Governance



10 U.S.C. 2306c - Armed Forces - Multiyear Contracts: Acquisition of Services

  • Authorship: United States Congress
  • Publication Date:
  • Status: Active
  • Resource Type: Governance
  • Sub-Resource Type: Legislation
  • Information: Acquisitions, Appropriations
  • Sub-Information: Multi-Year Contracting
Description:

10 United States Code (U.S.C.) 2306c, subject to subsections (d) "Restrictions Applicable Generally" and (e) "Cancellation or Termination for Insufficient Funding After First Year", authorizes the head of an agency to enter into contracts for periods of not more than five years for services described in subsection (b) "Covered Services" for which funds would otherwise be available for obligation only within the fiscal year for which appropriated, whenever the head of the agency finds that -- (1) there will be a continuing requirement for the services consonant with current plans for the proposed contract period; (2) … ; and (3) the use of such a contract will promote the best interests of the United States by encouraging effective competition and promoting economies in operation.


10 U.S.C. 2410a - Armed Forces - Contracts for Periods Crossing Fiscal Years: Severable Service Contracts; Leases of Real or Personal Property

  • Authorship: United States Congress
  • Publication Date:
  • Status: Active
  • Resource Type: Governance
  • Sub-Resource Type: Legislation
  • Information: Acquisitions, Appropriations
  • Sub-Information: 1-Year
Description:

10 United States Code (U.S.C.) 2410a authorizes the Secretary of Defense, the Secretary of a military department, or the Secretary of Homeland Security with respect to the Coast Guard (when it is not operating as a service in the Navy) to enter into a contract for the procurement of severable services for a period that begins in one fiscal year and ends in the next fiscal year if (without regard to any option to extend the period of the contract) the contract period does not exceed one year. Funds made available for a fiscal year may be obligated for the total amount of a contract period entered into under the authority of this section.


13 CFR 121.1203(d)(3) When will a waiver of the Nonmanufacturer Rule be granted for an individual contract?

  • Authorship: Small Business Administration (SBA)
  • Publication Date:
  • Status: Active
  • Resource Type: Governance
  • Sub-Resource Type: Code of Federal Regulations (CFR)
  • Information: Acquisitions
  • Sub-Information: Acquisition Planning
Description:

The Small Business Administration (SBA) has determined that remote hosting on servers or networks, or cloud computing, should be considered a service and therefore the Nonmanufacturer Rule (NMR) would not apply.

13 CFR 121.1203(d)(3) "Subscription services, remote hosting of software, data, or other applications on servers or networks of a party other than the U.S. Government are considered by SBA to be services and not the procurement of a supply item. Therefore SBA will not grant waivers of the nonmanufacturer rule for these types of services."


13 CFR 125.6(a)(1) What are the prime contractor's limitations on subcontracting?

  • Authorship: Small Business Administration (SBA)
  • Publication Date:
  • Status: Active
  • Resource Type: Governance
  • Sub-Resource Type: Code of Federal Regulations (CFR)
  • Information: Acquisitions
  • Sub-Information: Acquisition Planning
Description:

The Small Business Administration (SBA) has determined that due to the costs and scale involved, cloud computing is generally provided by other than small business concerns and has excluded cloud computing from the limitations on subcontracting calculation, where the small business concern will perform other services that are the primary purpose of the acquisition.

13 CFR 125.6(a)(1) "In the case of a contract for services (except construction), it will not pay more than 50% of the amount paid by the government to it to firms that are not similarly situated. Any work that a similarly situated subcontractor further subcontracts will count towards the 50% subcontract amount that cannot be exceeded. Other direct costs may be excluded to the extent they are not the principal purpose of the acquisition and small business concerns do not provide the service, such as airline travel, work performed by a transportation or disposal entity under a contract assigned the environmental remediation NAICS code (562910), cloud computing services, or mass media purchases. In addition, work performed overseas on awards made pursuant to the Foreign Assistance Act of 1961 or work required to be performed by a local contractor, is excluded."


41 U.S.C. 3902 - Public Contracts - Severable Services Contracts for Periods Crossing Fiscal Years

  • Authorship: United States Congress
  • Publication Date:
  • Status: Active
  • Resource Type: Governance
  • Sub-Resource Type: Legislation
  • Information: Acquisitions, Appropriations
  • Sub-Information: 1-Year
Description:

41 United States Code (U.S.C.) 3902 authorizes the head of an executive agency to enter into a contract for the procurement of severable services for a period that begins in one fiscal year and ends in the next fiscal year if (without regard to any option to extend the period of the contract) the contract period does not exceed one year. Funds made available for a fiscal year may be obligated for the total amount of a contract period entered into under the authority of this section.


