[Federal Register Volume 65, Number 72 (Thursday, April 13, 2000)]
[Notices]
[Pages 19933-19941]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 00-9077]
=======================================================================
-----------------------------------------------------------------------
OFFICE OF MANAGEMENT AND BUDGET
Management of Federal Information Resources
AGENCY: Office of Management and Budget, Executive Office of the
President.
ACTION: Proposed revision of OMB Circular No. A-130.
-----------------------------------------------------------------------
SUMMARY: The Office of Management and Budget is revising Circular No.
A-130, ``Management of Federal Information Resources,'' to implement
provisions of the Clinger-Cohen Act (also known as ``Information
Technology Management Reform Act of 1996'') and for other purposes.
This notice proposes revisions to the sections of the Circular
concerning information systems and information technology management to
follow more closely provisions of the Clinger-Cohen Act and OMB
Circular A-11, which involve the acquisition, use, and disposal of
information technology as a capital asset by the Federal government to
improve the productivity, efficiency, and effectiveness of Federal
programs. It also makes minor technical revisions throughout the
Circular (for example, changing ``senior official'' to ``Chief
Information Officer''). It proposes a new Appendix II to address
``Information Technology Architectures,'' incorporates OMB guidance
regarding computer security into Appendix III, and revises Appendix IV
to reflect these changes.
This notice also proposes revisions to the sections of the Circular
concerning information management policy to follow more closely the
provisions of the current OMB guidance entitled ``Implementation of the
Government Paperwork Elimination Act.''
DATES: If you wish to comment on the proposed revisions to Circular No.
A-130, please submit your comments no later than Friday, May 19, 2000.
Each Department and agency should submit a single coordinated set of
comments.
ADDRESSES: We welcome electronic comments and will include them as part
of the official record. Please send comments electronically to: [email protected]. You may address hardcopy comments to: Information
Policy and Technology Branch, Office of Information and Regulatory
Affairs, Office of Management and Budget, Room 10236, New Executive
Office Building, Washington, DC 20503.
Electronic Availability: This document is available on the Internet
at the OMB web site, http://www.whitehouse.gov/omb/fedreg/index.html
and at the CIO Council home page at http://cio.gov. You can also obtain
a copy of OMB Circular No. A-11, including the supplement to Part 3,
``The Programming Guide,'' at the OMB web site and the CIO Council web
site, or by calling the Budget Review and Concepts Division at OMB at
202-395-3172.
FOR FURTHER INFORMATION CONTACT: Tony Frater, Information Policy and
Technology Branch, Office of Information and Regulatory Affairs, Office
of Management and Budget, Room 10236, New Executive Office Building,
Washington, DC 20503. Telephone: (202) 395-3785.
SUPPLEMENTARY INFORMATION:
Background
The Clinger-Cohen Act (also known as ``Information Technology
Management Reform Act of 1996'') (Public Law 104-106, Division E,
codified at 40 U.S.C. Chapter 25) grants to the Director of the Office
of Management and Budget (OMB) various authorities for overseeing the
acquisition, use, and disposal of information technology by the Federal
government, so as to improve the productivity, efficiency, and
effectiveness of Federal programs. It supplements the information
resources management (IRM) policies contained in the Paperwork
Reduction Act (PRA) (44 U.S.C. Chapter 35) by establishing a
comprehensive approach to improving the acquisition and management of
agency information systems through work process redesign, and by
linking planning and investment strategies to the budget process.
The Clinger-Cohen Act establishes clear accountability for IRM
activities by creating agency Chief Information Officers (CIOs) with
the authority and management responsibility necessary to advise agency
heads. Among other responsibilities, CIOs oversee the design,
development, and implementation of information systems. CIOs also
monitor and evaluate system performance and advise agency heads to
modify or terminate those systems. The Clinger-Cohen Act also directs
agencies to work together towards the common goal of using information
technology to improve the productivity, effectiveness, and efficiency
of Federal programs and to promote an interoperable, secure, and shared
government-wide information resources infrastructure.
To provide agencies with additional guidance on implementing the
Clinger-Cohen Act, OMB proposes to revise Circular No. A-130,
``Management of Federal Information Resources'' (61 FR 6428, February
20, 1996), which contains the policy framework for the management of
Federal information resources. OMB has issued previous guidance
regarding the Clinger-Cohen Act implementation, including OMB
Memoranda M-96-20, ``Implementation of the Information Technology
Management Reform Act of 1996;'' M-97-02, ``Funding Information Systems
Investments;'' M-97-09, ``Interagency Support for Information
Technology;'' M-97-15, ``Local Telecommunications Services Policy;'' M-
97-16, ``Information Technology Architectures''. Upon issuance of final
revisions to the Circular, OMB will rescind those Memoranda. Future
revisions to A-130 will incorporate other related OMB guidance,
including issuances on computer security and agency use of electronic
transactions.
Since the last revision of this Circular, Congress passed, and the
President signed into law, the Electronic Freedom of Information Act
Amendments (Public Law 104-231). Among other changes, the E-FOIA
Amendments added a new subsection (g) to the FOIA, which reinforces the
preexisting requirement in the Paperwork Reduction Act for agencies to
maintain an inventory of their major information systems and an
information locator service. The E-FOIA Amendments also require
agencies to maintain a handbook that explains how persons may obtain
public information from the agency pursuant to the FOIA and the PRA.
Additional text has been added to this provision in Section 9 to
reflect the enactment of the E-FOIA Amendments. Also, Appendix IV has
been amended to incorporate the guidance that OMB issued to agencies in
April 1998 on implementing the E-FOIA's handbook requirement (OMB
Memorandum M-98-09). When this guidance is incorporated into the
Circular, OMB will rescind the 1998 Memorandum.
