1.8.2 Agency IT Authorities – OMB Guidance

1.8.2 Agency IT Authorities – OMB Guidance

This section consists of language from OMB guidance that further demarcates, expands upon, or clarifies IT authorities assigned to agencies. This language directly or indirectly tasks the CIO with duties or responsibilities pertaining to information resources and data. See sections on OMB Memoranda and OMB Circulars for more information about these forms of OMB guidance. See sections on Office of Inspector General (OIG) and Government Accountability Office (GAO) to review how compliance with policies is measured.

Policy
Agencies shall establish a comprehensive approach to improve the acquisition and management of their information resources by: performing information resources management activities in an efficient, effective, economical, secure, and privacy-enhancing manner; focusing information resources planning to support their missions; implementing an IT investment management process that links to and supports budget formulation and execution; and rethinking and restructuring the way work is performed before investing in new information systems. (OMB Circular A-130. Managing Information as a Strategic Resource. Page 4.)

Inventory
Agencies shall:

• Maintain an inventory of the agency’s major information systems, information holdings, and dissemination products, at the level of detail that OMB and the agency determine is most appropriate for overseeing and managing the information resources; and
• Maintain an inventory of the agency’s information systems that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII to allow the agency to regularly review its PII and ensure, to the extent reasonably practicable, that such PII is accurate, relevant, timely, and complete; and to allow the agency to reduce its PII to the minimum necessary for the proper performance of authorized agency functions. (OMB Circular A-130. Managing Information as a Strategic Resource. Page 5.)

Information Management
[Agencies] shall:

• Continually facilitate adoption of new and emerging technologies, and regularly assess the following throughout the life of each information system: the inventory of the physical and software assets associated with the system; the maintainability and sustainability of the information resources and infrastructure supporting the system; and actively determine when significant upgrades, replacements, or disposition is required to effectively support agency missions or business functions and adequately protect agency assets. (Ibid)

Risk Management
[Agencies] shall:

• Consider information security, privacy, records management, public transparency, and supply chain security issues for all resource planning and management activities throughout the system development life cycle so that risks are appropriately managed;
• Develop plan, in consultation with CIOs, Senior Agency Officials for Records Management (SAORMs), and Senior Agency Officials for Privacy (SAOPs), for information systems and components that cannot be appropriately protected or secured and ensure that such systems are given a high priority for upgrade, replacement, or retirement. (OMB Circular A-130. Managing Information as a Strategic Resource. Page 6.)

Records Management
Agencies shall:

• Designate a [SAORM] who has overall agency-wide responsibility for records management;
• Ensure agency records managed by the SAORM are treated as information resources and follow the requirements in this Circular. (OMB Circular A-130. Managing Information as a Strategic Resource. Page 19.)

Data Management

Establish Integral Digital Governance
A strong governance structure will help agencies develop coherent priorities, set up lines of accountability, and satisfy the public’s expectation of the best possible level of service. Agencies must manage their websites and digital services not as discrete individual IT projects, but as part of a comprehensive strategy covering all their digital information and services.

• As required in the Digital Government Strategy (The White House. Digital Government Strategy.), every agency [should have established] a plan for governing its digital services, including websites and data. (OMB M-17-06. Policies for Federal Agency Public Websites and Digital Services. 11/8/2016.)

Implement Information Security and Privacy Controls
FISMA and OMB Circular A-130 require each Federal Agency to develop, document, and implement an agency-wide information security program for the information and information systems that support the agency’s operations and assets, including those provided or managed by another agency, contractor, or other source. FISMA also provides for the development and maintenance of minimum controls to protect Federal information and information systems. Moreover, OMB Circular A-130 requires agencies to develop, implement, document, maintain, and oversee an agency-wide privacy program including people, processes, and technologies. Each agency-wide privacy program must implement privacy controls and verify that those controls are operating as intended and continuously monitored and assessed.

• Agencies must follow the policies, principles, standards, and guidelines on information security and privacy, in accordance with FISMA and other laws. Each agency is already required to implement security and privacy policies as set forth in OMB Circular A-130 and [NIST] Special Publication 800-44, Guidelines on Securing Public Web Servers; and other associated standards and 800 series guidelines from NIST. (Note: for a complete list of detailed requirements see the referenced memo.) (Ibid.)

Electronic Records
Section I: Implementation Guidance for all Agencies: All Federal agencies (CFO Act and non-CFO Act) must meet the following targets in order to begin the transition to a fully electronic government.

By 2019, Federal agencies will manage all permanent electronic records in an electronic format. By December 31, 2019, all permanent electronic records in Federal agencies will be managed electronically to the fullest extent possible for eventual transfer and accessioning by NARA in an electronic format. Federal agencies have been required to manage all (permanent and temporary) email records in an electronic format since 2016 and are expected to continue to do so.

By 2022, Federal agencies will manage all permanent records in an electronic format and with appropriate metadata. By December 31, 2022, all permanent records in Federal agencies will be managed electronically to the fullest extent possible for eventual transfer and accessioning by NARA in an electronic format. This does not apply to permanent records accessioned into NARA or transferred for storage into Federal Records Centers before December 31, 2022. After December 31, 2022, all agencies will transfer permanent records to NARA in electronic formats and with appropriate metadata, in accordance with NARA regulations and transfer guidance, except where an agency has been granted an exception under procedures to be developed by NARA under paragraph 2.2, below.

