[Federal Register Volume 61, Number 34 (Tuesday, February 20, 1996)]
[Notices]
[Pages 6428-6453]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 96-3645]




[[Page 6427]]

_______________________________________________________________________

Part III





Office of Management and Budget





_______________________________________________________________________



Management of Federal Information Resources; Notice

  Federal Register / Vol. 61, No. 34 / Tuesday, February 20, 1996 / 
Notices  

[[Page 6428]]


OFFICE OF MANAGEMENT AND BUDGET


Management of Federal Information Resources

AGENCY: Office of Management and Budget, Executive Office of the 
President.

ACTION: Revision of OMB Circular No. A-130, Transmittal No. 3, Appendix 
III, ``Security of Federal Automated Information Resources.''

-----------------------------------------------------------------------

SUMMARY: The Office of Management and Budget (OMB) is revising Appendix 
III, ``Security of Federal Information Systems,'' of Circular No. A-
130, ``Management of Federal Automated Information Resources.'' This is 
the third stage of planned revisions to Circular A-130. Enactment of 
the Information Technology Management Reform Act of 1996 (Division E of 
the National Defense Authorization Act for Fiscal Year 1996) will 
require OMB to issue additional guidance on capital planning, 
investment control, and the management of information technology. A 
plan for those revisions will be announced in the Spring.
    Transmittal 1 to Circular A-130, effective June 25, 1993, and 
published on July 2, 1993 (58 FR 36068) addressed the Information 
Management Policy section of the Circular (Section 8a), as well as 
Appendix I, ``Federal Agency Responsibilities for Maintaining Records 
About Individuals.'' That issuance dealt primarily with how the Federal 
government manages its information holdings, particularly information 
exchange with the public.
    Transmittal 2 to Circular A-130, effective July 15, 1994, and 
published on July 25, 1994 (59 FR 37906) addressed agency management 
practices for information systems and information technology (Section 
8b). That issuance was intended to (1) promote agency investments in 
information technology that improve service delivery to the public, 
reduce burden on the public, and lower the cost of Federal programs 
administration, and (2) encourage agencies to use information 
technology as a strategic resource to improve Federal work processes 
and organization.
    This Transmittal 3 is intended to guide agencies in securing 
government information resources as they increasingly rely on an open 
and interconnected National Information Infrastructure. It stresses 
management controls, such as individual responsibility, awareness and 
training, and accountability, and explains how they can be supported by 
technical controls. Among other things, it requires agencies to assure 
that risk-based rules of behavior are established, that employees are 
trained in them, and that the rules are enforced. The revision also 
integrates security into program and mission goals, reduces the 
centralized reporting of security plans, emphasizes the management of 
risk rather than its measurement, and revises government-wide security 
responsibilities to be consistent with the Computer Security Act and 
the Paperwork Reduction Act of 1995.
    This transmittal also makes minor technical revisions to Section 9 
(``Assignment of Responsibilities'') and Section 10 (``Oversight'') to 
reflect the Paperwork Reduction Act of 1995 (Pub. L. 104-13). One 
substantive change has been made to Appendix I in Section 3.a. changing 
the annual requirement to review recordkeeping practices, training, 
violations, and notices to a biennial review, in accordance with other 
regular agency reviews not required by statute. Several minor changes 
have been made, none of which are intended to be substantive. In 
Section 2.c., a portion of the definition of ``nonfederal agency'' 
which has been inadvertently omitted has been added to reflect the 
current practice in state-federal matching programs. In Section 3.a., 
extraneous and confusing language referring to source or matching 
agencies was removed because the provision applies to any agency that 
participates in a matching program. The example's in 4.c.(1) were 
updated for clarity. Other editorial and organizational changes were 
made throughout the appendix.
    Appendix IV has been changed to include material from OMB 
Memorandum M-95-22, ``Implementing the Information Dissemination 
Provisions of the Paperwork Reduction Act of 1995'' (September 29, 
1995), and to delete some outdated or otherwise already implemented 
guidance from the discussion of Sections 9 and 10.

ELECTRONIC AVAILABILITY: This document is available on the OMB Home 
page of Welcome to the White House World Wide Web site (http://
www.whitehouse.gov) as http://www1.whitehouse.gov/White-House/EOP/OMB/
html/omb-a130.html. This document is also available on the Internet via 
anonymous File Transfer Protocol (FTP) from the National Institute of 
Standards and Technology (NIST) Computer Security Resource 
Clearinghouse at csrc.ncsl.nist.gov as /pub/secplcy/a130.txt (do not 
use any capital letters in the file name) or via the World Wide Web 
from http://csrc.ncsl.nist.gov/secplcy as a130.txt. Appendix III, 
``Security of Federal Automated Information Resources'' can be 
separately obtained as a130app3.txt. The clearinghouse can also be 
reached using dial-in access at 301-948-5717. For those who do not have 
file transfer capability, the document can be retrieved via mail query 
by sending an electronic mail message to [email protected] 
with no subject and with send a130.txt (or a130app3.txt for only the 
security appendix) as the first line of the body of the message. Paper 
copies may also be obtained by writing to the Publications Office, 
Office of Management and Budget, Room 2200 NEOB, Washington, D.C. 20503 
or by telephone at (202) 395-7332.

FOR FURTHER INFORMATION CONTACT: Information Policy and Technology 
Branch, Office of Information and Regulatory Affairs, Office of 
Management and Budget, Room 10236, New Executive Office Building, 
Washington, D.C. 20503. Telephone: (202) 395-3785.

SUPPLEMENTARY INFORMATION:

    Since December 30, 1985, Appendix III of Office of Management and 
Budget (OMB) Circular No. A-130, ``Security of Federal Automated 
Information Systems,'' has defined a minimum set of controls for the 
security of Federal automated information systems (50 FR 52730). That 
Appendix, and its predecessor, Transmittal Memorandum No. 1 to OMB 
Circular No. A-71, (July 27, 1978), defined controls that were 
considered effective in a centralized processing environment which ran 
primarily custom-developed application software.
    Today's computing environment is significantly different. It is 
characterized by open, widely distributed processing systems which 
frequently operate with commercial off-the-shelf software. While 
effective use of information technology often reduces risks to the 
Federal program being administered (e.g., risks from fraud or errors), 
the risk to and vulnerability of Federal information resources has 
increased. Greater risks result from increasing quantities of valuable 
information being committed to Federal systems, and from agencies being 
critically dependent on those systems to perform their missions. 
Greater vulnerabilities exist because virtually every Federal employee 
has access to Federal systems, and because these systems now 
interconnect with outside systems.
    In part because of these trends, Congress enacted the Computer 
Security Act of 1987 (Pub. L. 100-235). That Act requires agencies to 
improve the 

[[Page 6429]]
security of Federal computer systems, plan for the security of 
sensitive systems, and provide mandatory awareness and training in 
security for all individuals with access to computer systems.
    To assist agencies in implementing the Computer Security Act, OMB 
issued Bulletin No. 88-16, ``Guidance for Preparation and Submission of 
Security Plans for Federal Computer Systems Containing Sensitive 
Information'' (July 6, 1988), and OMB Bulletin No. 90-08, ``Guidance 
for Preparation of Security Plans for Federal Computer Systems that 
Contain Sensitive Information'' (July 9, 1990). This revision of 
Appendix III to OMB Circular A-130 incorporates and updates the 
policies set out in those Bulletins and supersedes them.
    The report of the National Performance Review, ``Creating a 
Government that Works Better & Costs Less: Reengineering through 
Information Technology'' (September 1993), recommended that Circular A-
130 be revised to: (1) Require an information security plan to be part 
of each agency's strategic information technology (IT) plan; (2) 
require that if computer security does not meet established thresholds, 
it be identified as a material weakness in the Federal Managers' 
Financial Integrity Act report; (3) require awareness and training of 
employees and contractors; (4) require that agencies improve planning 
for contingencies; and (5) establish and employ formal emergency 
response capabilities. Those recommendations are incorporated in this 
revision.
    Since its establishment by the Computer Security Act, the Computer 
System Security and Privacy Advisory Board has recommended changes in 
Circular A-130 to: (1) Require that agencies establish computer 
emergency response teams; and (2) link oversight of Federal computer 
security activities more closely to the oversight established pursuant 
to the Federal Manager's Financial Integrity Act (FMFIA), Public Law 
97-255. This revision incorporates both of those recommendations.
    Subsequent to issuance of Bulletin 90-08, OMB, the National 
Institute of Standards and Technology (NIST), and the National Security 
Agency (NSA) met with 28 Federal departments and agencies to review 
their computer security programs. In February 1993, OMB, NIST and NSA 
issued a report (``Observations of Agency Computer Security Practices 
and Implementation of OMB Bulletin No. 90-08'') which summarized those 
meetings and proposed several changes in OMB Circular A-130 as next 
steps to improving the Federal computer security program. Those 
proposed changes are incorporated in this revision.
    The revised Appendix clarifies the relationship between 
requirements to protect information classified pursuant to an Executive 
Order and the requirements in this Appendix. Where an agency processes 
information which is controlled for national security reasons pursuant 
to an Executive Order or statute, security measures required by 
appropriate directives should be included in agency systems. Those 
policies, procedures, and practices will be coordinated with the U.S. 
Security Policy Board as directed by the President.
    On May 22, 1995, the President signed into law the Paperwork 
Reduction Act of 1995, Public Law 104-13. That Act, in 44 U.S.C. 3505 
and 3506, requires agencies to establish computer security programs, 
and it tasks OMB to develop and oversee the implementation of policies, 
principles, standards and guidelines on security. It also requires 
Federal agencies to identify and provide security protection consistent 
with the Computer Security Act of 1987 (40 U.S.C. 759 note). This 
revision is intended to implement those OMB responsibilities.

Comments on the Proposed Appendix

    On April 3, 1995, the revised Appendix was proposed for public 
comment (60 FR 16970). It was also sent directly to Federal agencies 
for comment and made available for comment via the Internet. Thirty-two 
comments were received. The comments supported the approach proposed in 
the revised Appendix. They also made a number of suggestions to improve 
it. The principal issues raised in comments and our response to them 
are set forth below.
    1. Most of the comments stated that the preamble accompanying the 
proposed Appendix was useful in their understanding of the Appendix 
itself. They suggested that the information in the preamble be 
incorporated in the final Appendix for improved future understanding.
    We agree with this suggestion, and have incorporated the preamble, 
as revised to accommodate changes made to the proposed Appendix, as 
part B of the final Appendix.
    2. Many comments suggested that the terminology of the Appendix 
should be more directive.
    We generally agree with this comment, and have changed part A of 
the Appendix to be directive, while leaving the descriptive material in 
part B as explanatory.
    3. A number of comments noted that there is a difference between 
making individuals aware of security needs and training them. They 
suggested that the Appendix should clarify this distinction and the 
requirements associated with each.
    We agree, and have made changes in the Appendix and the descriptive 
information in part B to clarify that the requirements for training are 
consistent with the Computer Security Act (i.e., for increasing 
computer security awareness and training in accepted security 
practice).
    We have also added a clarification that training for members of the 
public who are given access to general support systems should normally 
be accomplished in the context of the application to which they are 
given access. As was pointed out in comments, members of the public 
should not be given direct access to general support systems, except 
through authorized use of an application. We have also added 
descriptive language in part B to address the need to train members of 
the public with access to major applications.
    4. Several comments raised a concern about the proposed requirement 
to limit access to systems until a new employee has been trained in 
security responsibilities. They suggested that training be required to 
be completed within a certain amount of time after access is granted 
(e.g., 60 days).
    We disagree. Understanding the security requirements that are 
integral to a system is a fundamental responsibility of each individual 
who accesses the system. It should not be delayed for administrative 
convenience. Furthermore, security training should be included as part 
of general training in use of the system for an employee. Initial 
awareness and training need not be accomplished through formal 
classroom training; in some cases it may be through interactive 
sessions of reading well-written and understandable rules. The critical 
factor is for the initial and subsequent awareness and training to be 
commensurate with the risk and magnitude of harm that could occur. 
Therefore, new employees can and should be trained in their security 
responsibilities before access is granted. The final Appendix includes 
this requirement.
    5. Several comments expressed concern about the proposed removal of 
the requirement for agencies to prepare formal risk analyses. They 
point out that such analyses assist in identifying 

[[Page 6430]]
threats, vulnerabilities, and risks to a system. They expressed a 
concern that without such analyses it would be difficult to convince 
senior management of the need for security. Other comments said that 
without risk analysis as the basis of decisions, security measures will 
not be effective. On the other hand, several comments supported the 
removal of this requirement, which they found not cost-effective.
    We agree that security measures must be risk-based. The Computer 
Security Act requires that security controls be commensurate with the 
risk and magnitude of harm that could occur. Implicit in that approach 
is a need to assess the risk to each system. However, given the 
complexity and detail such formal analyses often entail, a formal risk 
analysis is not appropriate for every system. Therefore, the Appendix 
does not require that a formal risk analysis be performed.
    At the same time, risk assessment is an essential element in 
ensuring adequate security. NIST recently issued a handbook, ``An 
Introduction to Computer Security: The NIST Handbook'' (March 16, 
1995), which contains guidance on computer security risk management and 
provides a flexible framework for performing meaningful risk 
assessments. Part B references the NIST handbook.
    6. Several comments asked about the relation between the rules of 
behavior required in the Appendix and operating policies prescribed in 
the NIST Handbook. Other comments made suggestions about the kind and 
scope of rules that should be included in the security plan.
    We have added language to part B to describe the kinds of rules we 
believe are appropriate and to clarify that rules of behavior in the 
Appendix should be consistent with the system-specific policies 
described in the NIST handbook.
    7. Several comments raised a concern about the effectiveness of 
reviews of security controls unless they are performed by independent 
reviewers.
    An independent review can improve the objectivity of the review, as 
well as its value to top management in assessing the need for 
corrective action. Therefore, we have added language to the discussion 
in part B of the Appendix that clarifies that reviews of major 
applications, because of their higher risk, should be independent. We 
have not, however, required that reviews of all general support systems 
be independent. Nevertheless, given the value of an independent review, 
agencies may elect to use this approach, particularly where a system 
supports a high-risk agency function.
    In addition, we understand that the U.S. General Accounting Office 
is developing guidance which provides a structured approach for 
performing reviews. We have also revised the Appendix to be consistent 
with OMB Circular No. A-123, ``Management Accountability and Control'' 
(June 21, 1995).
    8. Several comments requested additional guidance on enforcement of 
the rules of behavior, either from the Department of Justice or the 
Office of Personnel Management (OPM).
    The presumption in requiring rules of behavior is that they would 
be enforced as are other behavioral rules within an agency. Therefore, 
we are not proposing to have central guidance developed by either 
Justice or OPM. However, we expect that agencies will share their 
various approaches through inter-agency forums, such as the Computer 
Security Program Managers' Forum. We have added a brief discussion of 
this point to part B.
    9. Several comments concerned the protection of shared information 
and requested that additional guidance be provided. We have clarified 
our intent in the discussion in part B.
    10. One comment raised a concern about the Appendix's apparent 
subordination of technical controls to management controls. While we 
are stressing the importance of management controls, we have added 
preamble language to clarify that both types of controls must be in 
place to be effective.
    11. A number of comments raised a concern about whether adequate 
funding would be forthcoming to implement the requirements of the 
Appendix.
    Implicit in issuing the Appendix is our presumption that a system 
is created and maintained with adequate security or it should not be 
created or maintained. Security costs should therefore be factored into 
the normal capital planning and investment controls process for 
information technology, consistent with the information systems and 
information technology management requirements in Section 8b of this 
circular.
    12. A number of comments concerned the government-wide role of the 
Security Policy Board. Several favored expanding that role, others 
proposed that it be more limited. Still others said the Appendix should 
be silent on national security directives.
    We have revised the language in the Appendix to clarify the role of 
the Security Policy Board regrading security of information technology 
used to process classified information. We have also added language to 
the preamble which clarifies that Circular No. A-130 and the Appendix 
exclude certain mission critical systems, the so-called ``Warner 
systems'' from coverage, and to describe the Department of Defense's 
responsibilities pursuant to existing Presidential directives. The 
Appendix does not attempt to interpret the language of the directives. 
Rather, it clarifies that requirements issued pursuant to those 
directives should be used in place of the requirements of the Appendix 
with respect to the protection of classified information. The 
discussion of national security directives is included to assist in the 
coordination of security activities among various security communities.
    Accordingly, Circular A-130 is revised as set forth below.
Sally Katzen,
Administrator, Office of Information and Regulatory Affairs.

Executive Office of the President

Office of Management and Budget

February 8, 1996.

Circular No. A-130, Revised (Transmittal Memorandum No. 3)

Memorandum for Heads of Executive Departments and Establishments

    Subject: Management of Federal Information Resources.
    Circular No. A-130 provides uniform government-wide information 
resources management policies as required by the Paperwork Reduction 
Act of 1980, as amended by the Paperwork Reduction Act of 1995, 44 
U.S.C. Chapter 35. This Transmittal Memorandum contains updated 
guidance on the ``Security of Federal Automated Information 
Systems,'' Appendix III and makes minor technical revisions to the 
Circular to reflect the Paperwork Reduction Act of 1995 (Pub. L. 
104-13). The Circular is reprinted in its entirety for convenience.
Alice M. Rivlin,
Director.
Attachment

Circular No. A-130 Revised (Transmittal Memorandum No. 3)

Memorandum for Heads of Executive Departments and Establishments

    Subject: Management of Federal Information Resources.
    1. Purpose: This Circular establishes policy for the management 
of Federal information resources. Procedural and analytic guidelines 
for implementing specific aspects of these policies are included as 
appendices.
    2. Rescissions: This Circular rescinds OMB Circulars No. A-3, A-
71, A-90, A-108, A-114, and A-121, and all Transmittal Memoranda to 
those circulars.
    3. Authorities: This Circular is issued pursuant to the 
Paperwork Reduction Act (PRA) of 1980, as amended by the Paperwork 
Reduction Act of 1995 (44 U.S.C. Chapter 

