[Federal Register Volume 65, Number 72 (Thursday, April 13, 2000)]
[Notices]
[Pages 19933-19941]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 00-9077]


=======================================================================
-----------------------------------------------------------------------

OFFICE OF MANAGEMENT AND BUDGET


Management of Federal Information Resources

AGENCY: Office of Management and Budget, Executive Office of the 
President.

ACTION: Proposed revision of OMB Circular No. A-130.

-----------------------------------------------------------------------

SUMMARY: The Office of Management and Budget is revising Circular No. 
A-130, ``Management of Federal Information Resources,'' to implement 
provisions of the Clinger-Cohen Act (also known as ``Information 
Technology Management Reform Act of 1996'') and for other purposes. 
This notice proposes revisions to the sections of the Circular 
concerning information systems and information technology management to 
follow more closely provisions of the Clinger-Cohen Act and OMB 
Circular A-11, which involve the acquisition, use, and disposal of 
information technology as a capital asset by the Federal government to 
improve the productivity, efficiency, and effectiveness of Federal 
programs. It also makes minor technical revisions throughout the 
Circular (for example, changing ``senior official'' to ``Chief 
Information Officer''). It proposes a new Appendix II to address 
``Information Technology Architectures,'' incorporates OMB guidance 
regarding computer security into Appendix III, and revises Appendix IV 
to reflect these changes.
    This notice also proposes revisions to the sections of the Circular 
concerning information management policy to follow more closely the 
provisions of the current OMB guidance entitled ``Implementation of the 
Government Paperwork Elimination Act.''

DATES: If you wish to comment on the proposed revisions to Circular No. 
A-

[[Page 19934]]

130 please submit your comments no later than Friday, May 19, 2000. 
Each Department and agency should submit a single coordinated set of 
comments.

ADDRESSES: We welcome electronic comments and will include them as part 
of the official record. Please send comments electronically to: [email protected]. You may address hardcopy comments to: Information 
Policy and Technology Branch, Office of Information and Regulatory 
Affairs, Office of Management and Budget, Room 10236 New Executive 
Office Building, Washington, DC 20503.
    Electronic Availability: This document is available on the Internet 
at the OMB web site, http://www.whitehouse.gov/omb/fedreg/index.html 
and at the CIO Council home page at http://cio.gov. You can also obtain 
a copy of OMB Circular No. A-11, including the supplement to Part 3, 
``The Programming Guide,'' at the OMB web site and the CIO Council web 
site, or by calling the Budget Review and Concepts Division at OMB at 
202-395-3172.

FOR FURTHER INFORMATION CONTACT: Tony Frater, Information Policy and 
Technology Branch, Office of Information and Regulatory Affairs, Office 
of Management and Budget, Room 10236, New Executive Office Building, 
Washington, DC 20503. Telephone: (202) 395-3785.

SUPPLEMENTARY INFORMATION:

Background

    The Clinger-Cohen Act (also known as ``Information Technology 
Management Reform Act of 1996'') (Public Law 104-106, Division E, 
codified at 40 U.S.C. Chapter 25) grants to the Director of the Office 
of Management and Budget (OMB) various authorities for overseeing the 
acquisition, use, and disposal of information technology by the Federal 
government, so as to improve the productivity, efficiency, and 
effectiveness of Federal programs. It supplements the information 
resources management (IRM) policies contained in the Paperwork 
Reduction Act (PRA) (44 U.S.C. Chapter 35) by establishing a 
comprehensive approach to improving the acquisition and management of 
agency information systems through work process redesign, and by 
linking planning and investment strategies to the budget process.
    The Clinger-Cohen Act establishes clear accountability for IRM 
activities by creating agency Chief Information Officers (CIOs) with 
the authority and management responsibility necessary to advise agency 
heads. Among other responsibilities, CIOs oversee the design, 
development, and implementation of information systems. CIOs also 
monitor and evaluate system performance and advise agency heads to 
modify or terminate those systems. The Clinger-Cohen Act also directs 
agencies to work together towards the common goal of using information 
technology to improve the productivity, effectiveness, and efficiency 
of Federal programs and to promote an interoperable, secure, and shared 
government wide information resources infrastructure.
    To provide agencies with additional guidance on implementing the 
Clinger-Cohen Act, OMB proposes to revise Circular No. A-130, 
``Management of Federal Information Resources'' (61 FR 6428 February 
20, 1996), which contains the policy framework for the management of 
Federal information resources. OMB has issued previous guidance 
regarding the Clinger-Cohen Act implementation, including; OMB 
Memoranda M-96-20, ``Implementation of the Information Technology 
Management Reform Act of 1996;'' M-97-02, ``Funding Information Systems 
Investments;'' M-97-09, ``Interagency Support for Information 
Technology;'' M-97-15, ``Local Telecommunications Services Policy;'' M-
97-16, ``Information Technology Architectures''. Upon issuance of final 
revisions to the Circular, OMB will rescind those Memoranda. Future 
revisions to A-130 will incorporate other related OMB guidance, 
including issuances on computer security and agency use of electronic 
transactions.
    Since the last revision of this Circular, Congress passed, and the 
President signed into law, the Electronic Freedom of Information Act 
Amendments (Public Law 104-231). Among other changes, the E-FOIA 
Amendments added a new subsection (g) to the FOIA, which reinforces the 
preexisting requirement in the Paperwork Reduction Act for agencies to 
maintain an inventory of their major information systems and an 
information locator service. The E-FOIA Amendments also require 
agencies to maintain a handbook that explains how persons may obtain 
public information from the agency pursuant to the FOIA and the PRA. 
Additional text has been added to this provision in Section 9 to 
reflect the enactment of the E-FOIA Amendments. Also, Appendix IV has 
been amended to incorporate the guidance that OMB issued to agencies in 
April 1998 on implementing the E-FOIA's handbook requirement (OMB 
Memorandum M-98-09). When this guidance is incorporated into the 
Circular, OMB will rescind the 1998 Memorandum.
    In addition, in late 1997, a lawsuit was filed against several 
agencies (Public Citizen v. Raines) alleging that they had not complied 
with the requirements in the PRA and FOIA for agencies to inventory 
their information systems. During the course of the litigation, which 
is ongoing, the argument was advanced by the plaintiff that Congress in 
the 1995 revisions to the PRA required agencies to maintain an 
inventory of all of their information systems, rather than only their 
major information systems. OMB responded by expressing its view that, 
in revising the PRA in 1995, Congress did not require agencies to 
inventory all of their information systems. Instead, consistent with 
the PRA as originally enacted in 1980 and amended in 1986, Congress in 
1995 continued to require an agency to inventory its ``major'' 
information systems. This legislative intent is reflected in Section 
3511(a) of the 1995 PRA (which requires an inventory of an agency's 
major information systems) and also in Section 3506(b)(4), which cross-
references that requirement in Section 3511. A continuing PRA focus on 
the agency's ``major'' information systems is also consistent with the 
later-enacted 1996 E-FOIA Amendments, in which Congress required 
agencies to make available to the public their inventories of major 
information systems.
    Finally, in terms of the agency's activities in managing its 
information resources, which is the overall subject of Section 3506(b), 
OMB believes that an agency needs to focus its management attention on 
its ``major'' information systems, and for this reason an inventory 
that includes those major systems (but not all systems) makes the most 
sense for improving agency management. Therefore, in addition to 
reflecting the passage of the E-FOIA Amendments, the proposed revisions 
to Section 9 also make clearer the agencies' obligations under the PRA 
and FOIA in this area. These revisions reiterate the pre-existing 
requirement in Section 9 for each agency to maintain an inventory of 
its major information systems (these systems may be electronic or 
paper--the Circular's definition of ``major information systems'' is 
format neutral). The revisions also clarify that each agency, under 
Section 3506(b)(4) of the PRA, needs to maintain as well an inventory 
of its other ``information resources'' (such as personnel and funding) 
at the level of detail that the agency's managers believe is most 
appropriate for them to use in their management of the agency's 
information resources.