In addition, in late 1997, a lawsuit was filed against several
agencies (Public Citizen v. Raines) alleging that they had not complied
with the requirements in the PRA and FOIA for agencies to inventory
their information systems. During the course of the litigation, which
is ongoing, the argument was advanced by the plaintiff that Congress in
the 1995 revisions to the PRA required agencies to maintain an
inventory of all of their information systems, rather than only their
major information systems. OMB responded by expressing its view that,
in revising the PRA in 1995, Congress did not require agencies to
inventory all of their information systems. Instead, consistent with
the PRA as originally enacted in 1980 and amended in 1986, Congress in
1995 continued to require an agency to inventory its ``major''
information systems. This legislative intent is reflected in Section
3511(a) of the 1995 PRA (which requires an inventory of an agency's
major information systems) and also in Section 3506(b)(4), which cross-
references that requirement in Section 3511. A continuing PRA focus on
the agency's ``major'' information systems is also consistent with the
later-enacted 1996 E-FOIA Amendments, in which Congress required
agencies to make available to the public their inventories of major
information systems.
Finally, in terms of the agency's activities in managing its
information resources, which is the overall subject of Section 3506(b),
OMB believes that an agency needs to focus its management attention on
its ``major'' information systems, and for this reason an inventory
that includes those major systems (but not all systems) makes the most
sense for improving agency management. Therefore, in addition to
reflecting the passage of the E-FOIA Amendments, the proposed revisions
to Section 9 also make clearer the agencies' obligations under the PRA
and FOIA in this area. These revisions reiterate the pre-existing
requirement in Section 9 for each agency to maintain an inventory of
its major information systems (these systems may be electronic or
paper--the Circular's definition of ``major information systems'' is
format neutral). The revisions also clarify that each agency, under
Section 3506(b)(4) of the PRA, needs to maintain as well an inventory
of its other ``information resources'' (such as personnel and funding)
at the level of detail that the agency's managers believe is most
appropriate for them to use in their management of the agency's
information resources.
What Sections of Circular No. A-130 Are Proposed for Revision?
Section 3. Authorities. This section is amended to cite, and to
incorporate changes necessitated by the Clinger-Cohen Act, the
Government Performance and Results Act (GPRA), and Executive Order
13011.
Section 5. Background. A discussion of the basic principles and
goals of the Clinger-Cohen Act is added.
Section 6. Definitions. The terms ``Chief Information Officers
Council'' and ``Information Technology Resources Board'' are introduced
to reflect the interagency support structures established by Executive
Order 13011. The term ``executive agency'' is introduced to reflect the
definition found in the Clinger-Cohen Act. The term ``information
technology'' is amended to reflect definitional changes made by the
Clinger-Cohen Act, and is supplemented by the limiting term ``national
security system'' to clearly identify those systems to which the
Circular applies. The term ``capital planning and investment control
process'' is introduced to assist agencies in the reporting
requirements of the Clinger-Cohen Act.
Section 7. Basic Considerations and Assumptions. The existing basic
considerations and assumptions are supplemented with a modified
subsection (i) and new subsection (r) to reflect the relevant goals and
purposes of the Clinger-Cohen Act and Executive Order 13011.
Section 8a. Information Management Policy. Section 8a(3) is
proposed to be revised to reflect the Government Paperwork Elimination
Act (Public Law 105-277, Title XVII), which was enacted in October
1998. OMB issued proposed guidance to implement the GPEA on March 5,
1999 (64 FR 10896), and is preparing the final guidance, to be issued
shortly.
Section 8b. Information Systems and Information Technology
Management. This section is substantially revised to implement the
policies of the Clinger-Cohen Act and the principles of Executive Order
13011. Sections 8b(1), 8b(2), and 8b(3) have been merged to better
integrate requirements under the Clinger-Cohen Act, the Government
Performance and Results Act (Public Law 103-62), and revisions to OMB
Circular A-11.
New section 8b(1) is revised to provide guidance on both strategic
and operational IRM planning by integrating the agency's information
resources management plans, strategic plans, performance plans,
financial management plans, and budget processes, as discussed in OMB
Circular A-11, Sec 210.8. This new section outlines three components:
selection, control, and evaluation. It also stresses the need to
redesign work processes before making significant investments in
automation, and the need to evaluate commercial off-the-shelf ``COTS''
software as part of the capital planning process. Additionally, this
section contains revisions that incorporate requirements for IT
accessibility by persons with disabilities that had previously resided
in the Federal Information Resource Management Regulations (FIRMR, 41
CFR 201).
Section 8b(2), previously 8b(4), is assigned a new heading ``What
is an ITA.'' This section is modified, and includes relevant concepts
from the previous section. Section 8b(3), previously 8b(5), is modified
to promote the structuring of major information systems into modules
that will reduce risk, promote flexibility and interoperability,
increase accountability, and better match mission needs with current
technology and market conditions.
Section 9. Assignment of Responsibilities.
Subsection 9a, All Federal Agencies, is changed to reflect the new
Chief Information Officer (CIO) position created by the Clinger-Cohen
Act, and reflects developments since the Circular was last revised in
February 1996. A new subsection 9a(3) is inserted to reflect CIO
responsibilities. Old subsections 9a(3)-(8) are renumbered to become
9a(4)-(9). Existing Section 9a(5)--which would be renumbered as Section
9a(7)--is proposed to be revised to make clearer the agencies'
obligations under the Paperwork Reduction Act and the Freedom of
Information Act (as discussed above). A new Subsection 9a(10) is added
to ensure cross-agency cooperation. 9a(11) is added to encourage
agencies to permit other agencies to place orders for information
technology against their contracts to the extent practicable. Subsections
9a(3), (12), (13), (14), and (15) are added to describe the CIO's
responsibilities under the Clinger-Cohen Act.
