13 April 2000
Source: http://www.access.gpo.gov/su_docs/aces/fr-cont.html

[Federal Register: April 13, 2000 (Volume 65, Number 72)]
[Notices]
[Page 19933-19941]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr13ap00-118]

OFFICE OF MANAGEMENT AND BUDGET

Management of Federal Information Resources

AGENCY: Office of Management and Budget, Executive Office of the President.

ACTION: Proposed revision of OMB Circular No. A-130.

SUMMARY: The Office of Management and Budget is revising Circular No. A-130, ``Management of Federal Information Resources,'' to implement provisions of the Clinger-Cohen Act (also known as ``Information Technology Management Reform Act of 1996'') and for other purposes. This notice proposes revisions to the sections of the Circular concerning information systems and information technology management to follow more closely provisions of the Clinger-Cohen Act and OMB Circular A-11, which involve the acquisition, use, and disposal of information technology as a capital asset by the Federal government to improve the productivity, efficiency, and effectiveness of Federal programs. It also makes minor technical revisions throughout the Circular (for example, changing ``senior official'' to ``Chief Information Officer''). It proposes a new Appendix II to address ``Information Technology Architectures,'' incorporates OMB guidance regarding computer security into Appendix III, and revises Appendix IV to reflect these changes.
This notice also proposes revisions to the sections of the Circular concerning information management policy to follow more closely the provisions of the current OMB guidance entitled ``Implementation of the Government Paperwork Elimination Act.''

DATES: If you wish to comment on the proposed revisions to Circular No. A-130 [[Page 19934]] please submit your comments no later than Friday, May 19, 2000. Each Department and agency should submit a single coordinated set of comments.

ADDRESSES: We welcome electronic comments and will include them as part of the official record. Please send comments electronically to: A-130@omb.eop.gov. You may address hardcopy comments to: Information Policy and Technology Branch, Office of Information and Regulatory Affairs, Office of Management and Budget, Room 10236 New Executive Office Building, Washington, DC 20503.

Electronic Availability: This document is available on the Internet at the OMB web site, http://www.whitehouse.gov/omb/fedreg/index.html and at the CIO Council home page at http://cio.gov. You can also obtain a copy of OMB Circular No. A-11, including the supplement to Part 3, ``The Programming Guide,'' at the OMB web site and the CIO Council web site, or by calling the Budget Review and Concepts Division at OMB at 202-395-3172.

FOR FURTHER INFORMATION CONTACT: Tony Frater, Information Policy and Technology Branch, Office of Information and Regulatory Affairs, Office of Management and Budget, Room 10236, New Executive Office Building, Washington, DC 20503. Telephone: (202) 395-3785.

SUPPLEMENTARY INFORMATION:

Background

The Clinger-Cohen Act (also known as ``Information Technology Management Reform Act of 1996'') (Public Law 104-106, Division E, codified at 40 U.S.C.
Chapter 25) grants to the Director of the Office of Management and Budget (OMB) various authorities for overseeing the acquisition, use, and disposal of information technology by the Federal government, so as to improve the productivity, efficiency, and effectiveness of Federal programs. It supplements the information resources management (IRM) policies contained in the Paperwork Reduction Act (PRA) (44 U.S.C. Chapter 35) by establishing a comprehensive approach to improving the acquisition and management of agency information systems through work process redesign, and by linking planning and investment strategies to the budget process.

The Clinger-Cohen Act establishes clear accountability for IRM activities by creating agency Chief Information Officers (CIOs) with the authority and management responsibility necessary to advise agency heads. Among other responsibilities, CIOs oversee the design, development, and implementation of information systems. CIOs also monitor and evaluate system performance and advise agency heads to modify or terminate those systems. The Clinger-Cohen Act also directs agencies to work together towards the common goal of using information technology to improve the productivity, effectiveness, and efficiency of Federal programs and to promote an interoperable, secure, and shared government wide information resources infrastructure.

To provide agencies with additional guidance on implementing the Clinger-Cohen Act, OMB proposes to revise Circular No. A-130, ``Management of Federal Information Resources'' (61 FR 6428 February 20, 1996), which contains the policy framework for the management of Federal information resources.
OMB has issued previous guidance regarding the Clinger-Cohen Act implementation, including: OMB Memoranda M-96-20, ``Implementation of the Information Technology Management Reform Act of 1996;'' M-97-02, ``Funding Information Systems Investments;'' M-97-09, ``Interagency Support for Information Technology;'' M-97-15, ``Local Telecommunications Services Policy;'' M-97-16, ``Information Technology Architectures''. Upon issuance of final revisions to the Circular, OMB will rescind those Memoranda. Future revisions to A-130 will incorporate other related OMB guidance, including issuances on computer security and agency use of electronic transactions.

Since the last revision of this Circular, Congress passed, and the President signed into law, the Electronic Freedom of Information Act Amendments (Public Law 104-231). Among other changes, the E-FOIA Amendments added a new subsection (g) to the FOIA, which reinforces the preexisting requirement in the Paperwork Reduction Act for agencies to maintain an inventory of their major information systems and an information locator service. The E-FOIA Amendments also require agencies to maintain a handbook that explains how persons may obtain public information from the agency pursuant to the FOIA and the PRA. Additional text has been added to this provision in Section 9 to reflect the enactment of the E-FOIA Amendments. Also, Appendix IV has been amended to incorporate the guidance that OMB issued to agencies in April 1998 on implementing the E-FOIA's handbook requirement (OMB Memorandum M-98-09). When this guidance is incorporated into the Circular, OMB will rescind the 1998 Memorandum.