[[Page 19935]]

What Sections of Circular No. A-130 Are Proposed for Revision?

    Section 3. Authorities. This section is amended to cite, and to 
incorporate changes necessitated by the Clinger-Cohen Act, the 
Government Performance and Results Act (GPRA), and Executive Order 
13011.
    Section 5. Background. A discussion of the basic principles and 
goals of the Clinger-Cohen Act is added.
    Section 6. Definitions. The terms ``Chief Information Officers 
Council'' and ``Information Technology Resources Board'' are introduced 
to reflect the interagency support structures established by Executive 
Order 13011. The term ``executive agency'' is introduced to reflect the 
definition found in the Clinger-Cohen Act. The term ``information 
technology'' is amended to reflect definitional changes made by the 
Clinger-Cohen Act, and is supplemented by the limiting term ``national 
security system'' to clearly identify those systems to which the 
Circular applies. The term ``capital planning and investment control 
process'' is introduced to assist agencies in the reporting 
requirements of the Clinger-Cohen Act.
    Section 7. Basic Considerations and Assumptions. The existing basic 
considerations and assumptions are supplemented with a modified 
subsection (i) and new subsection (r) to reflect the relevant goals and 
purposes of the Clinger-Cohen Act and Executive Order 13011.
    Section 8a. Information Management Policy. Sections 8a(3) is 
proposed to be revised to reflect the Government Paperwork Elimination 
Act (Public Law 105-277, Title XVII), which was enacted in October 
1998. OMB issued proposed guidance to implement the GPEA on March 5, 
1999 (64 FR 10896), and is preparing the final guidance, to be issued 
shortly.
    Section 8b. Information Systems and Information Technology 
Management. This section is substantially revised to implement the 
policies of the Clinger-Cohen Act and the principles of Executive Order 
13011. Sections 8b(1), 8b(2), 8b(3) have been merged to better 
integrate requirements under Clinger-Cohen Act, the Government 
Performance and Results Act (Public Law 103-62), and revisions to OMB 
Circular A-11.
    New section 8b(1) is revised to provide guidance on both strategic 
and operational IRM planning by integrating the agency's information 
resources management plans, strategic plans, performance plans, 
financial management plans, and budget processes, as discussed in OMB 
Circular A-11, Sec 210.8. This new section outlines three components: 
selection, control, and evaluation. It is also stresses the need to 
redesign work processes before making significant investments in 
automation, and the need to evaluate commercial off-the-shelf ``COTS'' 
software as part of the capital planning process. Additionally, this 
section contains revisions that incorporate requirements for IT 
accessibility by persons with disabilities that had previously resided 
in the Federal Information Resource Management Regulations (FIRMR, 41 
CFR 201).
    Section 8b(2), previously 8b(4), is assigned a new heading ``What 
is an ITA.'' This section is modified, and includes relevant concepts 
from the previous section. Section 8b(3), previously 8b(5), is modified 
to promote the structuring of major information systems into modules 
that will reduce risk, promote flexibility and interoperability, 
increase accountability, and better match mission needs with current 
technology and market conditions.
    Section 9. Assignment of Responsibilities.
    Subsection 9a, All Federal Agencies, is changed to reflect the new 
Chief Information Officer (CIO) position created by the Clinger-Cohen 
Act, and reflects developments since the Circular was last revised in 
February 1996.. A new subsection 9a(3) is inserted to reflect CIO 
responsibilities. Old subsections 9a(3)-(8) are renumbered to become 
9a(4)-(9). Existing Section 9a(5)--which would be renumbered as Section 
9a(7)--is proposed to be revised to make clearer the agencies' 
obligations under the Paperwork Reduction Act and the Freedom of 
Information Act (as discussed above). A new Subsection 9a(10) is added 
to ensure cross agency cooperation. 9a(11) is added to encourage 
agencies to permit other agencies to place orders for information 
technology against its contracts to the extent practicable. Subsections 
9a(3), (12), (13), (14), and (15) are added to describe the CIO's 
responsibilities under the Clinger-Cohen Act.
    Subsection 9b, Department of State, is revised to reflect 
responsibilities described in the Clinger-Cohen Act and Executive Order 
13011. These include liaison, consultation, and negotiation with 
foreign governments and intergovernmental organizations on matters 
related to information resources management as well as the State 
Department's advisory role in developing U.S. positions and policies on 
international information policy and technology issues affecting the 
Federal government.
    Subsection 9c(1), Department of Commerce, is supplemented to 
reflect that agencies and the Chief Information Officers Council will 
make recommendations, as appropriate, to the Secretary of Commerce 
regarding standards development.
    Subsection 9e, General Services Administration (GSA), is changed to 
reflect that with the enactment of the Clinger-Cohen Act, GSA will no 
longer perform policy and oversight functions. GSA will continue to 
provide services, training, and assistance as requested by the agencies 
and OMB.
    Subsection 9h, Office of Management and Budget, is changed to 
reflect that OMB will provide guidance to the Boards established by 
Executive Order 13011, and may from time to time designate executive 
agents for government-wide procurement of information technology.
    Accordingly, Circular No. A-130 (61 FR 6428, February 20, 1996) is 
proposed to be amended as set forth below.

