New OMB guidance clarifies how agencies should prepare for, respond to data breaches

The policy released this week is replacing three memos from before Obama's tenure.

A new White House memorandum seeks to clarify how federal agencies should be preparing for and responding to a breach.

The Office of Management and Budget memo released Tuesday is replacing three outdated memos, one from 2007 and two from 2006. It doesn’t address specific policy on information security or technical methods to control or detect incidents, but it does offer “a framework for assessing and mitigating the risk of harm to individuals potentially affected by a breach,” and guidance on whether and how to notify people and offer support services.

The policy comes after the House Oversight and Government Reform Committee reported in September that the historic data breach at the Office of Personnel Management was the result of failed leadership and consistent cybersecurity ignorance.

[Read more: Report: ‘Failure of OPM’s leadership’ led to historic data breaches]

That report called for the OMB to develop certification requirements that include requirements for reporting breaches to a federal cybersecurity center and notifying people whose personally identifiable information might have been compromised.

The memo released this week offers guidance for reporting breaches and notification, and also outlines some requirements for contracts, including the contracting language that should be included to ensure that agencies can respond properly to a breach when a contractor collects or maintains information on behalf of an agency.

Back in 2014 the GAO also identified a need for further guidance from OMB on data breaches, in a report that said agencies might not be taking corrective actions consistently to limit the risk of incidents involving personally identifiable information because of incomplete guidance from OMB.

[Read more: GAO: Federal agencies putting personal data at risk]

The report recommended OMB’s policy include guidance on notifying affected people based on a risk level, criteria for whether or not to offer help and revised reporting requirements to US-CERT.

For now it is unclear if this new policy adequately addresses all of the concerns identified in the 2014 report, or in the Oversight committee report.

The memo requires each agency’s Senior Agency Official for Privacy to update their agency’s breach response plan within 180 days and submit it to OMB.


Written by Samantha Ehlinger

Samantha Ehlinger is a technology reporter for FedScoop. Her work has appeared in the Houston Chronicle, Fort Worth Star-Telegram, and several McClatchy papers, including the Miami Herald and The State. She was part of a McClatchy investigative team for the “Irradiated” project on nuclear worker conditions, which won a McClatchy President’s Award. She is a graduate of Texas Christian University. Contact Samantha via email at, or follow her on Twitter at @samehlinger.