[[Page 6431]]
35); the Privacy Act, as amended (5 U.S.C. 552a); the Chief Financial 
Officers Act (31 U.S.C. 3512 et seq.); the Federal Property and 
Administrative Services Act, as amended (40 U.S.C. 759 and 487); the 
Computer Security Act (40 U.S.C. 759 note); the Budget and 
Accounting Act, as amended (31 U.S.C. Chapter 11); Executive Order 
No. 12046 of March 27, 1978; and Executive Order No. 12472 of April 
3, 1984.
    4. Applicability and Scope:
    a. The policies in this Circular apply to the information 
activities of all agencies of the executive branch of the Federal 
government.
    b. Information classified for national security purposes should 
also be handled in accordance with the appropriate national security 
directives. National security emergency preparedness activities 
should be conducted in accordance with Executive Order No. 12472.
    5. Background: The Paperwork Reduction Act establishes a broad 
mandate for agencies to perform their information resources 
management activities in an efficient, effective, and economical 
manner. To assist agencies in an integrated approach to information 
resources management, the Act requires that the Director of OMB 
develop and implement uniform and consistent information resources 
management policies; oversee the development and promote the use of 
information management principles, standards, and guidelines; 
evaluate agency information resources management practices in order 
to determine their adequacy and efficiency; and determine compliance 
of such practices with the policies, principles, standards, and 
guidelines promulgated by the Director.
    6. Definitions:
    a. The term ``agency'' means any executive department, military 
department, government corporation, government controlled 
corporation, or other establishment in the executive branch of the 
Federal government, or any independent regulatory agency. Within the 
Executive Office of the President, the term includes only OMB and 
the Office of Administration.
    b. The term ``audiovisual production'' means a unified 
presentation, developed according to a plan or script, containing 
visual imagery, sound or both, and used to convey information.
    c. The term ``dissemination'' means the government initiated 
distribution of information to the public. Not considered 
dissemination within the meaning of this Circular is distribution 
limited to government employees or agency contractors or grantees, 
intra- or inter-agency use or sharing of government information, and 
responses to requests for agency records under the Freedom of 
Information Act (5 U.S.C. 552) or Privacy Act.
    d. The term ``full costs,'' when applied to the expenses 
incurred in the operation of an information processing service 
organization (IPSO), is comprised of all direct, indirect, general, 
and administrative costs incurred in the operation of an IPSO. These 
costs include, but are not limited to, personnel, equipment, 
software, supplies, contracted services from private sector 
providers, space occupancy, intra-agency services from within the 
agency, inter-agency services from other Federal agencies, other 
services that are provided by State and local governments, and 
Judicial and Legislative branch organizations.
    e. The term ``government information'' means information 
created, collected, processed, disseminated, or disposed of by or 
for the Federal Government.
    f. The term ``government publication'' means information which 
is published as an individual document at government expense, or as 
required by law. (44 U.S.C. 1901)
    g. The term ``information'' means any communication or 
representation of knowledge such as facts, data, or opinions in any 
medium or form, including textual, numerical, graphic, cartographic, 
narrative, or audiovisual forms.
    h. The term ``information dissemination product'' means any 
book, paper, map, machine-readable material, audiovisual production, 
or other documentary material, regardless of physical form or 
characteristic, disseminated by an agency to the public.
    i. The term ``information life cycle'' means the stages through 
which information passes, typically characterized as creation or 
collection, processing, dissemination, use, storage, and 
disposition.
    j. The term ``information management'' means the planning, 
budgeting, manipulating, and controlling of information throughout 
its life cycle.
    k. The term ``information resources'' includes both government 
information and information technology.
    l. The term ``information processing services organization'' 
(IPSO) means a discrete set of personnel, information technology, 
and support equipment with the primary function of providing 
services to more than one agency on a reimbursable basis.
    m. The term ``information resources management'' means the 
process of managing information resources to accomplish agency 
missions. The term encompasses both information itself and the 
related resources, such as personnel, equipment, funds, and 
information technology.
    n. The term ``information system'' means a discrete set of 
information resources organized for the collection, processing, 
maintenance, transmission, and dissemination of information, in 
accordance with defined procedures, whether automated or manual.
    o. The term ``information system life cycle'' means the phases 
through which an information system passes, typically characterized 
as initiation, development, operation, and termination.
    p. The term ``information technology'' means the hardware and 
software operated by a Federal agency or by a contractor of a 
Federal agency or other organization that processes information on 
behalf of the Federal government to accomplish a Federal function, 
regardless of the technology involved, whether computers, 
telecommunications, or others. It includes automatic data processing 
equipment as that term is defined in Section 111(a)(2) of the 
Federal Property and Administrative Services Act of 1949. For the 
purposes of this Circular, automatic data processing and 
telecommunications activities related to certain critical national 
security missions, as defined in 44 U.S.C. 3502(2) and 10 U.S.C. 
2315, are excluded.
    q. The term ``major information system'' means an information 
system that requires special management attention because of its 
importance to an agency mission; its high development, operating, or 
maintenance costs; or its significant role in the administration of 
agency programs, finances, property, or other resources.
    r. The term ``records'' means all books, papers, maps, 
photographs, machine-readable materials, or other documentary 
materials, regardless of physical form or characteristics, made or 
received by an agency of the United States Government under Federal 
law or in connection with the transaction of public business and 
preserved or appropriate for preservation by that agency or its 
legitimate successor as evidence of the organization, functions, 
policies, decisions, procedures, operations, or other activities of 
the government or because of the informational value of the data in 
them. Library and museum material made or acquired and preserved 
solely for reference or exhibition purposes, extra copies of 
documents preserved only for convenience of reference, and stocks of 
publications and of processed documents are not included. (44 U.S.C. 
3301)
    s. The term ``records management'' means the planning, 
controlling, directing, organizing, training, promoting, and other 
managerial activities involved with respect to records creation, 
records maintenance and use, and records disposition in order to 
achieve adequate and proper documentation of the policies and 
transactions of the Federal Government and effective and economical 
management of agency operations. (44 U.S.C. 2901(2))
    t. The term ``service recipient'' means an agency organizational 
unit, programmatic entity, or chargeable account that receives 
information processing services from an information processing 
service organization (IPSO). A service recipient may be either 
internal or external to the organization responsible for providing 
information resources services, but normally does not report either 
to the manager or director of the IPSO or to the same immediate 
supervisor.
    7. Basic Considerations and Assumptions:
    a. The Federal Government is the largest single producer, 
collector, consumer, and disseminator of information in the United 
States. Because of the extent of the government's information 
activities, and the dependence of those activities upon public 
cooperation, the management of Federal information resources is an 
issue of continuing importance to all Federal agencies, State and 
local governments, and the public.
    b. Government information is a valuable national resource. It 
provides the public with knowledge of the government, society, and 
economy--past, present, and future. It is a means to ensure the 
accountability of government, to manage the government's operations, 
to maintain the healthy performance of the economy, and is itself a 
commodity in the marketplace. 

[[Page 6432]]

    c. The free flow of information between the government and the 
public is essential to a democratic society. It is also essential 
that the government minimize the Federal paperwork burden on the 
public, minimize the cost of its information activities, and 
maximize the usefulness of government information.
    d. In order to minimize the cost and maximize the usefulness of 
government information, the expected public and private benefits 
derived from government information should exceed the public and 
private costs of the information, recognizing that the benefits to 
be derived from government information may not always be 
quantifiable.
    e. The nation can benefit from government information 
disseminated both by Federal agencies and by diverse nonfederal 
parties, including State and local government agencies, educational 
and other not-for-profit institutions, and for-profit organizations.
    f. Because the public disclosure of government information is 
essential to the operation of a democracy, the management of Federal 
information resources should protect the public's right of access to 
government information.
    g. The individual's right to privacy must be protected in 
Federal Government information activities involving personal 
information.
    h. Systematic attention to the management of government records 
is an essential component of sound public resources management which 
ensures public accountability. Together with records preservation, 
it protects the government's historical record and guards the legal 
and financial rights of the government and the public.
    i. Agency strategic planning can improve the operation of 
government programs. The application of information resources should 
support an agency's strategic plan to fulfill its mission. The 
integration of IRM planning with agency strategic planning promotes 
the appropriate application of Federal information resources.
    j. Because State and local governments are important producers 
of government information for many areas such as health, social 
welfare, labor, transportation, and education, the Federal 
Government must cooperate with these governments in the management 
of information resources.
    k. The open and efficient exchange of scientific and technical 
government information, subject to applicable national security 
controls and the proprietary rights of others, fosters excellence in 
scientific research and effective use of Federal research and 
development funds.
    l. Information technology is not an end in itself. It is one set 
of resources that can improve the effectiveness and efficiency of 
Federal program delivery.
    m. Federal Government information resources management policies 
and activities can affect, and be affected by, the information 
policies and activities of other nations.
    n. Users of Federal information resources must have skills, 
knowledge, and training to manage information resources, enabling 
the Federal government to effectively serve the public through 
automated means.
    o. The application of up-to-date information technology presents 
opportunities to promote fundamental changes in agency structures, 
work processes, and ways of interacting with the public that improve 
the effectiveness and efficiency of Federal agencies.
    p. The availability of government information in diverse media, 
including electronic formats, permits agencies and the public 
greater flexibility in using the information.
    q. Federal managers with program delivery responsibilities 
should recognize the importance of information resources management 
to mission performance.
     8. Policy
    a. Information Management Policy:
    (1) Information Management Planning. Agencies shall plan in an 
integrated manner for managing information throughout its life 
cycle. Agencies shall:
    (a) Consider, at each stage of the information life cycle, the 
effects of decisions and actions on other stages of the life cycle, 
particularly those concerning information dissemination;
    (b) Consider the effects of their actions on members of the 
public and ensure consultation with the public as appropriate;
    (c) Consider the effects of their actions on State and local 
governments and ensure consultation with those governments as 
appropriate;
    (d) Seek to satisfy new information needs through interagency or 
intergovernmental sharing of information, or through commercial 
sources, where appropriate, before creating or collecting new 
information;
    (e) Integrate planning for information systems with plans for 
resource allocation and use, including budgeting, acquisition, and 
use of information technology;
    (f) Train personnel in skills appropriate to management of 
information;
    (g) Protect government information commensurate with the risk 
and magnitude of harm that could result from the loss, misuse, or 
unauthorized access to or modification of such information;
    (h) Use voluntary standards and Federal Information Processing 
Standards where appropriate or required;
    (i) Consider the effects of their actions on the privacy rights 
of individuals, and ensure that appropriate legal and technical 
safeguards are implemented;
    (j) Record, preserve, and make accessible sufficient information 
to ensure the management and accountability of agency programs, and 
to protect the legal and financial rights of the Federal Government;
    (k) Incorporate records management and archival functions into 
the design, development, and implementation of information systems;
    (l) Provide for public access to records where required or 
appropriate.
    (2) Information Collection. Agencies shall collect or create 
only that information necessary for the proper performance of agency 
functions and which has practical utility.
    (3) Electronic Information Collection. Agencies shall use 
electronic collection techniques where such techniques reduce burden 
on the public, increase efficiency of government programs, reduce 
costs to the government and the public, and/or provide better 
service to the public. Conditions favorable to electronic collection 
include:
    (a) The information collection seeks a large volume of data and/
or reaches a large proportion of the public;
    (b) The information collection recurs frequently;
    (c) The structure, format, and/or definition of the information 
sought by the information collection does not change significantly 
over several years;
    (d) The agency routinely converts the information collected to 
electronic format;
    (e) A substantial number of the affected public are known to 
have ready access to the necessary information technology and to 
maintain the information in electronic form;
    (f) Conversion to electronic reporting, if mandatory, will not 
impose substantial costs or other adverse effects on the public, 
especially State and local governments and small business entities.
    (4) Records Management. Agencies shall:
    (a) Ensure that records management programs provide adequate and 
proper documentation of agency activities;
    (b) Ensure the ability to access records regardless of form or 
medium;
    (c) In a timely fashion, establish, and obtain the approval of 
the Archivist of the United States for, retention schedules for 
Federal records; and
    (d) Provide training and guidance as appropriate to all agency 
officials and employees and contractors regarding their Federal 
records management responsibilities.
    (5) Providing Information to the Public. Agencies have a 
responsibility to provide information to the public consistent with 
their missions. Agencies shall discharge this responsibility by:
    (a) Providing information, as required by law, describing agency 
organization, activities, programs, meetings, systems of records, 
and other information holdings, and how the public may gain access 
to agency information resources;
    (b) Providing access to agency records under provisions of the 
Freedom of Information Act and the Privacy Act, subject to the 
protections and limitations provided for in these Acts;
    (c) Providing such other information as is necessary or 
appropriate for the proper performance of agency functions; and
    (d) In determining whether and how to disseminate information to 
the public, agencies shall:
     (i) Disseminate information in a manner that achieves the best 
balance between the goals of maximizing the usefulness of the 
information and minimizing the cost to the government and the 
public;
     (ii) Disseminate information dissemination products on 
equitable and timely terms;
     (iii) Take advantage of all dissemination channels, Federal and 
nonfederal, including State and local governments, libraries and 
private sector entities, in discharging agency information 
dissemination responsibilities;
     (iv) Help the public locate government information maintained 
by or for the agency.
    (6) Information Dissemination Management System. Agencies shall 
maintain and 

[[Page 6433]]
implement a management system for all information dissemination 
products which shall, at a minimum:
    (a) Assure that information dissemination products are necessary 
for proper performance of agency functions (44 U.S.C. 1108);
    (b) Consider whether an information dissemination product 
available from other Federal or nonfederal sources is equivalent to 
an agency information dissemination product and reasonably fulfills 
the dissemination responsibilities of the agency;
    (c) Establish and maintain inventories of all agency information 
dissemination products;
    (d) Develop such other aids to locating agency information 
dissemination products including catalogs and directories, as may 
reasonably achieve agency information dissemination objectives;
    (e) Identify in information dissemination products the source of 
the information, if from another agency;
    (f) Ensure that members of the public with disabilities whom the 
agency has a responsibility to inform have a reasonable ability to 
access the information dissemination products;
    (g) Ensure that government publications are made available to 
depository libraries through the facilities of the Government 
Printing Office, as required by law (44 U.S.C. Part 19);
    (h) Provide electronic information dissemination products to the 
Government Printing Office for distribution to depository libraries;
    (i) Establish and maintain communications with members of the 
public and with State and local governments so that the agency 
creates information dissemination products that meet their 
respective needs;
    (j) Provide adequate notice when initiating, substantially 
modifying, or terminating significant information dissemination 
products; and
    (k) Ensure that, to the extent existing information 
dissemination policies or practices are inconsistent with the 
requirements of this Circular, a prompt and orderly transition to 
compliance with the requirements of this Circular is made.
    (7) Avoiding Improperly Restrictive Practices. Agencies shall:
    (a) Avoid establishing, or permitting others to establish on 
their behalf, exclusive, restricted, or other distribution 
arrangements that interfere with the availability of information 
dissemination products on a timely and equitable basis;
    (b) Avoid establishing restrictions or regulations, including 
the charging of fees or royalties, on the reuse, resale, or 
redissemination of Federal information dissemination products by the 
public; and,
    (c) Set user charges for information dissemination products at a 
level sufficient to recover the cost of dissemination but no higher. 
They shall exclude from calculation of the charges costs associated 
with original collection and processing of the information. 
Exceptions to this policy are:
    (i) Where statutory requirements are at variance with the 
policy;
    (ii) Where the agency collects, processes, and disseminates the 
information for the benefit of a specific identifiable group beyond 
the benefit to the general public;
    (iii) Where the agency plans to establish user charges at less 
than cost of dissemination because of a determination that higher 
charges would constitute a significant barrier to properly 
performing the agency's functions, including reaching members of the 
public whom the agency has a responsibility to inform; or
    (iv) Where the Director of OMB determines an exception is 
warranted.
    (8) Electronic Information Dissemination. Agencies shall use 
electronic media and formats, including public networks, as 
appropriate and within budgetary constraints, in order to make 
government information more easily accessible and useful to the 
public. The use of electronic media and formats for information 
dissemination is appropriate under the following conditions:
    (a) The agency develops and maintains the information 
electronically;
    (b) Electronic media or formats are practical and cost effective 
ways to provide public access to a large, highly detailed volume of 
information;
    (c) The agency disseminates the product frequently;
    (d) The agency knows a substantial portion of users have ready 
access to the necessary information technology and training to use 
electronic information dissemination products;
    (e) A change to electronic dissemination, as the sole means of 
disseminating the product, will not impose substantial acquisition 
or training costs on users, especially State and local governments 
and small business entities.
    (9) Safeguards. Agencies shall:
    (a) Ensure that information is protected commensurate with the 
risk and magnitude of the harm that would result from the loss, 
misuse, or unauthorized access to or modification of such 
information;
    (b) Limit the collection of information which identifies 
individuals to that which is legally authorized and necessary for 
the proper performance of agency functions;
    (c) Limit the sharing of information that identifies individuals 
or contains proprietary information to that which is legally 
authorized, and impose appropriate conditions on use where a 
continuing obligation to ensure the confidentiality of the 
information exists;
    (d) Provide individuals, upon request, access to records about 
them maintained in Privacy Act systems of records, and permit them 
to amend such records as are in error consistent with the provisions 
of the Privacy Act.
    b. Information Systems and Information Technology Management
    (1) Evaluation and Performance Measurement. Agencies shall 
promote the appropriate application of Federal information resources 
as follows:
    (a) Seek opportunities to improve the effectiveness and 
efficiency of government programs through work process redesign and 
the judicious application of information technology;
    (b) Prepare, and update as necessary throughout the information 
system life cycle, a benefit-cost analysis for each information 
system:
    (i) At a level of detail appropriate to the size of the 
investment;
    (ii) Consistent with the methodology described in OMB Circular 
No. A-94, ``Guidelines and Discount Rates for Benefit-Cost Analysis 
of Federal Programs;'' and
    (iii) that relies on systematic measures of mission performance, 
including the:
    (a) Effectiveness of program delivery;
    (b) Efficiency of program administration; and
    (c) Reduction in burden, including information collection 
burden, imposed on the public;
    (c) Conduct benefit-cost analyses to support ongoing management 
oversight processes that maximize return on investment and minimize 
financial and operational risk for investments in major information 
systems on an agency-wide basis; and
    (d) Conduct post-implementation reviews of information systems 
to validate estimated benefits and document effective management 
practices for broader use.
    (2) Strategic Information Resources Management (IRM) Planning. 
Agencies shall establish and maintain strategic information 
resources management planning processes which include the following 
components:
    (a) Strategic IRM planning that addresses how the management of 
information resources promotes the fulfillment of an agency's 
mission. This planning process should support the development and 
maintenance of a strategic IRM plan that reflects and anticipates 
changes in the agency's mission, policy direction, technological 
capabilities, or resource levels;
    (b) Information planning that promotes the use of information 
throughout its life cycle to maximize the usefulness of information, 
minimize the burden on the public, and preserve the appropriate 
integrity, availability, and confidentiality of information. It 
shall specifically address the planning and budgeting for the 
information collection burden imposed on the public as defined by 5 
CFR 1320;
    (c) Operational information technology planning that links 
information technology to anticipated program and mission needs, 
reflects budget constraints, and forms the basis for budget 
requests. This planning should result in the preparation and 
maintenance of an up-to-date five-year plan, as required by 44 
U.S.C. 3506, which includes:
    (i) A listing of existing and planned major information systems;
    (ii) A listing of planned information technology acquisitions;
    (iii) An explanation of how the listed major information systems 
and planned information technology acquisitions relate to each other 
and support the achievement of the agency's mission; and
    (iv) A summary of computer security planning, as required by 
Section 6 of the Computer Security Act of 1987 (40 U.S.C. 759 note); 
and
    (d) Coordination with other agency planning processes including 
strategic, human resources, and financial resources. 

[[Page 6434]]

    (3) Information Systems Management Oversight. Agencies shall 
establish information system management oversight mechanisms that:
    (a) Ensure that each information system meets agency mission 
requirements;
    (b) Provide for periodic review of information systems to 
determine:
    (i) How mission requirements might have changed;
    (ii) Whether the information system continues to fulfill ongoing 
and anticipated mission requirements; and
    (iii) What level of maintenance is needed to ensure the 
information system meets mission requirements cost effectively;
    (c) Ensure that the official who administers a program supported 
by an information system is responsible and accountable for the 
management of that information system throughout its life cycle;
    (d) Provide for the appropriate training for users of Federal 
information resources;
    (e) Prescribe Federal information system requirements that do 
not unduly restrict the prerogatives of State, local, and tribal 
governments;
    (f) Ensure that major information systems proceed in a timely 
fashion towards agreed-upon milestones in an information system life 
cycle, meet user requirements, and deliver intended benefits to the 
agency and affected publics through coordinated decision making 
about the information, human, financial, and other supporting 
resources; and
    (g) Ensure that financial management systems conform to the 
requirements of OMB Circular No. A-127, ``Financial Management 
Systems.''
    (4) Use of Information Resources. Agencies shall create and 
maintain management and technical frameworks for using information 
resources that document linkages between mission needs, information 
content, and information technology capabilities. These frameworks 
should guide both strategic and operational IRM planning. They 
should also address steps necessary to create an open systems 
environment. Agencies shall implement the following principles:
    (a) Develop information systems in a manner that facilitates 
necessary interoperability, application portability, and scalability 
of computerized applications across networks of heterogeneous 
hardware, software, and communications platforms;
    (b) Ensure that improvements to existing information systems and 
the development of planned information systems do not unnecessarily 
duplicate information systems available within the same agency, from 
other agencies, or from the private sector;
    (c) Share available information systems with other agencies to 
the extent practicable and legally permissible;
    (d) Meet information technology needs through intra-agency and 
inter-agency sharing, when it is cost effective, before acquiring 
new information technology resources;
    (e) For Information Processing Service Organizations (IPSOs) 
that have costs in excess of $5 million per year, agencies shall:
    (i) Account for the full costs of operating all IPSOs; (ii) 
Recover the costs incurred for providing IPSO services to all 
service recipients on an equitable basis commensurate with the costs 
required to provide those services; and
    (iii) Document sharing agreements between service recipients and 
IPSOs; and
    (f) Establish a level of security for all information systems 
that is commensurate with the risk and magnitude of the harm 
resulting from the loss, misuse, or unauthorized access to or 
modification of the information contained in these information 
systems.
    (5) Acquisition of Information Technology. Agencies shall:
    (a) Acquire information technology in a manner that makes use of 
full and open competition and that maximizes return on investment;
    (b) Acquire off-the-shelf software from commercial sources, 
unless the cost effectiveness of developing custom software to meet 
mission needs is clear and has been documented;
    (c) Acquire information technology in accordance with OMB 
Circular No. A-109, ``Acquisition of Major Systems,'' where 
appropriate; and
    (d) Acquire information technology in a manner that considers 
the need for accommodations of accessibility for individuals with 
disabilities to the extent that needs for such access exist.