John T. Spotila,
Administrator, Office of Information and Regulatory Affairs.

Proposed Amendments to OMB Circular No. A-130

    1. Section 3, ``Authorities,'' is revised to read as follows:

    3. Authorities: This Circular is issued pursuant to the 
Paperwork Reduction Act (PRA) of 1980, as amended by the Paperwork 
Reduction Act of 1995 (44 U.S.C. Chapter 35); the Clinger-Cohen Act 
(also known as ``Information Technology Management Reform Act of 
1996'') (Public Law 104-106, Division E); the Privacy Act, as 
amended (5 U.S.C. 552a); the Chief Financial Officers Act (31 U.S.C. 
3512 et seq.); the Federal Property and Administrative Services Act, 
as amended (40 U.S.C. 487); the Computer Security Act (Public Law 
100-235); the Budget and Accounting Act, as amended (31 U.S.C. 
Chapter 11); Executive Order 12046 of March 27, 1978; Executive 
Order 12472 of April 3, 1984; and Executive Order 13011 of July 17, 
1996.

    2. Section 5, ``Background,'' is amended by adding the following 
new paragraph:


    The Clinger-Cohen Act supplements the information resources 
management policies contained in the PRA by establishing a 
comprehensive approach for executive agencies to improve the 
acquisition and management of their information resources, through:
    (1) Focusing information resource planning to support the 
agency's strategic missions;
    (2) Implementing a capital planning and investment control 
process that links to budget formulation and execution; and

[[Page 19936]]

    (3) Rethinking and restructuring the way agencies do their work 
before investing in information systems.

    3. Section 6, ``Definitions,'' is amended by making the following 
revisions: definitions are added for ``capital planning and investment 
control process,'' ``Chief Information Officers Council,'' ``executive 
agency,'' ``Information Technology Resources Board,'' and ``national 
security system''. The definition for ``information technology'' is 
revised, and the remaining definitions are redesignated accordingly. 
The new and revised definitions are as follows:

    c. The term ``capital planning and investment control process `` 
means a management process for ongoing identification, selection, 
control, and evaluation of investments in information resources. The 
process is linked to budget formulation and execution, and is 
focused on agency missions and achieving specific program outcomes.
    d. The term ``Chief Information Officers Council'' (CIO Council) 
means the Council established in Section 3 of Executive Order 13011.
    f. The term ``executive agency'' has the meaning defined in 
section 4(1) of the Office of Federal Procurement Policy Act (41 
U.S.C. 403(1)).
    t. The term ``information technology'' means any equipment or 
interconnected system or subsystem of equipment, that is used in the 
automatic acquisition, storage, manipulation, management, movement, 
control, display, switching, interchange, transmission, or reception 
of data or information by an executive agency. For purposes of the 
preceding sentence, equipment is used by an executive agency if the 
equipment is used by the executive agency directly or is used by a 
contractor under a contract with the executive agency which (i) 
requires the use of such equipment, or (ii) requires the use, to a 
significant extent, of such equipment in the performance of a 
service or the furnishing of a product. The term ``information 
technology'' includes computers, ancillary equipment, software, 
firmware and similar procedures, services (including support 
services), and related resources. The term ``information 
technology'' does not include any equipment that is acquired by a 
Federal contractor incidental to a Federal contract.
    u. The term ``Information Technology Resources Board'' 
(Resources Board) means the board established by Section 5 of 
Executive Order 13011.
    w. The term ``national security system'' means any 
telecommunications or information system operated by the United 
States Government, the function, operation, or use of which (1) 
involves intelligence activities; (2) involves cryptologic 
activities related to national security; (3) involves command and 
control of military forces; (4) involves equipment that is an 
integral part of a weapon or weapons system; or (5) is critical to 
the direct fulfillment of military or intelligence missions, but 
excluding any system that is to be administrative and business 
applications (including payroll, finance, logistics, and personnel 
management applications). The policies and procedures established in 
this Circular shall apply to national security systems in a manner 
consistent with the applicability and related limitations regarding 
such systems set out in Section 5141 of the Clinger-Cohen Act (Pub. 
L. 104-106). Applicability of Clinger-Cohen Act to national security 
systems shall include budget document preparation requirements set 
forth in OMB Circular A-11. The resultant budget document may be 
classified in accordance with the provisions of Executive Order 
12958.

    4. Section 7, ``Basic Considerations and Assumptions,'' is amended 
by revising Sections 7i and by adding 7r to read as follows:

    i. Strategic planning improves the operation of government 
programs. The agency strategic plan will shape the redesign of work 
processes and guide the development and maintenance of a capital 
planning and investment control process. This management approach 
promotes the appropriate application of Federal information 
resources.
    r. The development and operation of interagency and 
interoperable shared information resources to support the 
performance of government missions should be supported by the Chief 
Information Officers Council and the Information Technology 
Resources Board.

