Update A-130: Make it actionable, readable & prominent
The OMB guidance for the “Management of Information as a Strategic Resource” is six years old, far too outdated in an era of rapid technical change. OMB should update A-130 to align it with current priorities and technologies, such as the recent cybersecurity and customer experience executive orders, the findings of the Office of Science and Technology Policy’s equitable data working group, and the AI Bill of Rights, as well as modern cloud and artificial intelligence capabilities. In addition, OMB should work with NIST and the CIO Council to align agencies around common talking points regarding technical risk management.
While there is good guidance in A-130, it is neither prominent nor actionable. It is buried in definitions, appendices, and footnotes, making it difficult to find and use. OMB should highlight best practices in security more directly and in plain, directive language. If security management has strayed from the intent of NIST and OMB, OFCIO should address it directly and outline acceptable alternatives. OMB could also use A-130 to create a permissive structure for Authorizing Officials to make decisions that are in the best interests of the mission of government, shielding them from undue reprisal if they act in the national interest.
A-130 could also be used to set professional standards and create requirements or certification credentials for Authorizing Officials. This would ensure a baseline of knowledge for Authorizing Officials, greater consistency in the application of security processes, and improved discourse between security officials and private sector vendors.
Lastly, A-130 is difficult to find, even on the official cio.gov website. The link from the Federal Register is no longer active, and the secondary link on the OMB website links to an archived version of A-130, which appears to be the most current. The age of the document and the lack of a current copy on official websites diminish the authority of the guidance.