Late July, 2016 the White House released the finalized revision of A-130 (Circular A-130: Managing Information as a Strategic Resource) which is designed to enhance the security and privacy of government and individual information. All those operating under the Federal information security umbrella will want to pay close attention to the revisions and adjustments which have been made. Facility Security Officers (FSO) and those dealing with sensitive or confidential data will want to be especially mindful of the changes which affect the implementation of security and privacy controls. The Office of Management and Budget (OMB) is the driver behind A-130, and is expecting compliance. That said, OMB has put in place a practical means by which waiver’s may be requested for entities which are unable to be compliant.
Security and Privacy of Personal Identifying Information (PII)
The first appendix is dedicated to the handling of PII. While many will view this as a bit oxymoronic given the rash of government wide breaches (Office of Personnel Management for example), the guidance within the appendix is sound. Specifically, if an entity is collecting PII, they must factor into the mix the “potential risk to the individual privacy from the collection, creation, use, dissemination, and maintenance of the PII.”
Entities operating under a Facility Clearance have already been asked to create the position of “Insider Threat Program Senior Official” (ITPSO) as discussed in Creating an Insider Threat Program – Adjustments for Change 2 to the NISPOM. Now government entities are being asked to also create the senior position of Senior Agency Official for Privacy (SAOP), who will have agency-wide responsibility and accountability in the implementation of privacy controls and protections.
Government FSOs must understand the full lifecycle of the information they collect and appropriately safeguard the PII. All FSOs should plan on being asked to conduct privacy impact assessments (PIA) and minimally understand the scope of the SAOP role and thus how it may impact their operations. (see Appendix One)
Protecting Government Information Resources
The third appendix is dedicated to protecting the information of the Nation. It appropriately notes the need to have a proactive and dynamic mindset when it comes to assessing threats, “as technologies and services continue to change, so will the threat environment” and continues, “programs must have the capability to address new and emerging threats.” Clearly noting this is not a snap-shot in time exercise. This will require entities to factor into their day-to-day operations the analysis of the threat environment. And in so doing, identifying any unmitigated risks, putting a plan together for closing those risks, and closely monitoring to ensure the identified risks are not exploited by an adversary of the Nation.
While the A-130 is directed to agency and departments, the trickle down, especially in the protection of government information to the FSO level will be substantial. For the contractor facilities dealing with classified materials, changes to process and procedure can be expected. As noted above, Change 2 to the NISPOM has already levied the requirement for the establishment of an ITPSO. (See Appendix Three)
In sum, the A-130 is a timely document which pushes change upon how agencies, departments and those entities supporting their mission will need to adjust their operations to ensure the privacy of the individual’s information, but also to affect the protection of the government’s information as a whole.
