "system of records," and "routine use," as used in this Appendix, are defined in the Act (5 U.S.C. 552a (a)). The definition of "agency" in the Act differs somewhat from the definition in the Circular. b. The term "minor change to a system of records" means a change that does not significantly change the system; that is, does not affect the character or purpose of the system and does not affect the ability of an individual to gain access to his or her record or to any information pertaining to him or her which is contained in the system; e.g., changing the title of the system manager. 3. Assignment of Responsibilities a. All Federal Agencies. In addition to meeting the agency requirements contained in the Act, and the specific reporting requirements detailed in this Appendix, the head of each agency shall ensure that the following reviews are conducted as often as specified below, and be prepared to report to the Director, OMB, the results of such reviews and the corrective action taken to resolve problems uncovered. The head of each agency shall: (1) Section (m) Contracts. Review every two years a random sample of agency contracts that provide for the. maintenance of a system of records on behalf of the agency to Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 accomplish an agency function, in order to ensure that the wording of each contract makes the provisions of the Act apply. (5 U.S.C. 552a (m)(1)) (2) Recordkeeping Practices. Review annually agency recordkeeping and disposal policies and practices in order to assure compliance with the Act. (3) Routine Use Disclosures. Review every three years t f h sys em o the routine use disclosures associated with eac records in order to ensure that the recipient's use of such records continues to be compatible with the purpose for which the disclosing agency originally collected the information. The first such review should commence immediately upon the issuance of this Appendix. (4) Exemption of Systems of Records. Review every three years each system of records for which the agency has promulgated exemption rules pursuant to Section (j) or (k) of the Privacy Act in order to determine whether such exemption is still needed. (5) Matching Programs. Review annually each ongoing matching program in which the agency has participated during the year, either as a source or as a matching agency, in order to ensure that the requirements of the Act, the 0MB Matching Guidelines, and the 0MB Model Control System and Checklist have been met. (6) Privacy Act Training. Review annually agency training practices in order to ensure that all agency personnel are familiar with the requirements of the Act, with the agency's implementing regulation, and with any special requirements that their specific jobs entail. (7) Violations. Review annually the actions of agency personnel that have resulted either in the agency being found civilly liable under Section (g) of the Act, or an employee being found criminally liable under the provisions of Section (i) of the Act, in order to determine the extent.of the problem and to find the most effective way to prevent recurrences of the problem. (8) Systems of Records Notices. Review annually each system of records notice to ensure that it accurately describes the system. Where minor changes are needed, ensure that an amended notice is published in the Federal Register. Agencies may choose to make one annual comprehensive publication consolidating such minor changes. This requirement is distinguished from and in addition to the requirement to report to 0MB and the Congress major changes to systems of records and to publish those changes in the Federal Register (see paragraph 4b of this Appendix). Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 I-3 Department of Commerce. The Secretary of Commerce b, shall, consistent with guidelines issued by the Director, OMB, develop and issue standards and guidelines for assActuringn theomated security of information protected by i information systems. c. General Services Administration. The Administrator of General Services shall, consistent with guidelines issued by the Director, OMB, issue instructions on what agencies must do in order to comply with the requirements of Section (m) of the Act when contracting for the operation of a system of records to accomplish an agency purpose. d. Office of Persone~entashallenconsistentrwithrguidelines Office of Personnel Management issued by the Director, (1) Develop and maintain government-wide standards and ves personnel procedures for civilian recordkeeping direct (2) Develop and conduct training programs for agency personnel, including both the conduct of coursesiinovarious ion substantive areas (e.g., legal, administrative, technology) and the development of materials that agencies can use in their own courses. The assignment of this responsibility training programs individual OPM does not the conducting responsibility tail heads tailored to hefor developing the specific needs of their own personnel. The e. National ni ted Archives States shall, consistent with Administration. Archivist guidelines of the U issued by the Director, OMB: puon the format blished underothehActagency equiredinstructions (1)Issue required notices and rules (2) Compile and publish annually the rules promulgated under 5 U.S.C. 552a(f) and agency notices published under 5 U.S.C. 552a (e)(4) in a form available to the public. (3) Issue procedures governing the transfer of records to Federal Records Centers for storage, processing, and servicing pursuant to 44 U.S.C. 3103. For purposes of the Act, such records are considered to be maintained by the agency that deposited and sited them. The Archivist agencysthat Y according g to the deposited them. llo~? Office of Management and Budget. The Director of the ct Management and Budget w 11. M Issue guidelines and directives to the agencies to t Lhe Act. Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 (2) Assist the agencies, at, their request, in implementing their Privacy Act programs. (3) Review the new and altered system reports agencies submit pursuant to Section (o) of the Act. (4) Compile the annual report of the President to the Congress in accordance with Section (p) of the Act. 4. Reporting Requirements a. Privacy Act Annual Reports. To provide the necessary information for the annual report of the President, agencies shall submit a Privacy Act Annual Report to the Director, OMB, covering their Privacy Act activities for the calendar year. The exact format and timing of the report will be established by the Director, OMB. (5 U.S.C. 552a (p)); but, agencies should, at a minimum collect, and be prepared to report the following data on a calendar year basis: (1) Total number of active systems of records and changes to that population during the year, e.g., publications of new systems, additions and deletions of routine uses, exemptions, automation of record systems. (2) Public comments received on agency publications and implementation activities. (3) Number of requests from individuals for access to records about themselves in systems of records that cited the Privacy Act in support of their requests. (4) Number granted in whole or part, denied in whole, and for which no record was found. (5) Number of amendment requests from individuals to amend records about them in systems of records that cited the Privacy Act in support of their requests. (6) Number granted in whole or part, denied in whole, and for which no record was found. (7) Number of appeals of access and amendment denials and the results of such appeals. (8) Number of instances in which individuals litigated the results of appeals of access or amendment, and the results of such litigation. (9) Number and description of matching programs participated in either as source or matching agency. Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 b. New and Altered System Reports. The Act requires agencies to publish notices in the Federal Register describing Dsystems irector~fOMBcoand,tontheoCosubmit ngressreports on these new or altered systems to (1) Altered System of Records. Minor changes to systems of records need not be reported. For example, a change in the designation of the system manager due to a reorganization would not require a report, so long as an individual's ability to gain access to his or her records safeguards as a0result of a examples include changing applicable risk analysis, deleting a routine use when there is no longer a need for the authorized disclosure. These examples are not intended to be all-inclusive. The following changes are those for which a report is required: (a) An increase or change in the number or types of individuals on whom records are maintained. For example, a decision to expand a system that originally covered only residents of public housing in major cities to cover such residents nationwide would require a report. Increases attributable to normal growth should not be reported. (b) A change that expands the types or categories of ibeemeitoaincludeFmedicalprecordsewoulderequiretaat has been expanded report. ~ziStin solidated new or g nott Boa ,..,~ as,nflnr- t na documentation included in the to the records in the system. For example, lo,.;= g terminals at regional offices for accessing a system formerly accessible only at the headquarters would require a report. (e) The addition of an exemption (pursuant to Sections (j) or (k) of the Act). Note that, in submitting a rulemaking for an exemption as part of a report of a new or need not requirements of altered system, No. will meet the Executive Order e under that order. When an agency makes a change to an information technology in3tallation, telecommunication network, or any other general changes in information collection, processing, dissemination, or Storage that affect multiple systems of records, it may submit a single con altered system report, with changes to (c) A change that alters the purpose for which the information is used. (d) A change to equipment configuration (either greater hardware or software) that creates substantially tin interactive Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 (2) Con ort. The report for a new or altered system has three elements: A LCMn, _i 3 a-u-sa a narrative statements and aunnprrina documentation that includes a copy of the proposed Federal Register notice. There is no prescribed format a ther the letter or the narrative thetement. The notice must appear in the format prescribed by rri^ t er s Document Draftin (a) Transmittal Letter a transmittal 1 *# r such information. The statement should: es ating should be signed by the senior agency official responsible for implementation of the Act within the agency and should contain the name and telephone number of the individual who can best answer questions about the system. The letter should contain the agency's assurance that the proposed system does not duplicate any existing agency systems. It should also state that a copy of the report has been distributed to the Speaker of the House and the President of the Senate as the Act requires. The letter may also include requests for waiver of the reporting time period. (b) Narrative Statement. The narrative statement should be brief. It should make reference, as appropriate, to information in the supporting documentation rather than t 1 Describe the purpose for which the agency is establishing the system of records. 2 Identify the authority under which the system is maintained. The agency should avoid citing housekeeping statutes, but rather cite the underlying programmatic authority for collecting, maintaining, and using the information. When the system is being operated to support an agency housekeeping program, e.g., a carpool locator, the agency may, however, cite a general housekeeping statute that authorizes the agency head to keep such records as are necessary. 3 Provide the agency's evaluation of the probable or potential effects of the proposal on the privacy of individuals. u Describe the relationship of the proposal, if any, to the other branches of the Federal Government and to State and local governments. 5 Provide a brief description of the steps taken by the agency to minimize the risk of unauthorized access to the system of records. A more detailed assessment of the risks and specific administrative, technical, procedural, and physical safeguards established shall be made available to 0MB upon request. Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 1-7 6 Explain how each proposed routine use satisfies the compatibility requirement of subsection (a)(7) of the Act. For altered systems, this requirement pertains oply to any newly proposed routine uses. 7 Provide OMB. control numbers, expiration dates, and titles of any OMB approved Information collection requirements contained in the system of records. If the request for OMB clearance of an information collection is pending, the agency may simply state the title of the collection and the date it was submitted for OMB clearance. (c) Supporting Documentation. Attach the following to all new or altered system reports: 1 An advance copy of the new or altered system notice (consistent with the provisions of 5 U.S.C. 552a (e)(')) that the agency proposes to publish for the new or altered system. For proposed altered systems the documentation should be in the same form as the agency proposes to publish in the public notice. 