    5. Section 8, ``policy,'' is amended by revising Section 8a(3) to 
read as follows:

    3. Electronic Information Collection. Executive agencies under 
Sections 1703 and 1705 the Government Paperwork Elimination Act 
(GPEA), Public Law 105-277, Title XVII. are required to provide, by 
October 21, 2003, the (1) option of the electronic maintenance, 
submission, or disclosure of information, when practicable as a 
substitute for paper; and (2) use and acceptance of electronic 
signatures, when practicable. Agencies will follow the provisions in 
OMB guidance, Implementation of the Government Paperwork Elimination 
Act.

    6. Section 8, ``Policy,'' is amended by revising Section 8b(1) to 
read as follows:

    b. How Should Agencies Manage Information Systems and 
Information Technology?
    (1) Capital Planning and Investment Control. Agencies must 
establish and maintain a capital planning and investment control 
process that links mission needs, information, and information 
technology in an effective and efficient manner. The process should 
guide both strategic and operational IRM planning by integrating the 
agency's information resources management plans, strategic plans 
prepared pursuant to the Government Performance and Results Act of 
1993 (5 U.S.C. 306), performance plans prepared pursuant to 
Government Performance and Results Act of 1993 (31 U.S.C. 1115), 
financial management plans prepared pursuant to the Chief Financial 
Officer Act of 1990 (31 U.S.C. 902a5), and the agency's budget 
formulation and execution processes. The capital planning and 
investment control process includes all stages of capital 
programming, including planning, budgeting, and procurement.
    As outlined below in section (B), the capital planning and 
investment control process has three components: selection, control, 
and evaluation. The process should be iterative, with inputs coming 
from the agency strategic plan and the outputs feeding into the 
budget and investment control processes. The goal is to link 
resources to results. For further guidance on Capital Planning refer 
to OMB Circular A-11.
    (A) What components are expected in the Information Resources 
Management Plan? As a product of the capital planning and investment 
control process, agencies must develop and maintain the agency 
Information Resource Management Plan (IRM) (also known as the IT 
Capital Plan), as required by 44 U.S.C. 3506(b)(2). The IRM Plan 
will include both Strategic and Operational IRM Plans. Specifically, 
the IRM Plan must include:
    (i) A component derived from the agency strategic plan as 
required by the Government Performance and Results Act. 
Specifically, an analysis detailing the information resource 
investment particulars contained within the agency Strategic Plan. 
These particulars should focus on the strategic implementation of IT 
to achieve the overall missions and goals of the agency and describe 
the linkage between the investment and the agency's missions, as 
required by OMB Circular A-11;
    (ii) A component derived from the agency annual performance plan 
as required by the Government Performance and Results Act. 
Specifically, an analysis describing the information resource 
investment particulars contained within the agency annual 
Performance Plan. These particulars should describe the quantifiable 
performance measures used in evaluating the implementation of 
specific IT initiatives and should provide metrics to assess 
progress towards achieving performance goals;
    (iii) A component derived from the agency annual program 
performance report as required by the Government Performance and 
Results Act. Specifically, an accountability report comparing actual 
performance to expected performance as expressed in the annual goals 
established in the agency Performance Plans. Progress should be 
detailed in OMB Circular A-11 Exhibit 300B submissions as part of 
the annual budget process; and
    (iv) A component derived from the agency security plan as 
required by the Computer Security Act. Specifically, the summary 
plan included in the agency's five-year plan as required by 44 
U.S.C. 3505 and Appendix III of this Circular.
    (B) What must an agency do as part of the selection component of 
the capital planning process?
    (i) Evaluate each investment in information resources to 
determine whether the investment will support core mission functions 
that must be performed by the Federal government;
    (ii) Ensure that improvements to existing information systems or 
the development of

[[Page 19937]]