Subsection 9b, Department of State, is revised to reflect
responsibilities described in the Clinger-Cohen Act and Executive Order
13011. These include liaison, consultation, and negotiation with
foreign governments and intergovernmental organizations on matters
related to information resources management as well as the State
Department's advisory role in developing U.S. positions and policies on
international information policy and technology issues affecting the
Federal government.
Subsection 9c(1), Department of Commerce, is supplemented to
reflect that agencies and the Chief Information Officers Council will
make recommendations, as appropriate, to the Secretary of Commerce
regarding standards development.
Subsection 9e, General Services Administration (GSA), is changed to
reflect that with the enactment of the Clinger-Cohen Act, GSA will no
longer perform policy and oversight functions. GSA will continue to
provide services, training, and assistance as requested by the agencies
and OMB.
Subsection 9h, Office of Management and Budget, is changed to
reflect that OMB will provide guidance to the Boards established by
Executive Order 13011, and may from time to time designate executive
agents for government-wide procurement of information technology.
Accordingly, Circular No. A-130 (61 FR 6428, February 20, 1996) is
proposed to be amended as set forth below.
John T. Spotila,
Administrator, Office of Information and Regulatory Affairs.
Proposed Amendments to OMB Circular No. A-130
1. Section 3, ``Authorities,'' is revised to read as follows:
3. Authorities: This Circular is issued pursuant to the
Paperwork Reduction Act (PRA) of 1980, as amended by the Paperwork
Reduction Act of 1995 (44 U.S.C. Chapter 35); the Clinger-Cohen Act
(also known as ``Information Technology Management Reform Act of
1996'') (Public Law 104-106, Division E); the Privacy Act, as
amended (5 U.S.C. 552a); the Chief Financial Officers Act (31 U.S.C.
3512 et seq.); the Federal Property and Administrative Services Act,
as amended (40 U.S.C. 487); the Computer Security Act (Public Law
100-235); the Budget and Accounting Act, as amended (31 U.S.C.
Chapter 11); Executive Order 12046 of March 27, 1978; Executive
Order 12472 of April 3, 1984; and Executive Order 13011 of July 17,
1996.
2. Section 5, ``Background,'' is amended by adding the following
new paragraph:
The Clinger-Cohen Act supplements the information resources
management policies contained in the PRA by establishing a
comprehensive approach for executive agencies to improve the
acquisition and management of their information resources, through:
(1) Focusing information resource planning to support the
agency's strategic missions;
(2) Implementing a capital planning and investment control
process that links to budget formulation and execution; and
(3) Rethinking and restructuring the way agencies do their work
before investing in information systems.
3. Section 6, ``Definitions,'' is amended by making the following
revisions: definitions are added for ``capital planning and investment
control process,'' ``Chief Information Officers Council,'' ``executive
agency,'' ``Information Technology Resources Board,'' and ``national
security system''. The definition for ``information technology'' is
revised, and the remaining definitions are redesignated accordingly.
The new and revised definitions are as follows:
c. The term ``capital planning and investment control process''
means a management process for ongoing identification, selection,
control, and evaluation of investments in information resources. The
process is linked to budget formulation and execution, and is
focused on agency missions and achieving specific program outcomes.
d. The term ``Chief Information Officers Council'' (CIO Council)
means the Council established in Section 3 of Executive Order 13011.
f. The term ``executive agency'' has the meaning defined in
section 4(1) of the Office of Federal Procurement Policy Act (41
U.S.C. 403(1)).
t. The term ``information technology'' means any equipment or
interconnected system or subsystem of equipment, that is used in the
automatic acquisition, storage, manipulation, management, movement,
control, display, switching, interchange, transmission, or reception
of data or information by an executive agency. For purposes of the
preceding sentence, equipment is used by an executive agency if the
equipment is used by the executive agency directly or is used by a
contractor under a contract with the executive agency which (i)
requires the use of such equipment, or (ii) requires the use, to a
significant extent, of such equipment in the performance of a
service or the furnishing of a product. The term ``information
technology'' includes computers, ancillary equipment, software,
firmware and similar procedures, services (including support
services), and related resources. The term ``information
technology'' does not include any equipment that is acquired by a
Federal contractor incidental to a Federal contract.
u. The term ``Information Technology Resources Board''
(Resources Board) means the board established by Section 5 of
Executive Order 13011.
w. The term ``national security system'' means any
telecommunications or information system operated by the United
States Government, the function, operation, or use of which (1)
involves intelligence activities; (2) involves cryptologic
activities related to national security; (3) involves command and
control of military forces; (4) involves equipment that is an
integral part of a weapon or weapons system; or (5) is critical to
the direct fulfillment of military or intelligence missions, but
excluding any system that is to be administrative and business
applications (including payroll, finance, logistics, and personnel
management applications). The policies and procedures established in
this Circular shall apply to national security systems in a manner
consistent with the applicability and related limitations regarding
such systems set out in Section 5141 of the Clinger-Cohen Act (Pub.
L. 104-106). Applicability of Clinger-Cohen Act to national security
systems shall include budget document preparation requirements set
forth in OMB Circular A-11. The resultant budget document may be
classified in accordance with the provisions of Executive Order
12958.
4. Section 7, ``Basic Considerations and Assumptions,'' is amended
by revising Section 7i and by adding 7r to read as follows:
i. Strategic planning improves the operation of government
programs. The agency strategic plan will shape the redesign of work
processes and guide the development and maintenance of a capital
planning and investment control process. This management approach
promotes the appropriate application of Federal information
resources.
r. The development and operation of interagency and
interoperable shared information resources to support the
performance of government missions should be supported by the Chief
Information Officers Council and the Information Technology
Resources Board.