By 2022, Federal agencies will manage all temporary records in an electronic format or store them in commercial records storage facilities. By December 31, 2022, all temporary records in Federal agencies will be managed electronically to the fullest extent possible. Agencies that receive an exception under paragraph 2.2 may continue to produce and store records in analog formats, but inactive records eligible for transfer after December 31, 2022 must be stored in commercial storage facilities. This does not apply to temporary records that are transferred for temporary storage into Federal Records Centers before December 31, 2022. By December 31, 2022, all agencies must close agency-operated records storage facilities and transfer inactive, temporary records to Federal Records Centers or commercial records storage facilities. Temporary, analog records that become eligible for transfer after December 31, 2022 must be transferred to commercial storage facilities that meet NARA records storage requirements.

Federal agencies will maintain robust records management programs that comply with the Federal Records Act and its regulations. Agencies must continue the following practices to ensure agency records are appropriately retained, stored, and transferred according to their disposition schedules.

• Designate a [SAORM] who is at the Assistant Secretary level or equivalent and has direct responsibility for ensuring that the agency efficiently and appropriately complies with all applicable records management statutes, regulations, and policy, including the requirements of this memorandum.
• Designate an Agency Records Officer who is responsible for overseeing agency recordkeeping requirements and operations and holds the NARA Certificate of Federal Records Management Training.
• Annually inform all agency personnel of their records management responsibilities in law, regulation, and policy, and provide training specific to the practices and policies of the organization.
• Ensure all records created or maintained by the agency are covered by a NARA-approved records schedule and permanent records are transferred to the National Archives when they reach their scheduled disposition date.
• Ensure NARA-approved records schedules are updated as business practices transition to electronic workflows. (OMB M-19-21. Transition to Electronic Records. 6/28/2019.)

Federal Data Strategy – Purpose & Overview
[The Federal Data Strategy (Federal Data Strategy, Leveraging Data as a Strategic Asset.)] enables agencies-and Government as an enterprise to use and manage Federal data to serve the American people, including the critical twin goals of getting optimal value from our data assets and of protecting security, privacy, and confidentiality. It provides a common set of data principles and best practices in implementing data innovations that drive more value for the public. The Strategy complements statutory requirements and OMB information policy and guidance, and incorporates relevant changes proposed by agency and public comments received in response to M-19-01: Request for Agency Feedback on the Federal Data Strategy. (OMB M-19-18. Federal Data Strategy - A Framework for Consistency. 6/4/2019.) Annual Action Plans specify measurable actions to implement the practices that are the priorities for a given year, providing timelines for implementation and identification of responsible parties. Agencies implement the Federal Data Strategy by adhering to the Action Steps in yearly action plans in accordance with OMB guidance.

Freedom of Information Act (FOIA) Portal
This memorandum provides instructions for agencies’ Chief FOIA Officers on actions that agencies must take to ensure interoperability with the National FOIA Portal [foia.gov]. This memorandum is authorized and required by the FOIA Improvement Act of 2016, 5 U.S.C. § 552(m). “It requires agencies to provide information and complete necessary actions that will facilitate interoperability with the National FOIA Portal, through which a member of the public can submit a request for information to any Federal agency from angle website.” (OMB M-19-10. Guidance for Achieving Interoperability with the National Freedom of Information Act (FOIA) Portal On FOIA.gov. 2/12/2019.)

Improve Customer Service Delivery
Each CFO Act agency (“agency” or “agencies”) that directly provides significant services to individuals or to private and governmental entities will improve customer service through the following activities:

• Publish Customer Service Plans – …each agency will post a customer service plan (“plan”) to its Open Government website. The plan will identify implementation steps for the customer service activities outlined in EO 13571, including a high-level discussion of the process by which a “signature initiative” to use technology to improve the customer experience will be designed and executed. The plan will prepare agencies to integrate specific customer service goals into annual agency performance plans and reports, as called for by the Government Performance and Results Modernization Act (GPRA) of 2010.
• Establish a Customer Service Task Force – To facilitate the exchange of best practices and the development of agency customer service plans and signature initiatives, OMB will coordinate a Customer Service Task Force (“Task Force”), comprised of agencies that provide significant services, that will meet regularly…. each agency should identify a senior official, who will be responsible for the customer service plan and related agency goals, to represent the agency on the Task Force … Before final publication …, participating agencies will conduct a peer review of their customer service plans.
• Advance Customer Service through Innovative Technology – With advances in technology and improvements in service delivery systems, customers’ expectations continue to rise. To meet these expectations and increase efficiency, the Federal Government must incorporate increasingly common, lower cost self-service options that leverage technology, such as those accessed by the Internet or mobile phone. (OMB M-11-24. Implementing Executive Order 13571 on Streamlining Service Delivery and Improving Customer Service. 6/13/2011).
• The IDEA (GSA. 21st Century Integrated Digital Experience Act.) aims to improve the digital experience for government customers and reinforces existing requirements for federal public websites.