In addition, in late 1997, a lawsuit was filed against several agencies (Public Citizen v. Raines) alleging that they had not complied with the requirements in the PRA and FOIA for agencies to inventory their information systems.
During the course of the litigation, which is ongoing, the argument was advanced by the plaintiff that Congress in the 1995 revisions to the PRA required agencies to maintain an inventory of all of their information systems, rather than only their major information systems.

OMB responded by expressing its view that, in revising the PRA in 1995, Congress did not require agencies to inventory all of their information systems. Instead, consistent with the PRA as originally enacted in 1980 and amended in 1986, Congress in 1995 continued to require an agency to inventory its ``major'' information systems. This legislative intent is reflected in Section 3511(a) of the 1995 PRA (which requires an inventory of an agency's major information systems) and also in Section 3506(b)(4), which cross-references that requirement in Section 3511. A continuing PRA focus on the agency's ``major'' information systems is also consistent with the later-enacted 1996 E-FOIA Amendments, in which Congress required agencies to make available to the public their inventories of major information systems. Finally, in terms of the agency's activities in managing its information resources, which is the overall subject of Section 3506(b), OMB believes that an agency needs to focus its management attention on its ``major'' information systems, and for this reason an inventory that includes those major systems (but not all systems) makes the most sense for improving agency management.

Therefore, in addition to reflecting the passage of the E-FOIA Amendments, the proposed revisions to Section 9 also make clearer the agencies' obligations under the PRA and FOIA in this area. These revisions reiterate the pre-existing requirement in Section 9 for each agency to maintain an inventory of its major information systems (these systems may be electronic or paper--the Circular's definition of ``major information systems'' is format neutral).
The revisions also clarify that each agency, under Section 3506(b)(4) of the PRA, needs to maintain as well an inventory of its other ``information resources'' (such as personnel and funding) at the level of detail that the agency's managers believe is most appropriate for them to use in their management of the agency's information resources.

[[Page 19935]]

What Sections of Circular No. A-130 Are Proposed for Revision?

Section 3. Authorities. This section is amended to cite, and to incorporate changes necessitated by the Clinger-Cohen Act, the Government Performance and Results Act (GPRA), and Executive Order 13011.

Section 5. Background. A discussion of the basic principles and goals of the Clinger-Cohen Act is added.

Section 6. Definitions. The terms ``Chief Information Officers Council'' and ``Information Technology Resources Board'' are introduced to reflect the interagency support structures established by Executive Order 13011. The term ``executive agency'' is introduced to reflect the definition found in the Clinger-Cohen Act. The term ``information technology'' is amended to reflect definitional changes made by the Clinger-Cohen Act, and is supplemented by the limiting term ``national security system'' to clearly identify those systems to which the Circular applies. The term ``capital planning and investment control process'' is introduced to assist agencies in the reporting requirements of the Clinger-Cohen Act.

Section 7. Basic Considerations and Assumptions. The existing basic considerations and assumptions are supplemented with a modified subsection (i) and new subsection (r) to reflect the relevant goals and purposes of the Clinger-Cohen Act and Executive Order 13011.

Section 8a. Information Management Policy. Section 8a(3) is proposed to be revised to reflect the Government Paperwork Elimination Act (Public Law 105-277, Title XVII), which was enacted in October 1998.
OMB issued proposed guidance to implement the GPEA on March 5, 1999 (64 FR 10896), and is preparing the final guidance, to be issued shortly.

Section 8b. Information Systems and Information Technology Management. This section is substantially revised to implement the policies of the Clinger-Cohen Act and the principles of Executive Order 13011. Sections 8b(1), 8b(2), 8b(3) have been merged to better integrate requirements under the Clinger-Cohen Act, the Government Performance and Results Act (Public Law 103-62), and revisions to OMB Circular A-11.

New section 8b(1) is revised to provide guidance on both strategic and operational IRM planning by integrating the agency's information resources management plans, strategic plans, performance plans, financial management plans, and budget processes, as discussed in OMB Circular A-11, Sec 210.8. This new section outlines three components: selection, control, and evaluation. It also stresses the need to redesign work processes before making significant investments in automation, and the need to evaluate commercial off-the-shelf ``COTS'' software as part of the capital planning process. Additionally, this section contains revisions that incorporate requirements for IT accessibility by persons with disabilities that had previously resided in the Federal Information Resource Management Regulations (FIRMR, 41 CFR 201).

Section 8b(2), previously 8b(4), is assigned a new heading ``What is an ITA.'' This section is modified, and includes relevant concepts from the previous section.

Section 8b(3), previously 8b(5), is modified to promote the structuring of major information systems into modules that will reduce risk, promote flexibility and interoperability, increase accountability, and better match mission needs with current technology and market conditions.

Section 9. Assignment of Responsibilities.
Subsection 9a, All Federal Agencies, is changed to reflect the new Chief Information Officer (CIO) position created by the Clinger-Cohen Act, and reflects developments since the Circular was last revised in February 1996. A new subsection 9a(3) is inserted to reflect CIO responsibilities. Old subsections 9a(3)-(8) are renumbered to become 9a(4)-(9). Existing Section 9a(5)--which would be renumbered as Section 9a(7)--is proposed to be revised to make clearer the agencies' obligations under the Paperwork Reduction Act and the Freedom of Information Act (as discussed above). A new Subsection 9a(10) is added to ensure cross agency cooperation. 9a(11) is added to encourage agencies to permit other agencies to place orders for information technology against its contracts to the extent practicable. Subsections 9a(3), (12), (13), (14), and (15) are added to describe the CIO's responsibilities under the Clinger-Cohen Act.