new information systems are initiated because no alternative private 
sector or governmental source can efficiently support the function;
    (iii) Support work processes that have been simplified or 
otherwise redesigned to reduce costs, improve effectiveness, and 
make maximum use of commercial, off-the-shelf technology;
    (iv) Reduce risk by avoiding or isolating custom designed 
components, using components that can be fully tested or prototyped 
prior to production, and ensuring involvement and support of users;
    (v) Demonstrate a projected return on the investment that is 
clearly equal to or better than alternative uses of available public 
resources. The return may include improved mission performance in 
accordance with GPRA measures, reduced cost, increased quality, 
speed, or flexibility; and increased customer and employee 
satisfaction. The return should be adjusted for such risk factors as 
the project's technical complexity, the agency's management 
capacity, the likelihood of cost overruns, and the consequences of 
under- or non-performance. Return on investment should, where 
appropriate, be demonstrated by actual returns observed through 
pilot projects and prototypes;
    (vi) Prepare and update a benefit-cost analysis (BCA) for each 
information system throughout its life cycle. A BCA will provide a 
level of detail proportionate to the size of the investment; rely on 
systematic measures of mission performance; and be consistent with 
the methodology described in OMB Circular No. A-94, ``Guidelines and 
Discount Rates for Benefit-Cost Analysis of Federal Programs'';
    (vii) Prepare and maintain a portfolio of major information 
systems that monitors investments and prevents redundancy of 
existing or shared systems. The portfolio should provide information 
demonstrating the impact of alternative IT investment strategies and 
funding levels, identify opportunities for sharing resources, and 
consider the agency's inventory of information resources;
    (viii) Ensure consistency with Federal, agency, and bureau 
information architectures;
    (ix) Ensure that improvements to existing information systems 
and the development of planned information systems do not 
unnecessarily duplicate information systems within the same agency, 
from other agencies, or from the private sector;
    (x) Ensure that the selected system or process maximizes the 
usefulness of information, minimizes the burden on the public, and 
preserves the appropriate integrity, availability, and 
confidentiality of information throughout its life cycle. This 
portion shall specifically address the planning and budgeting for 
the information collection burden imposed on the public as defined 
by 5 CFR part 1320;
    (xi) Establish oversight mechanisms, consistent with Appendix 
III of this Circular, to systematically evaluate and ensure the 
continuing security and availability of systems and their data;
    (xii) Ensure that Federal information system requirements do not 
unnecessarily restrict the prerogatives of state, local and tribal 
governments;
    (xiii) Ensure that the selected system or process facilitates 
accessibility pursuant to the Rehabilitation Act of 1973, as amended 
(Public Law 105-220, 29 U.S.C.794d).
    (C) What must an agency do as part of the control component of 
the capital planning process?
    (i) Institute performance measures and management processes that 
monitor actual performance compared to expected results. Agencies 
must use a performance based management system that provides timely 
information regarding the progress of an information technology 
investment. The system must also measure progress towards milestones 
in an independently verifiable basis, in terms of cost, capability 
of the investment to meet specified requirements, timeliness, and 
quality;
    (ii) Establish oversight mechanisms that require periodic review 
of information systems to determine how mission requirements might 
have changed, and whether the information system continues to 
fulfill ongoing and anticipated mission requirements. These 
mechanisms must also require information regarding the future levels 
of maintenance necessary to ensure the information system meets 
mission requirements cost effectively;
    (iii) Ensure that major information systems proceed in a timely 
fashion towards agreed-upon milestones in an information system life 
cycle. Information systems must also continue to deliver intended 
benefits to the agency and customers, meet user requirements, and 
identify and offer security protections;
    (iv) Prepare and update a strategy that identifies and mitigates 
risks associated with each information system.
    (v) Ensure that financial management systems conform to the 
requirements of OMB Circular No. A-127, ``Financial Management 
Systems.''
    (D) What must an agency do as part of the evaluation component 
of the capital planning process?
    (i) Conduct post-implementation reviews of information systems 
and information resource management processes to validate estimated 
benefits and costs, and document effective management practices for 
broader use;
    (ii) Evaluate systems to ensure positive return on investment 
and decide whether continuation, modification, or termination of the 
systems is necessary to meet agency mission requirements.
    (iii) Document lessons learned from the post-implementation 
reviews. Redesign oversight mechanisms and performance levels to 
incorporate acquired knowledge.
    (2) What is an ITA? Consistent with Appendix II of this 
Circular, agencies will create an Information Technology 
Architectures (ITA). This framework should document linkages between 
mission needs, information content, and information technology 
capabilities. An ITA should also guide both strategic and 
operational IRM planning. It should be supported by a complete 
inventory of the agency information resources, including personnel, 
equipment, and funds devoted to information resources management and 
information technology, at a level of detail appropriate to support 
the ITA. It should also address steps necessary to create an open 
systems environment. Agencies will implement the following 
principles:
    (a) Develop information systems that facilitate 
interoperability, application portability, and scalability of 
computerized applications across networks of heterogeneous hardware, 
software, and communications platforms;
    (b) Meet information technology needs through cost effective 
intra-agency and interagency sharing, before acquiring new 
information technology resources; and
    (c) Establish a level of security for all information systems 
that is commensurate to the risk and magnitude of the harm resulting 
from the loss, misuse, unauthorized access to, or modification of 
the information stored or flowing through these systems.
    (1) How Should Agencies Acquire Information Technology?
    Agencies will:
    (a) Make use of adequate competition, allocate risk between 
government and contractor, and maximize return on investment when 
acquiring information technology;
    (b) Structure major information systems into useful segments 
with a narrow scope and brief duration. This will reduce risk, 
promote flexibility and interoperability, increase accountability, 
and better match mission need with current technology and market 
conditions;
    (c) Acquire off-the-shelf software from commercial sources, 
unless the cost effectiveness of developing custom software is clear 
and has been documented through pilot projects or prototypes; and
    (d) Ensure accessibility of acquired information technology 
pursuant to the Rehabilitation Act of 1973, as amended (Pub. Law 
105-220, 29 U.S.C.794d).

    7. Section 9, ``Assignment of Responsibilities,'' is amended by 
making the following revisions to Section 9a, ``All Federal Agencies'': 
delete subparagraphs (9)-(10), renumber subparagraphs (3)-(8) to become 
subparagraphs (5)-(10), insert new subparagraphs (3)-(4), revise new 
subparagraph (7), and insert (11)-(15) to read:

    (3) Appoint a Chief Information Officer, as required by 44 
U.S.C. 3506(a), who must report directly to the agency head to carry 
out the responsibilities of the agencies listed in Executive Order 
13011. The head of the agency will consult with the Director of OMB 
prior to appointing a Chief Information Officer, and will advise the 
Director on matters regarding the authority, responsibilities, and 
organizational resources of the Chief Information Officer. For 
purposes of this paragraph, military departments and the Office of 
the Secretary of Defense may each appoint one official. The Chief 
Information Officer shall, among other things:
    (a) Be an active participant during all agency strategic 
management activities,

[[Page 19938]]

including the development, implementation, and maintenance of agency 
strategic and operational plans;
    (b) Be an active participant throughout the annual agency budget 
process in establishing investment priorities for agency information 
resources;
    (c) Advise the agency head on information resource implications 
of strategic planning decisions;
    (d) Monitor and evaluate the performance of information resource 
investments through a capital planning and investment control 
process, and advise the agency head on whether to continue, modify, 
or terminate a program or project;
    (e) Advise the agency head on budgetary implications of 
information resource decisions; and
    (f) Advise the agency head on the design, development, and 
implementation of information resources.
    (4) Direct the Chief Information Officer, appointed pursuant to 
44 U.S.C. 3506(a), to monitor agency compliance with the policies, 
procedures, and guidance in this Circular. Acting as an ombudsman, 
the Chief Information Officer will consider alleged instances of 
agency failure to comply with section 8(a) of this Circular, and 
recommend or take appropriate corrective action. The Chief 
Information Officer will report instances of alleged failure and 
their resolution annually to the Director of OMB, by February 1st of 
each year.
    (7) Maintain the following, as required by the Paperwork 
Reduction Act (44 U.S.C. 3506(b)(4) and 3511) and the Freedom of 
Information Act (5 U.S.C. 552(g)): an inventory of the agency's 
major information systems, holdings, and dissemination products; an 
agency information locator service; a description of the agency's 
major information and record locator systems; an inventory of the 
agency's other information resources, such as personnel and funding 
(at the level of detail that the agency determines is most 
appropriate for its use in managing the agency's information 
resources); and a handbook for persons to obtain public information 
from the agency pursuant to these Acts.
    (11) Ensure that the agency;
    (a) cooperates with other agencies in the use of information 
technology to improve the productivity, effectiveness, and 
efficiency of Federal programs;
    (b) promotes a coordinated, interoperable, secure, and shared 
government wide infrastructure that is provided and supported by a 
diversity of private sector suppliers; and
    (c) develops a well-trained corps of information resource 
professionals.
    (12) Use the guidance provided in OMB Circular A-11, ``Planning, 
Budgeting, and Acquisition of Fixed Assets,'' to promote effective 
and efficient capital planning within the organization;
    (13) Ensure that the agency provides budget data pertaining to 
information resources to OMB, consistent with the requirements of 
OMB Circular A-11,
    (14) Permit, to the extent practicable, the use of one agency's 
contract by another agency or the award of multi-agency contracts, 
provided the action is within the scope of the contract and 
consistent with OMB guidance; and
    (15) As designated by the Director of OMB, act as executive 
agent for the government-wide acquisition of information technology.