2 An advance copy of any new rules or changes to published rules (consistent with the provision of 5 U.S.C. 552a (f), (j), and (k)) that the agency proposes to issue for the new or altered system. If no changes to existing rules are required, the agency shall so state in the narrative portion of the report. Proposed changes to existing rules shall be provided in the same form as the agency proposes to publish for formal notice and comment. (3) Timing and Distribution for Submitting New and Altered System Reports. Submit reports on new and altered systems of records not later than 60 days prior to establishment of a new system-or the implementation of an altered system (5 U.S.C. 552a (o)). Submit three copies of each report to: President of the Senate Washington, D.C. 20510 Speaker of the House of Representatives Washington, D.C. 20515 Administrator Office of Information and Regulatory Affairs Office of Management and Budget Washington, D.C. 20503 Agencies may assume that OMB concurs in Privacy Act aspects of their proposal if OMB has not commented within 60 days from the date the transmittal letter was signed. Agencies may publish system and routine use notices as well as exemption rules in th Federal Register at the same time that they send the new or Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 1-8 altered system report to 0MB and the Congress. The 60 day period for 0MB and Congressional review and the 30 day notice and comment period for routine uses and exemptions will then rain concurrently. (u) Waivers of Report Time Period. The Director, OMB, may grant a waiver of the 60 day period if the agency asks for the waiver and can demonstrate compelling reasons. Agencies may assume that 0MB concurs in their request if 0MB has not commented within 30 days of the date the transmittal letter was signed. When a waiver is granted, the agency is not thereby relieved of ,any other responsibility or liability under the Act. Note that 0MB cannot waive'time periods specifically established by the Act. Agencies will still have to meet the statutory notice and comment periods required for establishing a routine use or claiming an exemption. Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 APPENDIX II TO OMB CIRCULAR NO. A-130 COST ACCOUNTING, COST RECOVERY, AND INTERAGENCY SHARING OF INFORMATION'TECHNOLOGY FACILITIES 1. Purpose This Appendix establishes procedures for cost accounting, cost recovery, and interagency sharing of Federal information technology facilities. The Appendix revises procedures formerly contained in OMB Circular No. A-121, now rescinded. 2. Applicability This Appendix applies to all information technology facilities that are operated by or on behalf of a Federal agency; provide information technology service to more than one user; operate one or more general management computers; and have obligations in excess of $3 million per year. 3. Definitions a. The term "information technology facility" means an organizationally defined set of personnel, hardware, software, and physical facilities, a primary function of which is the operation of information technology. An information technology facility includes: (1) The personnel who operate computers or telecommunications systems; develop or maintain software; provide user liaison and training; schedule computers, prepare and control input data; control, reproduce, and distribute output data; maintain tape and disk libraries; provide security, maintenance, and custodial services; and directly manage or provide direct administrative support to personnel engaged in these activities. (2) The owned or leased computer and tele- communications hardware, including central processing units; associated peripheral equipment such as disk drives, tape drives, drum storage, printers, card readers, and consoles; data entry equipment; data reproduction, decollation, booking, and binding equipment; telecommunications equipment including control units, terminals, modems, and dedicated telephone and satellite links provided by the facility to enable data transfer and access to users. Hardware acquired and maintained by users of the facility is excluded. (3) The software, including operating system software, utilities, sorts, language processors, access methods, data base processors, and other similar multi-user software required by the Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 facility for support of the facility and/or for general use by users of the facility. All software acquired or maintained by users of the facility is excluded. (4) The physical facilities, including computer rooms; tape and disk libraries; stockrooms and warehouse space; office space; physical fixtures. b. The term "full costs" means all significant expenses incurred in the operation of an information technology facility. The following elements are included: (1) Personnel, including salaries, overtime, and fringe benefits of civilian and military personnel; training; and travel. (2) Equipment, including depreciation for owned, capitalized equipment; equipment rental or lease; and direct expenses for noncapitalized equipment. (3) Software, including depreciation for capitalized costs of developing, converting, or acquiring software; rental of for software; and direct expenses for noncapitalized acquisition of software. (4) Supplies, including office supplies; data processing materials; and miscellaneous expenses. (5) Contracted services, including technical and consulting services; equipment maintenance; data entry support; operations support; facilities management; maintenance of software; and telecommunications network services. (6) Space occupancy, including rental and lease of buildings, general office furniture, and equipment; building maintenance; heating, air conditioning and other utilities; telephone services; power conditioning and distribution equipment and alternate power sources; and building security and custodial services. (7) Intra-agency services, including normal agency support services that are paid by the installation. (8) Interagency services, including services provided by other- agencies and departments that are paid by the installation. c. The term "user" means an organizational or programmatic entity that receives service from an information technology facility. A user may be either internal or external to the agency organization responsible for the facility, but normally does not report either to the manager or director of the facility or to the same immediate supervisor. Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 0 0  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 11-3 0 ne consistent witn guiaance proviaea in Lne Commerce, 1982). Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 d. The term "general management computer" means a digital computer that is used for any purpose other than as a part of a process control system, space system, mobile system, or a system meeting one of the exclusions identified in the Department of Defense Authorization Act of 1982. 