Subsection 9b, Department of State, is revised to reflect responsibilities described in the Clinger-Cohen Act and Executive Order 13011. These include liaison, consultation, and negotiation with foreign governments and intergovernmental organizations on matters related to information resources management as well as the State Department's advisory role in developing U.S. positions and policies on international information policy and technology issues affecting the Federal government.

Subsection 9c(1), Department of Commerce, is supplemented to reflect that agencies and the Chief Information Officers Council will make recommendations, as appropriate, to the Secretary of Commerce regarding standards development.

Subsection 9e, General Services Administration (GSA), is changed to reflect that with the enactment of the Clinger-Cohen Act, GSA will no longer perform policy and oversight functions. GSA will continue to provide services, training, and assistance as requested by the agencies and OMB.

Subsection 9h, Office of Management and Budget, is changed to reflect that OMB will provide guidance to the Boards established by Executive Order 13011, and may from time to time designate executive agents for government-wide procurement of information technology.

Accordingly, Circular No. A-130 (61 FR 6428, February 20, 1996) is proposed to be amended as set forth below.

John T. Spotila,
Administrator, Office of Information and Regulatory Affairs.

Proposed Amendments to OMB Circular No. A-130

1. Section 3, ``Authorities,'' is revised to read as follows:

3. Authorities: This Circular is issued pursuant to the Paperwork Reduction Act (PRA) of 1980, as amended by the Paperwork Reduction Act of 1995 (44 U.S.C. Chapter 35); the Clinger-Cohen Act (also known as ``Information Technology Management Reform Act of 1996'') (Public Law 104-106, Division E); the Privacy Act, as amended (5 U.S.C. 552a); the Chief Financial Officers Act (31 U.S.C. 3512 et seq.); the Federal Property and Administrative Services Act, as amended (40 U.S.C. 487); the Computer Security Act (Public Law 100-235); the Budget and Accounting Act, as amended (31 U.S.C. Chapter 11); Executive Order 12046 of March 27, 1978; Executive Order 12472 of April 3, 1984; and Executive Order 13011 of July 17, 1996.

2. Section 5, ``Background,'' is amended by adding the following new paragraph:

The Clinger-Cohen Act supplements the information resources management policies contained in the PRA by establishing a comprehensive approach for executive agencies to improve the acquisition and management of their information resources, through:

(1) Focusing information resource planning to support the agency's strategic missions;

(2) Implementing a capital planning and investment control process that links to budget formulation and execution; and [[Page 19936]]

(3) Rethinking and restructuring the way agencies do their work before investing in information systems.

3.
Section 6, ``Definitions,'' is amended by making the following revisions: definitions are added for ``capital planning and investment control process,'' ``Chief Information Officers Council,'' ``executive agency,'' ``Information Technology Resources Board,'' and ``national security system''. The definition for ``information technology'' is revised, and the remaining definitions are redesignated accordingly. The new and revised definitions are as follows:

c. The term ``capital planning and investment control process'' means a management process for ongoing identification, selection, control, and evaluation of investments in information resources. The process is linked to budget formulation and execution, and is focused on agency missions and achieving specific program outcomes.

d. The term ``Chief Information Officers Council'' (CIO Council) means the Council established in Section 3 of Executive Order 13011.

f. The term ``executive agency'' has the meaning defined in section 4(1) of the Office of Federal Procurement Policy Act (41 U.S.C. 403(1)).

t. The term ``information technology'' means any equipment or interconnected system or subsystem of equipment, that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by an executive agency. For purposes of the preceding sentence, equipment is used by an executive agency if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency which (i) requires the use of such equipment, or (ii) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The term ``information technology'' includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources.
The term ``information technology'' does not include any equipment that is acquired by a Federal contractor incidental to a Federal contract.

u. The term ``Information Technology Resources Board'' (Resources Board) means the board established by Section 5 of Executive Order 13011.

w. The term ``national security system'' means any telecommunications or information system operated by the United States Government, the function, operation, or use of which (1) involves intelligence activities; (2) involves cryptologic activities related to national security; (3) involves command and control of military forces; (4) involves equipment that is an integral part of a weapon or weapons system; or (5) is critical to the direct fulfillment of military or intelligence missions, but excluding any system that is to be administrative and business applications (including payroll, finance, logistics, and personnel management applications). The policies and procedures established in this Circular shall apply to national security systems in a manner consistent with the applicability and related limitations regarding such systems set out in Section 5141 of the Clinger-Cohen Act (Pub. L. 104-106). Applicability of Clinger-Cohen Act to national security systems shall include budget document preparation requirements set forth in OMB Circular A-11. The resultant budget document may be classified in accordance with the provisions of Executive Order 12958.

4. Section 7, ``Basic Considerations and Assumptions,'' is amended by revising Sections 7i and by adding 7r to read as follows:

i. Strategic planning improves the operation of government programs. The agency strategic plan will shape the redesign of work processes and guide the development and maintenance of a capital planning and investment control process. This management approach promotes the appropriate application of Federal information resources.

r.
The development and operation of interagency and interoperable shared information resources to support the performance of government missions should be supported by the Chief Information Officers Council and the Information Technology Resources Board.

5. Section 8, ``Policy,'' is amended by revising Section 8a(3) to read as follows:

3. Electronic Information Collection. Executive agencies under Sections 1703 and 1705 of the Government Paperwork Elimination Act (GPEA), Public Law 105-277, Title XVII, are required to provide, by October 21, 2003, the (1) option of the electronic maintenance, submission, or disclosure of information, when practicable as a substitute for paper; and (2) use and acceptance of electronic signatures, when practicable. Agencies will follow the provisions in OMB guidance, Implementation of the Government Paperwork Elimination Act.

