Current, former feds spot gaps in A-130 revision
The revisions proposed to the Office of Management and Budget’s A-130 Circular seemingly ignore some technology trends that would help the government achieve the goals it sets out, say some current and former federal technology officials.
The A-130 revision is the first time the circular, which governs the federal use of IT, has been updated since 2000, and the draft rewrite incorporates a number of new federal policies and standards that have been created over the past 15 years. However, in comments on the document’s GitHub page and in interviews with FedScoop, current and former feds expressed concern over missed opportunities to encourage modernization of agencies’ systems.
“It’s silent on innovation,” said Van Hitch, who served as the chief information officer for the Justice Department from 2002 to 2011. “From a policy standpoint, it would be good to encourage prudent and controlled ventures into innovation.”
Hitch said any policy dedicated to innovation should have “a balance,” but that it is important to include one to “breathe new life” into an organization.
“The last thing anyone wants to do with a budget that exceeds $80 billion a year is to encourage non-essential things,” Hitch, who now serves as a senior adviser for Deloitte, told FedScoop. “But I do think a certain amount of innovation is essential to the thriving of IT in any organization. I don’t know that anything I’ve seen encourages that as much as it should.”
In the public comments posted on the A-130’s GitHub page, Noah Kunin, an 18F staffer based in California, asked why one of the documents that encourages innovation, the Digital Services Playbook, wasn’t cited anywhere in the document’s 70-plus pages.
“By not placing the Playbook in what I call the ‘official’ Federal Compliance Architecture, of which most documents trace back to A-130 (and/or a statute), the possibility for meaningful enforcement or acceleration of the playbook’s precepts is removed,” Kunin writes. “Many people across government, especially within OMB, did exceptionally difficult work over many years to diagnose what was causing government digital technology to fail, and to prescribe solutions. To not begin to require the use of the Playbook (itself a living document that can evolve on a faster time scale than A-130), or even mention it in the memo is shocking.”
Kunin also points out that while the document tells agencies to build security plans that allow them to adjust for modern threats, it relies on the same security practices that supposedly have been in place during some of the worst breaches the government has seen.
“Nothing in the memo makes ‘built-in’ protection any more likely than it was 15 years ago,” Kunin writes. “A-130 effectively maintains the current policy framework, without any notable policy change, around NIST SPs and FIPS.”
“The memo makes no mention of net-new technologies that we can and should avail ourselves of today, like password-less logins, immutable infrastructures, infrastructure as code, or network-less designs,” Kunin continues. “Nor does it mention actually how to set up a continuous authorization, and the reference to NIST 800-137 is absolutely buried as item z in the References section.”
NIST Special Publication 800-137 is the document that lays down standards for continuous monitoring of federal information systems.
Hitch said any new form of security is going to take time because this revision is playing catch-up on everything that agencies have tried to deal with over the past 15 years.
“I think for the legacy systems, it’s a much harder chore, and you have to get there gradually, but they are trying to achieve some of the goals of continuous monitoring the best they can,” he said.
Moreover, Hitch said the continuous policy updates related to security and privacy norms give both OMB and the agencies leeway to adjust.
“What [OMB] is saying is when [agencies] are developing [their] processes and procedures associated with this, don’t think it is a one-time deal,” Hitch said. “It’s an ongoing process; you have to be constantly on the lookout for these things as much as possible. I think that’s aspirational, but it’s a goal.”
Even though the document is a general amalgam of federal standards and statutes, Hitch said it was important for OMB to codify it so it becomes a part of federal IT processes and systems for their entire lifespan.
“This is an integrating document that brings an update to policy and practices, integrating a lot of other rules and regs and guidelines that are in practice already,” he said. “This doesn’t go into great detail, but brings them into the overall information development process from cradle to grave.”
The revised circular is still a proposed draft, with comments open until Nov. 20. The document will not be finalized until December, which gives OMB a chance to address any of these issues that arise.
Comments can be made on the document’s GitHub page.