41 U.S.C. 3903 - Public Contracts - Multiyear Contracts

  • Authorship: United States Congress
  • Publication Date:
  • Status: Active
  • Resource Type: Governance
  • Sub-Resource Type: Legislation
  • Information: Acquisitions, Appropriations
  • Sub-Information: Multi-Year Contracting
Description:

41 United States Code (U.S.C.) 3903 authorizes executive agencies to obligate current appropriations (e.g., 1-Year, No-Year) to enter into a multiyear contract for the acquisition of property or services (i.e., nonseverable, severable) for the bona fide needs of up to five fiscal years.

The executive agency may choose to obligate current appropriations for the full period of the contract or for the first fiscal year in which the contract is in effect including termination costs.

If the executive agency chooses to obligate on a fiscal year basis, the executive agency records a new obligation in each of the remaining fiscal years including termination costs.


83 FR 8166 - Commission Statement and Guidance on Public Company Cybersecurity Disclosures

  • Authorship: Securities and Exchange Commission (SEC)
  • Publication Date:
  • Status: Active
  • Resource Type: Governance
  • Sub-Resource Type: Federal Register
  • Information: Security
  • Sub-Information: Incident Response
Description:

83 FR 8166 provides guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents under the Securities Act of 1933 ("Securities Act"), the Securities Exchange Act of 1934 ("Exchange Act"), and periodic reports under the Exchange Act.

Although the disclosure requirements (e.g., Securities Act, Exchange Act, periodic reports) do not specifically refer to cybersecurity risks and incidents, several of the requirements impose an obligation to disclose such cybersecurity risks and incidents depending on particular circumstances.

In determining its cybersecurity risk and incident disclosure obligations, a company should consider the impact of identified risks or incidents on the company's operations, harm to the company's reputation, financial performance, customer and vendor relationships, and litigation or regulatory investigations or actions.

Companies are expected to make appropriate and timely disclosures of cybersecurity risks and incidents that are material to investors, and to take appropriate steps to prevent directors and officers (and other corporate insiders who were aware of these matters) from trading the company's securities until investors have been appropriately informed about the incident or risk.

Companies are also advised that internal or external (e.g., law enforcement) investigations on their own would not provide a basis for avoiding disclosures of a cybersecurity incident, and that companies have a duty to correct initial or prior disclosures.


AA-2021-02: On-Ramping Strategies for Multiple Award Vehicles

  • Authorship: General Services Administration (GSA), Office of Governmentwide Policy (OGP)
  • Publication Date:
  • Status: Active
  • Resource Type: Governance
  • Sub-Resource Type: Acquisition Alert
  • Information: Acquisitions
  • Sub-Information: Acquisition Planning
Description:

The "Acquisition Alert AA-2021-02: On-Ramping Strategies for Multiple Award Vehicles" highlights strategies and flexibilities available to acquisition teams developing multiple-award contracts such as Indefinite-Delivery / Indefinite-Quantity (IDIQ) contracts, FAR Part 8 Blanket Purchase Agreements (BPAs), or other Multiple Award Vehicles (MAVs) through the use of an on-ramping mechanism.


Acquisition and Use of Commercial Cloud Computing Services

  • Authorship: Department of Defense (DoD), Department of the Navy (DON), Chief Information Officer (CIO)
  • Publication Date:
  • Status: Rescinded, Superseded
  • Resource Type: Governance
  • Sub-Resource Type: Memorandum
  • Information: Acquisitions, Technology
Description:

Rescinded and Superseded by "Department of Defense (DoD), Department of the Navy (DON), Chief Information Officer (CIO) Memorandum 2020 12 07: Department of the Navy Cloud Policy".


Additional Guidance Regarding Acquisition and Use of Commercial Cloud Computing Services in DON

  • Authorship: Department of Defense (DoD), Department of the Navy (DON), Chief Information Officer (CIO)
  • Publication Date:
  • Status: Rescinded, Superseded
  • Resource Type: Governance
  • Sub-Resource Type: Memorandum
  • Information: Acquisitions, Technology
Description:

Rescinded and Superseded by "Department of Defense (DoD), Department of the Navy (DON), Chief Information Officer (CIO) Memorandum 2020 12 07: Department of the Navy Cloud Policy".