9. Assignment of Responsibilities

    a. All Federal Agencies. The head of each agency shall:
    (1) Have primary responsibility for managing agency information 
resources;
    (2) Ensure that the information policies, principles, standards, 
guidelines, rules, and regulations prescribed by OMB are implemented 
appropriately within the agency;
    (3) Develop internal agency information policies and procedures 
and oversee, evaluate, and otherwise periodically review agency 
information resources management activities for conformity with the 
policies set forth in this Circular;
    (4) Develop agency policies and procedures that provide for 
timely acquisition of required information technology;
    (5) Maintain an inventory of the agencies' major information 
systems, holdings and information dissemination products, as 
required by 44 U.S.C. 3511.
    (6) Implement and enforce applicable records management policies 
and procedures, including requirements for archiving information 
maintained in electronic format, particularly in the planning, 
design and operation of information systems.
    (7) Identify to the Director, OMB, statutory, regulatory, and 
other impediments to efficient management of Federal information 
resources and recommend to the Director legislation, policies, 
procedures, and other guidance to improve such management;
    (8) Assist OMB in the performance of its functions under the PRA 
including making services, personnel, and facilities available to 
OMB for this purpose to the extent practicable;
    (9) Appoint a senior official, as required by 44 U.S.C. 3506(a), 
who shall report directly to the agency head to carry out the 
responsibilities of the agency under the PRA. The head of the agency 
shall keep the Director, OMB, advised as to the name, title, 
authority, responsibilities, and organizational resources of the 
senior official. For purposes of this paragraph, military 
departments and the Office of the Secretary of Defense may each 
appoint one official.
    (10) Direct the senior official appointed pursuant to 44 U.S.C. 
3506(a) to monitor agency compliance with the policies, procedures, 
and guidance in this Circular. Acting as an ombudsman, the senior 
official shall consider alleged instances of agency failure to 
comply with this Circular and recommend or take corrective action as 
appropriate. The senior official shall report annually, not later 
than February 1st of each year, to the Director those instances of 
alleged failure to comply with this Circular and their resolution.
    b. Department of State. The Secretary of State shall:
    (1) Advise the Director, OMB, on the development of United 
States positions and policies on international information policy 
issues affecting Federal Government information activities and 
ensure that such positions and policies are consistent with Federal 
information resources management policy;
    (2) Ensure, in consultation with the Secretary of Commerce, that 
the United States is represented in the development of international 
information technology standards, and advise the Director, OMB, of 
such activities.
    c. Department of Commerce. The Secretary of Commerce shall:
    (1) Develop and issue Federal Information Processing Standards 
and guidelines necessary to ensure the efficient and effective 
acquisition, management, security, and use of information 
technology;
    (2) Advise the Director, OMB, on the development of policies 
relating to the procurement and management of Federal 
telecommunications resources;
    (3) Provide OMB and the agencies with scientific and technical 
advisory services relating to the development and use of information 
technology;
    (4) Conduct studies and evaluations concerning 
telecommunications technology, and concerning the improvement, 
expansion, testing, operation, and use of Federal telecommunications 
systems and advise the Director, OMB, and appropriate agencies of 
the recommendations that result from such studies;
    (5) Develop, in consultation with the Secretary of State and the 
Director of OMB, plans, policies, and programs relating to 
international telecommunications issues affecting government 
information activities;
    (6) Identify needs for standardization of telecommunications and 
information processing technology, and develop standards, in 
consultation with the Secretary of Defense and the Administrator of 
General Services, to ensure efficient application of such 
technology;
    (7) Ensure that the Federal Government is represented in the 
development of national and, in consultation with the Secretary of 

[[Page 6435]]
State, international information technology standards, and advise the 
Director, OMB, of such activities.
    d. Department of Defense. The Secretary of Defense shall 
develop, in consultation with the Administrator of General Services, 
uniform Federal telecommunications standards and guidelines to 
ensure national security, emergency preparedness, and continuity of 
government.
    e. General Services Administration. The Administrator of General 
Services shall:
    (1) Advise the Director, OMB, and agency heads on matters 
affecting the procurement of information technology;
    (2) Coordinate and, when required, provide for the purchase, 
lease, and maintenance of information technology required by Federal 
agencies;
    (3) Develop criteria for timely procurement of information 
technology and delegate procurement authority to agencies that 
comply with the criteria;
    (4) Provide guidelines and regulations for Federal agencies, as 
authorized by law, on the acquisition, maintenance, and disposition 
of information technology, and for implementation of Federal 
Information Processing Standards;
    (5) Develop policies and guidelines that facilitate the sharing 
of information technology among agencies as required by this 
Circular;
    (6) Manage the Information Technology Fund in accordance with 
the Federal Property and Administrative Services Act as amended;
    f. Office of Personnel Management. The Director, Office of 
Personnel Management, shall:
    (1) Develop and conduct training programs for Federal personnel 
on information resources management including end-user computing;
    (2) Evaluate periodically future personnel management and 
staffing requirements for Federal information resources management;
    (3) Establish personnel security policies and develop training 
programs for Federal personnel associated with the design, 
operation, or maintenance of information systems.
    g. National Archives and Records Administration. The Archivist 
of the United States shall:
    (1) Administer the Federal records management program in 
accordance with the National Archives and Records Act;
    (2) Assist the Director, OMB, in developing standards and 
guidelines relating to the records management program.
    h. Office of Management and Budget. The Director of the Office 
of Management and Budget shall:
    (1) Provide overall leadership and coordination of Federal 
information resources management within the executive branch;
    (2) Serve as the President's principal adviser on procurement 
and management of Federal telecommunications systems, and develop 
and establish policies for procurement and management of such 
systems;
    (3) Issue policies, procedures, and guidelines to assist 
agencies in achieving integrated, effective, and efficient 
information resources management;
    (4) Initiate and review proposals for changes in legislation, 
regulations, and agency procedures to improve Federal information 
resources management;
    (5) Review and approve or disapprove agency proposals for 
collection of information from the public, as defined by 5 CFR 
1320.3;
    (6) Develop and maintain a Governmentwide strategic plan for 
information resources management.
    (7) Evaluate agencies' information resources management and 
identify cross-cutting information policy issues through the review 
of agency information programs, information collection budgets, 
information technology acquisition plans, fiscal budgets, and by 
other means;
    (8) Provide policy oversight for the Federal records management 
function conducted by the National Archives and Records 
Administration, coordinate records management policies and programs 
with other information activities, and review compliance by agencies 
with records management requirements;
    (9) Review agencies' policies, practices, and programs 
pertaining to the security, protection, sharing, and disclosure of 
information, in order to ensure compliance, with respect to privacy 
and security, with the Privacy Act, the Freedom of Information Act, 
the Computer Security Act and related statutes;
    (10) Resolve information technology procurement disputes between 
agencies and the General Services Administration pursuant to Section 
111 of the Federal Property and Administrative Services Act;
    (11) Review proposed U.S. Government Position and Policy 
statements on international issues affecting Federal Government 
information activities and advise the Secretary of State as to their 
consistency with Federal information resources management policy.
    (12) Coordinate the development and review by the Office of 
Information and Regulatory Affairs of policy associated with Federal 
procurement and acquisition of information technology with the 
Office of Federal Procurement Policy.
    10. Oversight:
    a. The Director, OMB, will use information technology planning 
reviews, fiscal budget reviews, information collection budget 
reviews, management reviews, and such other measures as the Director 
deems necessary to evaluate the adequacy and efficiency of each 
agency's information resources management and compliance with this 
Circular.
    b. The Director, OMB, may, consistent with statute and upon 
written request of an agency, grant a waiver from particular 
requirements of this Circular. Requests for waivers must detail the 
reasons why a particular waiver is sought, identify the duration of 
the waiver sought, and include a plan for the prompt and orderly 
transition to full compliance with the requirements of this 
Circular. Notice of each waiver request shall be published promptly 
by the agency in the Federal Register, with a copy of the waiver 
request made available to the public on request.
    11. Effectiveness: This Circular is effective upon issuance. 
Nothing in this Circular shall be construed to confer a private 
right of action on any person.
    12. Inquiries: All questions or inquiries should be addressed to 
the Office of Information and Regulatory Affairs, Office of 
Management and Budget, Washington, D.C. 20503. Telephone: (202) 395-
3785.
    13. Sunset Review Date: OMB will review this Circular three 
years from the date of issuance to ascertain its effectiveness.

Appendix I to OMB Circular No. A-130--Federal Agency Responsibilities 
for Maintaining Records About Individuals

1. Purpose and Scope

    This Appendix describes agency responsibilities for implementing 
the reporting and publication requirements of the Privacy Act of 
1974, 5 U.S.C. 552a, as amended (hereinafter ``the Act''). It 
applies to all agencies subject to the Act. Note that this Appendix 
does not rescind other guidance OMB has issued to help agencies 
interpret the Privacy Act's provisions, e.g., Privacy Act Guidelines 
(40 FR 28949-28978, July 9, 1975), or Final Guidance for Conducting 
Matching Programs (54 FR at 25819, June 19, 1989).

2. Definitions

    a. The terms ``agency,'' ``individual,'' ``maintain,'' 
``matching program,'' ``record,'' ``system of records,'' and 
``routine use,'' as used in this Appendix, are defined in the Act (5 
U.S.C. 552a(a)).
    b. Matching Agency. Generally, the Recipient Federal agency (or 
the Federal source agency in a match conducted by a nonfederal 
agency) is the matching agency and is responsible for meeting the 
reporting and publication requirements associated with the matching 
program. However, in large, multi-agency matching programs, where 
the recipient agency is merely performing the matches and the 
benefit accrues to the source agencies, the partners should assign 
responsibility for compliance with the administrative requirements 
in a fair and reasonable way. This may mean having the matching 
agency carry out these requirements for all parties, having one 
participant designated to do so, or having each source agency do so 
for its own matching program(s).
    c. Nonfederal Agency. Nonfederal agencies are State or local 
governmental agencies receiving or providing records in a matching 
program with a Federal agency.
    d. Recipient Agency. Recipient agencies are Federal agencies or 
their contractors receiving automated records from the Privacy Act 
systems of records of other Federal agencies, or from State or local 
governments, to be used in a matching program as defined in the Act.
    e. Source Agency. A source agency is a Federal agency that 
discloses automated records from a system of records to another 
Federal agency or to a State or local agency to be used in a 
matching program. It is also a State or local agency that discloses 
records to a Federal agency for use in a matching program. 

[[Page 6436]]


3. Assignment of Responsibilities

    a. All Federal Agencies. In addition to meeting the agency 
requirements contained in the Act and the specific reporting and 
publication requirements detailed in this Appendix, the head of each 
agency shall ensure that the following reviews are conducted as 
often as specified below, and be prepared to report to the Director, 
OMB, the results of such reviews and the corrective action taken to 
resolve problems uncovered. The head of each agency shall:
    (1) Section (m) Contracts. Review every two years a random 
sample of agency contracts that provide for the maintenance of a 
system of records on behalf of the agency to accomplish an agency 
function, in order to ensure that the wording of each contract makes 
the provisions of the Act binding on the contractor and his or her 
employees. (See 5 U.S.C. 552a(m)(1)).
    (2) Recordkeeping Practices. Review biennially agency 
recordkeeping and disposal policies and practices in order to assure 
compliance with the Act, paying particular attention to the 
maintenance of automated records.
    (3) Routine Use Disclosures. Review every four years the routine 
use disclosures associated with each system of records in order to 
ensure that the recipient's use of such records continues to be 
compatible with the purpose for which the disclosing agency 
collected the information.
    (4) Exemption of Systems of Records. Review every four years 
each system of records for which the agency has promulgated 
exemption rules pursuant to Section (j) or (k) of the Act in order 
to determine whether such exemption is still needed.
    (5) Matching Programs. Review annually each ongoing matching 
program in which the agency has participated during the year in 
order to ensure that the requirements of the Act, the OMB guidance, 
and any agency regulations, operating instructions, or guidelines 
have been met.
    (6) Privacy Act Training. Review biennially agency training 
practices in order to ensure that all agency personnel are familiar 
with the requirements of the Act, with the agency's implementing 
regulation, and with any special requirements of their specific 
jobs.
    (7) Violations. Review biennially the actions of agency 
personnel that have resulted either in the agency being found 
civilly liable under Section (g) of the Act, or an employee being 
found criminally liable under the provisions of Section (i) of the 
Act, in order to determine the extent of the problem, and to find 
the most effective way to prevent recurrence of the problem.
    (8) Systems of Records Notices. Review biennially each system of 
records notice to ensure that it accurately describes the system of 
records. Where minor changes are needed, e.g., the name of the 
system manager, ensure that an amended notice is published in the 
Federal Register. Agencies may choose to make one annual 
comprehensive publication consolidating such minor changes. This 
requirement is distinguished from and in addition to the requirement 
to report to OMB and Congress significant changes to systems of 
records and to publish those changes in the Federal Register (See 
paragraph 4c of this Appendix).
    b. Department of Commerce. The Secretary of Commerce shall, 
consistent with guidelines issued by the Director, OMB, develop and 
issue standards and guidelines for ensuring the security of 
information protected by the Act in automated information systems.
    c. The Department of Defense, General Services Administration, 
and National Aeronautics and Space Administration. These agencies 
shall, consistent with guidelines issued by the Director, OMB, 
ensure that instructions are issued on what agencies must do in 
order to comply with the requirements of Section (m) of the Act when 
contracting for the operation of a system of records to accomplish 
an agency purpose.
    d. Office of Personnel Management. The Director of the Office of 
Personnel Management shall, consistent with guidelines issued by the 
Director, OMB:
    (1) Develop and maintain government-wide standards and 
procedures for civilian personnel information processing and 
recordkeeping directives to assure conformance with the Act.
    (2) Develop and conduct Privacy Act training programs for agency 
personnel, including both the conduct of courses in various 
substantive areas (e.g., administrative, information technology) and 
the development of materials that agencies can use in their own 
courses. The assignment of this responsibility to OPM does not 
affect the responsibility of individual agency heads for developing 
and conducting training programs tailored to the specific needs of 
their own personnel.
    e. National Archives and Records Administration. The Archivist 
of the United States through the Office of the Federal Register, 
shall, consistent with guidelines issued by the Director, OMB:
    (1) Issue instructions on the format of the agency notices and 
rules required to be published under the Act.
    (2) Compile and publish every two years, the rules promulgated 
under 5 U.S.C. 552a(f) and agency notices published under 5 U.S.C. 
552a(e)(4) in a form available to the public at low cost.
    (3) Issue procedures governing the transfer of records to 
Federal Records Centers for storage, processing, and servicing 
pursuant to 44 U.S.C. 3103. For purposes of the Act, such records 
are considered to be maintained by the agency that deposited them. 
The Archivist may disclose deposited records only according to the 
access rules established by the agency that deposited them.
    f. Office of Management and Budget. The Director of the Office 
of Management and Budget will:
    (1) Issue guidelines and directives to the agencies to implement 
the Act.
    (2) Assist the agencies, at their request, in implementing their 
Privacy Act programs.
    (3) Review new and altered system of records and matching 
program reports submitted pursuant to Section (o) of the Act.
    (4) Compile the biennial report of the President to Congress in 
accordance with Section (s) of the Act.
    (5) Compile and issue a biennial report on the agencies' 
implementation of the computer matching provisions of the Privacy 
Act, pursuant to Section (u)(6) of the Act.
    4. Reporting Requirements. The Privacy Act requires agencies to 
make the following kinds of reports:

----------------------------------------------------------------------------------------------------------------
                    Report                           When Due                        Recipient**                
----------------------------------------------------------------------------------------------------------------
Biennial Privacy Act Report..................  June 30, 1996,       Administrator, OIRA.                        
                                                1998, 2000, 2002.                                               
Biennial Matching Activity Report............  June 30, 1996,       Administrator, OIRA.                        
                                                1998, 2000, 2002.                                               
New System of Records Report.................  When establishing a  Administrator, OIRA, Congress.              
                                                system of records--                                             
                                                at least 40 days                                                
                                                before operating                                                
                                                the system*.                                                    
Altered System of Records Report.............  When adding a new    *Administrator, OIRA, Congress.             
                                                routine use,                                                    
                                                exemption, or                                                   
                                                otherwise                                                       
                                                significantly                                                   
                                                altering an                                                     
                                                existing system of                                              
                                                records--at least                                               
                                                40 days before                                                  
                                                change to system                                                
                                                takes place.                                                    
New Matching Program Report..................  When establishing a  Administrator, OIRA, Congress.              
                                                new matching                                                    
                                                program--at least                                               
                                                40 days before                                                  
                                                operating the                                                   
                                                program*.                                                       
Renewal of Existing Matching Program.........  At least 40 days     Administrator, OIRA, Congress.              
                                                prior to                                                        
                                                expiration of any                                               
                                                one year extension                                              
                                                of the original                                                 
                                                program--treat as                                               
                                                a new program.                                                  
Altered Matching Program.....................  When making a        Administrator, OIRA, Congress.              
                                                significant change                                              
                                                to an existing                                                  
                                                matching program--                                              
                                                at least 40 days                                                
                                                before operating                                                
                                                an altered                                                      
                                                program*.                                                       
Matching Agreements..........................  At least 40 days     Congress.                                   
                                                prior to the start                                              
                                                of a matching                                                   
                                                program*.                                                       
----------------------------------------------------------------------------------------------------------------
*Review Period: Note that the statutory reporting requirement is 30 days prior; the additional ten days will    
  ensure that OMB and Congress have sufficient time to review the proposal. Agencies should therefore ensure    
  that reports are mailed expeditiously after being signed.                                                     
**Recipient Addresses: At bottom of envelope print ``Privacy Act Report''.                                      

 
[[Page 6437]]

    House of Representatives: The Chair of the House Committee on 
Government Reform and Oversight, 2157 RHOB, Washington, D.C. 20515-
6143.
    Senate: The Chair of the Senate Committee on Governmental 
Affairs, 340 SDOB, Washington, D.C. 20510-6250.
    Office of Management and Budget: The Administrator of the Office 
of Information and Regulatory Affairs, Office of Management and 
Budget, ATTN: Docket Library, NEOB Room 10012, Washington, D.C. 
20503.
    a. Biennial Privacy Act Report. To provide the necessary 
information for the biennial report of the President, agencies shall 
submit a biennial report to OMB, covering their Privacy Act 
activities for the calendar years covered by the reporting period. 
The exact format of the report will be established by OMB. At a 
minimum, however, agencies should collect and be prepared to report 
the following data on a calendar year basis:
     (1) A listing of publication activity during the year showing 
the following:

*Total Number of Systems of Records (Exempt/NonExempt)
*Number of New Systems of Records Added (Exempt/NonExempt)
*Number Routine Uses Added
*Number Exemptions Added to Existing Systems
*Number Exemptions Deleted from Existing Systems
*Total Number of Automated Systems of Records (Exempt/NonExempt)

    The agency should provide a brief narrative describing those 
activities in detail, e.g., ``the Department added a (k)(1) 
exemption to an existing system of records entitled ``Investigative 
Records of the Office of Investigations;'' or ``the agency added a 
new routine use to a system of records entitled `Employee Health 
Records' that would permit disclosure of health data to researchers 
under contract to the agency to perform workplace risk analysis.''
    (2) A brief description of any public comments received on 
agency publication and implementation activities, and agency 
response.
    (3) Number of access and amendment requests from record subjects 
citing the Privacy Act that were received during the calendar year 
of the report. Also the disposition of requests from any year that 
were completed during the calendar year of the report:

*Total Number of Access Requests
    Number Granted in Whole
    Number Granted in Part
    Number Wholly Denied
    Number For Which No Record Found
*Total Amendment Requests
    Number Granted in Whole
    Number Granted in Part
    Number Wholly Denied
*Number of Appeals of Denials of Access
    Number Granted in Whole
    Number Granted in Part
    Number Wholly Denied
    Number For Which No Record Found
*Number of Appeals of Denials of Amendment
    Number Granted in Whole
    Number Granted in Part
    Number Wholly Denied

    (4) Number of instances in which individuals brought suit under 
section (g) of the Privacy Act against the agency and the results of 
any such litigation that resulted in a change to agency practices or 
affected guidance issued by OMB.
    (5) Results of the reviews undertaken in response to paragraph 
3a of this Appendix.
    (6) Description of agency Privacy Act training activities 
conducted in accordance with paragraph 3a(6) of this Appendix.
    b. Biennial Matching Activity Report (See 5 U.S.C. 
552a(u)(3)(D)). At the end of each calendar year, the Data Integrity 
Board of each agency that has participated in a matching program 
will collect data summarizing that year's matching activity. The Act 
requires that such activity be reported every two years. OMB will 
establish the exact format of the report, but agencies' Data 
Integrity Boards should be prepared to report the data identified 
below both to the agency head and to OMB:
    (1) A listing of the names and positions of the members of the 
Data Integrity Board and showing separately the name of the Board 
Secretary, his or her agency mailing address, and telephone number. 
Also show and explain any changes in membership or structure 
occurring during the reporting year.
    (2) A listing of each matching program, by title and purpose, in 
which the agency participated during the reporting year. This 
listing should show names of participant agencies, give a brief 
description of the program, and give a page citation and the date of 
the Federal Register notice describing the program.
    (3) For each matching program, an indication of whether the 
cost/benefit analysis performed resulted in a favorable ratio. The 
Data Integrity Board should explain why the agency proceeded with 
any matching program for which an unfavorable ratio was reached.
    (4) For each program for which the Board waived a cost/benefit 
analysis, the reasons for the waiver and the results of the match, 
if tabulated.
    (5) A description of any matching agreement the Board rejected 
and an explanation of the rejection.
    (6) A listing of any violations of matching agreements that have 
been alleged or identified, and a discussion of any action taken.
    (7) A discussion of any litigation involving the agency's 
participation in any matching program.
    (8) For any litigation based on allegations of inaccurate 
records, an explanation of the steps the agency used to ensure the 
integrity of its data as well as the verification process it used in 
the matching program, including an assessment of the adequacy of 
each.
    c. New and Altered System of Records Report. The Act requires 
agencies to publish notices in the Federal Register describing new 
or altered systems of records, and to submit reports to OMB, and to 
the Chair of the Committee on Government Reform and Oversight of the 
House of Representatives, and the Chair of the Committee on 
Governmental Affairs of the Senate. The reports must be transmitted 
at least 40 days prior to the operation of the new system of records 
or the date on which the alteration to an existing system takes 
place.
    (1) Which Alterations Require a Report. Minor changes to systems 
of records need not be reported. For example, a change in the 
designation of the system manager due to a reorganization would not 
require a report, so long as an individual's ability to gain access 
to his or her records is not affected. Other examples include 
changing applicable safeguards as a result of a risk analysis or 
deleting a routine use when there is no longer a need for the 
disclosure. The following changes are those for which a report is 
required:
    (a) A significant increase in the number, type, or category of 
individuals about whom records are maintained. For example, a system 
covering physicians that has been expanded to include other types of 
health care providers, e.g., nurses, technicians, etc., would 
require a report. Increases attributable to normal growth should not 
be reported.
    (b) A change that expands the types or categories of information 
maintained. For example, a benefit system which originally included 
only earned income information that has been expanded to include 
unearned income information.
    (c) A change that alters the purpose for which the information 
is used.
    (d) A change to equipment configuration (either hardware or 
software) that creates substantially greater access to the records 
in the system of records. For example, locating interactive 
terminals at regional offices for accessing a system formerly 
accessible only at the headquarters would require a report.
    (e) The addition of an exemption pursuant to Section (j) or (k) 
of the Act. Note that, in examining a rulemaking for a Privacy Act 
exemption as part of a report of a new or altered system of records, 
OMB will also review the rule under applicable regulatory review 
procedures and agencies need not make a separate submission for that 
purpose.
    (f) The addition of a routine use pursuant to 5 U.S.C. 
552a(b)(3).
    (2) Reporting Changes to Multiple Systems of Records. When an 
agency makes a change to an information technology installation or a 
telecommunication network, or makes any other general changes in 
information collection, processing, dissemination, or storage that 
affect multiple systems of records, it may submit a single, 
consolidated report, with changes to existing notices and supporting 
documentation included in the submission.
    (3) Contents of the New or Altered System Report. The report for 
a new or altered system has three elements: a transmittal letter, a 
narrative statement, and supporting documentation.
    (a) Transmittal Letter. The transmittal letter should be signed 
by the senior agency official responsible for implementation of the 
Act within the agency and should contain the name and telephone 
number of the individual who can best answer questions about the 
system of records. The letter should contain the agency's assurance 
that the proposed system does not duplicate any existing agency or 
government-wide systems of records. The letter sent to OMB may also 
include a request for waiver of the time 