    8. Section 9, ``Assignment of Responsibilities,'' is further 
amended by revising Section 9b, ``Department of State,'' to read as 
follows:

    b. Department of State. The Secretary of State will:
    (1) Advise the Director of OMB on the development of United 
States positions and policies on international information policy 
and technology issues affecting Federal government activities and 
the development of international information technology standards; 
and
    (2) Be responsible for liaison, consultation, and negotiation 
with foreign governments and intergovernmental organizations on all 
matters related to information resources management, including 
federal information technology. The Secretary will also ensure, in 
consultation with the Secretary of Commerce, that the United States 
is represented in the development of international standards and 
recommendations affecting information technology. These 
responsibilities may also require the Secretary to consult, as 
appropriate, with affected domestic agencies, organizations, and 
other members of the public.

    9. Section 9, ``Assignment of Responsibilities'' is further amended 
by making the following revision to Section 9c, ``Department of 
Commerce'': Subparagraph (1) is revised to read as follows:

    (1) Develop and issue Federal Information Processing Standards 
and guidelines necessary to ensure the efficient and effective 
acquisition, management, security, and use of information technology 
while taking into consideration the recommendations of the agencies 
and the Chief Information Officers Council;

    10. Section 9, ``Assignment of Responsibilities,'' is further 
amended by making the following revisions to Section 9e, ``General 
Services Administration'': subparagraphs (1) through (5) are deleted, 
subparagraph (6) is renumbered as subparagraph (7); and the following 
new subparagraphs are added after the introductory text:

    (1) Continue to manage the FTS2001 program and coordinate the 
follow-up to that program, on behalf of and with the advice of 
agencies;
    (2) Develop, maintain, and disseminate for the use of the 
Federal community (as requested by OMB or the agencies) recommended 
methods and strategies for the development and acquisition of 
information technology;
    (3) Conduct and manage outreach programs in cooperation with 
agency managers;
    (4) Be a liaison on information resources management (including 
Federal information technology) with State and local governments. 
GSA will also be a liaison with non-governmental international 
organizations, subject to prior consultation with the Secretary of 
State to ensure consistency with the overall United States foreign 
policy objectives;
    (5) Support the activities of the Secretary of State for 
liaison, consultation, and negotiation with intergovernmental 
organizations on information resource management matters;
    (6) Provide support and assistance to the CIO Council and the 
Information Technology Resources Board.

    11. Section 9, ``Assignment of Responsibilities,'' is amended by 
making the following revisions to Section 9h, ``Office of Management 
and Budget'': Subparagraph (10) is deleted, subparagraphs (11) and (12) 
are renumbered as subparagraphs (10) and (11), and the following new 
subparagraphs are added at the end:

    (12) Evaluate agency information resources management practices 
and programs and, as part of the budget process, analyze, track, and 
evaluate the risks and results of major capital investments in 
information systems;
    (13) Notify an agency if OMB believes that a major information 
system project requires outside assistance;
    (14) Provide guidance on the implementation of the Clinger-Cohen 
Act and on the management of information resources to the executive 
agencies, to the CIO Council, and to the Information Technology 
Resources Board; and
    (15) Designate one or more heads of executive agencies as 
executive agent for government-wide acquisitions of information 
technology.

Proposed Appendix II to OMB Circular No. A-130--Information Technology 
Architecture

    This Appendix defines the minimum criteria for an agency 
Information Technology Architecture (ITA). Many agencies have 
already developed frameworks and methodologies guiding the 
development, implementation, and maintenance of an ITA. Therefore 
this guidance is intended to ensure that as agencies complete or 
update their ITA, critical information is included.
    An IT architecture in compliance with the Clinger-Cohen Act and 
OMB guidance will contain an Enterprise Architecture and a Technical 
Reference Model and Standards Profile.

What Is an Enterprise Architecture?

    An Enterprise Architecture is the explicit description of the 
current and desired relationships among business and management 
processes and information technology. It describes the ``target'' 
environment which the agency wishes to create and maintain by 
managing its IT portfolio. The Enterprise Architecture must also 
provide a strategy that will enable the agency to transition from 
its current to its target environment. Within the Enterprise 
Architecture it is important that agencies identify and document: 
(1) the business processes, (2) the information flow and

[[Page 19939]]

relationships, (3) applications, (4) data descriptions, and (5) 
technology infrastructure, as follows:
    1. Business Processes--Agencies must identify the work performed 
to support its mission, vision and performance goals. Agencies must 
also document change agents, such as legislation or new 
technologies, that will drive changes in the Enterprise 
Architecture.
    2. Information Flow and Relationships--Agencies must analyze the 
information utilized by the agency in its business processes, 
identifying the information used and the movement of the 
information. These information flows indicate where the information 
is needed and how the information is shared to support mission 
functions.
    3. Applications--Agencies must identify, define, and organize 
the activities that capture, manipulate, and manage the business 
information to support business processes. It also describes the 
logical dependencies and relationships among business activities.
    4. Data Descriptions and Relationships--Agencies must identify 
how data is created, maintained, accessed, and used. At a high 
level, agencies define the data and describe the relationships among 
data elements used in the agency's information systems.
    5. Technology Infrastructure--Agencies must describe and 
identify the functional characteristics, capabilities, and 
interconnections of the hardware, software, and telecommunications.