Clinger-Cohen Act of 1996

  • Authorship: United States Congress
  • Publication Date:
  • Status: Active
  • Resource Type: Governance
  • Sub-Resource Type: Legislation
  • Information: Acquisitions, Governance, Management
Description:

The Clinger-Cohen Act (CCA) of 1996 became law as part of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 1996 (S. 1124), specifically Division D - Federal Acquisition Reform Act (FARA) of 1996 and Division E - Information Technology Management Reform Act (ITMRA) of 1996.

Division D: Federal Acquisition Reform - Federal Acquisition Reform Act of 1996 - Title XLI (sic): Competition - Amends the Federal Property and Administrative Services Act (FPASA) of 1949 and other Federal provisions to require the Federal Acquisition Regulation (FAR) to ensure that the requirement to obtain full and open competition is implemented in a manner that efficiently fulfills the Government's requirements. Amends the Office of Federal Procurement Policy Act (OFPPA) to require public notice of solicitations for Federal contracts for property or services expected to exceed $10,000 but not to exceed $25,000. (Currently, such notice is required for all such contracts, regardless of amount.)

(Sec. 4102) Raises the dollar thresholds for contracts that require the prior approval by higher level agency officials of the use of procedures other than competitive procedures.

(Sec. 4103) Allows a contracting officer, when the number of offers exceeds the number at which an efficient competition can be conducted, to limit the number of contract proposals in the competitive range to the greatest number that will permit sufficient competition among the offerors with the highest rating. Allows offerors excluded by such process to request, in writing and within three days, a debriefing of the reasons for such exclusion prior to the award of the contract. Requires the contracting officer to then make every effort to debrief such offeror, but allows the officer to refuse such request when not in the best interests of the Government at that time. Provides alternative debriefing requirements if such refusal is exercised.

(Sec. 4105) Directs the head of a Federal or defense agency to use a two-phase selection procedure for entering into a contract for the design and construction of a public building, facility, or work when it is determined that such procedure is appropriate. States that such two phases generally consist of: (1) a work statement that defines the project to offerors and provides them with sufficient information to submit proposals; and (2) selection by the contracting officer of the most highly qualified offers based on the use of solicitation evaluation factors. Requires each contract solicitation to state a maximum number of five offerors that will be selected to submit competitive proposals, unless the agency determines that a greater number is in the Government's best interest and is consistent with the purposes of the two-phase process.

Division E: Information Technology Management Reform - Information Technology Management Reform Act of 1996 - Title LI (sic): Responsibility for Acquisitions of Information Technology -

Subtitle A: General Authority - Repeals the Brooks Automatic Data Processing Act, which authorizes and directs the GSA Administrator to coordinate and provide for the economic and efficient purchase, lease, and maintenance of automatic data processing equipment by Federal agencies.

Subtitle B: Director of the Office of Management and Budget - Requires the Director of the Office of Management and Budget (OMB), with respect to information technology in the Federal Government, to: (1) exercise capital planning control; (2) promote the improvement of the acquisition, use, and disposal of such technology through the improvement of Federal programs; (3) develop as part of the budget process a process for analyzing, tracking, and evaluating the risks and results of all major capital investments in information systems by executive agencies; (4) oversee the development and implementation by the Secretary of Commerce of standards and guidelines pertaining to Federal computer systems; (5) designate executive agents for information technology acquisitions and require such agents to use best acquisition practices; (6) assess other models for managing information technology; (7) compare, and disseminate results of, various agencies' use of information technology; (8) monitor the development and implementation of training for executive personnel; (9) inform the Congress with respect to such technology in the Federal Government; and (10) coordinate the development and review of policy associated with Federal information technology acquisition.

(Sec. 5113) Requires the OMB Director to: (1) encourage performance- and results-based management in fulfilling his responsibilities; and (2) evaluate the information resources management practices of the executive agencies with respect to the performance and results of investments made in information technology. Provides enforcement authority for the Director in the accountability of agency heads for information resources management and investments.

Subtitle C: Executive Agencies - Requires the head of each executive agency to design and implement in such agency a process for maximizing the value and assessing and managing the risks of information technology acquisitions. Directs such agency heads to utilize the same performance- and results-based management practices as encouraged by the OMB Director, and to prepare an annual report to the Congress concerning progress in achieving such goals. Provides specific authority of such agency heads with respect to information technology acquisitions.

(Sec. 5125) Designates a Chief Information Officer (currently, a senior official) within each executive agency, with appropriate duties relating to information technology acquisition and management.

(Sec. 5126) Requires the head of each agency, in consultation with the Chief Information Officer and Chief Financial Officer of such agency, to establish policies and procedures to ensure the integration within such agency of financial and information systems.

(Sec. 5127) Requires agency heads to identify any major information technology acquisition program, or phase or increment of such program, that has significantly deviated from its cost, performance, or schedule goals.

