Discuss | Edit | View PDF

Circular A-130

Archive Site

Welcome! This site is archival. It was used to collect feedback from the public on proposed revisions to OMB Circular A-130. The comment period closed in November 2015. The revised OMB Circular A-130 was announced on July 27, 2016.
Read more here.

Definitions

a. 'Accessibility' or 'Accessible' means that any information technology product or service is in full compliance with the United States Architectural and Transportation Barriers Compliance Board (Access Board) Information and Communication Technology (ICT) Standards and Guidelines for electronic and information technology developed, procured, maintained, or used by Federal agencies covered by section 508 of the Rehabilitation Act of 1973 (29 U.S.C. § 794 d), as amended by the Workforce Investment Act of 1998 (29 U.S.C. § 2801, et seq.), and its guidelines for telecommunications equipment and customer premises equipment covered by Section 255 of the Communications Act of 1934 (47 U.S.C. § 151, et seq.).

b. 'Agency' means any executive agency or department, military department, Federal government corporation, Federal government-controlled corporation, or other establishment in the Executive Branch of the Federal government, or any independent regulatory agency.

c. 'Agency Information Strategy' means a strategy that demonstrates how information resources management decisions are integrated with organizational planning, budget, procurement, financial management, human resources management, and program decisions.35

d. 'Agency Strategic Plan' means plan that provides general and long-term goals the agency aims to achieve, the actions the agency will take to realize those goals, the strategies planned, how the agency will deal with challenges and risks that may hinder achieving result, and the approaches it will use to monitor its progress.36

e. 'Business Continuity Plan' means a plan that focuses on sustaining an organization's mission/business processes during and after a disruption, and may be written for mission/business processes within a single business unit or may address the entire organization's processes.37

f. 'Chief Information Officer' (CIO) means the senior official that, pursuant to the Clinger-Cohen Act, provides advice and other assistance to the head of the agency and other senior management personnel of the agency to ensure that information technology is acquired and information resources are managed for the agency in a manner that achieves the agency's strategic goals and information resources management goals.

g. 'Chief Information Officers Council' (CIO Council) means the Council codified in the E-Government Act of 2002 (44 U.S.C. § 101).

h. 'Controlled Unclassified Information' (CUI) means Information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.

i. 'Dissemination' means the government-initiated distribution of information to a nongovernment entity, including the public. Not considered dissemination within the meaning of this Circular is distribution limited to government employees, intra- or interagency use or sharing of Federal information, and responses to requests for agency records under the Freedom of Information Act (5 U.S.C. § 552) or the Privacy Act (5 U.S.C. § 552a).

j. 'Enterprise architecture' (a) means – (i) a strategic information asset base, which defines the mission; (ii) the information necessary to perform the mission; (iii) the technologies necessary to perform the mission; and (iv) the transitional processes for implementing new technologies in response to changing mission needs; and (b) includes – (i) a baseline architecture; (ii) a target architecture; and (iii) a sequencing plan (44 U.S.C. § 3601).

k. 'Executive agency' has the meaning defined in Title 41, Public Contracts section 133 (41 U.S.C. § 133).

l. 'Federal information' means information created, collected, processed, maintained, disseminated, or disposed of by or for the Federal Government, in any medium or form.

m. 'Federal information system' means an information system used or operated by an agency, by a contractor of an agency, or by another organization on behalf of an agency.

n. 'Government publication' means information that is published as an individual document at government expense, or as required by law, in any medium or form (44 U.S.C. § 1901).

o. 'Incident' means an occurrence that results in actual or potential jeopardy to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.

p. 'Information' means any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, electronic, or audiovisual forms.

q. 'Information dissemination product' means any recorded information, regardless of physical form or characteristics, disseminated by an agency, or contractor thereof, to the public.

r. 'Information life cycle' means the stages through which information passes, typically characterized as creation or collection, processing, dissemination, use, storage, and disposition, to include destruction and deletion.

s. 'Information management' means the planning, budgeting, manipulating, controlling, and processing of information throughout its life cycle. The term encompasses both information itself and the related resources, such as personnel, equipment, funds, and information technology.

t. 'Information resources' means information and related resources, such as personnel, equipment, funds, and information technology (44 U.S.C. § 3502).

u. 'Information resources management' means the process of managing information resources to accomplish agency missions. The term encompasses an agency's information and the related resources, such as personnel, equipment, funds, and information technology (44 U.S.C. § 3502).

v. 'Information security' means the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:

  1. Integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;
  2. Confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
  3. Availability, which means ensuring timely and reliable access to and use of information (44 U.S.C. § 3542).

w. 'Information system' means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information (44 U.S.C. § 3502).

x. 'Information system life cycle' means all phases in the useful life of an information system, including planning, acquiring, operating, maintaining, and disposing. See also OMB A-11 Part 7 "Capital Programming Guide" and OMB Circular A-131 "Value Engineering" for more information regarding the costs and management of assets through their complete life cycle.

y. 'Information technology' means any services or equipment, or interconnected system(s) or subsystem(s) of equipment, that are used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency. For purposes of this definition, such services or equipment is used by an agency if used by the agency directly or is used by a contractor under a contract with the agency that requires its use; or to a significant extent, its use in the performance of a service or the furnishing of a product. The term "information technology" includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including cloud computing and help-desk services or other professional services which support any point of the life cycle of the equipment or service), and related resources. The term "information technology" does not include any equipment that is acquired by a contractor incidental to a contract which does not require its use (40 U.S.C. § 11101).

