Smart Card Alliance Commentary: OMB Circular A-130 – Managing Information as a Strategic Resource
Publication Date: September 2016
Circular A-130, “Managing Information as a Strategic Resource,” published by the Office of Management and Budget (OMB), sets policy and establishes guidance for management of Federal information resources. As OMB is within the Executive Office of the President, OMB A-130 is authoritative and clarifies policies for both Federal agencies and service providers.
The previous version was published in 2000 on the heels of the dot-com collapse, yet before the creation of the Department of Homeland Security (DHS). Much has changed. The world and government have become heavily dependent on information technology (IT) and the security of the IT ecosystem. After the Office of Personnel Management (OPM) data breach and subsequent “cybersecurity sprint,” OMB released a new revision of Circular A-130 in July of 2016. The 2016 revision addresses new statutory requirements (e.g., FISMA 2014) and the enhanced technological capabilities that are now available.
The 85-page July 27, 2016 revision can be considered a major rewrite with significant changes throughout the document. The following aspects of the revision are particularly significant to entities involved with logical and physical access control, smart card technology, identity management, and associated security systems:
- Federal information is now seen as a strategic resource, with a focus on IT, security, data governance, and privacy. Accordingly, the guidance establishes general policy for IT planning and budgeting through governance, acquisition, and management of Federal information, personnel, equipment, funds, IT resources, and supporting infrastructure and services. The guidance includes:
  - Moving from periodic checklist compliance to ongoing monitoring, assessment, and evaluation, and providing guidance to embrace new technology and solutions
  - Conducting proactive risk management with repeated testing of agency solutions
  - Assigning responsibility and accountability to everyone (government and citizens) for assuring privacy (especially personally identifiable information (PII)) and the security of information
- The guidance establishes the chief information officer (CIO) as THE accountable party and mandates a Senior Agency Official for Privacy (SAOP).
- The guidance reinforces aspects of Homeland Security Presidential Directive 12 (HSPD-12), Federal Information Processing Standard (FIPS) 201, and associated documents and encapsulates the principles into one authoritative policy document.
- The guidance more explicitly brings the existence of a physical access control system (PACS) under the jurisdiction of the CIO and IT departments, who now clearly have the budgeting, planning, funding, and decision-making authority.
This position paper was developed by the Smart Card Alliance Access Control Council to highlight the impact of the OMB Circular A-130 2016 update on the access control industry and on government agencies procuring and implementing access control systems. The position paper focuses on highlighting relevant changes in the 2016 update to A-130, discussing the impact of these changes on the Federal government and commercial industry, and outlining issues to be considered in complying with A-130 for selected topic areas.
About the Smart Card Alliance Access Control Council
The Smart Card Alliance Access Control Council is focused on accelerating the widespread acceptance, use, and application of smart card technology for physical and logical access control. The group brings together, in an open forum, leading users and technologists from both the public and private sectors and works on activities that are important to the access control community and that will help expand smart card technology adoption in this important market. The Council works on projects to stimulate the use of smart card technology for access control.