6. Section 8, ``Policy,'' is amended by revising Section 8b(1) to read as follows:

b. How Should Agencies Manage Information Systems and Information Technology?

(1) Capital Planning and Investment Control. Agencies must establish and maintain a capital planning and investment control process that links mission needs, information, and information technology in an effective and efficient manner. The process should guide both strategic and operational IRM planning by integrating the agency's information resources management plans, strategic plans prepared pursuant to the Government Performance and Results Act of 1993 (5 U.S.C. 306), performance plans prepared pursuant to Government Performance and Results Act of 1993 (31 U.S.C. 1115), financial management plans prepared pursuant to the Chief Financial Officer Act of 1990 (31 U.S.C. 902a5), and the agency's budget formulation and execution processes. The capital planning and investment control process includes all stages of capital programming, including planning, budgeting, and procurement.
As outlined below in section (B), the capital planning and investment control process has three components: selection, control, and evaluation. The process should be iterative, with inputs coming from the agency strategic plan and the outputs feeding into the budget and investment control processes. The goal is to link resources to results. For further guidance on Capital Planning refer to OMB Circular A-11.

(A) What components are expected in the Information Resources Management Plan?

As a product of the capital planning and investment control process, agencies must develop and maintain the agency Information Resource Management Plan (IRM) (also known as the IT Capital Plan), as required by 44 U.S.C. 3506(b)(2). The IRM Plan will include both Strategic and Operational IRM Plans. Specifically, the IRM Plan must include:

(i) A component derived from the agency strategic plan as required by the Government Performance and Results Act. Specifically, an analysis detailing the information resource investment particulars contained within the agency Strategic Plan. These particulars should focus on the strategic implementation of IT to achieve the overall missions and goals of the agency and describe the linkage between the investment and the agency's missions, as required by OMB Circular A-11;

(ii) A component derived from the agency annual performance plan as required by the Government Performance and Results Act. Specifically, an analysis describing the information resource investment particulars contained within the agency annual Performance Plan. These particulars should describe the quantifiable performance measures used in evaluating the implementation of specific IT initiatives and should provide metrics to assess progress towards achieving performance goals;

(iii) A component derived from the agency annual program performance report as required by the Government Performance and Results Act.
Specifically, an accountability report comparing actual performance to expected performance as expressed in the annual goals established in the agency Performance Plans. Progress should be detailed in OMB Circular A-11 Exhibit 300B submissions as part of the annual budget process; and

(iv) A component derived from the agency security plan as required by the Computer Security Act. Specifically, the summary plan included in the agency's five-year plan as required by 44 U.S.C. 3505 and Appendix III of this Circular.

(B) What must an agency do as part of the selection component of the capital planning process?

(i) Evaluate each investment in information resources to determine whether the investment will support core mission functions that must be performed by the Federal government;

(ii) Ensure that improvements to existing information systems or the development of [[Page 19937]] new information systems are initiated because no alternative private sector or governmental source can efficiently support the function;

(iii) Support work processes that have been simplified or otherwise redesigned to reduce costs, improve effectiveness, and make maximum use of commercial, off-the-shelf technology;

(iv) Reduce risk by avoiding or isolating custom designed components, using components that can be fully tested or prototyped prior to production, and ensuring involvement and support of users;

(v) Demonstrate a projected return on the investment that is clearly equal to or better than alternative uses of available public resources. The return may include improved mission performance in accordance with GPRA measures, reduced cost, increased quality, speed, or flexibility; and increased customer and employee satisfaction. The return should be adjusted for such risk factors as the project's technical complexity, the agency's management capacity, the likelihood of cost overruns, and the consequences of under- or non-performance.
Return on investment should, where appropriate, be demonstrated by actual returns observed through pilot projects and prototypes;

(vi) Prepare and update a benefit-cost analysis (BCA) for each information system throughout its life cycle. A BCA will provide a level of detail proportionate to the size of the investment; rely on systematic measures of mission performance; and be consistent with the methodology described in OMB Circular No. A-94, ``Guidelines and Discount Rates for Benefit-Cost Analysis of Federal Programs'';

(vii) Prepare and maintain a portfolio of major information systems that monitors investments and prevents redundancy of existing or shared systems. The portfolio should provide information demonstrating the impact of alternative IT investment strategies and funding levels, identify opportunities for sharing resources, and consider the agency's inventory of information resources;

(viii) Ensure consistency with Federal, agency, and bureau information architectures;

(ix) Ensure that improvements to existing information systems and the development of planned information systems do not unnecessarily duplicate information systems within the same agency, from other agencies, or from the private sector;

(x) Ensure that the selected system or process maximizes the usefulness of information, minimizes the burden on the public, and preserves the appropriate integrity, availability, and confidentiality of information throughout its life cycle.
This portion shall specifically address the planning and budgeting for the information collection burden imposed on the public as defined by 5 CFR part 1320;

(xi) Establish oversight mechanisms, consistent with Appendix III of this Circular, to systematically evaluate and ensure the continuing security and availability of systems and their data;

(xii) Ensure that Federal information system requirements do not unnecessarily restrict the prerogatives of state, local and tribal governments;

(xiii) Ensure that the selected system or process facilitates accessibility pursuant to the Rehabilitation Act of 1973, as amended (Public Law 105-220, 29 U.S.C. 794d).

(C) What must an agency do as part of the control component of the capital planning process?