5. Section 8, ``Policy,'' is amended by revising Section 8a(3) to
read as follows:
3. Electronic Information Collection. Executive agencies under
Sections 1703 and 1705 of the Government Paperwork Elimination Act
(GPEA), Public Law 105-277, Title XVII, are required to provide, by
October 21, 2003, the (1) option of the electronic maintenance,
submission, or disclosure of information, when practicable as a
substitute for paper; and (2) use and acceptance of electronic
signatures, when practicable. Agencies will follow the provisions in
OMB guidance, Implementation of the Government Paperwork Elimination
Act.
6. Section 8, ``Policy,'' is amended by revising Section 8b(1) to
read as follows:
b. How Should Agencies Manage Information Systems and
Information Technology?
(1) Capital Planning and Investment Control. Agencies must
establish and maintain a capital planning and investment control
process that links mission needs, information, and information
technology in an effective and efficient manner. The process should
guide both strategic and operational IRM planning by integrating the
agency's information resources management plans, strategic plans
prepared pursuant to the Government Performance and Results Act of
1993 (5 U.S.C. 306), performance plans prepared pursuant to
Government Performance and Results Act of 1993 (31 U.S.C. 1115),
financial management plans prepared pursuant to the Chief Financial
Officers Act of 1990 (31 U.S.C. 902a5), and the agency's budget
formulation and execution processes. The capital planning and
investment control process includes all stages of capital
programming, including planning, budgeting, and procurement.
As outlined below in section (B), the capital planning and
investment control process has three components: selection, control,
and evaluation. The process should be iterative, with inputs coming
from the agency strategic plan and the outputs feeding into the
budget and investment control processes. The goal is to link
resources to results. For further guidance on Capital Planning refer
to OMB Circular A-11.
(A) What components are expected in the Information Resources
Management Plan? As a product of the capital planning and investment
control process, agencies must develop and maintain the agency
Information Resource Management Plan (IRM) (also known as the IT
Capital Plan), as required by 44 U.S.C. 3506(b)(2). The IRM Plan
will include both Strategic and Operational IRM Plans. Specifically,
the IRM Plan must include:
(i) A component derived from the agency strategic plan as
required by the Government Performance and Results Act.
Specifically, an analysis detailing the information resource
investment particulars contained within the agency Strategic Plan.
These particulars should focus on the strategic implementation of IT
to achieve the overall missions and goals of the agency and describe
the linkage between the investment and the agency's missions, as
required by OMB Circular A-11;
(ii) A component derived from the agency annual performance plan
as required by the Government Performance and Results Act.
Specifically, an analysis describing the information resource
investment particulars contained within the agency annual
Performance Plan. These particulars should describe the quantifiable
performance measures used in evaluating the implementation of
specific IT initiatives and should provide metrics to assess
progress towards achieving performance goals;
(iii) A component derived from the agency annual program
performance report as required by the Government Performance and
Results Act. Specifically, an accountability report comparing actual
performance to expected performance as expressed in the annual goals
established in the agency Performance Plans. Progress should be
detailed in OMB Circular A-11 Exhibit 300B submissions as part of
the annual budget process; and
(iv) A component derived from the agency security plan as
required by the Computer Security Act. Specifically, the summary
plan included in the agency's five-year plan as required by 44
U.S.C. 3505 and Appendix III of this Circular.
(B) What must an agency do as part of the selection component of
the capital planning process?
(i) Evaluate each investment in information resources to
determine whether the investment will support core mission functions
that must be performed by the Federal government;
(ii) Ensure that improvements to existing information systems or
the development of
new information systems are initiated because no alternative private
sector or governmental source can efficiently support the function;
(iii) Support work processes that have been simplified or
otherwise redesigned to reduce costs, improve effectiveness, and
make maximum use of commercial, off-the-shelf technology;
(iv) Reduce risk by avoiding or isolating custom designed
components, using components that can be fully tested or prototyped
prior to production, and ensuring involvement and support of users;
(v) Demonstrate a projected return on the investment that is
clearly equal to or better than alternative uses of available public
resources. The return may include improved mission performance in
accordance with GPRA measures, reduced cost, increased quality,
speed, or flexibility; and increased customer and employee
satisfaction. The return should be adjusted for such risk factors as
the project's technical complexity, the agency's management
capacity, the likelihood of cost overruns, and the consequences of
under- or non-performance. Return on investment should, where
appropriate, be demonstrated by actual returns observed through
pilot projects and prototypes;
(vi) Prepare and update a benefit-cost analysis (BCA) for each
information system throughout its life cycle. A BCA will provide a
level of detail proportionate to the size of the investment; rely on
systematic measures of mission performance; and be consistent with
the methodology described in OMB Circular No. A-94, ``Guidelines and
Discount Rates for Benefit-Cost Analysis of Federal Programs'';
(vii) Prepare and maintain a portfolio of major information
systems that monitors investments and prevents redundancy of
existing or shared systems. The portfolio should provide information
demonstrating the impact of alternative IT investment strategies and
funding levels, identify opportunities for sharing resources, and
consider the agency's inventory of information resources;
(viii) Ensure consistency with Federal, agency, and bureau
information architectures;
(ix) Ensure that improvements to existing information systems
and the development of planned information systems do not
unnecessarily duplicate information systems within the same agency,
from other agencies, or from the private sector;
(x) Ensure that the selected system or process maximizes the
usefulness of information, minimizes the burden on the public, and
preserves the appropriate integrity, availability, and
confidentiality of information throughout its life cycle. This
portion shall specifically address the planning and budgeting for
the information collection burden imposed on the public as defined
by 5 CFR part 1320;
(xi) Establish oversight mechanisms, consistent with Appendix
III of this Circular, to systematically evaluate and ensure the
continuing security and availability of systems and their data;
(xii) Ensure that Federal information system requirements do not
unnecessarily restrict the prerogatives of state, local and tribal
governments;
(xiii) Ensure that the selected system or process facilitates
accessibility pursuant to the Rehabilitation Act of 1973, as amended
(Public Law 105-220, 29 U.S.C. 794d).
