Updating OMB Circular A-130, Management of Federal Information Resources, was a discussion topic on the second day of the Internet Security and Privacy Advisory Board’s (ISPAB’s) meeting. The ISPAB is an expert advisory body established by Congress to advise NIST, the Secretary of Commerce and OMB. The Board received a presentation on work underway to revise Appendix III of the Circular, Security of Federal Automated Information Resources, which was the focus of discussions. The presentation was made by representatives of an ad hoc group of senior A-130 information security experts working to assist OMB in the revision process.
There was broad consensus expressed that OMB has “ample authority” to overhaul A-130 as needed to improve management of federal information resources.
In addition to continuous monitoring, the ad hoc group discussed and asked ISPAB’s views on other A-130-related issues, including the definition of a system. The ad hoc group explained that the traditional ways of defining a system are not necessarily relevant as data centers consolidate and agencies move to cloud-based storage and applications. The traditional way of understanding a network is as a set of computing boxes tied together, often on a functional basis such as financial management or office automation.
The ad hoc group discussed moving toward a definition of system in A-130 that is based on the type and sensitivity of the information rather than on the boxes the information is stored or processed on. For example, different types of systems (an internal payroll system and a database with external user data) may both contain PII (personally identifiable information) that requires similar protection. Instead of looking at applications that run on stored data, a new approach to system definition would frame the issue in terms of services that are layered on the data.
With respect to the underlying data, the ad hoc panel cited the core needs of identifying the risks associated with the information, determining how the risk is measured, and identifying who is responsible for managing and mitigating the risk. One concern expressed by the panel about the current definition of a system is that it creates gaps in responsibility for data as it moves from one system to another, such as PII that a citizen enters on a web application and that then moves to a different system for processing.
Another A-130 modernization issue is the need to bring the Department of Homeland Security (DHS) under the Circular since it was last revised prior to passage of the Homeland Security Act. DHS operates information security programs under a delegation of authority from OMB.
The ad hoc group also suggested that consideration should be given to a “maturity model” approach to assessing organizational security, one that would take into account where the organization is in terms of information security and where it should go, rather than holding each agency to the same scoring system. One possibility raised was a model based on three levels of maturity (low, medium and high), under which an organization would advance to the next level after it had successfully achieved its lower-level goals.