(i) Institute performance measures and management processes that monitor actual performance compared to expected results. Agencies must use a performance based management system that provides timely information regarding the progress of an information technology investment. The system must also measure progress towards milestones in an independently verifiable basis, in terms of cost, capability of the investment to meet specified requirements, timeliness, and quality;

(ii) Establish oversight mechanisms that require periodic review of information systems to determine how mission requirements might have changed, and whether the information system continues to fulfill ongoing and anticipated mission requirements. These mechanisms must also require information regarding the future levels of maintenance necessary to ensure the information system meets mission requirements cost effectively;

(iii) Ensure that major information systems proceed in a timely fashion towards agreed-upon milestones in an information system life cycle.
Information systems must also continue to deliver intended benefits to the agency and customers, meet user requirements, and identify and offer security protections;

(iv) Prepare and update a strategy that identifies and mitigates risks associated with each information system.

(v) Ensure that financial management systems conform to the requirements of OMB Circular No. A-127, ``Financial Management Systems.''

(D) What must an agency do as part of the evaluation component of the capital planning process?

(i) Conduct post-implementation reviews of information systems and information resource management processes to validate estimated benefits and costs, and document effective management practices for broader use;

(ii) Evaluate systems to ensure positive return on investment and decide whether continuation, modification, or termination of the systems is necessary to meet agency mission requirements.

(iii) Document lessons learned from the post-implementation reviews. Redesign oversight mechanisms and performance levels to incorporate acquired knowledge.

(2) What is an ITA? Consistent with Appendix II of this Circular, agencies will create an Information Technology Architectures (ITA). This framework should document linkages between mission needs, information content, and information technology capabilities. An ITA should also guide both strategic and operational IRM planning. It should be supported by a complete inventory of the agency information resources, including personnel, equipment, and funds devoted to information resources management and information technology, at a level of detail appropriate to support the ITA. It should also address steps necessary to create an open systems environment.
Agencies will implement the following principles:

(a) Develop information systems that facilitate interoperability, application portability, and scalability of computerized applications across networks of heterogeneous hardware, software, and communications platforms;

(b) Meet information technology needs through cost effective intra-agency and interagency sharing, before acquiring new information technology resources; and

(c) Establish a level of security for all information systems that is commensurate to the risk and magnitude of the harm resulting from the loss, misuse, unauthorized access to, or modification of the information stored or flowing through these systems.

(1) How Should Agencies Acquire Information Technology? Agencies will:

(a) Make use of adequate competition, allocate risk between government and contractor, and maximize return on investment when acquiring information technology;

(b) Structure major information systems into useful segments with a narrow scope and brief duration. This will reduce risk, promote flexibility and interoperability, increase accountability, and better match mission need with current technology and market conditions;

(c) Acquire off-the-shelf software from commercial sources, unless the cost effectiveness of developing custom software is clear and has been documented through pilot projects or prototypes; and

(d) Ensure accessibility of acquired information technology pursuant to the Rehabilitation Act of 1973, as amended (Pub. Law 105-220, 29 U.S.C. 794d).

7. Section 9, ``Assignment of Responsibilities,'' is amended by making the following revisions to Section 9a, ``All Federal Agencies'': delete subparagraphs (9)-(10), renumber subparagraphs (3)-(8) to become subparagraphs (5)-(10), insert new subparagraphs (3)-(4), revise new subparagraph (7), and insert (11)-(15) to read:

(3) Appoint a Chief Information Officer, as required by 44 U.S.C.
3506(a), who must report directly to the agency head to carry out the responsibilities of the agencies listed in Executive Order 13011. The head of the agency will consult with the Director of OMB prior to appointing a Chief Information Officer, and will advise the Director on matters regarding the authority, responsibilities, and organizational resources of the Chief Information Officer. For purposes of this paragraph, military departments and the Office of the Secretary of Defense may each appoint one official. The Chief Information Officer shall, among other things:
(a) Be an active participant during all agency strategic management activities, [[Page 19938]] including the development, implementation, and maintenance of agency strategic and operational plans;
(b) Be an active participant throughout the annual agency budget process in establishing investment priorities for agency information resources;
(c) Advise the agency head on information resource implications of strategic planning decisions;
(d) Monitor and evaluate the performance of information resource investments through a capital planning and investment control process, and advise the agency head on whether to continue, modify, or terminate a program or project;
(e) Advise the agency head on budgetary implications of information resource decisions; and
(f) Advise the agency head on the design, development, and implementation of information resources.

(4) Direct the Chief Information Officer, appointed pursuant to 44 U.S.C. 3506(a), to monitor agency compliance with the policies, procedures, and guidance in this Circular. Acting as an ombudsman, the Chief Information Officer will consider alleged instances of agency failure to comply with section 8(a) of this Circular, and recommend or take appropriate corrective action. The Chief Information Officer will report instances of alleged failure and their resolution annually to the Director of OMB, by February 1st of each year.

(7) Maintain the following, as required by the Paperwork Reduction Act (44 U.S.C. 3506(b)(4) and 3511) and the Freedom of Information Act (5 U.S.C. 552(g)): an inventory of the agency's major information systems, holdings, and dissemination products; an agency information locator service; a description of the agency's major information and record locator systems; an inventory of the agency's other information resources, such as personnel and funding (at the level of detail that the agency determines is most appropriate for its use in managing the agency's information resources); and a handbook for persons to obtain public information from the agency pursuant to these Acts.

(11) Ensure that the agency:
(a) cooperates with other agencies in the use of information technology to improve the productivity, effectiveness, and efficiency of Federal programs;
(b) promotes a coordinated, interoperable, secure, and shared government wide infrastructure that is provided and supported by a diversity of private sector suppliers; and
(c) develops a well-trained corps of information resource professionals.