(Sec. 5128) Authorizes agency information technology funding to be used to support jointly with other agency heads the activities of interagency groups established to advise the OMB Director in carrying out information technology responsibilities under this title.

Subtitle D: Other Responsibilities - Directs the Secretary of Commerce to promulgate standards and guidance pertaining to the efficiency, security, and privacy of Federal computer systems. Authorizes the President to disapprove or modify such standards. Authorizes an agency head to employ more stringent standards as long as such standards contain at least those standards made compulsory and binding by such Secretary. Authorizes the Secretary to waive such standards when compliance would adversely affect the mission of a computer operator or cause a major adverse financial impact on such operator which is not offset by Government-wide savings.

(Sec. 5132) Expresses the sense of the Congress that, during the five-year period beginning with 1996, executive agencies should achieve each year at least a five percent decrease in information technology O&M costs, as well as a five percent increase in efficiency of operations.

Subtitle E: National Security Systems - Excludes, with exceptions, national security systems from the provisions of this title.


Computer Security Act of 1987

  • Authorship: United States Congress
  • Publication Date:
  • Status: Active
  • Resource Type: Governance
  • Sub-Resource Type: Legislation
  • Information: Governance, Security, Workforce
Description:

Computer Security Act of 1987 - Directs the National Bureau of Standards, renamed the National Institute of Standards and Technology (NIST) in 1988, to establish a computer standards program for federal computer systems, including guidelines for the security of such systems. Sets forth authorities of the Bureau in implementing such standards. Requires the Bureau to draw upon computer system technical security guidelines developed by the National Security Agency regarding protecting sensitive information.

Establishes a Computer System Security and Privacy Advisory Board within the Department of Commerce to: (1) identify, and advise the Bureau and the Secretary of Commerce on, issues relating to computer systems security and privacy; and (2) report findings to the Secretary, the Director of the Office of Management and Budget, the Director of the National Security Agency, and the appropriate congressional committees.

Amends the Federal Property and Administrative Services Act of 1949 to require the Secretary to promulgate standards and guidelines pertaining to federal computer systems on the basis of standards developed by the Bureau. Authorizes the President to disapprove or modify such standards and guidelines if such action would be in the public interest. Requires that notice of such disapproval or modification be submitted to the House Committee on Government Operations and the Senate Committee on Governmental Affairs and published in the Federal Register. Directs the Secretary to rescind or modify such standards or guidelines as directed by the President.

Requires each agency to provide mandatory periodic training in computer security, under guidelines developed by the Bureau, for all employees involved with the management, use, or operation of computer systems. Authorizes the use of an approved alternative training program determined by the agency head to meet the objectives of such guidelines.

Requires each agency with a federal computer system to establish a plan for the security and privacy of sensitive information. Requires the submission of such plans to the Bureau and the National Security Agency for advice and comment. Subjects such plans to disapproval by the Office of Management and Budget.

Provides that nothing in this Act shall be construed to: (1) constitute authority to withhold information sought under the Freedom of Information Act; or (2) authorize any federal agency to limit, restrict, regulate, or control the collection, maintenance, disclosure, use, transfer, or sale of any information that is privately-owned information, information disclosable under the Freedom of Information Act or other law requiring or authorizing the public disclosure of information, or information in the public domain.


Department of Defense (DoD) Memorandum of Reciprocity for FedRAMP Authorized Moderate Baseline Cloud Service Offerings (CSO) at Impact Level 2 (IL2)

  • Authorship: Department of Defense (DoD), Defense Information Systems Agency (DISA)
  • Publication Date:
  • Status: Active
  • Resource Type: Governance
  • Sub-Resource Type: Legislation
  • Information: Governance, Security
  • Sub-Information: Training
Description:

The "Department of Defense (DoD), Defense Information Systems Agency (DISA) Memorandum 2019 08 15: Department of Defense (DoD) Memorandum of Reciprocity for FedRAMP Authorized Moderate Baseline Cloud Service Offerings (CSO) at Impact Level 2 (IL2)" designates as DoD Impact Level 2 (IL2) CSOs, via reciprocity (unless specifically revoked), those Cloud Service Offerings (CSOs) that have: (1) demonstrated compliance with the Federal Risk and Authorization Management Program (FedRAMP) Moderate Baseline, and (2) been granted a FedRAMP Joint Authorization Board (JAB) or Agency authorization (based on an assessment and Authorization To Operate (ATO) issued by a government agency where the Cloud Service Provider (CSP) was assessed by a FedRAMP accredited/approved Third Party Assessment Organization (3PAO)).