What Are the Technical Reference Model and Standards Profile?

    Technical Reference Model (TRM)--A TRM identifies and describes 
the information services (such as database, communications, 
intranet, etc.) used throughout the agency.
    Standards--Agencies should define the set of IT standards that 
support the services articulated in the TRM. Agencies are expected 
to adopt standards necessary to support the entire Enterprise 
Architecture, and must be enforced consistently throughout the 
agency.

Proposed Revisions to Appendix IV to OMB Circular No. A-130--
Analysis of Key Sections

    Revise Section 8a(5) to include:

    As described in Section 11 of the ``Electronic Freedom of 
Information Act Amendments of 1996'' (Public Law 104-231), an agency 
must place its index and description of major information and record 
locator systems in its reference material or guide. We expect that 
this index and description would include an agency's Government 
Information Locator Service (GILS) presence as well as any other 
major information and record locator systems the agency has 
identified.
    In addition, each agency should prepare a handbook that 
describes in one place the various ways by which a person can obtain 
public information from the agency, as well as the types and 
categories of information available. In preparing the handbook, each 
agency should review the dissemination policies contained in this 
Circular. The handbook should be in plain English and user-friendly. 
Where applicable, it should indicate that the public is encouraged 
to access information electronically via the agency's home page or 
to search in its reading room, and that the public may also submit a 
request to the agency under the Freedom of Information Act. ``Types 
and categories'' of available information will vary from agency to 
agency, and agencies should describe their information resources in 
whatever manner seems most appropriate.
    Although the law does not require that the handbook be available 
on-line, OMB encourages agencies to do so as a matter of policy. The 
handbook should include the following elements:
    1. The location of reading rooms within the agency and within 
its major field offices, as well as a brief description of the types 
and categories of information available.
    2. The location of the agency's World Wide Web home page.
    3. A reference to the agency's FOIA regulations and how to get a 
copy.
    4. A reference to the agency's FOIA annual report and how to get 
a copy.
    5. The location of the agency's GILS page.
    6. A brief description of the types and categories of 
information generally available from the agency.
    In addition, if there is an on-line version, it should have 
electronic links to these elements wherever they exist.

Section 8b(1)

What is the capital planning and investment control process?

    The capital planning and investment control process is a 
systematic approach to managing the risks and returns of IT 
investments. The process has three phases: select, control and 
evaluate. The process covers all stages of capital programming, 
including planning, budgeting and procurement. For additional 
information describing capital planning, please consult Circular A-
11.

Where can I get more information about return on investment (ROI)?

    Agencies that would like to learn more about compiling and 
demonstrating projected return on investments (ROI) are encouraged 
to consult the Federal CIO Council document ``ROI and the Value 
Puzzle''. This document may be obtained at the CIO Council's web 
page (http://cio.gov).

How should agencies incorporate security into management of 
information resources?

    Effective security is an essential element of all information 
systems. A process assuring adequate security must be integrated 
into the agency's management of information resources. This process 
should be a component of the both capital planning process and the 
information technology architecture. A system's security 
requirements must be supported by the agency ITA in order for it to 
be considered during the select phase of the capital planning 
process. Agencies will use the control and evaluate phases of 
capital planning to ensure these security requirements are met 
throughout the system's life cycle. For more information on computer 
security please read Appendix III of this Circular.

How will agencies use the information collected during the capital 
planning process?

    As a quick guide, this table summarizes the information trail 
and describes how certain types of information will be utilized 
throughout the capital planning process.

----------------------------------------------------------------------------------------------------------------
                                                       Components of the capital planning process
         Required information         --------------------------------------------------------------------------
                                           Select (planned)         Control (actual)       Evaluate (variance)
----------------------------------------------------------------------------------------------------------------
Justification and descriptive          Provided as part of the  Reviewed and reported    Reported annually as
 information.                           pre-screening process    systematically to        part of the Capital
                                        and documents the        ensure business needs    Asset Plan and
                                        business case            are being met.           Justification (Exhibit
                                        justification for the                             300B).
                                        investment.

[[Page 19940]]

 
Summary of spending by project         Provided as part of the  Reviewed systematically  Reported annually as
 stages, cost, schedule, and            initial planning and     to ensure that costs     part of the Capital
 performance goals.                     budgeting process        and scheduled goals      Asset Plan and
                                        using a work break-      are on target.           Justification (Exhibit
                                        down process. The                                 300B).
                                        summary reflects a
                                        life cycle project
                                        management approach
                                        for all stages of the
                                        investment, and is
                                        structured using a
                                        performance based
                                        management process
                                        (such as earned value
                                        management).
Program management and contracting     Provided as part of the  Reviewed systematically  Reported annually as
 information.                           planning phase and       to ensure that           part of the Capital
                                        includes information     contract and             Asset Plan and
                                        such as type of          acquisition goals are    Justification (Exhibit
                                        contract, and            on target.               300B).
                                        acquisition planning
                                        information.
Financial Basis for the project......  Details financial        Reviewed and updated     Reported annually as
                                        analysis such as         systematically to        part of the Capital
                                        benefits-cost analysis   capture the latest       Asset Plan and
                                        (BCA), return on         information on ROI and   Justification (Exhibit
                                        investment and other     benefits and to track    300B).
                                        financial analysis       financial performance.
                                        performed to justify
                                        the investment.
Performance measures and goals.......  Provided prior to the    Monitored and reported   Reported annually as
                                        selection of the         systematically for       part of the Capital
                                        project and              performance goals and    Asset Plan and
                                        establishes the          the progress of          Justification (Exhibit
                                        baseline for             meeting the business     300B).
                                        performance measures     goals and needs of an
                                        and goals whereby the    agency.
                                        investment will be
                                        monitored.
Costs and schedule goals.............  Provided as part of the  Updated systematically   Reported annually as
                                        initial planning and     to ensure that the       part of the Capital
                                        budgeting process        investment is earning    Asset Plan and
                                        using a work break-      at the planned rate.     Justification (Exhibit
                                        down process. The                                 300B).
                                        goals reflect a life-
                                        cycle project
                                        management approach
                                        for all stages of the
                                        investment and is
                                        structured using an
                                        earned value
                                        management process.
Risks................................  Risk assessments are     Reviewed and updated     Reported annually as
                                        performed and            systematically to        part of the Capital
                                        mitigation plans are     gauge effectiveness of   Asset Plan and
                                        provided as part of      the mitigation plans     Justification (Exhibit
                                        the initial planning     and to identify any      300B).
                                        phase. Assessments       new risks that may
                                        must address             arise.
                                        technology, security,
                                        strategic issues, and
                                        IT architecture. Risks
                                        Assessments may also
                                        address the risk of
                                        not continuing a
                                        project.
Benefits associated with the           Benefits can be either   Updated systematically   Reported annually as
 investment.                            financial or non-        to further strengthen    part of the Capital
                                        financial and may also   the business case for    Asset Plan and
                                        be cost avoidance. The   the investment or its    Justification (Exhibit
                                        expected benefits are    continuance and to       300B).
                                        captured as part of      ensure that the
                                        the initial planning     benefits are realized.
                                        phase of an investment.
----------------------------------------------------------------------------------------------------------------