(12) Use the guidance provided in OMB Circular A-11, ``Planning, Budgeting, and Acquisition of Fixed Assets,'' to promote effective and efficient capital planning within the organization;

(13) Ensure that the agency provides budget data pertaining to information resources to OMB, consistent with the requirements of OMB Circular A-11;

(14) Permit, to the extent practicable, the use of one agency's contract by another agency or the award of multi-agency contracts, provided the action is within the scope of the contract and consistent with OMB guidance; and

(15) As designated by the Director of OMB, act as executive agent for the government-wide acquisition of information technology.

8. Section 9, ``Assignment of Responsibilities,'' is further amended by revising Section 9b, ``Department of State,'' to read as follows:

b. Department of State.
The Secretary of State will:
(1) Advise the Director of OMB on the development of United States positions and policies on international information policy and technology issues affecting Federal government activities and the development of international information technology standards; and
(2) Be responsible for liaison, consultation, and negotiation with foreign governments and intergovernmental organizations on all matters related to information resources management, including federal information technology. The Secretary will also ensure, in consultation with the Secretary of Commerce, that the United States is represented in the development of international standards and recommendations affecting information technology. These responsibilities may also require the Secretary to consult, as appropriate, with affected domestic agencies, organizations, and other members of the public.

9. Section 9, ``Assignment of Responsibilities'' is further amended by making the following revision to Section 9c, ``Department of Commerce'': Subparagraph (1) is revised to read as follows:

(1) Develop and issue Federal Information Processing Standards and guidelines necessary to ensure the efficient and effective acquisition, management, security, and use of information technology while taking into consideration the recommendations of the agencies and the Chief Information Officers Council;

10.
Section 9, ``Assignment of Responsibilities,'' is further amended by making the following revisions to Section 9e, ``General Services Administration'': subparagraphs (1) through (5) are deleted, subparagraph (6) is renumbered as subparagraph (7); and the following new subparagraphs are added after the introductory text:

(1) Continue to manage the FTS2001 program and coordinate the follow-up to that program, on behalf of and with the advice of agencies;

(2) Develop, maintain, and disseminate for the use of the Federal community (as requested by OMB or the agencies) recommended methods and strategies for the development and acquisition of information technology;

(3) Conduct and manage outreach programs in cooperation with agency managers;

(4) Be a liaison on information resources management (including Federal information technology) with State and local governments. GSA will also be a liaison with non-governmental international organizations, subject to prior consultation with the Secretary of State to ensure consistency with the overall United States foreign policy objectives;

(5) Support the activities of the Secretary of State for liaison, consultation, and negotiation with intergovernmental organizations on information resource management matters;

(6) Provide support and assistance to the CIO Council and the Information Technology Resources Board.

11.
Section 9, ``Assignment of Responsibilities,'' is amended by making the following revisions to Section 9h, ``Office of Management and Budget'': Subparagraph (10) is deleted, subparagraphs (11) and (12) are renumbered as subparagraphs (10) and (11), and the following new subparagraphs are added at the end:

(12) Evaluate agency information resources management practices and programs and, as part of the budget process, analyze, track, and evaluate the risks and results of major capital investments in information systems;

(13) Notify an agency if OMB believes that a major information system project requires outside assistance;

(14) Provide guidance on the implementation of the Clinger-Cohen Act and on the management of information resources to the executive agencies, to the CIO Council, and to the Information Technology Resources Board; and

(15) Designate one or more heads of executive agencies as executive agent for government-wide acquisitions of information technology.

Proposed Appendix II to OMB Circular No. A-130--Information Technology Architecture

This Appendix defines the minimum criteria for an agency Information Technology Architecture (ITA). Many agencies have already developed frameworks and methodologies guiding the development, implementation, and maintenance of an ITA. Therefore this guidance is intended to ensure that as agencies complete or update their ITA, critical information is included. An IT architecture in compliance with the Clinger-Cohen Act and OMB guidance will contain an Enterprise Architecture and a Technical Reference Model and Standards Profile.

What Is an Enterprise Architecture?

An Enterprise Architecture is the explicit description of the current and desired relationships among business and management processes and information technology. It describes the ``target'' environment which the agency wishes to create and maintain by managing its IT portfolio.
The Enterprise Architecture must also provide a strategy that will enable the agency to transition from its current to its target environment. Within the Enterprise Architecture it is important that agencies identify and document: (1) the business processes, (2) the information flow and [[Page 19939]] relationships, (3) applications, (4) data descriptions, and (5) technology infrastructure, as follows:

1. Business Processes--Agencies must identify the work performed to support their mission, vision and performance goals. Agencies must also document change agents, such as legislation or new technologies, that will drive changes in the Enterprise Architecture.

2. Information Flow and Relationships--Agencies must analyze the information utilized by the agency in its business processes, identifying the information used and the movement of the information. These information flows indicate where the information is needed and how the information is shared to support mission functions.

3. Applications--Agencies must identify, define, and organize the activities that capture, manipulate, and manage the business information to support business processes. It also describes the logical dependencies and relationships among business activities.

4. Data Descriptions and Relationships--Agencies must identify how data is created, maintained, accessed, and used. At a high level, agencies define the data and describe the relationships among data elements used in the agency's information systems.

5. Technology Infrastructure--Agencies must describe and identify the functional characteristics, capabilities, and interconnections of the hardware, software, and telecommunications.

What Are the Technical Reference Model and Standards Profile?

Technical Reference Model (TRM)--A TRM identifies and describes the information services (such as database, communications, intranet, etc.) used throughout the agency.