4. Accounting and Reimbursement f-or Sharing of Information Technology ac es a. Interagency Sharing. Agencies shall: (1) Share their information technology facilities with users from other agencies to the maximum extent feasible; (2) Document sharing arrangements, where the total annual reimbursement exceeds $500,000, with individual written agreements that identify: (a) Services available for sharing; (b) Service priority procedures and terms (e.g., quality performance standards) to be provided to each user; provided; and agreement; (c) (d) (e) Prices to be charged for providing services; Reimbursement arrangements for services Arrangements for terminating the sharing (3) Provide standard terms and conditions to users obtaining similar services insofar as possible; (4) Include such sharing arrangements, when fully documented and part of a formal sharing program, in justifications to 0MB for resource requests (see 0MB Circular No. A-11, revised) and allocations. Direct funding by a shared facility should be requested only where exceptional circumstances preclude the user agency from using alternative sources. b. Cost Accounting. Agencies shall account for the full cost of the operation o information technology facilities. C. User Cost Distribution System. Agencies shall implement a system to distribute the full cost of Mr. -9 ror Developing and Implementing a Charging System for oaa 11M - ~Ing Services" (National Bureau of Standards,  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 (2) Price each service provided by the facility to the users of that service on an equitable basis commensurate with the amount of resources required to provide that service and the priority of service provided. The price of individual transactions may be estimated provided that they are periodically reconciled to assure that the full costs of operations are equitably distributed among all users. (3) Directly distribute to the recipient of the services the full costs of dedicated services, including applications developed and maintained; software unique to a single application; and telecommunications equipment, including control units, terminals, modems, and dedicated telephone or satellite links provided by the facility to enable data transfer and computer access to users. d. Cost Recovery. Consistent with statutory authority, agencies shal : (1) Submit periodic statements to all users of agency information technology facilities specifying the costs of services provided; (2) Recover full costs from Federal users of the facility; and (3) Recover costs from nonfederal users of the facilities consistent with 0MB Circular No. A-25. e. Accounting for Reimbursements Received. Agencies shall: (1) Include resource requests for the amount of planned information technology use in user budget and appropriation requests; (2) Assure that shared facilities reduce budget and appropriation requests by the amount of planned reimbursements from users; (3) Prepare, at the close of each fiscal year, a report that documents in the agency's official records the full past year cost of operating information technology facilities that recover more than $500,000 per year from sharing reimbursements; and (u) Use the portion of reimbursements arising from equipment and software depreciation for the replacement of equipment and software capital assets, provided such usage is included in the agency's budget. Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 11-5 5. Selection of Information Technology Facilities to Support New Applications. In selecting information technology facilities to support new applications, agencies shall establish a management control procedure for determining which facility will be used to support each significant application. This procedure shall ensure that: (a) All alternative facilities are considered, including other Federal agency and nonfederal facilities and services; (b) Agency. rules do not require that priority be given to the use of in-house facilities; and (c) The user of the application has primary responsibility for selecting the facility. 6. Assignment of Responsibilities a. All Federal Agencies. The head of each agency shall: (1) Establish policies and procedures and assign responsibilities to implement the requirements of this Appendix; and (2) Ensure that contracts awarded for the operation of information technology facilities include provisions for compliance with the requirements of this Appendix. b. General Services Administration. The Administrator of General Services shall: (1) Ensure that information technology facilities designated as Federal Data Processing Centers comply with the procedures established by this Appendix; (2) Ensure that provisions consistent with this Appendix are included in contracts for the operation of information technology facilities when acquiring services on behalf of an agency; 7. Implementation Requirements Agencies. shall implement the provisions of this Appendix effective at the beginning of fiscal year 1987. Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 APPENDIX III TO OMB CIRCULAR NO. A-130 SECURITY OF FEDERAL AUTOMRTED INFORMATION SYSTEMS 1. Purpose This Appendix establishes a minimum set of controls to be included in Federal automated information systems security programs; assigns responsibilities for the security of agency automated information systems; and clarifies the relationship between such agency security programs and internal control systems established in accordance with OMB Circular No. A-123, Internal Control Systems. The Appendix revises procedures formerly contained in Transmittal Memorandum No. 1 to OMB Circular No. A-71, now rescinded, and incorporates responsibilities from applicable national security directives. 2. Definitions a. The term "automated information system" means an information system (defined in Section 6d of the Circular) that is automated. b. The term "information technology installation" means one or more computer or office automation systems including related telecommunications, peripheral and storage units, central processing units, and operating and support system software. Information technology installations may range from information technology facilities such as large centralized computer centers to individual stand-alone microprocessors such as personal computers. - c. The term "sensitive data" means data that require protection due to the risk and magnitude of loss or harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the data. The term includes data whose improper use or disclosure could adversely affect the ability of an agency to accomplish its mission, proprietary data, records about individuals requiring protection under the Privacy Act, and'data not releasable under the Freedom of Information Act. d The term "sensitive application" means an application of information technology that requires protection because it laa:?ases saris{tive d t~ or bec use of the risk and magnitude of operation or ib result a r r L? of the application. Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05C01629R000701570005-3 e. The term "security specifications" means a detailed description of the safeguards required, to protect a sensitive application. - 3. Automated Information Systems Security Programs Agencies shall assure an adequate=level of security for all agency automated information systems, whether maintained in-house or commercially. Specifically, agencies shall: Assure that automated information systems operate effectively and accurately; Assure that there are appropriate technical, personnel, administrative, environmental, and telecommunications safeguards in automated information systems; and Assure the continuity of operation of automated information systems that support critical agency functions. Agencies shall implement and maintain an automated information systems security program, including the preparation of policies, standards, and procedures. This program will be consistent with government-wide policies, procedures, and standards issued by the. Office of Management and Budget, the Department of Commerce, the Department of Defense, the General Services- Administration, and the Office of Personnel Management. Agency programs shall incorporate additional requirements for securing national security information in accordance with appropriate national security directives. Agency programs shall, at a minimum, include four primary elements: applications security, personnel security, information technology installation security, and security awareness and training. a. Applications Security (1) Management Control Process and Sensitivity Evaluation. Agencies shall establish a management control process to assure that appropriate administrative, physical, and technical safeguards are incorporated into all new applications, and into significant modifications to existing applications. Management officials who are the primary users of applications should evaluate the sensitivity of new or existing applications being substantially modified. For those applications considered sensitive, the management control process shall, at a minimum, include security specifications and design reviews and systems tests. (a) Security Specifications. Agencies shall define and approve security requirements and specifications prior to acquiring or starting formal development of the applications. The results of risk analyses performed at the information technology installation where the applications will be, processed should be taken into account when defining and approving security Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05C01629R000701570005-3  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05C01629R000701570005-3 111-3 specifications for the applications. Other vulnerabilities of the applications, such as in telecommunications links, shall also be considered in defining security requirements. The views and recommendations of the information technology user organization, the information technology installation, and the individual responsible for security at the installation shall be considered prior to the approval of securityspecifications for the applications. (b) Design Reviews and System Tests. Agencies shall conduct and approve design reviews and system tests, prior to placing the application into operation, to assure the proposed design meets the'approved security specifications. The objective of the system tests should be to verify that required administrative, technical, and physical safeguards are operationally adequate. The results of the design reviews and system tests shall be fully documented and maintained in the official agency records. (c) Certification. Upon completion of the system tests, an agency official shall certify that the system meets all applicable Federal policies, regulations, and standards, and that the results of the tests demonstrate that the installed security safeguards are adequate for the application. ? (2) Periodic Review and Recertification. Agencies shall conduct periodic audits or reviews of sensitive applications and recertify the adequacy of security safeguards. Audits or reviews shall evaluate the adequacy of implemented safeguards, assure they are functioning properly, identify vulnerabilities that could heighten threats to sensitive data or valuable resources, and assist with the implementation of new safeguards where required. They are intended to provide a basis for recertification of the security of the application. Recertification shall be fully documented and maintained in the official agency-records. Audits or reviews and recertifications shall be performed at least every three years. They should be considered as part of agency vulnerability assessments and internal control reviews conducted in accordance with OMB Circular No. A-123. Security or other control weaknesses identified shall be included in the annual internal control assurance letter and report required by Circular No. A-123. (3) Contingency Plans. Agencies shall establish policies and assign responsibilities to assure that appropriate contingency plans are developed and maintained by end users of information technology applications. The intent of such plans is to assure that users can continue to perform essential functions in the event their information technology support is interrupted. Such plans should be consistent with disaster recovery and continuity of operations plans maintained by the installation at which the application is processed. Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05C01629R000701570005-3  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05C01629R000701570005-3 b. Personnel Security. Agencies shall establish and manage personnel security policies and procedures to assure an adequate level of security for Federal automated information systems. Such policies and procedures shall include requirements for screening all individuals participating in the design, development, operation, or maintenance of sensitive applications as well as those having access to-sensitive data. The level of screening required by these policies should vary from minimal checks to full background investigations, depending upon the sensitivity of the information to be handled and the risk and magnitude of loss or harm that could be caused by the individual. These policies shall be established for both Federal and contractor personnel. Personnel security policies for Federal employees shall be consistent with policies issued by the Office of Personnel Management. c. Information Technology Installation Security. Agencies shall assure that an appropriate level of security is maintained at all information technology installations operated by or on behalf of the Federal Government (e.g., government-owned, contractor-operated installations). (1) Assigning Responsibility. Agencies shall assign responsibility for the security of each installation to a management official knowledgeable in information technology and security matters. (2) Periodic Risk Analysis. Agencies shall establish and maintain a program for the conduct of periodic risk analyses at each installation to ensure that appropriate, cost effective safeguards are incorporated into existing and new installations. The objective of a risk analysis is to provide a measure of the relative vulnerabilities and threats to an installation so that security resources can be effectively distributed to minimize potential loss. Risk analyses may vary from an informal review of a microcomputer installation to a formal, fully quantified risk analysis of a large scale computer system. The results of these analyses should be documented and taken into consideration by management officials when certifying sensitive applications processed at the installation. Such analyses should also be consulted during the evaluation of general controls over the management of information technology installations conducted in accordance with OMB Circular No. A-123. A risk analysis shall be performed: (a) Prior to the approval of design specifications for new installations; (b) Whenever a significant change occurs to the installations (e.g., adding a local area network; changing from batch to online processing; adding dial-up capability). Agency criteria for defining significant change shall be commensurate with the sensitivity of the data processed by the installation. 