[[Page 6438]]
period for the review. The agency should indicate why it cannot meet 
the established review period and the consequences of not obtaining 
the waiver. (See paragraph 4e below.) There is no prescribed format 
for the letter.
    (b) Narrative Statement. There is also no prescribed format for 
the narrative statement, but it should be brief. It should make 
reference, as appropriate, to information in the supporting 
documentation rather than restating such information. The statement 
should:
    1. Describe the purpose for which the agency is establishing the 
system of records.
    2. Identify the authority under which the system of records is 
maintained. The agency should avoid citing housekeeping statutes, 
but rather cite the underlying programmatic authority for 
collecting, maintaining, and using the information. When the system 
is being operated to support an agency housekeeping program, e.g., a 
carpool locator, the agency may, however, cite a general 
housekeeping statute that authorizes the agency head to keep such 
records as necessary.
    3. Provide the agency's evaluation of the probable or potential 
effect of the proposal on the privacy of individuals.
    4. Provide a brief description of the steps taken by the agency 
to minimize the risk of unauthorized access to the system of 
records. A more detailed assessment of the risks and specific 
administrative, technical, procedural, and physical safeguards 
established shall be made available to OMB upon request.
    5. Explain how each proposed routine use satisfies the 
compatibility requirement of subsection (a)(7) of the Act. For 
altered systems, this requirement pertains only to any newly 
proposed routine use.
    6. Provide OMB Control Numbers, expiration dates, and titles of 
any information collection requests (e.g., forms, surveys, etc.) 
contained in the system of records and approved by OMB under the 
Paperwork Reduction Act. If the request for OMB clearance of an 
information collection is pending, the agency may simply state the 
title of the collection and the date it was submitted for OMB 
clearance.
    (c) Supporting Documentation. Attach the following to all new or 
altered system of records reports:
    1. A copy of the new or altered system of records notice 
consistent with the provisions of 5 U.S.C. 552a(e)(4). The notice 
must appear in the format prescribed by the Office of the Federal 
Register's Document Drafting Handbook. For proposed altered systems 
the agency should supply a copy of the original system of records 
notice to ensure that reviewers can understand the changes proposed. 
If the sole change to an existing system of records is to add a 
routine use, the agency should either republish the entire system of 
records notice, a condensed description of the system of records, or 
a citation to the last full text Federal Register publication.
    2. A copy in Federal Register format of any new exemption rules 
or changes to published rules (consistent with the provisions of 5 
U.S.C. 552a(f),(j), or (k)) that the agency proposes to issue for 
the new or altered system.
    (4) OMB Review. OMB will review reports under 5 U.S.C. 552a(r) 
and provide comments if appropriate. Agencies may assume that OMB 
concurs in the Privacy Act aspects of their proposal if OMB has not 
commented within 40 days from the date the transmittal letter was 
signed. Agencies should ensure that letters are transmitted 
expeditiously after they are signed.
    (5) Timing of Systems of Records Reports. Agencies may publish 
system of records and routine use notices as well as proposed 
exemption rules in the Federal Register at the same time that they 
send the new or altered system report to OMB and Congress. The 
period for OMB and congressional review and the notice and comment 
period for routine uses and exemptions will then run concurrently. 
Note that exemptions must be published as final rules before they 
are effective.
    d. New or Altered Matching Program Report. The Act requires 
agencies to publish notices in the Federal Register describing new 
or altered matching programs, and to submit reports to OMB, and to 
Congress. The report must be received at least 40 days prior to the 
initiation of any matching activity carried out under a new or 
substantially altered matching program. For renewals of continuing 
programs, the report must be dated at least 40 days prior to the 
expiration of any existing matching agreement.
    (1) When to Report Altered Matching Programs. Agencies need not 
report minor changes to matching programs. The term ``minor change 
to a matching program'' means a change that does not significantly 
alter the terms of the agreement under which the program is being 
carried out. Examples of significant changes include:
    (a) Changing the purpose for which the program was established.
    (b) Changing the matching population, either by including new 
categories of record subjects or by greatly increasing the numbers 
of records matched.
    (c) Changing the legal authority covering the matching program.
    (d) Changing the source or recipient agencies involved in the 
matching program.
    (2) Contents of New or Altered Matching Program Report. The 
report for a new or altered matching program has three elements: a 
transmittal letter, a narrative statement, and supporting 
documentation that includes a copy of the proposed Federal Register 
notice.
    (a) Transmittal Letter. The transmittal letter should be signed 
by the senior agency official responsible for implementation of the 
Privacy Act within the agency and should contain the name and 
telephone number of the individual who can best answer questions 
about the matching program. The letter should state that a copy of 
the matching agreement has been distributed to Congress as the Act 
requires. The letter to OMB may also include a request for waiver of 
the review time period. (See 4e below.)
    (b) Narrative Statement. There is no prescribed format for the 
narrative statement, but it should be brief. It should make 
reference, as appropriate, to information in the supporting 
documentation rather than restating such information. The statement 
should provide:
    1. A description of the purpose of the matching program and the 
authority under which it is being carried out.
    2. A description of the security safeguards used to protect 
against any unauthorized access or disclosure of records used in the 
match.
     3. If the cost/benefit analysis required by Section (u)(4)(A) 
indicated an unfavorable ratio or was waived pursuant to OMB 
guidance, an explanation of the basis on which the agency justifies 
conducting the match.
     (c) Supporting Documentation. Attach the following:
     1. A copy of the Federal Register notice describing the 
matching program. The notice must appear in the format prescribed by 
the Office of the Federal Register's Document Drafting Handbook. 
(See 5b (3).)
    2. For the Congressional report only, a copy of the matching 
agreement.
    (3) OMB Review. OMB will review reports under 5 U.S.C. 552a(r) 
and provide comments if appropriate. Agencies may assume that OMB 
concurs in the Privacy Act aspects of their proposal if OMB has not 
commented within 40 days from the date the transmittal letter was 
signed.
    (4) Timing of Matching Program Reports. Agencies should ensure 
that letters are transmitted expeditiously after they are signed. 
Agencies may publish matching program notices in the Federal 
Register at the same time that they send the matching program report 
to OMB and Congress. The period for OMB and congressional review and 
the notice and comment period will then run concurrently.
    e. Expedited Review. The Director, OMB, may grant a waiver of 
the 40-day review period for either systems of records or matching 
program reviews. The agency must ask for the waiver in the 
transmittal letter and demonstrate compelling reasons. When a waiver 
is granted, the agency is not thereby relieved of any other 
requirement of the Act. If no waiver is granted, agencies may 
presume concurrence at the expiration of the 40 day review period if 
OMB has not commented by that time. Note that OMB cannot waive time 
periods specifically established by the Act such as the 30 days 
notice and comment period required for the adoption of a routine use 
proposal pursuant to Section (b)(3) of the Act.
    5. Publication Requirements. The Privacy Act requires agencies 
to publish notices or rules in the Federal Register in the following 
circumstances: when adopting a new or altered system of records, 
when adopting a routine use, when adopting an exemption for a system 
of records, or when proposing to carry out a new or altered matching 
program. (See paragraph 4c(1) and 4d(1) above on what constitutes an 
alteration requiring a report to OMB and the Congress.)
    a. Publishing New or Altered Systems of Records Notices and 
Exemption Rules.
    (1) Who Publishes. The agency responsible for operating the 
system of records makes the necessary publication. Publication 
should be carried out at the departmental or agency level. Even 
where a system of records is to 

[[Page 6439]]
be operated exclusively by a component, the department rather than the 
component should publish the notice. Thus, for example, the 
Department of the Treasury would publish a system of records notice 
covering a system operated exclusively by the Internal Revenue 
Service. Note that if the agency is proposing to exempt the system 
under Section (j) or (k) of the Act, it must publish a rule in 
addition to the system of records notice.
    (a) Government-wide Systems of Records. Certain agencies publish 
systems of records containing records for which they have 
government-wide responsibilities. The records may be located in 
other agencies, but they are being used under the authority of and 
in conformance with the rules mandated by the publishing agency. The 
Office of Personnel Management, for example, has published a number 
of government-wide systems of records relating to the operation of 
the government's personnel program. Agencies should not publish 
systems of records that wholly or partly duplicate existing 
government-wide systems of records.
    (b) Section (m) Contract Provisions. When an agency provides by 
contract for the operation of a system of records, it should ensure 
that a system of records notice describing the system has been 
published. It should also review the notice to ensure that it 
contains a routine use under Section (e)(4)(D) of the Act permitting 
disclosure to the contractor and his or her personnel.
    (2) When to Publish.
    (a) System Notice. The system of records notice must appear in 
the Federal Register before the agency begins to operate the system, 
e.g., collect and use the information.
    (b) Routine Use. A routine use must be published in the Federal 
Register 30 days before the agency discloses records pursuant to its 
terms. (Note that the addition of a routine use to an existing 
system of records requires a report to OMB and Congress, and that 
the review period for this report is 40 days.)
    (c) Exemption Rule. A rule exempting a system of records under 
(j) or (k) or the Act must be established through informal 
rulemaking pursuant to the Administrative Procedure Act. This 
process generally requires publication of a proposed rule, a period 
during which the public may comment, publication of a final rule, 
and the adoption of the final rule. Agencies may not withhold 
records under an exemption until these requirements have been met.
    (3) Format. Agencies should follow the publication format 
contained in the Office of the Federal Register's Document Drafting 
Handbook which may be obtained from the Government Printing Office.
    b. Publishing Matching Notices.
    (1) Who Publishes. Generally, the recipient Federal agency (or 
the Federal source agency in a match conducted by a nonfederal 
agency) is responsible for publishing in the Federal Register a 
notice describing the new or altered matching program. However, in 
large, multi-agency matching programs, where the recipient agency is 
merely performing the matches, and the benefit accrues to the source 
agencies, the partners should assign responsibility for compliance 
with the administrative requirements in a fair and reasonable way. 
This may mean having the matching agency carry out these 
requirements for all parties, having one participant designated to 
do so, or having each source agency do so for its own matching 
program(s).
    (2) Timing. Publication must occur at least 30 days prior to the 
initiation of any matching activity carried out under a new or 
substantially altered matching program. For renewals of programs 
agencies wish to continue past the 30 month period of initial 
eligibility (i.e., the initial 18 months plus a one year extension), 
publication must occur at least 30 days prior to the expiration of 
the existing matching agreement. (But note that a report to OMB and 
the Congress is also required with a 40 day review period).
    (3) Format. The matching notice shall be in the format 
prescribed by the Office of the Federal Register's Document Drafting 
Handbook and contain the following information:
    (a) The name of the Recipient Agency.
    (b) The Name(s) of the Source Agencies.
    (c) The beginning and ending dates of the match.
    (d) A brief description of the matching program, including its 
purpose; the legal authorities authorizing its operation; categories 
of individuals involved; and identification of records used, 
including name(s) of Privacy Act Systems of records.
    (e) The identification, address, and telephone number of a 
Recipient Agency official who will answer public inquiries about the 
program.

Appendix II to OMB Circular No. A-130--Cost Accounting, Cost Recovery, 
and Interagency Sharing of Information Technology Facilities

    [The guidance formerly found in Appendix II has been revised and 
placed in Section 8b. See, Transmittal No. 2, 59 FR 37906. Appendix 
II has been deleted and is reserved for future topics.]

Appendix III to OMB Circular No. A-130--Security of Federal Automated 
Information Resources

A. Requirements

1. Purpose

    This Appendix establishes a minimum set of controls to be 
included in Federal automated information security programs; assigns 
Federal agency responsibilities for the security of automated 
information; and links agency automated information security 
programs and agency management control systems established in 
accordance with OMB Circular No. A-123. The Appendix revises 
procedures formerly contained in Appendix III to OMB Circular No. A-
130 (50 FR 52730; December 24, 1985), and incorporates requirements 
of the Computer Security Act of 1987 (P.L. 100-235) and 
responsibilities assigned in applicable national security 
directives.

2. Definitions

    The term:
    a. ``Adequate security'' means security commensurate with the 
risk and magnitude of the harm resulting from the loss, misuse, or 
unauthorized access to or modification of information. This includes 
assuring that systems and applications used by the agency operate 
effectively and provide appropriate confidentiality, integrity, and 
availability, through the use of cost-effective management, 
personnel, operational, and technical controls.
    b. ``Application'' means the use of information resources 
(information and information technology) to satisfy a specific set 
of user requirements.
    c. ``General support system'' or ``system'' means an 
interconnected set of information resources under the same direct 
management control which shares common functionality. A system 
normally includes hardware, software, information, data, 
applications, communications, and people. A system can be, for 
example, a local area network (LAN) including smart terminals that 
supports a branch office, an agency-wide backbone, a communications 
network, a departmental data processing center including its 
operating system and utilities, a tactical radio network, or a 
shared information processing service organization (IPSO).
    d. ``Major application'' means an application that requires 
special attention to security due to the risk and magnitude of the 
harm resulting from the loss, misuse, or unauthorized access to or 
modification of the information in the application. Note: All 
Federal applications require some level of protection. Certain 
applications, because of the information in them, however, require 
special management oversight and should be treated as major. 
Adequate security for other applications should be provided by 
security of the systems in which they operate.
    3. Automated Information Security Programs. Agencies shall 
implement and maintain a program to assure that adequate security is 
provided for all agency information collected, processed, 
transmitted, stored, or disseminated in general support systems and 
major applications.
    Each agency's program shall implement policies, standards and 
procedures which are consistent with government-wide policies, 
standards, and procedures issued by the Office of Management and 
Budget, the Department of Commerce, the General Services 
Administration and the Office of Personnel Management (OPM). 
Different or more stringent requirements for securing national 
security information should be incorporated into agency programs as 
required by appropriate national security directives. At a minimum, 
agency programs shall include the following controls in their 
general support systems and major applications:
    a. Controls for general support systems.
    (1) Assign Responsibility for Security. Assign responsibility 
for security in each system to an individual knowledgeable in the 
information technology used in the system and in providing security 
for such technology.
    (2) System Security Plan. Plan for adequate security of each 
general support system as part of the organization's information 
resources management (IRM) planning process. The security plan shall 
be consistent 

[[Page 6440]]
with guidance issued by the National Institute of Standards and 
Technology (NIST). Independent advice and comment on the security 
plan shall be solicited prior to the plan's implementation. A 
summary of the security plans shall be incorporated into the 
strategic IRM plan required by the Paperwork Reduction Act (44 
U.S.C. Chapter 35) and Section 8(b) of this circular. Security plans 
shall include:
    (a) Rules of the System. Establish a set of rules of behavior 
concerning use of, security in, and the acceptable level of risk 
for, the system. The rules shall be based on the needs of the 
various users of the system. The security required by the rules 
shall be only as stringent as necessary to provide adequate security 
for information in the system. Such rules shall clearly delineate 
responsibilities and expected behavior of all individuals with 
access to the system. They shall also include appropriate limits on 
interconnections to other systems and shall define service provision 
and restoration priorities. Finally, they shall be clear about the 
consequences of behavior not consistent with the rules.
    (b) Training. Ensure that all individuals are appropriately 
trained in how to fulfill their security responsibilities before 
allowing them access to the system. Such training shall assure that 
employees are versed in the rules of the system, be consistent with 
guidance issued by NIST and OPM, and apprise them about available 
assistance and technical security products and techniques. Behavior 
consistent with the rules of the system and periodic refresher 
training shall be required for continued access to the system.
    (c) Personnel Controls. Screen individuals who are authorized to 
bypass significant technical and operational security controls of 
the system commensurate with the risk and magnitude of harm they 
could cause. Such screening shall occur prior to an individual being 
authorized to bypass controls and periodically thereafter.
    (d) Incident Response Capability. Ensure that there is a 
capability to provide help to users when a security incident occurs 
in the system and to share information concerning common 
vulnerabilities and threats. This capability shall share information 
with other organizations, consistent with NIST coordination, and 
should assist the agency in pursuing appropriate legal action, 
consistent with Department of Justice guidance.
    (e) Continuity of Support. Establish and periodically test the 
capability to continue providing service within a system based upon 
the needs and priorities of the participants of the system.
    (f) Technical Security. Ensure that cost-effective security 
products and techniques are appropriately used within the system.
    (g) System Interconnection. Obtain written management 
authorization, based upon the acceptance of risk to the system, 
prior to connecting with other systems. Where connection is 
authorized, controls shall be established which are consistent with 
the rules of the system and in accordance with guidance from NIST.
    (3) Review of Security Controls. Review the security controls in 
each system when significant modifications are made to the system, 
but at least every three years. The scope and frequency of the 
review should be commensurate with the acceptable level of risk for 
the system. Depending on the potential risk and magnitude of harm 
that could occur, consider identifying a deficiency pursuant to OMB 
Circular No. A-123, ``Management Accountability and Control'' and 
the Federal Managers' Financial Integrity Act (FMFIA), if there is 
no assignment of security responsibility, no security plan, or no 
authorization to process for a system.
    (4) Authorize Processing. Ensure that a management official 
authorizes in writing the use of each general support system based 
on implementation of its security plan before beginning or 
significantly changing processing in the system. Use of the system 
shall be re-authorized at least every three years.
    b. Controls for Major Applications.
    (1) Assign Responsibility for Security. Assign responsibility 
for security of each major application to a management official 
knowledgeable in the nature of the information and process supported 
by the application and in the management, personnel, operational, 
and technical controls used to protect it. This official shall 
assure that effective security products and techniques are 
appropriately used in the application and shall be contacted when a 
security incident occurs concerning the application.
    (2) Application Security Plan. Plan for the adequate security of 
each major application, taking into account the security of all 
systems in which the application will operate. The plan shall be 
consistent with guidance issued by NIST. Advice and comment on the 
plan shall be solicited from the official responsible for security 
in the primary system in which the application will operate prior to 
the plan's implementation. A summary of the security plans shall be 
incorporated into the strategic IRM plan required by the Paperwork 
Reduction Act. Application security plans shall include:
    (a) Application Rules. Establish a set of rules concerning use 
of and behavior within the application. The rules shall be as 
stringent as necessary to provide adequate security for the 
application and the information in it. Such rules shall clearly 
delineate responsibilities and expected behavior of all individuals 
with access to the application. In addition, the rules shall be 
clear about the consequences of behavior not consistent with the 
rules.
    (b) Specialized Training. Before allowing individuals access to 
the application, ensure that all individuals receive specialized 
training focused on their responsibilities and the application 
rules. This may be in addition to the training required for access 
to a system. Such training may vary from a notification at the time 
of access (e.g., for members of the public using an information 
retrieval application) to formal training (e.g., for an employee 
that works with a high-risk application).
    (c) Personnel Security. Incorporate controls such as separation 
of duties, least privilege and individual accountability into the 
application and application rules as appropriate. In cases where 
such controls cannot adequately protect the application or 
information in it, screen individuals commensurate with the risk and 
magnitude of the harm they could cause. Such screening shall be done 
prior to the individuals' being authorized to access the application 
and periodically thereafter.
    (d) Contingency Planning. Establish and periodically test the 
capability to perform the agency function supported by the 
application in the event of failure of its automated support.
    (e) Technical Controls. Ensure that appropriate security 
controls are specified, designed into, tested, and accepted in the 
application in accordance with appropriate guidance issued by NIST.
    (f) Information Sharing. Ensure that information shared from the 
application is protected appropriately, comparable to the protection 
provided when information is within the application.
    (g) Public Access Controls. Where an agency's application 
promotes or permits public access, additional security controls 
shall be added to protect the integrity of the application and the 
confidence the public has in the application. Such controls shall 
include segregating information made directly accessible to the 
public from official agency records.
    (3) Review of Application Controls. Perform an independent 
review or audit of the security controls in each application at 
least every three years. Consider identifying a deficiency pursuant 
to OMB Circular No. A-123, ``Management Accountability and Control'' 
and the Federal Managers' Financial Integrity Act if there is no 
assignment of responsibility for security, no security plan, or no 
authorization to process for the application.
    (4) Authorize Processing. Ensure that a management official 
authorizes in writing use of the application by confirming that its 
security plan as implemented adequately secures the application. 
Results of the most recent review or audit of controls shall be a 
factor in management authorizations. The application must be 
authorized prior to operating and re-authorized at least every three 
years thereafter. Management authorization implies accepting the 
risk of each system used by the application.

