Industry questions authorization, open data changes to OMB tech policy memo A-130
The division between the privacy and security approval process for federal IT projects and various rules tied to open data in the revisions to the Office of Management and Budget Circular A-130 have elicited numerous public comments as the extended comment period came to a close last week.
The circular, which governs how the federal government uses its IT assets, is undergoing its first revision since 2000. The revision was released to the public in October, and the comment period was extended another two weeks after calls from various groups for more time to parse the additions.
A number of comments that were posted on the A-130 GitHub page just prior to the closing of the initial comment period and during the two-week extension came from technology companies and policy groups looking to further streamline the process by which agencies can modernize their platforms — and aiming to “future proof” the circular so it is not obsolescent as soon as it’s published.
A good portion of the comments focused on better integration of the Federal Risk and Authorization Management Program, which would codify the government’s push to embrace cloud-based technologies. In a lengthy comment posted in November, Microsoft called for OMB to revise the document “to reaffirm the applicability of FedRAMP.”
“As A-130 itself is being modernized to support the development and use of cutting edge IT and leading information policy approaches associated with its effective management, it would be a stark remission not to integrate the Administration’s ‘cloud first’ policy commitments, achievements and goals embodied through FedRAMP,” the company’s comment reads.
Additionally, a number of commenters asked for further clarification when it comes to a section in Appendix III that creates a parallel authorization authority for privacy issues and gives privacy officers the ability to deny authorizations. FedScoop learned about this provision in June, when sources said they thought this provision would make it harder for agencies to authorize new projects.
Those worries were expressed in numerous comments, coming in from Microsoft, Salesforce and the IT Alliance for the Public Sector, among others. Trey Hodgkins, senior vice president of the public sector for ITAPS, told FedScoop he would like the person in charge of privacy to “co-habitate” with the security folks to streamline the process.
“If you bifurcate the process, you will slow it down and make it disjointed and disconnected,” Hodgkins said.
Comments also called for more clarity around continuous monitoring, asking for benchmarks when it comes to vulnerability risks or how often scans need to be performed in order to be considered “continuous.”
Ralph Kahn, vice president of federal for Tanium, said the document should force agencies to aim for a specific benchmark when it comes to monitoring their systems.
“We need to start asking for more aggressive targets,” Kahn told FedScoop. “When you say things like ‘continuous monitoring,’ that’s a little vague. To some people, ‘continuous’ might be once a day, it might be once every 25 or 30 seconds. We can aspire to much more aggressive targets these days.”
A number of comments also asked for better distinctions around open data. Comments from Socrata, the Center for Data Innovation and the Professional Services all wanted revisions on things like data governance policies and business continuity plans regarding what data stays open in the event of a government shutdown.
Overall, most comments were supportive of the revision, but various groups told FedScoop they wanted to help push the government toward making the document “future-proof.”
“The only way to help the government is to be vocal,” Kahn said. “If someone thinks there is a better way or thinks we can improve on what is the state-of-the-art in the government, then we want to do that.”