z. 'Information technology investment' means an expenditure of information technology resources to address mission delivery and management support. This may include a project or projects for the development, modernization, enhancement, or maintenance of a single information technology asset or group of information technology assets with related functionality, and the subsequent operation of those assets in a production environment. These investments should have a defined life cycle with start and end dates, with the end date representing the end of the currently estimated useful life of the investment, consistent with the investment's most current alternatives analysis if applicable.

aa. 'Information Technology Investment Management' means a decision-making process that, in support of agency missions and business needs, provides for analyzing, tracking, and evaluating the risks, including information security and privacy risks, and results of all major capital investments made by an agency for information systems. The process shall cover the life of each system and shall include explicit criteria for analyzing the projected and actual costs, benefits, and risks, including information security and privacy risks, associated with the investments. The CPIC process has three distinct phases: Select, Control, and Evaluate. See 40 U.S.C. § 11302 and the Clinger-Cohen Act of 1996 for statutory requirements.

bb. 'Information technology resources' means all agency budgetary resources, personnel, equipment, facilities, or services that are primarily used in the management, operation, acquisition, or other activity related to the life cycle of information technology; acquisitions or interagency agreements which include information technology and the services or equipment provided by such acquisitions or interagency agreements; but does not include grants which establish or support information technology not operated directly by the Federal Government.

cc.'Interagency agreement' means, for the purposes of this document, a written agreement entered into between two Federal agencies that specifies the goods to be furnished or tasks to be accomplished by one agency (the servicing agency) in support of the other (the requesting agency), including assisted acquisitions as described in OMB Memorandum: Improving the Management and Use of Interagency Acquisitions and other cases described in Federal Acquisition Regulation (FAR) Part 17.

dd. 'Major information system' means a system that is part of an investment that requires special management attention as defined in OMB guidance and agency policies, a "major automated information system" as defined in 10 U.S.C. § 2445, or a system that is part of a major acquisition as defined in the OMB Circular A-11 Capital Programming Guide consisting of information resources.

ee. 'Major information technology investment' means an investment that requires special management attention as defined in OMB guidance and agency policies, a "major automated information system" as defined in 10 U.S.C. § 2445, or a major acquisition as defined in the OMB Circular A-11 Capital Programming Guide consisting of information resources.

ff. 'National security system' means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency: the function, operation, or use of which involves intelligence activities; involves cryptologic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapons system; or is critical to the direct fulfillment of military or intelligence missions (excluding a system that is to be used for routine administrative and business applications, for example, payroll, finance, logistics, and personnel management applications); or is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy (44 U.S.C. § 3542).

gg. 'Open data' means publicly available data structured in a way that enables the data to be fully discoverable and usable by end users. Generally, open data are public, accessible, machine-readable, described, reusable, complete, timely, and managed in manners consistent with OMB guidance defining these terms, including relevant privacy, security, and other valid access, use, and dissemination restrictions.

hh. 'Personally identifiable information' (PII) means information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual.

ii. 'Privacy Impact Assessment' (PIA) means an analysis of how information is handled: to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; to determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information systems; and to examine and evaluate protections and alternate processes for handling information to mitigate potential privacy concerns.

jj. 'Provisioned IT Service' means an IT service that is owned, operated, and provided by an outside vendor or external government organization, and consumed by the agency on an as-needed basis.

kk. 'Public information' means any information, regardless of form or format, that an agency discloses, disseminates, or makes available to the public (44 U.S.C. chapter 35).

ll. 'Records' means all recorded information, regardless of form or characteristics, made or received by a Federal agency under Federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations, or other activities of the United States Government or because of the informational value of data in them (44 U.S.C. § 3301).

mm. 'Records management' means the planning, controlling, directing, organizing, training, promoting, and other managerial activities involved with respect to records creation, records maintenance and use, and records disposition in order to achieve adequate and proper documentation of the policies and transactions of the Federal Government and effective and economical management of agency operations (44 U.S.C. § 2901(2)).

nn. 'Senior Agency Official for Privacy' (SAOP) means the senior official, designated by the head of each agency, who has overall agency-wide responsibility for information privacy, including implementation of information privacy protections, compliance with Federal laws, regulations, and policies relating to information privacy, and a central policy-making role in the agency's development and evaluation of legislative, regulatory, and other policy proposals.

oo. 'Senior Agency Official for Records Management' (SAORM) means the senior official who has direct responsibility for ensuring the agency efficiently and appropriately complies with all applicable records management statutes, regulations, NARA policy, and OMB policy.

pp. 'TechStat' means a face-to-face, evidence-based accountability review of an IT investment that enables the Federal government to intervene to turn around, halt or terminate IT projects that are failing or are not producing results for the American people.

Footnotes

  • 35 The Agency Information Strategy is referred to as Information Resource Management Strategic Plan in the Paperwork Reduction Act (44 U.S.C. 3506 (b)(2)).
  • 36 For additional information, refer to the Government Performance and Results Act (GPRA) of 1993, as amended by the Government Performance and Results Modernization Act (GPRM) of 2010 (5 U.S.C. § 306 and 31 U.S.C. §§ 1115 _et seq._ ); and OMB Circular A-11, Preparation, Submission and Execution of the Budget.
  • 37 The Federal Information Security Modernization Act (44 U.S.C. chapter 35) requires each agency to develop, document, and implement an agency-wide information security program that includes plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.