4. Assignment of Responsibilities

    a. Department of Commerce. The Secretary of Commerce shall:
    (1) Develop and issue appropriate standards and guidance for the 
security of sensitive information in Federal computer systems.
    (2) Review and update guidelines for training in computer 
security awareness and accepted computer security practice, with 
assistance from OPM.
    (3) Provide agencies guidance for security planning to assist in 
their development of application and system security plans.
    (4) Provide guidance and assistance, as appropriate, to agencies 
concerning cost-effective controls when interconnecting with other 
systems.
    (5) Coordinate agency incident response activities to promote 
sharing of incident response information and related 
vulnerabilities. 

[[Page 6441]]

    (6) Evaluate new information technologies to assess their 
security vulnerabilities, with technical assistance from the 
Department of Defense, and apprise Federal agencies of such 
vulnerabilities as soon as they are known.
    b. Department of Defense. The Secretary of Defense shall:
    (1) Provide appropriate technical advice and assistance 
(including work products) to the Department of Commerce.
    (2) Assist the Department of Commerce in evaluating the 
vulnerabilities of emerging information technologies.
    c. Department of Justice. The Attorney General shall:
    (1) Provide appropriate guidance to agencies on legal remedies 
regarding security incidents and ways to report and work with law 
enforcement concerning such incidents.
    (2) Pursue appropriate legal actions when security incidents 
occur.
    d. General Services Administration. The Administrator of General 
Services shall:
    (1) Provide guidance to agencies on addressing security 
considerations when acquiring automated data processing equipment 
(as defined in section 111(a)(2) of the Federal Property and 
Administrative Services Act of 1949, as amended).
    (2) Facilitate the development of contract vehicles for agencies 
to use in the acquisition of cost-effective security products and 
services (e.g., back-up services).
    (3) Provide appropriate security services to meet the needs of 
Federal agencies to the extent that such services are cost-
effective.
    e. Office of Personnel Management. The Director of the Office of 
Personnel Management shall:
    (1) Assure that its regulations concerning computer security 
training for Federal civilian employees are effective.
    (2) Assist the Department of Commerce in updating and 
maintaining guidelines for training in computer security awareness 
and accepted computer security practice.
    f. Security Policy Board. The Security Policy Board shall 
coordinate the activities of the Federal government regarding the 
security of information technology that processes classified 
information in accordance with applicable national security 
directives;

5. Correction of Deficiencies and Reports

    a. Correction of Deficiencies. Agencies shall correct 
deficiencies which are identified through the reviews of security 
for systems and major applications described above.
    b. Reports on Deficiencies. In accordance with OMB Circular No. 
A-123, ``Management Accountability and Control'', if a deficiency in 
controls is judged by the agency head to be material when weighed 
against other agency deficiencies, it shall be included in the 
annual FMFIA report. Less significant deficiencies shall be reported 
and progress on corrective actions tracked at the appropriate agency 
level.
    c. Summaries of Security Plans. Agencies shall include a summary 
of their system security plans and major application plans in the 
strategic plan required by the Paperwork Reduction Act (44 U.S.C. 
3506).

B. Descriptive Information

    The following descriptive language is explanatory. It is 
included to assist in understanding the requirements of the 
Appendix.
    The Appendix re-orients the Federal computer security program to 
better respond to a rapidly changing technological environment. It 
establishes government-wide responsibilities for Federal computer 
security and requires Federal agencies to adopt a minimum set of 
management controls. These management controls are directed at 
individual information technology users in order to reflect the 
distributed nature of today's technology.
    For security to be most effective, the controls must be part of 
day-to-day operations. This is best accomplished by planning for 
security not as a separate activity, but as an integral part of 
overall planning.
    ``Adequate security'' is defined as ``security commensurate with 
the risk and magnitude of harm resulting from the loss, misuse, or 
unauthorized access to or modification of information.'' This 
definition explicitly emphasizes the risk-based policy for cost-
effective security established by the Computer Security Act.
    The Appendix no longer requires the preparation of formal risk 
analyses. In the past, substantial resources have been expended 
doing complex analyses of specific risks to systems, with limited 
tangible benefit in terms of improved security for the systems. 
Rather than continue to try to precisely measure risk, security 
efforts are better served by generally assessing risks and taking 
actions to manage them. While formal risk analyses need not be 
performed, the need to determine adequate security will require that 
a risk-based approach be used. This risk assessment approach should 
include a consideration of the major factors in risk management: the 
value of the system or application, threats, vulnerabilities, and 
the effectiveness of current or proposed safeguards. Additional 
guidance on effective risk assessment is available in ``An 
Introduction to Computer Security: The NIST Handbook'' (March 16, 
1995).
    Discussion of the Appendix's Major Provisions. The following 
discussion is provided to aid reviewers in understanding the changes 
in emphasis in the Appendix.
    Automated Information Security Programs. Agencies are required 
to establish controls to assure adequate security for all 
information processed, transmitted, or stored in Federal automated 
information systems. This Appendix emphasizes management controls 
affecting individual users of information technology. Technical and 
operational controls support management controls. To be effective, 
all must interrelate. For example, authentication of individual 
users is an important management control, for which password 
protection is a technical control. However, password protection will 
only be effective if both a strong technology is employed, and it is 
managed to assure that it is used correctly.
    Four controls are set forth: assigning responsibility for 
security, security planning, periodic review of security controls, 
and management authorization. The Appendix requires that these 
management controls be applied in two areas of management 
responsibility: one for general support systems and one for major 
applications.
    The terms ``general support system'' and ``major application'' 
were used in OMB Bulletins Nos. 88-16 and 90-08. A general support 
system is ``an interconnected set of information resources under the 
same direct management control which shares common functionality.'' 
Such a system can be, for example, a local area network (LAN) 
including smart terminals that supports a branch office, an agency-
wide backbone, a communications network, a departmental data 
processing center including its operating system and utilities, a 
tactical radio network, or a shared information processing service 
organization. Normally, the purpose of a general support system is 
to provide processing or communications support.
    A major application is a use of information and information 
technology to satisfy a specific set of user requirements that 
requires special management attention to security due to the risk 
and magnitude of harm resulting from the loss, misuse or 
unauthorized access to or modification of the information in the 
application. All applications require some level of security, and 
adequate security for most of them should be provided by security of 
the general support systems in which they operate. However, certain 
applications, because of the nature of the information in them, 
require special management oversight and should be treated as major. 
Agencies are expected to exercise management judgement in 
determining which of their applications are major.
    The focus of OMB Bulletins Nos. 88-16 and 90-08 was on 
identifying and securing both general support systems and 
applications which contained sensitive information. The Appendix 
requires the establishment of security controls in all general 
support systems, under the presumption that all contain some 
sensitive information, and focuses extra security controls on a 
limited number of particularly high-risk or major applications.
    a. General Support Systems. The following controls are required 
in all general support systems:
    (1) Assign Responsibility for Security. For each system, an 
individual should be a focal point for assuring there is adequate 
security within the system, including ways to prevent, detect, and 
recover from security problems. That responsibility should be 
assigned in writing to an individual trained in the technology used 
in the system and in providing security for such technology, 
including the management of security controls such as user 
identification and authentication.
    (2) Security Plan. The Computer Security Act requires that 
security plans be developed for all Federal computer systems that 
contain sensitive information. Given the expansion of distributed 
processing since passage of the Act, the presumption in the Appendix 
is that all general support systems contain some sensitive 
information which requires protection to assure its integrity, 
availability, or confidentiality, and therefore all systems require 
security plans. 

[[Page 6442]]

    Previous guidance on security planning was contained in OMB 
Bulletin No. 90-08. This Appendix supersedes OMB Bulletin 90-08 and 
expands the coverage of security plans from Bulletin 90-08 to 
include rules of individual behavior as well as technical security. 
Consistent with OMB Bulletin 90-08, the Appendix directs NIST to 
update and expand security planning guidance and issue it as a 
Federal Information Processing Standard (FIPS). In the interim, 
agencies should continue to use the Appendix of OMB Bulletin No. 90-
08 as guidance for the technical portion of their security plans.
    The Appendix continues the requirement that independent advice 
and comment on the security plan for each system be sought. The 
intent of this requirement is to improve the plans, foster 
communication between managers of different systems, and promote the 
sharing of security expertise.
    This Appendix also continues the requirement from the Computer 
Security Act that summaries of security plans be included in agency 
strategic information resources management plans. OMB will provide 
additional guidance about the contents of those strategic plans, 
pursuant to the Paperwork Reduction Act of 1995.
    The following specific security controls should be included in 
the security plan for a general support system:
    (a) Rules. An important new requirement for security plans is 
the establishment of a set of rules of behavior for individual users 
of each general support system. These rules should clearly delineate 
responsibilities of and expectations for all individuals with access 
to the system. They should be consistent with system-specific policy 
as described in ``An Introduction to Computer Security: The NIST 
Handbook'' (March 16, 1995). In addition, they should state the 
consequences of non-compliance. The rules should be in writing and 
will form the basis for security awareness and training.
    The development of rules for a system must take into 
consideration the needs of all parties who use the system. Rules 
should be as stringent as necessary to provide adequate security. 
Therefore, the acceptable level of risk for the system must be 
established and should form the basis for determining the rules.
    Rules should cover such matters as work at home, dial-in access, 
connection to the Internet, use of copyrighted works, unofficial use 
of government equipment, the assignment and limitation of system 
privileges, and individual accountability. Often rules should 
reflect technical security controls in the system. For example, 
rules regarding password use should be consistent with technical 
password features in the system. Rules may be enforced through 
administrative sanctions specifically related to the system (e.g. 
loss of system privileges) or through more general sanctions as are 
imposed for violating other rules of conduct. In addition, the rules 
should specifically address restoration of service as a concern of 
all users of the system.
    (b) Training. The Computer Security Act requires Federal 
agencies to provide for the mandatory periodic training in computer 
security awareness and accepted computer security practice of all 
employees who are involved with the management, use or operation of 
a Federal computer system within or under the supervision of the 
Federal agency. This includes contractors as well as employees of 
the agency. Access provided to members of the public should be 
constrained by controls in the applications through which access is 
allowed, and training should be within the context of those 
controls. The Appendix enforces such mandatory training by requiring 
its completion prior to granting access to the system. Each new user 
of a general support system in some sense introduces a risk to all 
other users. Therefore, each user should be versed in acceptable 
behavior--the rules of the system--before being allowed to use the 
system. Training should also inform the individual how to get help 
in the event of difficulty with using or security of the system.
    Training should be tailored to what a user needs to know to use 
the system securely, given the nature of that use. Training may be 
presented in stages, for example as more access is granted. In some 
cases, the training should be in the form of classroom instruction. 
In other cases, interactive computer sessions or well-written and 
understandable brochures may be sufficient, depending on the risk 
and magnitude of harm.
    Over time, attention to security tends to dissipate. In 
addition, changes to a system may necessitate a change in the rules 
or user procedures. Therefore, individuals should periodically have 
refresher training to assure that they continue to understand and 
abide by the applicable rules.
    To assist agencies, the Appendix requires NIST, with assistance 
from the Office of Personnel Management (OPM), to update its 
existing guidance. It also proposes that OPM assure that its rules 
for computer security training for Federal civilian employees are 
effective.
    (c) Personnel Controls. It has long been recognized that the 
greatest harm has come from authorized individuals engaged in 
improper activities, whether intentional or accidental. In every 
general support system, a number of technical, operational, and 
management controls are used to prevent and detect harm. Such 
controls include individual accountability, ``least privilege,'' and 
separation of duties.
    Individual accountability consists of holding someone 
responsible for his or her actions. In a general support system, 
accountability is normally accomplished by identifying and 
authenticating users of the system and subsequently tracing actions 
on the system to the user who initiated them. This may be done, for 
example, by looking for patterns of behavior by users.
    Least privilege is the practice of restricting a user's access 
(to data files, to processing capability, or to peripherals) or type 
of access (read, write, execute, delete) to the minimum necessary to 
perform his or her job.
    Separation of duties is the practice of dividing the steps in a 
critical function among different individuals. For example, one 
system programmer can create a critical piece of operating system 
code, while another authorizes its implementation. Such a control 
keeps a single individual from subverting a critical process.
    Nevertheless, in some instances, individuals may be given the 
ability to bypass some significant technical and operational 
controls in order to perform system administration and maintenance 
functions (e.g., LAN administrators or systems programmers). 
Screening such individuals in positions of trust will supplement 
technical, operational, and management controls, particularly where 
the risk and magnitude of harm is high.
    (d) Incident Response Capability. Security incidents, whether 
caused by viruses, hackers, or software bugs, are becoming more 
common. When faced with a security incident, an agency should be 
able to respond in a manner that both protects its own information 
and helps to protect the information of others who might be affected 
by the incident. To address this concern, agencies should establish 
formal incident response mechanisms. Awareness and training for 
individuals with access to the system should include how to use the 
system's incident response capability.
    To be fully effective, incident handling must also include 
sharing information concerning common vulnerabilities and threats 
with those in other systems and other agencies. The Appendix directs 
agencies to effectuate such sharing, and tasks NIST to coordinate 
those agency activities government-wide.
    The Appendix also directs the Department of Justice to provide 
appropriate guidance on pursuing legal remedies in the case of 
serious incidents.
    (e) Continuity of Support. Inevitably, there will be service 
interruptions. Agency plans should assure that there is an ability 
to recover and provide service sufficient to meet the minimal needs 
of users of the system. Manual procedures are generally NOT a viable 
back-up option. When automated support is not available, many 
functions of the organization will effectively cease. Therefore, it 
is important to take cost-effective steps to manage any disruption 
of service.
    Decisions on the level of service needed at any particular time 
and on priorities in service restoration should be made in 
consultation with the users of the system and incorporated in the 
system rules. Experience has shown that recovery plans that are 
periodically tested are substantially more viable than those that 
are not. Moreover, untested plans may actually create a false sense 
of security.
    (f) Technical Security. Agencies should assure that each system 
appropriately uses effective security products and techniques, 
consistent with standards and guidance from NIST. Often such 
techniques will correspond with system rules of behavior, such as in 
the proper use of password protection.
    The Appendix directs NIST to continue to issue computer security 
guidance to assist agencies in planning for and using technical 
security products and techniques. Until such guidance is issued, 
however, the planning guidance included in OMB Bulletin 90-08 can 
assist in determining techniques for 

[[Page 6443]]
effective security in a system and in addressing technical controls in 
the security plan.
    (g) System Interconnection. In order for a community to 
effectively manage risk, it must control access to and from other 
systems. The degree of such control should be established in the 
rules of the system and all participants should be made aware of any 
limitations on outside access. Technical controls to accomplish this 
should be put in place in accordance with guidance issued by NIST.
    There are varying degrees of how connected a system is. For 
example, some systems will choose to isolate themselves, others will 
restrict access such as allowing only e-mail connections or remote 
access only with sophisticated authentication, and others will be 
fully open. The management decision to interconnect should be based 
on the availability and use of technical and non-technical 
safeguards and consistent with the acceptable level of risk defined 
in the system rules.
    (3) Review of Security Controls. The security of a system will 
degrade over time, as the technology evolves and as people and 
procedures change. Reviews should assure that management, 
operational, personnel, and technical controls are functioning 
effectively. Security controls may be reviewed by an independent 
audit or a self review. The type and rigor of review or audit should 
be commensurate with the acceptable level of risk that is 
established in the rules for the system and the likelihood of 
learning useful information to improve security. Technical tools 
such as virus scanners, vulnerability assessment products (which 
look for known security problems, configuration errors, and the 
installation of the latest patches), and penetration testing can 
assist in the on-going review of different facets of systems. 
However, these tools are no substitute for a formal management 
review at least every three years. Indeed, for some high-risk 
systems with rapidly changing technology, three years will be too 
long.
    Depending upon the risk and magnitude of harm that could result, 
weaknesses identified during the review of security controls should 
be reported as deficiencies in accordance with OMB Circular No. A-
123, ``Management Accountability and Control'' and the Federal 
Managers' Financial Integrity Act. In particular, if a basic 
management control such as assignment of responsibility, a workable 
security plan, or management authorization are missing, then 
consideration should be given to identifying a deficiency.
    (4) Authorize Processing. The authorization of a system to 
process information, granted by a management official, provides an 
important quality control (some agencies refer to this authorization 
as accreditation). By authorizing processing in a system, a manager 
accepts the risk associated with it. Authorization is not a decision 
that should be made by the security staff.
    Both the security official and the authorizing management 
official have security responsibilities. In general, the security 
official is closer to the day-to-day operation of the system and 
will direct or perform security tasks. The authorizing official will 
normally have general responsibility for the organization supported 
by the system.
    Management authorization should be based on an assessment of 
management, operational, and technical controls. Since the security 
plan establishes the security controls, it should form the basis for 
the authorization, supplemented by more specific studies as needed. 
In addition, the periodic review of controls should also contribute 
to future authorizations. Some agencies perform ``certification 
reviews'' of their systems periodically. These formal technical 
evaluations lead to a management accreditation, or ``authorization 
to process.'' Such certifications (such as those using the 
methodology in FIPS Pub 102 ``Guideline for Computer Security 
Certification and Accreditation'') can provide useful information to 
assist management in authorizing a system, particularly when 
combined with a review of the broad behavioral controls envisioned 
in the security plan required by the Appendix.
    Re-authorization should occur prior to a significant change in 
processing, but at least every three years. It should be done more 
often where there is a high risk and potential magnitude of harm.
    b. Controls in Major Applications. Certain applications require 
special management attention due to the risk and magnitude of harm 
that could occur. For such applications, the controls of the support 
system(s) in which they operate are likely to be insufficient. 
Therefore, additional controls specific to the application are 
required. Since the function of applications is the direct 
manipulation and use of information, controls for securing 
applications should emphasize protection of information and the way 
it is manipulated.
    (1) Assign Responsibility for Security. By definition, major 
applications are high risk and require special management attention. 
Major applications usually support a single agency function and 
often are supported by more than one general support system. It is 
important, therefore, that an individual be assigned responsibility 
in writing to assure that the particular application has adequate 
security. To be effective, this individual should be knowledgeable 
in the information and process supported by the application and in 
the management, personnel, operational, and technical controls used 
to protect the application.
    (2) Application Security Plans. Security for each major 
application should be addressed by a security plan specific to the 
application. The plan should include controls specific to protecting 
information and should be developed from the application manager's 
perspective. To assist in assuring its viability, the plan should be 
provided to the manager of the primary support system which the 
application uses for advice and comment. This recognizes the 
critical dependence of the security of major applications on the 
underlying support systems they use. Summaries of application 
security plans should be included in strategic information resource 
management plans in accordance with this Circular.
    (a) Application Rules. Rules of behavior should be established 
which delineate the responsibilities and expected behavior of all 
individuals with access to the application. The rules should state 
the consequences of inconsistent behavior. Often the rules will be 
associated with technical controls implemented in the application. 
Such rules should include, for example, limitations on changing 
data, searching databases, or divulging information.
    (b) Specialized Training. Training is required for all 
individuals given access to the application, including members of 
the public. It should vary depending on the type of access allowed 
and the risk that access represents to the security of the 
application and information in it. This training will be in addition 
to that required for access to a support system.
    (c) Personnel Security. For most major applications, management 
controls such as individual accountability requirements, separation 
of duties enforced by access controls, or limitations on the 
processing privileges of individuals, are generally more cost-
effective personnel security controls than background screening. 
Such controls should be implemented as both technical controls and 
as application rules. For example, technical controls to ensure 
individual accountability, such as looking for patterns of user 
behavior, are most effective if users are aware that there is such a 
technical control. If adequate audit or access controls (through 
both technical and non-technical methods) cannot be established, 
then it may be cost-effective to screen personnel, commensurate with 
the risk and magnitude of harm they could cause. The change in 
emphasis on screening in the Appendix should not affect background 
screening deemed necessary because of other duties that an 
individual may perform.
    (d) Contingency Planning. Normally the Federal mission supported 
by a major application is critically dependent on the application. 
Manual processing is generally NOT a viable back-up option. Managers 
should plan for how they will perform their mission and/or recover 
from the loss of existing application support, whether the loss is 
due to the inability of the application to function or a general 
support system failure. Experience has demonstrated that testing a 
contingency plan significantly improves its viability. Indeed, 
untested plans or plans not tested for a long period of time may 
create a false sense of ability to recover in a timely manner.
    (e) Technical Controls. Technical security controls, for example 
tests to filter invalid entries, should be built into each 
application. Often these controls will correspond with the rules of 
behavior for the application. Under the previous Appendix, 
application security was focused on the process by which sensitive, 
custom applications were developed. While that process is not 
addressed in detail in this Appendix, it remains an effective method 
for assuring that security controls are built into applications. 
Additionally, the technical security controls defined in OMB 
Bulletin No. 90-08 will continue, until that guidance is replaced by 
NIST's security planning guidance.
    (f) Information Sharing. Assure that information which is shared 
with Federal 