Section 8b(2)

What Is an ITA?

    An Information Technology Architecture (ITA) should guide the 
agency's management of information resources for agency-wide 
information and information technology needs consistent with 
Appendix II of this Circular. The ITA will help the agency cope with 
technology and business change by serving as a reference for updates 
to existing and new information systems. The ITA will also assure 
interoperability of business processes, data, applications and 
technology as agencies integrate proposed information systems 
projects with one another and with existing legacy systems. The 
agency's strategic IRM plan should describe the parameters (e.g., 
technical standards) of such an ITA. The ITA must also drive 
operational planning and describe how the agency intends to use 
information and information technology.

Where Can I Get More Information Describing the ITA?

    Agencies that require additional information on developing or 
maintaining an ITA are encouraged to consult the Federal CIO Council 
document entitled ``The Federal Enterprise Architecture (FEA) 
Framework'' which is available on the CIO Council's web site (http://cio.gov).

[[Page 19941]]

What Is an Open Systems Environment?

    An open system should be based on an architecture with published 
or documented interface specifications that have been adopted by a 
standards settings body.

Ultimately, Who Determines the Acceptable Level of Security for a 
System?

    Each agency program official must understand the risk to systems 
under their control and determine the acceptable level of risk, 
ensure adequate security is maintained to support and assist the 
programs under their control, ensure that security controls comport 
with program needs and appropriately accommodate operational 
necessities. In addition, program officials should work in 
conjunction with Chief Information Officers and other appropriate 
agency officials so that security measures support agency 
information architectures.

Section 8b(3)

What Should agencies Consider Before Acquiring a COTS Solution?

    COTS products can provide agencies a cost effective and 
efficient solution. However, often COTS products require 
customization for seamless use. Therefore agencies must still 
thoroughly examine the impact of a COTS product selection. A 
lessons-learned guide describing the risks of COTS products has been 
published by the Information Technology Resources Board (ITRB). The 
guide, entitled ``Assessing the Risks of Commercial-Off-The-Shelf 
(COTS) Applications,'' is available on the ITRB web site (http://itrb.gov).

Section 9a(3). Chief Information Officer (CIO)

To Whom Does the CIO Report?

    Each agency must appoint a Chief Information Officer, as 
required by 44 U.S.C. 3506(a), who will report directly to the 
agency's head to carry out the responsibilities of the agency under 
the PRA.

What Are the CIO's Responsibilities in Regards to Financial 
Management Systems?

    The head of the agency is responsible for defining the operating 
relationship between the CIO and CFO functions and ensuring 
coordination in the implementation of the Clinger-Cohen Act, the 
PRA, the Chief Financial Officers Act, and the Government 
Performance and Results Act. The Clinger-Cohen Act encourages the 
CIO and CFO to work together under the direction of the agency head 
to ensure that the agency's information systems provide reliable, 
consistent, and timely program performance information.

What Is the CIO's Role in the Capital Planning Process?

    The CIO will ensure that a capital planning process is 
established and rigorously used to define and validate all 
information resource investments. Through this process, the CIO 
shall monitor and evaluate the performance of the information 
technology portfolio of the agency and advise the agency head 
whether to continue, modify, or terminate a program or project. The 
CIO will have accountability and authority over continuation or 
termination of information resource investments.
    Additionally, the CIO will establish a board composed of senior 
level managers who will have the responsibility of making key 
business recommendations on information resource investments, and 
who will be continuously involved. Many agencies will institute a 
second board, composed of program or project level managers, with 
more detailed business and information resource knowledge. They will 
be able to provide technical support to the senior level board in 
proposing, evaluating, and recommending information resource 
investments.

What Is the CIO's Role in the Annual Budget Process?

    The CIO will be an active participant during all agency annual 
budget processes and strategic planning activities, including the 
development, implementation, and maintenance of agency strategic 
plans. The CIO's role is to provide leadership and a strategic 
vision for using information technology to transform the agency. 
CIO's must also ensure that all information resource investments 
deliver a substantial mission benefit to the agency and/or a 
substantial ROI to the taxpayer.
    Additionally, the CIO will ensure coordination of information 
resource planning processes and documentation with the agency's 
strategic, performance and budget process.

Section 9a(4)

Why Is the CIO Considered an Ombudsman?

    The CIO designated by the head of each agency under 44 U.S.C. 
3506(a) is charged with carrying out the responsibilities of the 
agency under the PRA. Agency CIOs are responsible for ensuring that 
their agency practices are in compliance with OMB policies. It is 
envisioned that the CIO will work as an ombudsman to investigate 
alleged instances of agency failures to adhere to the policies set 
forth in the Circular and to recommend or take corrective action as 
appropriate. Agency heads should continue to use existing mechanisms 
to ensure compliance with laws and policies.

[FR Doc. 00-9077 Filed 4-12-00; 8:45 am]
BILLING CODE 5110-01-P