0 Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05C01629R000701570005-3  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 111-5 (c) At periodic intervals established by the agency commensurate with the sensitivity of the data processed, but not to exceed every five years if no risk analysis has-been performed during that period. (3) Disaster and Continuity Plan. Agencies shall maintain disaster recovery and continuity of operations plans for all information technology installations. The objective of these plans should be to provide reasonable continuity of data processing support should events occur that prevent normal operations at the installation. For large installations and installations that support essential agency functions, the plans should be fully documented and operationally tested periodically, at a frequency commensurate with the risk and magnitude of loss or harm that could result from disruption of information technology support. (u) Acquisition Specifications. Agencies shall assure that appropriate technical, administrative, physical, and personnel security requirements are included in specifications for the acquisition or operation of information technology installations, equipment, software, and related services, whether procured by the agency or by GSA. These security requirements shall be reviewed and approved by the management official responsible for security at the installation making the acquisition. d. Security Awareness and Training Programs. Agencies shall establish a security awareness and training program to assure that agency and contractor personnel involved in the management, operation, programming, maintenance, or use of information technology are aware of their security responsibilities and know how to fulfill them. Users of information technology systems should be apprised of the vulnerabilities of such systems and trained in techniques to enhance security. 4. Assignment of Responsibilities a. Department of Commerce. The Secretary of Commerce shall: (1) Develop and issue standards and guidelines for assuring the security of Federal automated information systems; (2) Establish standards, approved in accordance with applicable national security directives, for systems used to process sensitive information the loss of which could adversely affect the national security interest; and (3) Provide technical assistance to Federal agencies in implementing Department of Commerce standards and guidelines. Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05C01629R000701570005-3 111-6 b. Department of Defense. The Secretary of Defense shall: (1) Act,.in accordance with applicable national security directives, as executive agent of the government for the security of telecommunications and automated information systems that process information the loss of which could adversely affect the national security interest; and (2) Provide technical material and assistance to Federal agencies concerning security of Federal telecommunications and automated information systems. c. General'Services Administration. The Administrator of General Services shall: (1) Issue policies and regulations for the physical and environmental security of computer rooms in Federal buildings consistent with standards issued by the Department of Commerce and the Department of Defense. (2) Assure that agency procurement requests for computers, software, telecommunications services, and related services include security requirements. Delegations of procurement authority to agencies by GSA under mandatory programs, dollar threshold delegations, certification programs, or other so-called blanket delegations shall include requirements for agency specification of security requirements. (3) Assure that information technology equipment, software, computer room construction, guard or custodial services, telecommunications services, and any other related services procured by GSA meet the security requirements established and specified by the user agency and are consistent with other applicable policies and standards issued by OMB, the Department of Commerce, the Department of Defense, and the Office of Personnel Management. (4) Issue appropriate standards for the security of Federal telecommunications systems. Standards related to systems used to communicate sensitive information, the loss of which could adversely affect the national security interest, shall be developed and issued in accordance with applicable national security directives. d. Office of Personnel Management. The Director, Office of Personnel Management, shall maintain personnel security policies for Federal personnel associated with the design, programming, operation, maintenance, or use of Federal automated information systems. Requirements for personnel checks imposed by these policies should vary commensurate with the risk and magnitude of loss or harm that could be caused by the individual. The checks may range from merely normal reemployment screening procedures to full background investigations. Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05C01629R000701570005-3  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 111-7 5. Reports In their annual internal control report to the President and the Congress, required under 0MB Circular No. A-123, agencies shall: a. Describe any security or other control weaknesses identified during audits or reviews of sensitive applications or when conducting risk analyses of installations; and b. Provide assurance that there is adequate security of agency automated information systems. Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 APPENDIX IV TO OMB.CIRCULAR NO. A-130 ANALYSIS OF KEY SECTIONS 0 1. Purpose The purpose of this Appendix is to provide a general context and explanation for the contents of the key sections of the Circular. 