(C) What must an agency do as part of the control component of
the capital planning process?
(i) Institute performance measures and management processes that
monitor actual performance compared to expected results. Agencies
must use a performance based management system that provides timely
information regarding the progress of an information technology
investment. The system must also measure progress towards milestones
on an independently verifiable basis, in terms of cost, capability
of the investment to meet specified requirements, timeliness, and
quality;
(ii) Establish oversight mechanisms that require periodic review
of information systems to determine how mission requirements might
have changed, and whether the information system continues to
fulfill ongoing and anticipated mission requirements. These
mechanisms must also require information regarding the future levels
of maintenance necessary to ensure the information system meets
mission requirements cost effectively;
(iii) Ensure that major information systems proceed in a timely
fashion towards agreed-upon milestones in an information system life
cycle. Information systems must also continue to deliver intended
benefits to the agency and customers, meet user requirements, and
identify and offer security protections;
(iv) Prepare and update a strategy that identifies and mitigates
risks associated with each information system; and
(v) Ensure that financial management systems conform to the
requirements of OMB Circular No. A-127, ``Financial Management
Systems.''
(D) What must an agency do as part of the evaluation component
of the capital planning process?
(i) Conduct post-implementation reviews of information systems
and information resource management processes to validate estimated
benefits and costs, and document effective management practices for
broader use;
(ii) Evaluate systems to ensure positive return on investment
and decide whether continuation, modification, or termination of the
systems is necessary to meet agency mission requirements; and
(iii) Document lessons learned from the post-implementation
reviews. Redesign oversight mechanisms and performance levels to
incorporate acquired knowledge.
(2) What is an ITA? Consistent with Appendix II of this
Circular, agencies will create an Information Technology
Architecture (ITA). This framework should document linkages between
mission needs, information content, and information technology
capabilities. An ITA should also guide both strategic and
operational IRM planning. It should be supported by a complete
inventory of the agency information resources, including personnel,
equipment, and funds devoted to information resources management and
information technology, at a level of detail appropriate to support
the ITA. It should also address steps necessary to create an open
systems environment. Agencies will implement the following
principles:
(a) Develop information systems that facilitate
interoperability, application portability, and scalability of
computerized applications across networks of heterogeneous hardware,
software, and communications platforms;
(b) Meet information technology needs through cost effective
intra-agency and interagency sharing, before acquiring new
information technology resources; and
(c) Establish a level of security for all information systems
that is commensurate to the risk and magnitude of the harm resulting
from the loss, misuse, unauthorized access to, or modification of
the information stored or flowing through these systems.
(1) How Should Agencies Acquire Information Technology?
Agencies will:
(a) Make use of adequate competition, allocate risk between
government and contractor, and maximize return on investment when
acquiring information technology;
(b) Structure major information systems into useful segments
with a narrow scope and brief duration. This will reduce risk,
promote flexibility and interoperability, increase accountability,
and better match mission need with current technology and market
conditions;
(c) Acquire off-the-shelf software from commercial sources,
unless the cost effectiveness of developing custom software is clear
and has been documented through pilot projects or prototypes; and
(d) Ensure accessibility of acquired information technology
pursuant to the Rehabilitation Act of 1973, as amended (Pub. Law
105-220, 29 U.S.C. 794d).
7. Section 9, ``Assignment of Responsibilities,'' is amended by
making the following revisions to Section 9a, ``All Federal Agencies'':
delete subparagraphs (9)-(10), renumber subparagraphs (3)-(8) to become
subparagraphs (5)-(10), insert new subparagraphs (3)-(4), revise new
subparagraph (7), and insert (11)-(15) to read:
(3) Appoint a Chief Information Officer, as required by 44
U.S.C. 3506(a), who must report directly to the agency head to carry
out the responsibilities of the agencies listed in Executive Order
13011. The head of the agency will consult with the Director of OMB
prior to appointing a Chief Information Officer, and will advise the
Director on matters regarding the authority, responsibilities, and
organizational resources of the Chief Information Officer. For
purposes of this paragraph, military departments and the Office of
the Secretary of Defense may each appoint one official. The Chief
Information Officer shall, among other things:
(a) Be an active participant during all agency strategic
management activities,
[[Page 19938]]
including the development, implementation, and maintenance of agency
strategic and operational plans;
(b) Be an active participant throughout the annual agency budget
process in establishing investment priorities for agency information
resources;
(c) Advise the agency head on information resource implications
of strategic planning decisions;
(d) Monitor and evaluate the performance of information resource
investments through a capital planning and investment control
process, and advise the agency head on whether to continue, modify,
or terminate a program or project;
(e) Advise the agency head on budgetary implications of
information resource decisions; and
(f) Advise the agency head on the design, development, and
implementation of information resources.
(4) Direct the Chief Information Officer, appointed pursuant to
44 U.S.C. 3506(a), to monitor agency compliance with the policies,
procedures, and guidance in this Circular. Acting as an ombudsman,
the Chief Information Officer will consider alleged instances of
agency failure to comply with section 8(a) of this Circular, and
recommend or take appropriate corrective action. The Chief
Information Officer will report instances of alleged failure and
their resolution annually to the Director of OMB, by February 1st of
each year.
(7) Maintain the following, as required by the Paperwork
Reduction Act (44 U.S.C. 3506(b)(4) and 3511) and the Freedom of
Information Act (5 U.S.C. 552(g)): an inventory of the agency's
major information systems, holdings, and dissemination products; an
agency information locator service; a description of the agency's
major information and record locator systems; an inventory of the
agency's other information resources, such as personnel and funding
(at the level of detail that the agency determines is most
appropriate for its use in managing the agency's information
resources); and a handbook for persons to obtain public information
from the agency pursuant to these Acts.