Standards--Agencies should define the set of IT standards that support the services articulated in the TRM. Agencies are expected to adopt standards necessary to support the entire Enterprise Architecture, and these standards must be enforced consistently throughout the agency.

Proposed Revisions to Appendix IV to OMB Circular No. A-130--Analysis of Key Sections

Revise Section 8a(5) to include:

As described in Section 11 of the ``Electronic Freedom of Information Act Amendments of 1996'' (Public Law 104-231), an agency must place its index and description of major information and record locator systems in its reference material or guide. We expect that this index and description would include an agency's Government Information Locator Service (GILS) presence as well as any other major information and record locator systems the agency has identified.

In addition, each agency should prepare a handbook that describes in one place the various ways by which a person can obtain public information from the agency, as well as the types and categories of information available. In preparing the handbook, each agency should review the dissemination policies contained in this Circular. The handbook should be in plain English and user-friendly. Where applicable, it should indicate that the public is encouraged to access information electronically via the agency's home page or to search in its reading room, and that the public may also submit a request to the agency under the Freedom of Information Act. ``Types and categories'' of available information will vary from agency to agency, and agencies should describe their information resources in whatever manner seems most appropriate. Although the law does not require that the handbook be available on-line, OMB encourages agencies to do so as a matter of policy.

The handbook should include the following elements:

1.
The location of reading rooms within the agency and within its major field offices, as well as a brief description of the types and categories of information available.
2. The location of the agency's World Wide Web home page.
3. A reference to the agency's FOIA regulations and how to get a copy.
4. A reference to the agency's FOIA annual report and how to get a copy.
5. The location of the agency's GILS page.
6. A brief description of the types and categories of information generally available from the agency.

In addition, if there is an on-line version, it should have electronic links to these elements wherever they exist.

Section 8b(1)

What is the capital planning and investment control process?

The capital planning and investment control process is a systematic approach to managing the risks and returns of IT investments. The process has three phases: select, control and evaluate. The process covers all stages of capital programming, including planning, budgeting and procurement. For additional information describing capital planning, please consult Circular A-11.

Where can I get more information about return on investment (ROI)?

Agencies that would like to learn more about compiling and demonstrating projected return on investments (ROI) are encouraged to consult the Federal CIO Council document ``ROI and the Value Puzzle''. This document may be obtained at the CIO Council's web page (http://cio.gov).

How should agencies incorporate security into management of information resources?

Effective security is an essential element of all information systems. A process assuring adequate security must be integrated into the agency's management of information resources. This process should be a component of both the capital planning process and the information technology architecture. A system's security requirements must be supported by the agency ITA in order for it to be considered during the select phase of the capital planning process.
Agencies will use the control and evaluate phases of capital planning to ensure these security requirements are met throughout the system's life cycle. For more information on computer security please read Appendix III of this Circular.

How will agencies use the information collected during the capital planning process?

As a quick guide, this table summarizes the information trail and describes how certain types of information will be utilized throughout the capital planning process.

----------------------------------------------------------------------------------------------------------------
                                                     Components of the capital planning process
        Required information          --------------------------------------------------------------------------
                                      Select (planned)         Control (actual)         Evaluate (variance)
----------------------------------------------------------------------------------------------------------------
Justification and descriptive         Provided as part of the  Reviewed and reported    Reported annually as
 information.                         pre-screening process    systematically to        part of the Capital
                                      and documents the        ensure business needs    Asset Plan and
                                      business case            are being met.           Justification (Exhibit
                                      justification for the                             300B).
                                      investment.

[[Page 19940]]

Summary of spending by project        Provided as part of the  Reviewed systematically  Reported annually as
 stages, cost, schedule, and          initial planning and     to ensure that costs     part of the Capital
 performance goals.                   budgeting process        and scheduled goals      Asset Plan and
                                      using a work break-      are on target.           Justification (Exhibit
                                      down process. The                                 300B).
                                      summary reflects a life
                                      cycle project
                                      management approach for
                                      all stages of the
                                      investment, and is
                                      structured using a
                                      performance based
                                      management process
                                      (such as earned value
                                      management).

Program management and contracting    Provided as part of the  Reviewed systematically  Reported annually as
 information.                         planning phase and       to ensure that           part of the Capital
                                      includes information     contract and             Asset Plan and
                                      such as type of          acquisition goals are    Justification (Exhibit
                                      contract, and            on target.               300B).
                                      acquisition planning
                                      information.

Financial Basis for the project       Details financial        Reviewed and updated     Reported annually as
                                      analysis such as         systematically to        part of the Capital
                                      benefits-cost analysis   capture the latest       Asset Plan and
                                      (BCA), return on         information on ROI and   Justification (Exhibit
                                      investment and other     benefits and to track    300B).
                                      financial analysis       financial performance.
                                      performed to justify
                                      the investment.

Performance measures and goals        Provided prior to the    Monitored and reported   Reported annually as
                                      selection of the         systematically for       part of the Capital
                                      project and              performance goals and    Asset Plan and
                                      establishes the          the progress of          Justification (Exhibit
                                      baseline for             meeting the business     300B).
                                      performance measures     goals and needs of an
                                      and goals whereby the    agency.
                                      investment will be
                                      monitored.

Costs and schedule goals              Provided as part of the  Updated systematically   Reported annually as
                                      initial planning and     to ensure that the       part of the Capital
                                      budgeting process        investment is earning    Asset Plan and
                                      using a work break-      at the planned rate.     Justification (Exhibit
                                      down process. The                                 300B).
                                      goals reflect a life-
                                      cycle project
                                      management approach for
                                      all stages of the
                                      investment and is
                                      structured using an
                                      earned value management
                                      process.

