Senators Carper, Johnson Press OMB for Update on Revisions to Key Federal Cybersecurity Guidance

WASHINGTON – U.S. Senators Tom Carper (D-Del.) and Ron Johnson (R-Wis.), Ranking Member and Chairman of the Senate Homeland Security and Governmental Affairs Committee, sent a letter to Shaun Donovan, Director of the Office of Management and Budget (OMB), requesting an update on efforts to complete and issue revisions to Circular A-130, which establishes OMB’s official policy and guidance on information technology management and cybersecurity for federal agencies.

Circular A-130 was first issued in the 1980s and has not been revised in more than 15 years despite the ever-evolving nature of cyber threats and repeated calls for updates dating back to 2005. To enhance federal network security and more quickly transition federal agencies to continuous and automated cybersecurity monitoring, Congress passed the Federal Information Security Modernization Act of 2014. Among other things, the Act required OMB to update Appendix III of Circular A-130 by December 2015 “to eliminate inefficient or wasteful reporting.” It also requires OMB to “provide quarterly briefings to Congress on the status of the amendment or revision.”

“According to the most recent FISMA annual report, OMB is currently in the process of significantly revising Circular A-130 and has asked for public comment on the proposed revisions,” the Senators wrote. “We appreciate OMB’s work to update Circular A-130, but also emphasize the importance of completing this revision in a timely manner. We request that you provide us with a date by which you plan to issue revisions to Circular A-130, and that OMB briefs our staffs on the status of the update within 30 days of this letter and quarterly thereafter until its completion.”                                                     

The text of the letter can be found below and in PDF form here.

Dear Director Donovan,

We write regarding the Office of Management and Budget’s Circular A-130, “Management of Federal Information Resources.”[1]  Continuous, automated monitoring of cybersecurity controls is a primary component of an organization’s cybersecurity program.  Indeed, OMB, the Department of Homeland Security (DHS), and the National Institute of Standards and Technology (NIST) have all indicated that continuous monitoring is a top priority. 

Circular A-130 remains an obstacle to the full adoption of this modern, automated approach to cybersecurity across government.  As you know, Circular A-130 is OMB’s primary policy document for information technology and cybersecurity.  However, Circular A-130 originated in the 1980s and, despite the ever-changing nature of cyber threats, has not been revised in more than 15 years.  Calls for revisions date as far back as 2005.[2]  In 2012, a group of experts called for a rewrite of Circular A-130, stating that “absent changes in policy, agency staff and oversight groups (e.g., Inspectors General and the Government Accountability Office) will continue to waste scarce resources on strategies that do little to mitigate risk.”[3]

Presently, Circular A-130 Appendix III, “Security of Federal Automated Information Resources,” requires an agency to audit the security controls for general support systems and major applications at least every three years and to produce a large volume of paperwork to report the audits.[4]  While some documentation of security controls is essential, these three-year assessments are not cost-effective or consistent with best-practices or other federal policies. 

To more quickly transition to continuous, automated monitoring, Congress passed the Federal Information Security Modernization Act of 2014.[5]  Among other things, the Act requires OMB to update Appendix III of Circular A-130 by December 2015 “to eliminate inefficient or wasteful reporting.”[6]  It also requires OMB to “provide quarterly briefings to Congress on the status of the amendment or revision.”[7]

According to the most recent FISMA annual report, OMB is currently in the process of significantly revising Circular A-130 and has asked for public comment on the proposed revisions.  We appreciate OMB’s work to update Circular A-130, but also emphasize the importance of completing this revision in a timely manner.  We request that you provide us with a date by which you plan to issue revisions to Circular A-130, and that OMB briefs our staffs on the status of the update within 30 days of this letter and quarterly thereafter until its completion. 

Thank you for your attention to this important matter.  We look forward to your response.