(11) Ensure that the agency:
(a) cooperates with other agencies in the use of information
technology to improve the productivity, effectiveness, and
efficiency of Federal programs;
(b) promotes a coordinated, interoperable, secure, and shared
government wide infrastructure that is provided and supported by a
diversity of private sector suppliers; and
(c) develops a well-trained corps of information resource
professionals.
(12) Use the guidance provided in OMB Circular A-11, ``Planning,
Budgeting, and Acquisition of Fixed Assets,'' to promote effective
and efficient capital planning within the organization;
(13) Ensure that the agency provides budget data pertaining to
information resources to OMB, consistent with the requirements of
OMB Circular A-11;
(14) Permit, to the extent practicable, the use of one agency's
contract by another agency or the award of multi-agency contracts,
provided the action is within the scope of the contract and
consistent with OMB guidance; and
(15) As designated by the Director of OMB, act as executive
agent for the government-wide acquisition of information technology.
8. Section 9, ``Assignment of Responsibilities,'' is further
amended by revising Section 9b, ``Department of State,'' to read as
follows:
b. Department of State. The Secretary of State will:
(1) Advise the Director of OMB on the development of United
States positions and policies on international information policy
and technology issues affecting Federal government activities and
the development of international information technology standards;
and
(2) Be responsible for liaison, consultation, and negotiation
with foreign governments and intergovernmental organizations on all
matters related to information resources management, including
federal information technology. The Secretary will also ensure, in
consultation with the Secretary of Commerce, that the United States
is represented in the development of international standards and
recommendations affecting information technology. These
responsibilities may also require the Secretary to consult, as
appropriate, with affected domestic agencies, organizations, and
other members of the public.
9. Section 9, ``Assignment of Responsibilities'' is further amended
by making the following revision to Section 9c, ``Department of
Commerce'': Subparagraph (1) is revised to read as follows:
(1) Develop and issue Federal Information Processing Standards
and guidelines necessary to ensure the efficient and effective
acquisition, management, security, and use of information technology
while taking into consideration the recommendations of the agencies
and the Chief Information Officers Council;
10. Section 9, ``Assignment of Responsibilities,'' is further
amended by making the following revisions to Section 9e, ``General
Services Administration'': subparagraphs (1) through (5) are deleted,
subparagraph (6) is renumbered as subparagraph (7); and the following
new subparagraphs are added after the introductory text:
(1) Continue to manage the FTS2001 program and coordinate the
follow-up to that program, on behalf of and with the advice of
agencies;
(2) Develop, maintain, and disseminate for the use of the
Federal community (as requested by OMB or the agencies) recommended
methods and strategies for the development and acquisition of
information technology;
(3) Conduct and manage outreach programs in cooperation with
agency managers;
(4) Be a liaison on information resources management (including
Federal information technology) with State and local governments.
GSA will also be a liaison with non-governmental international
organizations, subject to prior consultation with the Secretary of
State to ensure consistency with the overall United States foreign
policy objectives;
(5) Support the activities of the Secretary of State for
liaison, consultation, and negotiation with intergovernmental
organizations on information resource management matters;
(6) Provide support and assistance to the CIO Council and the
Information Technology Resources Board.
11. Section 9, ``Assignment of Responsibilities,'' is amended by
making the following revisions to Section 9h, ``Office of Management
and Budget'': Subparagraph (10) is deleted, subparagraphs (11) and (12)
are renumbered as subparagraphs (10) and (11), and the following new
subparagraphs are added at the end:
(12) Evaluate agency information resources management practices
and programs and, as part of the budget process, analyze, track, and
evaluate the risks and results of major capital investments in
information systems;
(13) Notify an agency if OMB believes that a major information
system project requires outside assistance;
(14) Provide guidance on the implementation of the Clinger-Cohen
Act and on the management of information resources to the executive
agencies, to the CIO Council, and to the Information Technology
Resources Board; and
(15) Designate one or more heads of executive agencies as
executive agent for government-wide acquisitions of information
technology.
Proposed Appendix II to OMB Circular No. A-130--Information Technology
Architecture
This Appendix defines the minimum criteria for an agency
Information Technology Architecture (ITA). Many agencies have
already developed frameworks and methodologies guiding the
development, implementation, and maintenance of an ITA. Therefore
this guidance is intended to ensure that as agencies complete or
update their ITA, critical information is included.
An IT architecture in compliance with the Clinger-Cohen Act and
OMB guidance will contain an Enterprise Architecture and a Technical
Reference Model and Standards Profile.
What Is an Enterprise Architecture?
An Enterprise Architecture is the explicit description of the
current and desired relationships among business and management
processes and information technology. It describes the ``target''
environment which the agency wishes to create and maintain by
managing its IT portfolio. The Enterprise Architecture must also
provide a strategy that will enable the agency to transition from
its current to its target environment. Within the Enterprise
Architecture it is important that agencies identify and document:
(1) the business processes, (2) the information flow and
[[Page 19939]]
relationships, (3) applications, (4) data descriptions, and (5)
technology infrastructure, as follows:
1. Business Processes--Agencies must identify the work performed
to support their mission, vision and performance goals. Agencies must
also document change agents, such as legislation or new
technologies, that will drive changes in the Enterprise
Architecture.
2. Information Flow and Relationships--Agencies must analyze the
information utilized by the agency in its business processes,
identifying the information used and the movement of the
information. These information flows indicate where the information
is needed and how the information is shared to support mission
functions.
3. Applications--Agencies must identify, define, and organize
the activities that capture, manipulate, and manage the business
information to support business processes. It also describes the
logical dependencies and relationships among business activities.
4. Data Descriptions and Relationships--Agencies must identify
how data is created, maintained, accessed, and used. At a high
level, agencies define the data and describe the relationships among
data elements used in the agency's information systems.
5. Technology Infrastructure--Agencies must describe and
identify the functional characteristics, capabilities, and
interconnections of the hardware, software, and telecommunications.
