The Office of Management and Budget
The Office of Management and Budget (OMB) governs Federal security and privacy policies via the Office of the Federal Chief Information Officer (OFCIO) and the Office of Regulatory and Information Affairs (OIRA). OMB also governs the closely related fields of procurement and employee performance management via the Offices of Federal Procurement Policy (OFPP) and Performance and Personnel Management (OPPM). OFCIO plays the primary OMB role in technical security and publishes government-wide guidance in circular A-130, “Managing Information as a Strategic Asset.”
A-130 instructs agencies to follow NIST publications, but also calls on agencies to “cost-effectively manage information security and privacy risks, which includes reducing such risks to an acceptable level.” A footnote to Appendix A further states that “agencies must conduct tailoring activities in accordance with OMB policy.” Like NIST, OMB encourages agencies to reduce the number of controls in the Risk Management Framework to “an acceptable level” and not to treat the Framework as a checklist.
A-130 also guides agencies to provide role-based training to security employees, but does not directly address competencies or training requirements for Authorizing Officials. Instead, it focuses on security awareness for the larger workforce.