[[Page 6444]]
organizations, State and local governments, and the private sector is 
appropriately protected comparable to the protection provided when 
the information is within the application. Controls on the 
information may stay the same or vary when the information is shared 
with another entity. For example, the primary user of the 
information may require a high level of availability while the 
secondary user does not, and can therefore relax some of the 
controls designed to maintain the availability of the information. 
At the same time, however, the information shared may require a 
level of confidentiality that should be extended to the secondary 
user. This normally requires notification and agreement to protect 
the information prior to its being shared.
    (g) Public Access Controls. Permitting public access to a 
Federal application is an important method of improving information 
exchange with the public. At the same time, it introduces risks to 
the Federal application. To mitigate these risks, additional 
controls should be in place as appropriate. These controls are in 
addition to controls such as ``firewalls'' that are put in place for 
security of the general support system.
    In general, it is more difficult to apply conventional controls 
to public access systems, because many of the users of the system 
may not be subject to individual accountability policies. In 
addition, public access systems may be a target for mischief because 
of their higher visibility and published access methods.
    Official records need to be protected against loss or 
alteration. Official records in electronic form are particularly 
susceptible since they can be relatively easy to change or destroy. 
Therefore, official records should be segregated from information 
made directly accessible to the public. There are different ways to 
segregate records. Some agencies and organizations are creating 
dedicated information dissemination systems (such as bulletin boards 
or World Wide Web servers) to support this function. These systems 
can be on the outside of secure gateways which protect internal 
agency records from outside access.
    In order to secure applications that allow direct public access, 
conventional techniques such as least privilege (limiting the 
processing capability as well as access to data) and integrity 
assurances (such as checking for viruses, clearly labeling the age 
of data, or periodically spot checking data) should also be used. 
Additional guidance on securing public access systems is available 
from NIST Computer Systems Laboratory Bulletin ``Security Issues in 
Public Access Systems'' (May, 1993).
    (3) Review of Application Controls. At least every three years, 
an independent review or audit of the security controls for each 
major application should be performed. Because of the higher risk 
involved in major applications, the review or audit should be 
independent of the manager responsible for the application. Such 
reviews should verify that responsibility for the security of the 
application has been assigned, that a viable security plan for the 
application is in place, and that a manager has authorized the 
processing of the application. A deficiency in any of these controls 
should be considered a deficiency pursuant to the Federal Manager's 
Financial Integrity Act and OMB Circular No. A-123, ``Management 
Accountability and Control.''
    The review envisioned here is different from the system test and 
certification process required in the current Appendix. That 
process, however, remains useful for assuring that technical 
security features are built into custom-developed software 
applications. While the controls in that process are not 
specifically called for in this Appendix, they remain in Bulletin 
No. 90-08, and are recommended in appropriate circumstances as 
technical controls.
    (4) Authorize Processing. A major application should be 
authorized by the management official responsible for the function 
supported by the application at least every three years, but more 
often where the risk and magnitude of harm is high. The intent of 
this requirement is to assure that the senior official whose mission 
will be adversely affected by security weaknesses in the application 
periodically assesses and accepts the risk of operating the 
application. The authorization should be based on the application 
security plan and any review(s) performed on the application. It 
should also take into account the risks from the general support 
systems used by the application.
    4. Assignment of Responsibilities. The Appendix assigns 
government-wide responsibilities to agencies that are consistent 
with their missions and the Computer Security Act.
    a. Department of Commerce. The Department of Commerce, through 
NIST, is assigned the following responsibilities consistent with the 
Computer Security Act.
    (1) Develop and issue security standards and guidance.
    (2) Review and update, with assistance from OPM, the guidelines 
for security training issued in 1988 pursuant to the Computer 
Security Act to assure they are effective.
    (3) Replace and update the technical planning guidance in the 
appendix to OMB Bulletin 90-08 This should include guidance on 
effective risk-based security absent a formal risk analysis.
    (4) Provide agencies with guidance and assistance concerning 
effective controls for systems when interconnecting with other 
systems, including the Internet. Such guidance on, for example, so-
called ``firewalls'' is becoming widely available and is critical to 
agencies as they consider how to interconnect their communications 
capabilities.
    (5) Coordinate agency incident response activities. Coordination 
of agency incident response activities should address both threats 
and vulnerabilities as well as improve the ability of the Federal 
government for rapid and effective cooperation in response to 
serious security breaches.
    (6) Assess security vulnerabilities in new information 
technologies and apprise Federal agencies of such vulnerabilities. 
The intent of this new requirement is to help agencies understand 
the security implications of technology before they purchase and 
field it. In the past, there have been too many instances where 
agencies have acquired and implemented technology, then found out 
about vulnerabilities in the technology and had to retrofit security 
measures. This activity is intended to help avoid such difficulties 
in the future.
    b. Department of Defense. The Department, through the National 
Security Agency, should provide technical advice and assistance to 
NIST, including work products such as technical security guidelines, 
which NIST can draw upon for developing standards and guidelines for 
protecting sensitive information in Federal computers.
    Also, the Department, through the National Security Agency, 
should assist NIST in evaluating vulnerabilities in emerging 
technologies. Such vulnerabilities may present a risk to national 
security information as well as to unclassified information.
    c. Department of Justice. The Department of Justice should 
provide appropriate guidance to Federal agencies on legal remedies 
available to them when serious security incidents occur. Such 
guidance should include ways to report incidents and cooperate with 
law enforcement.
    In addition, the Department should pursue appropriate legal 
actions on behalf of the Federal government when serious security 
incidents occur.
    d. General Services Administration. The General Services 
Administration should provide agencies guidance for addressing 
security considerations when acquiring information technology 
products or services. This continues the current requirement.
    In addition, where cost-effective to do so, GSA should establish 
government-wide contract vehicles for agencies to use to acquire 
certain security services. Such vehicles already exist for providing 
system back-up support and conducting security analyses.
    GSA should also provide appropriate security services to assist 
Federal agencies to the extent that provision of such services is 
cost-effective. This includes providing, in conjunction with the 
Department of Defense and the Department of Commerce, appropriate 
services which support Federal use of the National Information 
Infrastructure (e.g., use of digital signature technology).
    e. Office of Personnel Management. In accordance with the 
Computer Security Act, OPM should review its regulations concerning 
computer security training and assure that they are effective.
    In addition, OPM should assist the Department of Commerce in the 
review and update of its computer security awareness and training 
guidelines. OPM worked closely with NIST in developing the current 
guidelines and should work with NIST in revising those guidelines.
    f. Security Policy Board. The Security Policy Board is assigned 
responsibility for national security policy coordination in 
accordance with the appropriate Presidential directive. This 
includes policy for the security of information technology used to 
process classified information.
    Circular A-130 and this Appendix do not apply to information 
technology that supports certain critical national security 

[[Page 6445]]
missions, as defined in 44 U.S.C. 3502 (9) and 10 U.S.C. 2315. Policy 
and procedural requirements for the security of national security 
systems (telecommunications and information systems that contain 
classified information or that support those critical national 
security missions (44 U.S.C. 3502 (9) and 10 U.S.C. 2315)) is 
assigned to the Department of Defense pursuant to Presidential 
directive. The Circular clarifies that information classified for 
national security purposes should also be handled in accordance with 
appropriate national security directives. Where classified 
information is required to be protected by more stringent security 
requirements, those requirements should be followed rather than the 
requirements of this Appendix.
    5. Reports. The Appendix requires agencies to provide two 
reports to OMB:
    The first is a requirement that agencies report security 
deficiencies and material weaknesses within their FMFIA reporting 
mechanisms as defined by OMB Circular No. A-123, ``Management 
Accountability and Control,'' and take corrective actions in 
accordance with that directive.
    The second, defined by the Computer Security Act, requires that 
a summary of agency security plans be included in the information 
resources management plan required by the Paperwork Reduction Act.

Appendix IV to OMB Circular No. A-130--Analysis of Key Sections

1. Purpose

    The purpose of this Appendix is to provide a general context and 
explanation for the contents of the key Sections of the Circular.

2. Background

    The Paperwork Reduction Act (PRA) of 1980, Public Law 96-511, as 
amended by the Paperwork Reduction Act of 1995, Public Law 104-13, 
codified at Chapter 35 of Title 44 of the United States Code, 
establishes a broad mandate for agencies to perform their 
information activities in an efficient, effective, and economical 
manner. Section 3504 of the Act provides authority to the Director, 
OMB, to develop and implement uniform and consistent information 
resources management policies; oversee the development and promote 
the use of information management principles, standards, and 
guidelines; evaluate agency information management practices in 
order to determine their adequacy and efficiency, and determine 
compliance of such practices with the policies, principles, 
standards, and guidelines promulgated by the Director.
    The Circular implements OMB authority under the PRA with respect 
to Section 3504(b), general information resources management policy, 
Section 3504(d), information dissemination, Section 3504(f), records 
management, Section 3504(g), privacy and security, and Section 
3504(h), information technology. The Circular also implements 
certain provisions of the Privacy Act of 1974 (5 U.S.C. 552a); the 
Chief Financial Officers Act (31 U.S.C. 3512 et seq.); Sections 111 
and 206 of the Federal Property and Administrative Services Act of 
1949, as amended (40 U.S.C. 759 and 487, respectively); the Computer 
Security Act (40 U.S.C. 759 note); the Budget and Accounting Act of 
1921 (31 U.S.C. 1 et seq.); and Executive Order No. 12046 of March 
27, 1978, and Executive Order No. 12472 of April 3, 1984, Assignment 
of National Security and Emergency Telecommunications Functions. The 
Circular complements 5 CFR Part 1320, Controlling Paperwork Burden 
on the Public, which implements other Sections of the PRA dealing 
with controlling the reporting and recordkeeping burden placed on 
the public.
    In addition, the Circular revises and consolidates policy and 
procedures in seven previous OMB directives and rescinds those 
directives, as follows:
    A-3--Government Publications.
    A-71--Responsibilities for the Administration and Management of 
Automatic Data Processing Activities Transmittal Memorandum No. 1 to 
Circular No. A-71--Security of Federal Automated Information 
Systems.
    A-90--Cooperating with State and Local Governments to Coordinate 
and Improve Information Systems.
    A-108--Responsibilities for the Maintenance of Records about 
Individuals by Federal Agencies
    A-114--Management of Federal Audiovisual Activities
    A-121--Cost Accounting, Cost Recovery, and Interagency Sharing 
of Data Processing Facilities

3. Analysis

    Section 6, Definitions. Access and Dissemination. The original 
Circular No. A-130 distinguished between the terms ``access to 
information'' and ``dissemination of information'' in order to 
separate statutory requirements from policy considerations. The 
first term means giving members of the public, at their request, 
information to which they are entitled by a law such as the FOIA. 
The latter means actively distributing information to the public at 
the initiative of the agency. The distinction appeared useful at the 
time Circular No. A-130 was written, because it allowed OMB to focus 
discussion on Federal agencies' responsibilities for actively 
distributing information. However, popular usage and evolving 
technology have blurred differences between the terms ``access'' and 
``dissemination'' and readers of the Circular were confused by the 
distinction. For example, if an agency ``disseminates'' information 
via an on-line computer system, one speaks of permitting users to 
``access'' the information, and on-line ``access'' becomes a form of 
``dissemination.''
    Thus, the revision defines only the term ``dissemination.'' 
Special considerations based on access statutes such as the Privacy 
Act and the FOIA are explained in context.
    Government Information. The definition of ``government 
information'' includes information created, collected, processed, 
disseminated, or disposed of both by and for the Federal Government. 
This recognizes the increasingly distributed nature of information 
in electronic environments. Many agencies, in addition to collecting 
information for government use and for dissemination to the public, 
require members of the public to maintain information or to disclose 
it to the public. Sound information resources management dictates 
that agencies consider the costs and benefits of a full range of 
alternatives to meet government objectives. In some cases, there is 
no need for the government actually to collect the information 
itself, only to assure that it is made publicly available. For 
example, banks insured by the FDIC must provide statements of 
financial condition to bank customers on request. Particularly when 
information is available in electronic form, networks make the 
physical location of information increasingly irrelevant.
    The inclusion of information created, collected, processed, 
disseminated, or disposed of for the Federal Government in the 
definition of ``government information'' does not imply that 
responsibility for implementing the provisions of the Circular 
itself extends beyond the executive agencies to other entities. Such 
an interpretation would be inconsistent with Section 4, 
Applicability, and with existing law. For example, the courts have 
held that requests to Federal agencies for release of information 
under the FOIA do not always extend to those performing information 
activities under grant or contract to a Federal agency. Similarly, 
grantees may copyright information where the government may not. 
Thus the information responsibilities of grantees and contractors 
are not identical to those of Federal agencies except to the extent 
that the agencies make them so in the underlying grants or 
contracts. Similarly, agency information resources management 
responsibilities do not extend to other entities.
    Information Dissemination Product. This notice defines the term 
``information dissemination product'' to include all information 
that is disseminated by Federal agencies. While the provision of 
access to on-line databases and search software included on compact 
disk, read-only memory (CD-ROM) are often called information 
services rather than products, there is no clear distinction and, 
moreover, no real difference for policy purposes between the two. 
Thus, the term ``information dissemination product'' applies to both 
products and services, and makes no distinction based on how the 
information is delivered.
    Section 8a(1). Information Management Planning. Parallel to new 
Section 7, Basic Considerations and Assumptions, Section 8a begins 
with information resources management planning. Planning is the 
process of establishing a course of action to achieve desired 
results with available resources. Planners translate organizational 
missions into specific goals and, in turn, into measurable 
objectives.
    The PRA introduced the concept of information resources 
management and the principle of information as an institutional 
resource which has both value and associated costs. Information 
resources management is a tool that managers use to achieve agency 
objectives. Information resources management is successful if it 
enables managers to achieve agency objectives efficiently and 
effectively.
    Information resources management planning is an integral part of 
overall mission 

[[Page 6446]]
planning. Agencies need to plan from the outset for the steps in the 
information life cycle. When creating or collecting information, 
agencies must plan how they will process and transmit the 
information, how they will use it, how they will protect its 
integrity, what provisions they will make for access to it, whether 
and how they will disseminate it, how they will store and retrieve 
it, and finally, how the information will ultimately be disposed of. 
They must also plan for the effects their actions and programs will 
have on the public and State and local governments.
    The Role of State and Local Governments. OMB made additions at 
Sections 7a, 7e, and 7j, Basic Considerations and Assumptions, 
concerning State and local governments, and also in policy 
statements at Sections 8a(1)(c), (3)(f), (5)(d)(iii), and (8)(e).
    State and local governments, and tribal governments, cooperate 
as major partners with the Federal Government in the collection, 
processing, and dissemination of information. For example, State 
governments are the principal collectors and/or producers of 
information in the areas of health, welfare, education, labor 
markets, transportation, the environment, and criminal justice.
    The States supply the Federal Government with data on aid to 
families with dependent children; medicare; school enrollments, 
staffing, and financing; statistics on births, deaths, and 
infectious diseases; population related data that form the basis for 
national estimates; employment and labor market data; and data used 
for census geography. National information resources are greatly 
enhanced through these major cooperating efforts.
    Federal agencies need to be sensitive to the role of State and 
local governments, and tribal governments, in managing information 
and in managing information technology. When planning, designing, 
and carrying out information collections, agencies should 
systematically consider what effect their activities will have on 
cities, counties, and States, and take steps to involve these 
governments as appropriate. Agencies should ensure that their 
information collections impose the minimum burden and do not 
duplicate or conflict with local efforts or other Federal agency 
requirements or mandates. The goal is that Federal agencies 
routinely integrate State and local government concerns into Federal 
information resources management practices. This goal is consistent 
with standards for State and local government review of Federal 
policies and programs.
    Training. Training is particularly important in view of the 
changing nature of information resources management. 
Decentralization of information technology has placed the management 
of automated information and information technology directly in the 
hands of nearly all agency personnel rather than in the hands of a 
few employees at centralized facilities. Agencies must plan for 
incorporating policies and procedures regarding computer security, 
records management, protection of privacy, and other safeguards into 
the training of every employee and contractor.
    Section 8a(2). Information Collection. The PRA requires that the 
creation or collection of information be carried out in an 
efficient, effective, and economical manner. When Federal agencies 
create or collect information--just as when they perform any other 
program functions--they consume scarce resources. Such activities 
must be continually evaluated for their relevance to agency 
missions.
    Agencies must justify the creation or collection of information 
based on their statutory functions. Policy statement 8a(2) uses the 
justification standard--``necessary for the proper performance of 
the functions of the agency''--established by the PRA (44 U.S.C. 
3508). Furthermore, the policy statement includes the requirement 
that the information have practical utility, as defined in the PRA 
(44 U.S.C. 3502(11)) and elaborated in 5 CFR Part 1320. Practical 
utility includes such qualities of information as accuracy, 
adequacy, and reliability. In the case of general purpose statistics 
or recordkeeping, practical utility means that actual uses can be 
demonstrated (5 CFR 1320.3(l)). It should be noted that OMB's intent 
in placing emphasis on reducing unjustified burden in collecting 
information, an emphasis consistent with the Act, is not to diminish 
the importance of collecting information whenever agencies have 
legitimate program reasons for doing so. Rather, the concern is that 
the burdens imposed should not exceed the benefits to be derived 
from the information. Moreover, if the same benefit can be obtained 
by alternative means that impose a lesser burden, that alternative 
should be adopted.
    Section 8a(3). Electronic Information Collection. Section 7l 
articulates a basic assumption of the Circular that modern 
information technology can help the government provide better 
service to the public through improved management of government 
programs. One potentially useful application of information 
technology is in the government's collection of information. While 
some information collections may not be good candidates for 
electronic techniques, many are. Agencies with major electronic 
information collection programs have found that automated 
information collections allow them to meet program objectives more 
efficiently and effectively. Electronic data interchange (EDI) and 
related standards for the electronic exchange of information will 
ease transmission and processing of routine business transaction 
information such as invoices, purchase orders, price information, 
bills of lading, health insurance claims, and other common 
commercial documents. EDI holds similar promise for the routine 
filing of regulatory information such as tariffs, customs 
declarations, license applications, tax information, and 
environmental reports.
    Benefits to the public and agencies from electronic information 
collection appear substantial. Electronic methods of collection 
reduce paperwork burden, reduce errors, facilitate validation, and 
provide increased convenience and more timely receipt of benefits.
    The policy in Section 8a(3) encourages agencies to explore the 
use of automated techniques for collection of information, and sets 
forth conditions conducive to the use of those techniques.
    Section 8a(4). Records Management. Section 8a(4) begins with the 
fundamental requirement for Federal records management, namely, that 
agencies create and keep adequate and proper documentation of their 
activities. Federal agencies cannot carry out their missions in a 
responsible and responsive manner without adequate recordkeeping. 
Section 7h articulates the basic considerations concerning records 
management. Policy statements concerning records management are also 
interwoven throughout Section 8a, particularly in subsections on 
planning (8a(1)(j)), information dissemination (8a(6)), and 
safeguards (8a(9)).
    Records support the immediate needs of government--
administrative, legal, fiscal--and ensure its continuity. Records 
are essential for protecting the rights and interests of the public, 
and for monitoring the work of public servants. The government needs 
records to ensure accountability to the public which includes making 
the information available to the public.
    Each stage of the information life cycle carries with it records 
management responsibilities. Agencies need to record their plans, 
carefully document the content and procedures of information 
collection, ensure proper documentation as a feature of every 
information system, keep records of dissemination programs, and, 
finally, ensure that records of permanent value are preserved.
    Preserving records for future generations is the archival 
mission. Advances in technology affect the amount of information 
that can be created and saved, and the ways this information can be 
made available. Technological advances can ease the task of records 
management; however, the rapid pace of change in modern technology 
makes decisions about the appropriate application of technology 
critical to records management. Increasingly the records manager 
must be concerned with preserving valuable electronic records in the 
context of a constantly changing technological environment.
    Records schedules are essential for the appropriate maintenance 
and disposition of records. Records schedules must be prepared in a 
timely fashion, implement the General Records Schedules issued by 
the National Archives and Records Administration, be approved by the 
Archivist of the United States, and be kept accurate and current. 
(See 44 U.S.C. 3301 et seq.) The National Archives and Records 
Administration and the General Services Administration provide 
guidance and assistance to agencies in implementing records 
management responsibilities. They also evaluate agencies' records 
management programs to determine the extent to which they are 
appropriately implementing their records management 
responsibilities.
    Sections 8a(5) and 8a(6). Information Dissemination Policy. 
Section 8a(5). Every agency has a responsibility to inform the 
public within the context of its mission. This responsibility 
requires that agencies distribute information at the agency's 
initiative, rather than merely responding when the public requests 
information.
    The FOIA requires each agency to publish in the Federal Register 
current descriptions 