What Are the Technical Reference Model and Standards Profile?
Technical Reference Model (TRM)--A TRM identifies and describes
the information services (such as database, communications,
intranet, etc.) used throughout the agency.
Standards--Agencies should define the set of IT standards that
support the services articulated in the TRM. Agencies are expected
to adopt the standards necessary to support the entire Enterprise
Architecture, and these standards must be enforced consistently
throughout the agency.
Proposed Revisions to Appendix IV to OMB Circular No. A-130--
Analysis of Key Sections
Revise Section 8a(5) to include:
As described in Section 11 of the ``Electronic Freedom of
Information Act Amendments of 1996'' (Public Law 104-231), an agency
must place its index and description of major information and record
locator systems in its reference material or guide. We expect that
this index and description would include an agency's Government
Information Locator Service (GILS) presence as well as any other
major information and record locator systems the agency has
identified.
In addition, each agency should prepare a handbook that
describes in one place the various ways by which a person can obtain
public information from the agency, as well as the types and
categories of information available. In preparing the handbook, each
agency should review the dissemination policies contained in this
Circular. The handbook should be in plain English and user-friendly.
Where applicable, it should indicate that the public is encouraged
to access information electronically via the agency's home page or
to search in its reading room, and that the public may also submit a
request to the agency under the Freedom of Information Act. ``Types
and categories'' of available information will vary from agency to
agency, and agencies should describe their information resources in
whatever manner seems most appropriate.
Although the law does not require that the handbook be available
on-line, OMB encourages agencies to do so as a matter of policy. The
handbook should include the following elements:
1. The location of reading rooms within the agency and within
its major field offices, as well as a brief description of the types
and categories of information available.
2. The location of the agency's World Wide Web home page.
3. A reference to the agency's FOIA regulations and how to get a
copy.
4. A reference to the agency's FOIA annual report and how to get
a copy.
5. The location of the agency's GILS page.
6. A brief description of the types and categories of
information generally available from the agency.
In addition, if there is an on-line version, it should have
electronic links to these elements wherever they exist.
Section 8b(1)
What is the capital planning and investment control process?
The capital planning and investment control process is a
systematic approach to managing the risks and returns of IT
investments. The process has three phases: select, control and
evaluate. The process covers all stages of capital programming,
including planning, budgeting and procurement. For additional
information describing capital planning, please consult Circular
A-11.
Where can I get more information about return on investment (ROI)?
Agencies that would like to learn more about compiling and
demonstrating projected return on investments (ROI) are encouraged
to consult the Federal CIO Council document ``ROI and the Value
Puzzle''. This document may be obtained at the CIO Council's web
page (http://cio.gov).
How should agencies incorporate security into management of
information resources?
Effective security is an essential element of all information
systems. A process assuring adequate security must be integrated
into the agency's management of information resources. This process
should be a component of both the capital planning process and the
information technology architecture. A system's security
requirements must be supported by the agency ITA in order for it to
be considered during the select phase of the capital planning
process. Agencies will use the control and evaluate phases of
capital planning to ensure these security requirements are met
throughout the system's life cycle. For more information on computer
security please read Appendix III of this Circular.
How will agencies use the information collected during the capital
planning process?
As a quick guide, this table summarizes the information trail
and describes how certain types of information will be utilized
throughout the capital planning process.
----------------------------------------------------------------------------------------------------------------
                                                      Components of the capital planning process
         Required information         --------------------------------------------------------------------------
                                          Select (planned)        Control (actual)      Evaluate (variance)
----------------------------------------------------------------------------------------------------------------
Justification and descriptive         Provided as part of the Reviewed and reported   Reported annually as
information.                          pre-screening process   systematically to       part of the Capital
                                      and documents the       ensure business needs   Asset Plan and
                                      business case           are being met.          Justification (Exhibit
                                      justification for the                           300B).
                                      investment.
[[Page 19940]]
Summary of spending by project        Provided as part of the Reviewed systematically Reported annually as
stages, cost, schedule, and           initial planning and    to ensure that costs    part of the Capital
performance goals.                    budgeting process       and scheduled goals     Asset Plan and
                                      using a work break-     are on target.          Justification (Exhibit
                                      down process. The                               300B).
                                      summary reflects a
                                      life cycle project
                                      management approach
                                      for all stages of the
                                      investment, and is
                                      structured using a
                                      performance based
                                      management process
                                      (such as earned value
                                      management).
Program management and contracting    Provided as part of the Reviewed systematically Reported annually as
information.                          planning phase and      to ensure that          part of the Capital
                                      includes information    contract and            Asset Plan and
                                      such as type of         acquisition goals are   Justification (Exhibit
                                      contract, and           on target.              300B).
                                      acquisition planning
                                      information.
Financial Basis for the project.      Details financial       Reviewed and updated    Reported annually as
                                      analysis such as        systematically to       part of the Capital
                                      benefits-cost analysis  capture the latest      Asset Plan and
                                      (BCA), return on        information on ROI and  Justification (Exhibit
                                      investment and other    benefits and to track   300B).
                                      financial analysis      financial performance.
                                      performed to justify
                                      the investment.
Performance measures and goals.       Provided prior to the   Monitored and reported  Reported annually as
                                      selection of the        systematically for      part of the Capital
                                      project and             performance goals and   Asset Plan and
                                      establishes the         the progress of         Justification (Exhibit
                                      baseline for            meeting the business    300B).
                                      performance measures    goals and needs of an
                                      and goals whereby the   agency.
                                      investment will be
                                      monitored.
Costs and schedule goals.             Provided as part of the Updated systematically  Reported annually as
                                      initial planning and    to ensure that the      part of the Capital
                                      budgeting process       investment is earning   Asset Plan and
                                      using a work break-     at the planned rate.    Justification (Exhibit
                                      down process. The                               300B).