Risks                                 Risk assessments are     Reviewed and updated     Reported annually as
                                      performed and            systematically to        part of the Capital
                                      mitigation plans are     gauge effectiveness of   Asset Plan and
                                      provided as part of      the mitigation plans     Justification (Exhibit
                                      the initial planning     and to identify any      300B).
                                      phase. Assessments       new risks that may
                                      must address             arise.
                                      technology, security,
                                      strategic issues, and
                                      IT architecture. Risk
                                      assessments may also
                                      address the risk of not
                                      continuing a project.

Benefits associated with the          Benefits can be either   Updated systematically   Reported annually as
 investment.                          financial or non-        to further strengthen    part of the Capital
                                      financial and may also   the business case for    Asset Plan and
                                      be cost avoidance. The   the investment or its    Justification (Exhibit
                                      expected benefits are    continuance and to       300B).
                                      captured as part of      ensure that the
                                      the initial planning     benefits are realized.
                                      phase of an investment.
----------------------------------------------------------------------------------------------------------------

Section 8b(2)

What Is an ITA?

An Information Technology Architecture (ITA) should guide the agency's management of information resources for agency-wide information and information technology needs consistent with Appendix II of this Circular. The ITA will help the agency cope with technology and business change by serving as a reference for updates to existing and new information systems. The ITA will also assure interoperability of business processes, data, applications and technology as agencies integrate proposed information systems projects with one another and with existing legacy systems. The agency's strategic IRM plan should describe the parameters (e.g., technical standards) of such an ITA. The ITA must also drive operational planning and describe how the agency intends to use information and information technology.

Where Can I Get More Information Describing the ITA?

Agencies that require additional information on developing or maintaining an ITA are encouraged to consult the Federal CIO Council document entitled ``The Federal Enterprise Architecture (FEA) Framework'' which is available on the CIO Council's web site (http://cio.gov).

[[Page 19941]]

What Is an Open Systems Environment?

An open system should be based on an architecture with published or documented interface specifications that have been adopted by a standards-setting body.

Ultimately, Who Determines the Acceptable Level of Security for a System?

Each agency program official must understand the risk to systems under their control and determine the acceptable level of risk, ensure adequate security is maintained to support and assist the programs under their control, and ensure that security controls comport with program needs and appropriately accommodate operational necessities. In addition, program officials should work in conjunction with Chief Information Officers and other appropriate agency officials so that security measures support agency information architectures.

Section 8b(3)

What Should Agencies Consider Before Acquiring a COTS Solution?

COTS products can provide agencies a cost effective and efficient solution. However, often COTS products require customization for seamless use. Therefore agencies must still thoroughly examine the impact of a COTS product selection. A lessons-learned guide describing the risks of COTS products has been published by the Information Technology Resources Board (ITRB). The guide, entitled ``Assessing the Risks of Commercial-Off-The-Shelf (COTS) Applications,'' is available on the ITRB web site (http://itrb.gov).

Section 9a(3). Chief Information Officer (CIO)

To Whom Does the CIO Report?

Each agency must appoint a Chief Information Officer, as required by 44 U.S.C. 3506(a), who will report directly to the agency's head to carry out the responsibilities of the agency under the PRA.

What Are the CIO's Responsibilities in Regards to Financial Management Systems?

The head of the agency is responsible for defining the operating relationship between the CIO and CFO functions and ensuring coordination in the implementation of the Clinger-Cohen Act, the PRA, the Chief Financial Officers Act, and the Government Performance and Results Act.
The Clinger-Cohen Act encourages the CIO and CFO to work together under the direction of the agency head to ensure that the agency's information systems provide reliable, consistent, and timely program performance information.

What Is the CIO's Role in the Capital Planning Process?

The CIO will ensure that a capital planning process is established and rigorously used to define and validate all information resource investments. Through this process, the CIO shall monitor and evaluate the performance of the information technology portfolio of the agency and advise the agency head whether to continue, modify, or terminate a program or project. The CIO will have accountability and authority over continuation or termination of information resource investments. Additionally, the CIO will establish a board composed of senior level managers who will have the responsibility of making key business recommendations on information resource investments, and who will be continuously involved. Many agencies will institute a second board, composed of program or project level managers, with more detailed business and information resource knowledge. They will be able to provide technical support to the senior level board in proposing, evaluating, and recommending information resource investments.

What Is the CIO's Role in the Annual Budget Process?

The CIO will be an active participant during all agency annual budget processes and strategic planning activities, including the development, implementation, and maintenance of agency strategic plans. The CIO's role is to provide leadership and a strategic vision for using information technology to transform the agency. CIOs must also ensure that all information resource investments deliver a substantial mission benefit to the agency and/or a substantial ROI to the taxpayer.
Additionally, the CIO will ensure coordination of information resource planning processes and documentation with the agency's strategic, performance and budget process.

Section 9a(4)

Why Is the CIO Considered an Ombudsman?

The CIO designated by the head of each agency under 44 U.S.C. 3506(a) is charged with carrying out the responsibilities of the agency under the PRA. Agency CIOs are responsible for ensuring that their agency practices are in compliance with OMB policies. It is envisioned that the CIO will work as an ombudsman to investigate alleged instances of agency failures to adhere to the policies set forth in the Circular and to recommend or take corrective action as appropriate. Agency heads should continue to use existing mechanisms to ensure compliance with laws and policies.

[FR Doc. 00-9077 Filed 4-12-00; 8:45 am]
BILLING CODE 5110-01-P