2. Background The Paperwork Reduction Act of 1980, P.L. 96-511, 94 Stat 2812, codified at Chapter 35 of Title 44 of the United States Code, establishes a broad mandate for agencies to perform their information activities in an efficient, effective, and economical manner. Section 3504 of the Act provides authority to the Director, Office of Management and Budget (OMB), to develop and implement uniform and consistent information resources management policies; oversee the development and promote the use of information management principles, standards, and guidelines; evaluate agency information management practices in order to determine their adequacy and efficiency; and determine compliance of such practices with the policies, principles, standards, and guidelines promulgated by the Director. The Circular implements OMB authority under the Act with respect to Section 3504(b), general information policy, Section 3504(e), records management, Section 3504(f), privacy, and Section 3504(g), Federal automatic data processing and telecommunications; the Privacy Act of 1974 (5 U.S.C. 552a); Sections 111 and 206 of the Federal Property and Administrative Services Act of 1949, as amended (40 U.S.C. 759 and 487, respectively ); the Budget and Accounting Act of 1921 (31 U.S.C. 1 et seq.); and Executive Order No. 12046 of March 27, 1978 and Executive Order No. 12472 of April 3, 1984, Assignment of National Security and Emergency Telecommunications Functions. The Circular complements 5 CFR 1320, Controlling Paperwork Burden on the Public, which implements other sections of the Paperwork Reduction Act dealing with controlling the reporting and recordkeeping burden placed on the public. In addition, the Circular revises and consolidates policy and procedures in five existing OMB directives and rescinds those directives, as follows: A-71 - Responsibilities for the Administration and Management of Automatic Data Processing Activities Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 IV-2 Transmittal Memorandum No. 1 to Circular No. A-T1 - Security of Federal Automated Information Systems A-90 - Cooperating with State and Local Governments to Coordinate and Improve Information Systems A-108 - Responsibilities for=the Maintenance of Records about Individuals by Federal Agencies A-121 - Cost Accounting, Cost Recovery, and Interagency Sharing of Data Processing Facilities OMB's review of the five existing policy directives led to the conclusion that much, but not all, of their content was procedural in nature, concerned chiefly with how policies were to be carried out. OMB determined that it was important clearly to distinguish the statement of policies from the procedures for implementing those policies. For this reason, the main body of the Circular consists of basic considerations and assumptions, policies, and assignments of responsibility; the appendices to the Circular consist of procedures for implementing various policies and with analysis of key sections. OMB developed the main body of the Circular relying upon comments on the Federal Register notice as well as other forms of Federal agency and public input, principally meetings with interested parties. For the procedural revisions, OMB relied on the assistance of interagency task groups. The revised contents of OMB Circular No. A-71, dealing with assignments of responsibilities, are in the main body of this Circular. The contents of OMB Circular No. A-90 are rescinded entirely, with the exception of a policy statement at Section 8 (b)(17) of this Circular. Revisions of the procedural aspects of the other three policy directives--Transmittal Memorandum No. 1 to A-71, A-108,-and A-121--are appendices to this Circular. Appendices I, II, and III have the same prescriptive force as the' Circular; Appendix IV is an explanatory document. On September 17, 1984, the President signed National Security Decision Directive (NSDD) No. 145, National Policy on Telecommunications and Automated Information Systems Security. The NSDD requires that the Director, OMB, review for consistency with the. NSDD, and amend as appropriate, OMB Circular No. A-71, Transmittal Memorandum No. 1. The Circular and Appendix III satisfy the NSDD requirement. 3. Analysis Section 6. Definitions f. Access to information. g. Dissemination of information. The Circular defines access to n ormation" as the function of providing to members of the public, upon their ? Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 IV-3 0 request, the government information to which they are entitled under law. Access refers to those situations in which the government agency's role is passive; access is what the - government's responsibilities are when the public comes to the government and asks for information the government has and the public is entitled to. "Dissemination," in the Circular's usage, refers to the function of distributing government information; dissemination connotes an active outreach by a government agency. Dissemination refers to those situations in which the government provides the public with information without the public having to come and ask for it. The distinction between access and dissemination is posed in order to elaborate the responsibilities of Federal agencies for providing information to the public. Two fundamentally different situations exist: one in which the public goes to the agency to ask for information the agency holds and may or may not have disseminated; and one in which the agency chooses to take the information it holds to the public. In the first instance-- access--Congress has provided specific statutory policy in the Freedom of Information Act (FOIA) and in the Privacy Act. These laws and policies concerning access to government information are explicit, well known, and now so widely accepted in practice by Federal agencies as not to require policy elaboration in this Circular. Agencies should know that, if members of the public ask for information subject to FOIA or the Privacy Act, the agencies should normally provide the information forthwith, because the public has a formal legal process for forcing the agencies to yield the information. The relationship between access to and dissemination of information is explained below, in the discussion of 8a(8) through (12). Section 7. Basic Considerations and Assumptions Basic considerations and assumptions are statements that provide the underpinnings for the prescriptive policies in Section 8; they are not themselves policy statements. They are either derived from statutes or legislative history, or represent executive branch management philosophy as embodied in the Circular. Statement 7-e summarizes policy found in 0MB Circular No. A-76, Performance of Commercial Activities. Statement 7-f states a general predisposition to use up-to-date information technology to manage Federal information resources. Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05CO1629R000701570005-3 Statements 7-a through 7-d provide the general context for management of Federal information resources.  