[[Page 6447]]
of agency organization, where and how the public may obtain 
information, the general methods and procedural requirements by 
which agency functions are determined, rules of procedure, 
descriptions of forms and how to obtain them, substantive 
regulations, statements of general policy, and revisions to all the 
foregoing (5 U.S.C. 552(a)(1)). The Privacy Act also requires 
publication of information concerning ``systems of records'' which 
are records retrieved by individual identifier such as name, Social 
Security Number, or fingerprint. The Government in the Sunshine Act 
requires agencies to publish meeting announcements (5 U.S.C. 552b 
(e)(1)). The PRA (44 U.S.C. 3507(a)(2)) and its implementing 
regulations (5 CFR Part 1320) require agencies to publish notices 
when they submit information collection requests for OMB approval. 
The public's right of access to government information under these 
statutes is balanced against other concerns, such as an individual's 
right to privacy and protection of the government's deliberative 
process.
    As agencies satisfy these requirements, they provide the public 
basic information about government activities. Other statutes direct 
specific agencies to issue specific information dissemination 
products or to conduct information dissemination programs. Beyond 
generic and specific statutory requirements, agencies have 
responsibilities to disseminate information as a necessary part of 
performing their functions. For some agencies the responsibility is 
made explicit and sweeping; for example, the Agriculture Department 
is directed to ``. . . diffuse among people of the United States, 
useful information on subjects connected with agriculture.  . . .'' 
(7 U.S.C. 2201) For other agencies, the responsibility may be much 
more narrowly drawn.
    Information dissemination is also a consequence of other agency 
activities. Agency programs normally include an organized effort to 
inform the public about the program. Most agencies carry out 
programs that create or collect information with the explicit or 
implicit intent that the information will be made public. 
Disseminating information is in many cases the logical extension of 
information creation or collection.
    In other cases, agencies may have information that is not meant 
for public dissemination but which may be the subject of requests 
from the public. When the agency establishes that there is public 
demand for the information and that it is in the public interest to 
disseminate the information, the agency may decide to disseminate it 
automatically.
    The policy in Section 8a(5)(d) sets forth several factors for 
agencies to take into account in conducting their information 
dissemination programs. First, agencies must balance two goals: 
maximizing the usefulness of the information to the government and 
the public, and minimizing the cost to both. Deriving from the basic 
purposes of the PRA (44 U.S.C. 3501), the two goals are frequently 
in tension because increasing usefulness usually costs more. Second, 
Section 8a(5)(d)(ii) requires agencies to conduct information 
dissemination programs equitably and in a timely manner. The word 
``equal'' was removed from this Section since there may be instances 
where, for example, an agency determines that its mission includes 
disseminating information to certain specific groups or members of 
the public, and the agency determines that user charges will 
constitute a significant barrier to carrying out this 
responsibility.
    Section 8a(5)(d)(iii), requiring agencies to take advantage of 
all dissemination channels, recognizes that information reaches the 
public in many ways. Few persons may read a Federal Register notice 
describing an agency action, but those few may be major secondary 
disseminators of the information. They may be affiliated with 
publishers of newspapers, newsletters, periodicals, or books; 
affiliated with on-line database providers; or specialists in 
certain information fields. While millions of information users in 
the public may be affected by the agency's action, only a handful 
may have direct contact with the agency's own information 
dissemination products. As a deliberate strategy, therefore, 
agencies should cooperate with the information's original creators, 
as well as with secondary disseminators, in order to further 
information dissemination goals and foster a diversity of 
information sources. An adjunct responsibility to this strategy is 
reflected in Section 8a(5)(d)(iv), which directs agencies to assist 
the public in finding government information. Agencies may 
accomplish this, for example, by specifying and disseminating 
``locator'' information, including information about content, 
format, uses and limitations, location, and means of access.
    Section 8a(6). Information Dissemination Management System. This 
Section requires agencies to maintain an information dissemination 
management system which can ensure the routine performance of 
certain functions, including the essential functions previously 
required by Circular No. A-3. Smaller agencies need not establish 
elaborate formal systems, so long as the heads of the agencies can 
ensure that the functions are being performed.
    Subsection (6)(a) carries over a requirement from OMB Circular 
No. A-3 that agencies' information dissemination products are to be, 
in the words of 44 U.S.C. 1108, ``necessary in the transaction of 
the public business required by law of the agency.'' (Circular No. 
A-130 uses the expression ``necessary for the proper performance of 
agency functions,'' which OMB considers to be equivalent to the 
expression in 44 U.S.C. 1108.) The point is that agencies should 
determine systematically the need for each information dissemination 
product.
    Section 8a(6)(b) recognizes that to carry out effective 
information dissemination programs, agencies need knowledge of the 
marketplace in which their information dissemination products are 
placed. They need to know what other information dissemination 
products users have available in order to design the best agency 
product. As agencies are constrained by finite budgets, when there 
are several alternatives from which to choose, they should not 
expend public resources filling needs which have already been met by 
others in the public or private sector. Agencies have a 
responsibility not to undermine the existing diversity of 
information sources.
    At the same time, an agency's responsibility to inform the 
public may be independent of the availability or potential 
availability of a similar information dissemination product. That 
is, even when another governmental or private entity has offered an 
information dissemination product identical or similar to what the 
agency would produce, the agency may conclude that it nonetheless 
has a responsibility to disseminate its own product. Agencies should 
minimize such instances of duplication but could reach such a 
conclusion because legal considerations require an official 
government information dissemination product.
    Section 8a(6)(c) makes the Circular consistent with current 
practice (See OMB Bulletins 88-15, 89-15, 90-09, and 91-16), by 
requiring agencies to establish and maintain inventories of 
information dissemination products. (These bulletins eliminated 
annual reporting to OMB of title-by-title listings of publications 
and the requirement for agencies to obtain OMB approval for each new 
periodical. Publications are now reviewed as necessary during the 
normal budget review process.) Inventories help other agencies and 
the public identify information which is available. This serves both 
to increase the efficiency of the dissemination function and to 
avoid unnecessary burdens of duplicative information collections. A 
corollary, enunciated in Section 8a(6)(d), is that agencies can 
better serve public information needs by developing finding aids for 
locating information produced by the agencies. Finally, Section 
8a(6)(f) recognizes that there will be situations where agencies may 
have to take appropriate steps to ensure that members of the public 
with disabilities whom the agency has a responsibility to inform 
have a reasonable ability to access the information dissemination 
products.
    Depository Library Program. Sections 8a(6)(g) and (h) pertain to 
the Federal Depository Library Program. Agencies are to establish 
procedures to ensure compliance with 44 U.S.C. 1902, which requires 
that government publications (defined in 44 U.S.C. 1901 and repeated 
in Section 6 of the Circular) be made available to depository 
libraries through the Government Printing Office (GPO).
    Depository libraries are major partners with the Federal 
Government in the dissemination of information and contribute 
significantly to the diversity of information sources available to 
the public. They provide a mechanism for wide distribution of 
government information that guarantees basic availability to the 
public. Executive branch agencies support the depository library 
program both as a matter of law and on its merits as a means of 
informing the public about the government. On the other hand, the 
law places the administration of depository libraries with GPO. 
Agency responsibility for the depository libraries is limited to 
supplying government publications through GPO. 

[[Page 6448]]

    Agencies can improve their performance in providing government 
publications as well as electronic information dissemination 
products to the depository library program. For example, the 
proliferation of ``desktop publishing'' technology in recent years 
has afforded the opportunity for many agencies to produce their own 
printed documents. Many such documents may properly belong in the 
depository libraries but are not sent because they are not printed 
at GPO. The policy requires agencies to establish management 
controls to ensure that the appropriate documents reach the GPO for 
inclusion in the depository library program.
    At present, few agencies provide electronic information 
dissemination products to the depository libraries. At the same 
time, a small but growing number of information dissemination 
products are disseminated only in electronic format.
    OMB believes that, as a matter of policy, electronic information 
dissemination products generally should be provided to the 
depository libraries. Given that production and supply of 
information dissemination products to the depository libraries is 
primarily the responsibility of GPO, agencies should provide 
appropriate electronic information dissemination products to GPO for 
inclusion in the depository library program.
    While cost may be a consideration, agencies should not conclude 
without investigation that it would be prohibitively expensive to 
place their electronic information dissemination products in the 
depository libraries. For electronic information dissemination 
products other than on-line services, agencies may have the option 
of having GPO produce the information dissemination product for 
them, in which case GPO would pay for depository library costs. 
Agencies should consider this option if it would be a cost effective 
alternative to the agency making its own arrangements for production 
of the information dissemination product. Using GPO's services in 
this manner is voluntary and at the agency's discretion. Agencies 
could also consider negotiating other terms, such as inviting GPO to 
participate in agency procurement orders in order to distribute the 
necessary copies for the depository libraries. With adequate advance 
planning, agencies should be able to provide electronic information 
dissemination products to the depository libraries at nominal cost.
    In a particular case, substantial cost may be a legitimate 
reason for not providing an electronic information dissemination 
product to the depository library program. For example, for an 
agency with a substantial number of existing titles of electronic 
information dissemination products, furnishing copies of each to the 
depository libraries could be prohibitively expensive. In that 
situation, the agency should endeavor to make available those titles 
with the greatest general interest, value, and utility to the 
public. Substantial cost could also be an impediment in the case of 
some on-line information services where the costs associated with 
operating centralized databases would make provision of unlimited 
direct access to numerous users prohibitively expensive. In both 
cases, agencies should consult with the GPO, in order to identify 
those information dissemination products with the greatest public 
interest and utility for dissemination. In all cases, however, where 
an agency discontinues publication of an information dissemination 
product in paper format in favor of electronic formats, the agency 
should work with the GPO to ensure availability of the information 
dissemination product to depository libraries.
    Notice to the Public. Sections 8a(6)(i) and (j) present new 
practices for agencies to observe in communicating with the public 
about information dissemination. Among agencies' responsibilities 
for dissemination is an active knowledge of, and regular 
consultation with, the users of their information dissemination 
products. A primary reason for communication with users is to gain 
their contribution to improving the quality and relevance of 
government information--how it is created, collected, and 
disseminated. Consultations with users might include participation 
at conferences and workshops, careful attention to correspondence 
and telephone communications (e.g., logging and analyzing 
inquiries), or formalized user surveys.
    A key part of communicating with the public is providing 
adequate notice of agency information dissemination plans. Because 
agencies' information dissemination actions affect other agencies as 
well as the public, agencies must forewarn other agencies of 
significant actions. The decision to initiate, terminate, or 
substantially modify the content, form, frequency, or availability 
of significant products should also trigger appropriate advance 
public notice. Where appropriate, the Government Printing Office 
should be notified directly. Information dissemination products 
deemed not to be significant require no advance notice.
    Examples of significant products (or changes to them) might be 
those that:
    (a) Are required by law; e.g., a statutorily mandated report to 
Congress;
    (b) Involve expenditure of substantial funds;
    (c) By reason of the nature of the information, are matters of 
continuing public interest; e.g., a key economic indicator;
    (d) By reason of the time value of the information, command 
public interest; e.g., monthly crop reports on the day of their 
release;
    (e) Will be disseminated in a new format or medium; e.g., 
disseminating a printed product in electronic medium, or 
disseminating a machine-readable data file via on-line access.
    Where members of the public might consider a proposed new agency 
product unnecessary or duplicative, the agency should solicit and 
evaluate public comments. Where users of an agency information 
dissemination product may be seriously affected by the introduction 
of a change in medium or format, the agency should notify users and 
consider their views before instituting the change. Where members of 
the public consider an existing agency product important and 
necessary, the agency should consider these views before deciding to 
terminate the product. In all cases, however, determination of what 
is a significant information dissemination product and what 
constitutes adequate notice are matters of agency judgment.
    Achieving Compliance with the Circular's Requirements. Section 
8a(6)(k) requires that the agency information dissemination 
management system ensure that, to the extent existing information 
dissemination policies or practices are inconsistent with the 
requirements of this Circular, an orderly transition to compliance 
with the requirements of this Circular is made. For example, some 
agency information dissemination products may be priced at a level 
which exceeds the cost of dissemination, or the agency may be 
engaged in practices which are otherwise unduly restrictive. In 
these instances, agencies must plan for an orderly transition to the 
substantive policy requirements of the Circular. The information 
dissemination management system must be capable of identifying these 
situations and planning for a reasonably prompt transition. 
Instances of existing agency practices which cannot immediately be 
brought into conformance with the requirements of the Circular are 
to be addressed through the waiver procedures of Section 10(b).
    Section 8a(7). Avoiding Improperly Restrictive Practices. 
Federal agencies are often the sole suppliers of the information 
they hold. The agencies have either created or collected the 
information using public funds, usually in furtherance of unique 
governmental functions, and no one else has it. Hence agencies need 
to take care that their behavior does not inappropriately constrain 
public access to government information.
    When agencies use private contractors to accomplish 
dissemination, they must take care that they do not permit 
contractors to impose restrictions that undercut the agencies' 
discharge of their information dissemination responsibilities. The 
contractual terms should assure that, with respect to dissemination, 
the contractor behaves as though the contractor were the agency. For 
example, an agency practice of selling, through a contractor, on-
line access to a database but refusing to sell copies of the 
database itself may be improperly restrictive because it precludes 
the possibility of another firm making the same service available to 
the public at a lower price. If an agency is willing to provide 
public access to a database, the agency should be willing to sell 
copies of the database itself.
    By the same reasoning, agencies should behave in an even-handed 
manner in handling information dissemination products. If an agency 
is willing to sell a database or database services to some members 
of the public, the agency should sell the same products under 
similar terms to other members of the public, unless prohibited by 
statute. When an agency decides it has public policy reasons for 
offering different terms of sale to different groups in the public, 
the agency should provide a clear statement of the policy and its 
basis.
    Agencies should not attempt to exert control over the secondary 
uses of their 

[[Page 6449]]
information dissemination products. In particular, agencies should not 
establish exclusive, restricted, or other distribution arrangements 
which interfere with timely and equitable availability of 
information dissemination products, and should not charge fees or 
royalties for the resale or redissemination of government 
information. These principles follow from the fact that the law 
prohibits the Federal Government from exercising copyright.
    Agencies should inform the public as to the limitations inherent 
in the information dissemination product (e.g., possibility of 
errors, degree of reliability, and validity) so that users are fully 
aware of the quality and integrity of the information. If 
circumstances warrant, an agency may wish to establish a procedure 
by which disseminators of the agency's information may at their 
option have the data and/or value-added processing checked for 
accuracy and certified by the agency. Using this method, 
redisseminators of the data would be able to respond to the demand 
for integrity from purchasers and users. This approach could be 
enhanced by the agency using its authority to trademark its 
information dissemination product, and requiring that 
redisseminators who wish to use the trademark agree to appropriate 
integrity procedures. These methods have the possibility of 
promoting diversity, user responsiveness, and efficiency as well as 
integrity. However, an agency's responsibility to protect against 
misuse of a government information dissemination product does not 
extend to restricting or regulating how the public actually uses the 
information.
    The Lanham Trademark Act of 1946, 15 U.S.C. 1055, 1125, 1127, 
provides an efficient method to address legitimate agency concerns 
regarding public safety. Specifically, the Act permits a trademark 
owner to license the mark, and to demand that the user maintain 
appropriate quality controls over products reaching consumers under 
the mark. See generally, McCarthy on Trademarks, Sec. 18.13. When a 
trademark owner licenses the trademark to another, it may retain the 
right to control the quality of goods sold under the trademark by 
the licensee. Furthermore, if a licensee sells goods under the 
licensed trademark in breach of the licensor's quality 
specifications, the licensee may be liable for breach of contract as 
well as for trademark infringement. This technique is increasingly 
being used to assure the integrity of digital information 
dissemination products. For example, the Census Bureau has 
trademarked its topologically integrated geographic encoding and 
referencing data product (``TIGER/Line''), which is used as official 
source data for legislative districting and other sensitive 
applications.
    Whenever a need for special quality control procedures is 
identified, agencies should adopt the least burdensome methods and 
ensure that the methods chosen do not establish an exclusive, 
restricted, or other distribution arrangement that interferes with 
timely and equitable availability of public information to the 
public. Agencies should not attempt to condition the resale or 
redissemination of its information dissemination products by members 
of the public.
    User charges. Title 5 of the Independent Offices Appropriations 
Act of 1952 (31 U.S.C. 9701) establishes Federal policy regarding 
fees assessed for government services, and for sale or use of 
government property or resources. OMB Circular No. A-25, User 
Charges, implements the statute. It provides for charges for 
government goods and services that convey special benefits to 
recipients beyond those accruing to the general public. It also 
establishes that user charges should be set at a level sufficient to 
recover the full cost of providing the service, resource, or 
property. Since Circular No. A-25 is silent as to the extent of its 
application to government information dissemination products, full 
cost recovery for information dissemination products might be 
interpreted to include the cost of collecting and processing 
information rather than just the cost of dissemination. The policy 
in Section 8a(7)(c) clarifies the policy of Circular No. A-25 as it 
applies to information dissemination products. This policy was 
codified by the Paperwork Reduction Act of 1995 at 35 U.S.C. Section 
3506(d)(4)(D).
    Statutes such as FOIA and the Government in the Sunshine Act 
establish a broad and general obligation on the part of Federal 
agencies to make government information available to the public and 
to avoid erecting barriers that impede public access. User charges 
higher than the cost of dissemination may be a barrier to public 
access. The economic benefit to society is maximized when government 
information is publicly disseminated at the cost of dissemination. 
Absent statutory requirements to the contrary, the general standard 
for user charges for government information dissemination products 
should be to recover no more than the cost of dissemination. It 
should be noted in this connection that the government has already 
incurred the costs of creating and processing the information for 
governmental purposes in order to carry out its mission.
    Underpinning this standard is the FOIA fee structure which 
establishes limits on what agencies can charge for access to Federal 
records. That Act permits agencies to charge only the direct 
reasonable cost of search, reproduction and, in certain cases, 
review of requested records. In the case of FOIA requests for 
information dissemination products, charges would be limited to 
reasonable direct reproduction costs alone. No search would be 
needed to find the product, thus no search fees would be charged. 
Neither would the record need to be reviewed to determine if it 
could be withheld under one of the Act's exemptions since the agency 
has already decided to release it. Thus, FOIA provides an 
information ``safety net'' for the public.
    While OMB does not intend to prescribe procedures for pricing 
government information dissemination products, the cost of 
dissemination may generally be thought of as the sum of all costs 
specifically associated with preparing a product for dissemination 
and actually disseminating it to the public. When an agency prepares 
an information product for its own internal use, costs associated 
with such production would not generally be recoverable as user 
charges on subsequent dissemination. When the agency prepares the 
product for public dissemination, and disseminates it, costs 
associated with preparation and actual dissemination would be 
recoverable as user charges.
    In the case of government databases which are made available to 
the public on-line, the costs associated with initial database 
development, including the costs of the necessary hardware and 
software, would not be included in the cost of dissemination. Once a 
decision is made to disseminate the data, additional costs logically 
associated with dissemination can be included in the user fee. These 
may include costs associated with modification of the database to 
make it suitable for dissemination, any hardware or software 
enhancements necessary for dissemination, and costs associated with 
providing customer service or telecommunications capacity.
    In the case of information disseminated via cd-rom, the costs 
associated with initial database development would likewise not be 
included in the cost of dissemination. However, a portion of the 
costs associated with formatting the data for cd-rom dissemination 
and the costs of mastering the cd-rom, could logically be included 
as part of the dissemination cost, as would the cost associated with 
licensing appropriate search software.
    Determining the appropriate user fee is the responsibility of 
each agency, and involves the exercise of judgment and reliance on 
reasonable estimates. Agencies should be able to explain how they 
arrive at user fees which represent average prices and which, given 
the likely demand for the product, can be expected to recover the 
costs associated with dissemination.
    When agencies provide custom tailored information services to 
specific individuals or groups, full cost recovery, including the 
cost of collection and processing, is appropriate. For example, if 
an agency prepares special tabulations or similar services from its 
databases in answer to a specific request from the public, all costs 
associated with fulfilling the request would be charged, and the 
requester should be so informed before work is begun.
    In a few cases, agencies engaging in information collection 
activities augment the information collection at the request of, and 
with funds provided by, private sector groups. Since the 1920's, the 
Bureau of the Census has carried out, on request, surveys of certain 
industries at greater frequency or at a greater level of detail than 
Federal funding would permit, because gathering the additional 
information is consistent with Federal purposes and industry groups 
have paid the additional information collection and processing 
costs. While the results of these surveys are disseminated to the 
public at the cost of dissemination, the existence and availability 
of the additional government data are special benefits to certain 
recipients beyond those accruing to the public. It is appropriate 
that those recipients should bear the full costs of information 
collection and processing, in addition to the normal costs of 
dissemination.
    Agencies must balance the requirement to establish user charges 
and the level of fees 