                                      goals reflect a life-
                                      cycle project
                                      management approach
                                      for all stages of the
                                      investment and is
                                      structured using an
                                      earned value
                                      management process.
Risks.                                Risk assessments are    Reviewed and updated    Reported annually as
                                      performed and           systematically to       part of the Capital
                                      mitigation plans are    gauge effectiveness of  Asset Plan and
                                      provided as part of     the mitigation plans    Justification (Exhibit
                                      the initial planning    and to identify any     300B).
                                      phase. Assessments      new risks that may
                                      must address            arise.
                                      technology, security,
                                      strategic issues, and
                                      IT architecture. Risk
                                      assessments may also
                                      address the risk of
                                      not continuing a
                                      project.
Benefits associated with the          Benefits can be either  Updated systematically  Reported annually as
investment.                           financial or non-       to further strengthen   part of the Capital
                                      financial and may also  the business case for   Asset Plan and
                                      be cost avoidance. The  the investment or its   Justification (Exhibit
                                      expected benefits are   continuance and to      300B).
                                      captured as part of     ensure that the
                                      the initial planning    benefits are realized.
                                      phase of an investment.
----------------------------------------------------------------------------------------------------------------
Section 8b(2)
What Is an ITA?
An Information Technology Architecture (ITA) should guide the
agency's management of information resources for agency-wide
information and information technology needs consistent with
Appendix II of this Circular. The ITA will help the agency cope with
technology and business change by serving as a reference for updates
to existing and new information systems. The ITA will also assure
interoperability of business processes, data, applications and
technology as agencies integrate proposed information systems
projects with one another and with existing legacy systems. The
agency's strategic IRM plan should describe the parameters (e.g.,
technical standards) of such an ITA. The ITA must also drive
operational planning and describe how the agency intends to use
information and information technology.
Where Can I Get More Information Describing the ITA?
Agencies that require additional information on developing or
maintaining an ITA are encouraged to consult the Federal CIO Council
document entitled ``The Federal Enterprise Architecture (FEA)
Framework'' which is available on the CIO Council's web site (http://cio.gov).
[[Page 19941]]
What Is an Open Systems Environment?
An open system should be based on an architecture with published
or documented interface specifications that have been adopted by a
standards-setting body.
Ultimately, Who Determines the Acceptable Level of Security for a
System?
Each agency program official must understand the risk to systems
under their control and determine the acceptable level of risk,
ensure adequate security is maintained to support and assist the
programs under their control, and ensure that security controls
comport with program needs and appropriately accommodate operational
necessities. In addition, program officials should work in
conjunction with Chief Information Officers and other appropriate
agency officials so that security measures support agency
information architectures.
Section 8b(3)
What Should Agencies Consider Before Acquiring a COTS Solution?
COTS products can provide agencies a cost effective and
efficient solution. However, often COTS products require
customization for seamless use. Therefore agencies must still
thoroughly examine the impact of a COTS product selection. A
lessons-learned guide describing the risks of COTS products has been
published by the Information Technology Resources Board (ITRB). The
guide, entitled ``Assessing the Risks of Commercial-Off-The-Shelf
(COTS) Applications,'' is available on the ITRB web site (http://itrb.gov).
Section 9a(3). Chief Information Officer (CIO)
To Whom Does the CIO Report?
Each agency must appoint a Chief Information Officer, as
required by 44 U.S.C. 3506(a), who will report directly to the
agency's head to carry out the responsibilities of the agency under
the PRA.
What Are the CIO's Responsibilities in Regards to Financial
Management Systems?
The head of the agency is responsible for defining the operating
relationship between the CIO and CFO functions and ensuring
coordination in the implementation of the Clinger-Cohen Act, the
PRA, the Chief Financial Officers Act, and the Government
Performance and Results Act. The Clinger-Cohen Act encourages the
CIO and CFO to work together under the direction of the agency head
to ensure that the agency's information systems provide reliable,
consistent, and timely program performance information.
What Is the CIO's Role in the Capital Planning Process?
The CIO will ensure that a capital planning process is
established and rigorously used to define and validate all
information resource investments. Through this process, the CIO
shall monitor and evaluate the performance of the information
technology portfolio of the agency and advise the agency head
whether to continue, modify, or terminate a program or project. The
CIO will have accountability and authority over continuation or
termination of information resource investments.
Additionally, the CIO will establish a board composed of senior
level managers who will have the responsibility of making key
business recommendations on information resource investments, and
who will be continuously involved. Many agencies will institute a
second board, composed of program or project level managers, with
more detailed business and information resource knowledge. They will
be able to provide technical support to the senior level board in
proposing, evaluating, and recommending information resource
investments.
What Is the CIO's Role in the Annual Budget Process?
The CIO will be an active participant during all agency annual
budget processes and strategic planning activities, including the
development, implementation, and maintenance of agency strategic
plans. The CIO's role is to provide leadership and a strategic
vision for using information technology to transform the agency.
CIOs must also ensure that all information resource investments
deliver a substantial mission benefit to the agency and/or a
substantial ROI to the taxpayer.
Additionally, the CIO will ensure coordination of information
resource planning processes and documentation with the agency's
strategic, performance and budget process.
Section 9a(4)
Why Is the CIO Considered an Ombudsman?
The CIO designated by the head of each agency under 44 U.S.C.
3506(a) is charged with carrying out the responsibilities of the
agency under the PRA. Agency CIOs are responsible for ensuring that
their agency practices are in compliance with OMB policies. It is
envisioned that the CIO will work as an ombudsman to investigate
alleged instances of agency failures to adhere to the policies set
forth in the Circular and to recommend or take corrective action as
appropriate. Agency heads should continue to use existing mechanisms
to ensure compliance with laws and policies.
[FR Doc. 00-9077 Filed 4-12-00; 8:45 am]