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05C01629R000701570005-3 Statements 7-g and 7-h pertain to the Privacy Act and the Freedom of Information Act, respectively. Statement 7-i pertains to the National Science and Technology Policy, Organization and Priorities Act. Statement 7-j pertains to the Federal Records Act. Statement 7-k states a relationship between Federal information policy and international information policy. Section 8. Policies. This section is divided into two subsections that generally correspond to the twofold definition of information resources management in Section 6-b, namely, information itself and the resources associated with information. a. Information Management. The Paperwork Reduction Act acknowledges that information is a valuable resource and should be managed as such. Proceeding from this premise, this subsection states policies concerning the management of Federal information. (1) and (2). Information Collection and Sharing. The Circular's basic considerations and assumptions (Section ) establish the value of government information activities. Without question, some information created or collected by Federal agencies is so vital that the American form of government, the economy, national security, and citizens' safety and wellbeing could not continue to exist in its absence. Nothing in this Circular is intended to diminish or derogate the creation or collection of such information, nor to serve as a pretext under which a Federal agency could damage the Nation's critical needs by failing to create or collect such information. At the same time, the Paperwork Reduction Act was designed to remedy deficiencies Congress perceived in Federal information activities. In the words of the report of the House Committee cr: Government Operations (Report No. 96-835, p. 3): The legislation is the result of a growing concern that the way the Government collects, uses, and disseminates information must be improved. Inefficiencies in current Federal information practices drastically reduce the effectiveness of the Government while, at the same time, drowning our citizens in a sea of forms, questionnaires, and reports. The Act intends that the creation or collection of information be carried out within the context of efficient, effective, and economical management. When Federal agencies create or collect Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05C01629R000701570005-3 -  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05C01629R000701570005-3 IV-5 Information--Just as when they perform any other vital functions --they consume scarce resources and such activities must be continually scrutinized in light of good management.principles. The applicable principles provided in the purposes of the Act are: to minimize the Federal paperwork burden for individuals, small businesses, State and local governments, and other persons; to minimize the cost to the Federal Government of collecting, maintaining, using, and disseminating information; and each of these processes, the requirement for information resources planning is clearly contained in the Act (44 U.S.C. 3506 (c)(1)), and the absence of adequate planning is sufficient reason not to create or collect information in the first place. gore creating or collecting new information, agencies should 10k first to other agencies and the private sector so as not to daplioate exi ld t - to maximize the usefulness of information collected by the Federal Government. (44 U.S.C. 3501) Agencies must justify the creation or collection of information in the light of their statutory functions. Policy statement 8a(9) uses the standard, "necessary for the proper performance of agency functions," taken directly from the Paperwork Reduction Act (44 U.S.C. 3504 (c)(2)). Further, the policy statement includes the requirement that the information have practical utility, as defined in the Paperwork Reduction Act (44 U.S.C. 3502 (15)) and elaborated in Controlling Paperwork Burdens on the Public (5 CFR 1320). Note that practical utility includes characteristics pertaining to the quality of,information such as accuracy, adequacy, and reliability, and that, in the case of general purpose statistics or recordkeeping, practical utility means that actual uses can be demonstrated (5 CFR 1320.7 (q)). Good management and the requirement of practical utility dictate that agencies must plan from the outset for the steps in the information life cycle. The Act also stipulates that agencies must "formulate plans for tabulating the information in a manner which will enhance its usefulness to other agencies and to the public" (44 U.S.C. 3507 (a)(1)(C)). When creating or collecting information, agencies must plan how they will process and transmit the information, how they will use it, what provisions they will make for access to it, whether and how they will disseminate it, how they will store it, and finally, how the information will ultimately be disposed of. While agencies cannot at the outset achieve absolute certitude in planning for wou Bali Lheir sneng information sources or services tha d 4 hall not e s th t Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05C01629R000701570005-3 agenc es a s. The Act requires sPona or information collections unless they have  Sanitized Copy Approved for Release 2011/05/13: CIA-RDP05C01629R000701570005-3 available from another source within the Federal Government" ((44 U.S.C. 3507 (a)(1)IA)). Each agency must a! so "ensure Its !nfor?mation systems do not overlap each other or duplicate the systems or other agencies" (44 U.S.C. 3506 (c)(2)). The Act also contains provisions governing the sharing of information between agencies (44 U.S.C. 3510). App y+_ng the policy of OMB Circular No. A-76, the Circular also requires agencies to examine the possibility of acquiring the necessary information from private sector sources. This is not to say that information creation or collection functions should be indiscriminately turned over to other agencies or to the private sector, but rather to say that agencies have an obligation to examine other potential sources of information which may satisfy agency needs. Some information can only be created or collected by Federal agencies themselves in the exercise of the government's sovereign powers. For some information, the government can satisfy its legitimate needs only when a Federal agency is the creation or collection agent. But other information needs can be met, and in many cases are routinely met, through existing services and sources in other agencies or the private oector. In many cases there is no _nherently governmental tunctfon that is Served by having information collected by a Federal agency; agencies should and do consider acquiring information collection services from the private sector. The Circular emphasizes that these sources should always be looked to first in the inte:.?ests of efficiency and ee :nomy . (3) through !6). i'rivacy Act and Freedom of Information Act. These statements contain policy statements pertaining to the Privacy Ac:: an::: in,_-orporati.ng th policies cf OMB Circular No. A-108, which is rescc;need and superseded. Agencies are to ensure that trey meet the req-irements of the Privacy Act regarding collection of `ndivi~l~ca' !y iuentifl=bl.e :nformation. Stich inf.ortratio.-: is to be maints!r.e^ and prc:s^.t:d so as to preclude intrus!.rni into the pro vacv of indivicuals. Individuals must n:' accorder1 access a?ld awe.iJm?cnt t ^hts to j- 2s, as provided in the ?ri':acy Act. Ant?:nd!x ; prescribes { procedures for the ma ntenunce of accordance with the Privacy '.ct. In uddit? cr. to Privacy Act ccrsideraticn9, :, atement8 ) and (Ii ) include provisions concerning proprietary information.. Agencies a??a '.:-) !u!_n i mi ze the '_r collecti oti of propri