[[Page 6450]]
charged against other policies, specifically, the proper performance of 
agency functions and the need to ensure that information 
dissemination products reach the public for whom they are intended. 
If an agency mission includes disseminating information to certain 
specific groups or members of the public and the agency determines 
that user charges will constitute a significant barrier to carrying 
out this responsibility, the agency may have grounds for reducing or 
eliminating its user charges for the information dissemination 
product, or for exempting some recipients from the charge. Such 
reductions or eliminations should be the subject of agency 
determinations on a case by case basis and justified in terms of 
agency policies.
    Section 8a(8). Electronic Information Dissemination. Advances in 
information technology have changed government information 
dissemination. Agencies now have available new media and formats for 
dissemination, including CD-ROM, electronic bulletin boards, and 
public networks. The growing public acceptance of electronic data 
interchange (EDI) and similar standards enhances their 
attractiveness as methods for government information dissemination. 
For example, experiments with the use of electronic bulletin boards 
to advertise Federal contracting opportunities and to receive vendor 
quotes have achieved wider dissemination of information about 
business opportunities with the Federal Government than has been the 
case with traditional notices and advertisements. Improved 
information dissemination has increased the number of firms 
expressing interest in participating in the government market and 
decreased prices to the government due to expanded competition. In 
addition, the development of public electronic information networks, 
such as the Internet, provides an additional way for agencies to 
increase the diversity of information sources available to the 
public. Emerging applications such as Wide Area Information Servers 
and the World-wide Web (using the NISO Z39.50 standard) will be used 
increasingly to facilitate dissemination of government information 
such as environmental data, international trade information, and 
economic statistics in a networked environment.
    A basic purpose of the PRA is to ``provide for the dissemination 
of public information on a timely basis, on equitable terms, and in 
a manner that promotes the utility of the information to the public 
and makes effective use of information technology.'' (44 U.S.C. 
3501(7)) Agencies can frequently enhance the value, practical 
utility, and timeliness of government information as a national 
resource by disseminating information in electronic media. 
Electronic collection and dissemination may substantially increase 
the usefulness of government information dissemination products for 
three reasons. First, information disseminated electronically is 
likely to be more timely and accurate because it does not require 
data re-entry. Second, electronic records often contain more 
complete and current information because, unlike paper, it is 
relatively easy to make frequent changes. Finally, because 
electronic information is more easily manipulated by the user and 
can be tailored to a wide variety of needs, electronic information 
dissemination products are more useful to the recipients.
    As stated at Section 8a(1)(h), agencies should use voluntary 
standards and Federal Information Processing Standards to the extent 
appropriate in order to ensure the most cost effective and 
widespread dissemination of information in electronic formats.
    Agencies can frequently make government information more 
accessible to the public and enhance the utility of government 
information as a national resource by disseminating information in 
electronic media. Agencies generally do not utilize data in raw 
form, but edit, refine, and organize the data in order to make it 
more accessible and useful for their own purposes. Information is 
made more accessible to users by aggregating data into logical 
groupings, tagging data with descriptive and other identifiers, and 
developing indexing and retrieval systems to facilitate access to 
particular data within a larger file. As a general matter, and 
subject to budgetary, security or legal constraints, agencies should 
make available such features developed for internal agency use as 
part of their information dissemination products.
    There will also be situations where the agency determines that 
its mission will be furthered by providing enhancements beyond those 
needed for its own use, particularly those that will improve the 
public availability of government information over the long term. In 
these instances, the agency should evaluate the expected usefulness 
of the enhanced information in light of its mission, and where 
appropriate construct partnerships with the private sector to add 
these elements of value. This approach may be particularly 
appropriate as part of a strategy to utilize new technology 
enhancements, such as graphic images, as part of a particular 
dissemination program.
    Section 8a(9). Information Safeguards. The basic premise of this 
Section is that agencies should provide an appropriate level of 
protection to government information, given an assessment of the 
risks associated with its maintenance and use. Among the factors to 
be considered include meeting the specific requirements of the 
Privacy Act of 1974 and the Computer Security Act of 1987.
    In particular, agencies are to ensure that they meet the 
requirements of the Privacy Act regarding information retrievable by 
individual identifier. Such information is to be collected, 
maintained, and protected so as to preclude intrusion into the 
privacy of individuals and the unwarranted disclosure of personal 
information. Individuals must be accorded access and amendment 
rights to records, as provided in the Privacy Act. To the extent 
that agencies share information which they have a continuing 
obligation to protect, agencies should see that appropriate 
safeguards are instituted. Appendix I prescribes agency procedures 
for the maintenance of records about individuals, reporting 
requirements to OMB and Congress, and other special requirements of 
specific agencies, in accordance with the Privacy Act.
    This Section also incorporates the requirement of the Computer 
Security Act of 1987 that agencies plan to secure their systems 
commensurate with the risk and magnitude of loss or harm that could 
result from the loss, misuse, or unauthorized access to information 
contained in those systems. It includes assuring the integrity, 
availability, and appropriate confidentiality of information. It 
also involves protection against the harm that could occur to 
individuals or entities outside of the Federal Government as well as 
the harm to the Federal Government. Appendix III prescribes a 
minimum set of controls to be included in Federal automated 
information resources security programs and assigns Federal agency 
responsibilities for the security of automated information 
resources. The Section also includes limits on collection and 
sharing of information and procedures to assure the integrity of 
information as well as requirements to adequately secure the 
information.
    Incorporation of Circular No. A-114. OMB Circular No. A-114, 
Management of Federal Audiovisual Activities, last revised on March 
20, 1985, prescribed policies and procedures to improve Federal 
audiovisual management. Although OMB has rescinded Circular No. A-
114, its essential policies and procedures continue. This revision 
provides information resources management policies and principles 
independent of medium, including paper, electronic, or audiovisual. 
By including the term ``audiovisual'' in the definition of 
``information,'' audiovisual materials are incorporated into all 
policies of this Circular.
    The requirement in Circular No. A-114 that the head of each 
agency designate an office with responsibility for the management 
oversight of an agency's audiovisual productions and that an 
appropriate program for the management of audiovisual productions in 
conformance with 36 CFR 1232.4 is incorporated into this Circular at 
Section 9a(10). The requirement that audiovisual activities be 
obtained consistent with OMB Circular No. A-76 is covered by 
Sections 8a(1)(d), 8a(5)(d)(i) and 8a(6)(b).
    The National Archives and Records Administration will continue 
to prescribe the records management and archiving practices of 
agencies with respect to audiovisual productions at 36 CFR 1232.4, 
``Audiovisual Records Management.''
    Section 8b. Information Systems and Information Technology 
Management.
    Section 8b(1). Evaluation and Performance Measurement. OMB 
encourages agencies to stress several types of evaluation in their 
oversight of information systems. As a first step, agencies must 
assess the continuing need for the mission function. If the agency 
determines there is a continuing need for a function, agencies 
should reevaluate existing work processes prior to creating new or 
updating existing information systems. Without this analysis, 
agencies tend to develop information systems that improve the 
efficiency of traditional paper-based processes which may be no 
longer needed. The application of information technology presents an 
opportunity to reevaluate existing organizational structures, work 

[[Page 6451]]
processes, and ways of interacting with the public to see whether they 
still efficiently and effectively support the agency's mission.
    Benefit-cost analyses provide vital management information on 
the most efficient allocation of human, financial, and information 
resources to support agency missions. Agencies should conduct a 
benefit-cost analysis for each information system to support 
management decision making to ensure: (a) alignment of the planned 
information system with the agency's mission needs; (b) 
acceptability of information system implementation to users inside 
the Government; (c) accessibility to clientele outside the 
Government; and (d) realization of projected benefits. When 
preparing benefit-cost analyses to support investments in 
information technology, agencies should seek to quantify the 
improvements in agency performance results through the measurement 
of program outputs.
    The requirement to conduct a benefit-cost analysis need not 
become a burdensome activity for agencies. The level of detail 
necessary for such analyses varies greatly and depends on the nature 
of the proposed investment. Proposed investments in ``major 
information systems'' as defined in this Circular require detailed 
and rigorous analysis. This analysis should not merely serve as 
budget justification material, but should be part of the ongoing 
management oversight process to ensure prudent allocation of scarce 
resources. Proposed investments for information systems that are not 
considered ``major information systems'' should be analyzed and 
documented more informally.
    While it is not necessary to create a new benefit-cost analysis 
at each stage of the information system life cycle, it is useful to 
refresh these analyses with up-to-date information to ensure the 
continued viability of an information system prior to and during 
implementation. Reasons for updating a benefit-cost analysis may 
include such factors as significant changes in projected costs and 
benefits, significant changes in information technology 
capabilities, major changes in requirements (including legislative 
or regulatory changes), or empirical data based on performance 
measurement gained through prototype results or pilot experience.
    Agencies should also weigh the relative benefits of proposed 
investments in information technology across the agency. Given the 
fiscal constraints facing the Federal government in the upcoming 
years, agencies should fund a portfolio of investments across the 
agency that maximizes return on investment for the agency as a 
whole. Agencies should also emphasize those proposed investments 
that show the greatest probability (i.e., display the lowest 
financial and operational risk) of achieving anticipated benefits 
for the organization. OMB and GAO are creating a publication that 
will provide agencies with reference materials for setting up such 
evaluation processes.
    Agencies should complete a retrospective evaluation of 
information systems once operational to validate projected savings, 
changes in practices, and effectiveness in serving affected publics. 
These post-implementation reviews may also serve as the basis for 
agency-wide learning about effective management practices.
    Section 8b(2). Strategic Information Resources Management (IRM) 
Planning. Agencies should link to, and to the extent possible, 
integrate IRM planning with the agency strategic planning required 
by the Government Performance and Results Act (P.L. 103-62). Such a 
linkage ensures that agencies apply information resources to 
programs that support the achievement of agreed-upon mission goals. 
Additionally, strategic IRM planning by agencies may help avoid 
automating out-of-date, ineffective, or inefficient procedures and 
work processes.
    Agencies should also devote management attention to operational 
information resources management planning. This operational IRM 
planning should provide a one to five year focus to agency IRM 
activities and projects. Agency operational IRM plans should also 
provide a listing of the major information systems covered by the 
management oversight processes described in Section 8b(3). Agency 
operational planning for IRM should also communicate to the public 
how the agency's application of information resources might affect 
them. For the contractor community, this includes articulating the 
agency's intent to acquire information technology from the private 
sector. These data should not be considered acquisition sensitive, 
so that they can be distributed as widely as possible to the vendor 
community in order to promote competition. Agencies should make 
these acquisition plans available to the public through government-
wide information dissemination mechanisms, including electronic 
means.
    Operational planning should also include initiatives to reduce 
the burden, including information collection burden, an agency 
imposes on the public. Too often, for example, agencies require 
personal visits to government offices during office hours 
inconvenient to the public. Instead, agencies should plan to use 
information technology in ways that make the public's dealing with 
the Federal government as ``user-friendly'' as possible.
    Each year, OMB issues a bulletin requesting copies of agencies' 
latest strategic IRM plans and annual updates to operational plans 
for information and information technology.
    Section 8b(3). Information Systems Management Oversight. 
Agencies should consider what constitutes a ``major information 
system'' for purposes of this Circular when determining the 
appropriate level of management attention for an information system. 
The anticipated dollar size of an information system or a supporting 
acquisition is only one determinant of the level of management 
attention an information system requires. Additional criteria to 
assess include the maturity and stability of the technology under 
consideration, how well defined user requirements are, the level of 
stability of program and user requirements, and security concerns.
    For instance, certain risky or ``cutting-edge'' information 
systems require closer scrutiny and more points of review and 
evaluation. This is particularly true when an agency uses an 
evolutionary life cycle strategy that requires a technical and 
financial evaluation of the project's viability at prototype and 
pilot testing phases. Projects relying on commercial off-the-shelf 
technology and applications will generally require less oversight 
than those using custom-designed software.
    While each phase of an information system life cycle may have 
unique characteristics, the dividing line between the phases may not 
always be distinct. For instance, both planning and evaluation 
should continue throughout the information system life cycle. In 
fact, during any phase, it may be necessary to revisit the previous 
stages based on new information or changes in the environment in 
which the system is being developed.
    The policy statements in this Circular describe an information 
system life cycle. It does not, however, make a definitive statement 
that there must be four versus five phases of a life cycle because 
the life cycle varies by the nature of the information system. Only 
two phases are common to all information systems--a beginning and an 
end. As a result, life cycle management techniques that agencies can 
use may vary depending on the complexity and risk inherent in the 
project.
    One element of this management oversight policy is the 
recognition of imbedded and/or parallel life cycles. Within an 
information system's life cycle there may be other subsidiary life 
cycles. For instance, most Federal information systems projects 
include an acquisition of goods and services that have life cycle 
characteristics. Some projects include software development 
components, which also have life cycles. Effective management 
oversight of major information systems requires a recognition of all 
these various life cycles and an integrated information systems 
management oversight with the budget and human resource management 
cycles that exist in the agency.
    Section 8b(2) of the Circular underscores the need for agencies 
to bring an agency-wide perspective to a number of information 
resources management issues. These issues include policy 
formulation, planning, management and technical frameworks for using 
information resources, and management oversight of major information 
systems. Agencies should also provide for coordinated decision 
making (Section 8b(3)(f)) in order to bring together the 
perspectives from across an agency, and outside if appropriate. Such 
coordination may take place in an agency-wide management or IRM 
committee. Interested groups typically include functional users, 
managers of financial and human resources, information resources 
management specialists, and, as appropriate, the affected public.
    Section 8b(4). Use of Information Resources. Agency management 
of information resources should be guided by management and 
technical frameworks for agency-wide information and information 
technology needs. The technical framework should serve as a 
reference for updates to existing and new information systems. The 

[[Page 6452]]
management framework should assure the integration of proposed 
information systems projects into the technical framework in a 
manner that will ensure progress toward achieving an open systems 
environment. Agency strategic IRM planning should describe the 
parameters (e.g., technical standards) of such a technical 
framework. The management framework should drive operational 
planning and should describe how the agency intends to use 
information and information technology consistent with the technical 
framework.
    Agency management and technical frameworks for information 
resources should address agency strategies to move toward an open 
systems environment. These strategies should consist of one or 
multiple profiles (an internally consistent set of standards), based 
on the current version of the NIST's Application Portability 
Profile. These profiles should satisfy user requirements, 
accommodate officially recognized or de facto standards, and promote 
interoperability, application portability, and scalability by 
defining interfaces, services, protocols, and data formats favoring 
the use of nonproprietary specifications.
    Agencies should focus on how to better utilize the data they 
currently collect from the public. Because agencies generally do not 
share information, the public often must respond to duplicative 
information collections from various agencies or their components. 
Sharing of information about individuals should be consistent with 
the Privacy Act of 1974, as amended, and Appendix I of this 
Circular.
    Services provided by IPSOs to components of their own agency are 
often perceived to be ``free'' by the service recipients because 
their costs are budgeted as an ``overhead'' charge. Service 
recipients typically do not pay for IPSO services based on actual 
usage. Since the services are perceived to be free, there is very 
little incentive for either the service recipients or the IPSO 
managers to be watchful for opportunities to improve productivity or 
to reduce costs. Agencies are encouraged to institute chargeback 
mechanisms for IPSOs that provide common information processing 
services across a number of agency components when the resulting 
economies are expected to exceed the cost of administration.
    Section 8b(5). Acquisition of Information Technology. Consistent 
with the requirements of the Brooks Act and the Paperwork Reduction 
Act, agencies should acquire information technology to improve 
service delivery, reduce the cost of Federal program administration, 
and minimize burden of dealing with the Federal government. Agencies 
may wish to ask potential offerors to propose different technical 
solutions and approaches to fulfilling agency mission requirements. 
Evaluating acquisitions of information technology must assess both 
the benefits and costs of applying technology to meet such 
requirements.
    The distinction between information system life cycles and 
acquisition life cycles is important when considering the 
implications of OMB Circular A-109, Acquisition of Major Systems, to 
the acquisition of information resources. Circular A-109 presents 
one strategy for acquiring information technology when:
    (i) The agency intends to fund operational tests and 
demonstrations of system design;
    (ii) The risk is high due to the unproven integration of custom 
designed software and/or hardware components;
    (iii) The estimated cost savings or operational improvements 
from such a demonstration will further improve the return on 
investment; or
    (iv) The agency wants to acquire a solution based on state-of-
the-art, unproven technology.
    Agencies should comply with OMB Circular A-76, Performance of 
Commercial Activities, when considering conversion to or from in-
house or contract performance.
    Agencies should ensure that acquisitions for new information 
technology comply with GSA regulations concerning information 
technology accessibility for individuals with disabilities [41 
C.F.R. 201-20.103-7].
    Section 9a(11). Ombudsman. The senior agency official designated 
by the head of each agency under 44 U.S.C. 3506(a) is charged with 
carrying out the responsibilities of the agency under the PRA. 
Agency senior information resources management officials are 
responsible for ensuring that their agency practices are in 
compliance with OMB policies. It is envisioned that the agency 
senior information resources management official will work as an 
ombudsman to investigate alleged instances of agency failure to 
adhere to the policies set forth in the Circular and to recommend or 
take corrective action as appropriate. Agency heads should continue 
to use existing mechanisms to ensure compliance with laws and 
policies.
    Section 9b. International Relationships. The information 
policies contained in the PRA and Circular A-130 are based on the 
premise that government information is a valuable national resource, 
and that the economic benefits to society are maximized when 
government information is available in a timely and equitable manner 
to all. Maximizing the benefits of government information to society 
depends, in turn, on fostering diversity among the entities involved 
in disseminating it. These include for-profit and not-for-profit 
entities, such as information vendors and libraries, as well as 
State, local and tribal governments. The policies on charging the 
cost of dissemination and against restrictive practices contained in 
the PRA and Circular A-130 are aimed at achieving this goal.
    Other nations do not necessarily share these values. Although an 
increasing number are embracing the concept of equitable and 
unrestricted access to public information--particularly scientific, 
environmental, and geographic information of great public benefit--
other nations are treating their information as a commodity to be 
``commercialized''. Whereas the Copyright Act, 17 U.S.C. 105, has 
long provided that ``[c]opyright protection under this title is not 
available for any work of the United States Government,'' some other 
nations take advantage of their domestic copyright laws that do 
permit government copyright and assert a monopoly on certain 
categories of information in order to maximize revenues. Such 
arrangements tend to preclude other entities from developing markets 
for the information or otherwise disseminating the information in 
the public interest.
    Thus, Federal agencies involved in international data exchanges 
are sometimes faced with problems in disseminating data stemming 
from differing national treatment of government copyright. For 
example, one country may attempt to condition the sharing of data 
with a Federal agency on an agreement that the agency will withhold 
release of the information or otherwise restrict its availability to 
the public. Since the Freedom of Information Act does not provide a 
categorical exemption for copyrighted information, and Federal 
agencies have neither the authority nor capability to enforce 
restrictions on behalf of other nations, agencies faced with such 
restrictive conditions lack clear guidance as to how to respond.
    The results of the July 1995 Congress of the World 
Meteorological Organization, which sought to strike a balance of 
interests in this area, are instructive. Faced with a resolution 
which would have essentially required member nations to enforce 
restrictions on certain categories of information for the commercial 
benefit of other nations, the United States proposed a compromise 
which was ultimately accepted. The compromise explicitly affirmed 
the general principle that government meteorological information--
like all other scientific, technical and environmental information--
should be shared globally without restriction; but recognized that 
individual nations may in particular cases apply their own domestic 
copyright and similar laws to prevent what they deem to be unfair or 
inappropriate competition within their own territories. This 
compromise leaves open the door for further consultation as to 
whether the future of government information policy in a global 
information infrastructure should follow the ``open and unrestricted 
access'' model embraced by the United States and a number of other 
nations, or if it should follow the ``government commercialization'' 
model of others.
    Accordingly, since the PRA and Circular A-130 are silent as to 
how agencies should respond to similar situations, we are providing 
the following suggestions. They are intended to foster globally the 
open and unrestricted information policy embraced by the United 
States and like minded nations, while permitting agencies to have 
access to data provided by foreign governments with restrictive 
conditions.
    Release by a Federal agency of copyrighted information, whether 
under a FOIA request or otherwise, does not affect any rights the 
copyright holder might otherwise possess. Accordingly, agencies 
should inform any concerned foreign governments that their copyright 
claims may be enforceable under United States law, but that the 
agency is not authorized to prosecute any such claim on behalf of 
the foreign government.
    Whenever an agency seeks to negotiate an international agreement 
in which a foreign party seeks to impose restrictive practices on 
information to be exchanged, the agency 

[[Page 6453]]
should first coordinate with the State Department. The State Department 
will work with the agency to develop the least restrictive terms 
consistent with United States policy, and ensure that those terms 
receive full interagency clearance through the established process 
for granting agencies authority to negotiate and conclude 
international agreements.
    Finally, whenever an agency is attending meetings of 
international or multilateral organizations where restrictive 
practices are being proposed as binding on member states, the agency 
should coordinate with the State Department, the Office of 
Management and Budget, the Office of Science and Technology Policy, 
or the U.S. Trade Representative, as appropriate, before expressing 
a position on behalf of the United States.

[FR Doc. 96-3645 Filed 2-16-96; 8:45 am]
BILLING CODE 3110-01-P