Department of Defense Core Enterprise Technology Agreements for Microsoft 365/ Office 365 and On-Premises Products

  • Authorship: Department of Defense (DoD), Chief Information Officer (CIO)
  • Publication Date:
  • Status: Active
  • Resource Type: Governance
  • Sub-Resource Type: Memorandum
  • Information: Acquisitions
  • Sub-Information: Acquisition Planning
Description:

The "Department of Defense (DoD), Chief Information Officer (CIO) Memorandum 2021 08 09: Department of Defense Core Enterprise Technology Agreements for Microsoft 365/ Office 365 and On-Premises Products" identifies the Defense Enterprise Office Solution (DEOS) Program and the DoD Enterprise Software Agreement (ESA) as the preferred purchasing vehicles for all Microsoft (MS) software: Microsoft 365/Office 365 cloud capabilities, and the procurement and maintenance of on-premises Microsoft software.

DEOS and DoD ESA are in the process of being designated as Core Enterprise Technology Agreements (CETAs). Once finalized, these purchasing vehicles will be mandatory for all DoD components and agencies. In anticipation of CETA approval, components and agencies are directed to transition to DEOS and DoD ESA at the earliest opportunity or as existing contracts expire.


Department of the Navy Cloud Policy

  • Authorship: Department of Defense (DoD), Department of the Navy (DON), Assistant Secretary of the Navy (Research Development & Acquisitions), Chief Information Officer (CIO)
  • Publication Date:
  • Status: Active
  • Resource Type: Governance
  • Sub-Resource Type: Memorandum
  • Information: Acquisitions, Governance, Management, Operations
Description:

The "Department of Defense (DoD), Department of the Navy (DON), Chief Information Officer (CIO) Memorandum 2020 12 07: Department of the Navy Cloud Policy" provides updated policy for the accelerated promotion, acquisition, and consumption of cloud services in the Department of the Navy in direct support of the DON Information Superiority Vision.


E-Government Act of 2002

  • Authorship: United States Congress
  • Publication Date:
  • Status: Active
  • Resource Type: Governance
  • Sub-Resource Type: Legislation
  • Information: Governance, Management, Operations, Security, Workforce
Description:

Title I: Office of Management and Budget Electronic Government Services -

(Sec. 101) Establishes in the Office of Management and Budget (OMB) an Office of Electronic Government, headed by an Administrator appointed by the President. Requires the Administrator to assist the Director and Deputy Director for Management and work with the Administrator of the Office of Information and Regulatory Affairs in setting strategic direction for implementing electronic Government under relevant statutes, including the Privacy Act, the Government Paperwork Elimination Act, and the Federal Information Security Management Act of 2002. Defines "electronic Government" (E-Government) as the use by Government of web-based Internet applications and other information technologies, combined with processes that implement these technologies, to: (1) enhance the access to and delivery of Government information and services; or (2) bring about improvements in Government operations.

Directs the Administrator to work with offices within OMB to oversee implementation of E-Government in areas including: (1) capital planning and investment control for information technology (IT); (2) the development of enterprise architectures; (3) information security; (4) privacy; (5) access to, dissemination of, and preservation of Government information; and (6) accessibility of IT for persons with disabilities.

Directs the Administrator to assist the Director by performing E-Government functions, including: (1) advising on the resources required to develop and effectively administer E-Government initiatives; (2) recommending changes relating to government-wide strategies and priorities for E-Government; (3) providing overall leadership and direction to the executive branch on E-Government; (4) promoting innovative uses of IT by agencies; (5) overseeing the distribution of funds from, and ensuring appropriate administration and coordination of, the E-Government Fund (established by this Act); (6) coordinating with the Administrator of General Services regarding programs undertaken by the General Services Administration (GSA) to promote E-Government and the efficient use of information technologies by agencies; (7) leading the activities of the Chief Information Officers Council (established by this Act) on behalf of the Deputy Director for Management (who shall chair the council); (8) assisting in establishing policies which shall set the framework for Government IT standards developed by the National Institute of Standards and Technology (NIST) and promulgated by the Secretary of Commerce; (9) coordinating with the Administrator for Federal Procurement Policy to ensure effective implementation of electronic procurement initiatives; and (10) assisting Federal agencies in implementing accessibility standards under the Rehabilitation Act of 1973 and ensuring compliance with those standards.

Establishes in the executive branch a Chief Information Officers Council. Designates the Council as the principal interagency forum for improving agency practices related to the design, acquisition, development, modernization, use, operation, sharing, and performance of Federal Government information resources.

Requires the Council to perform functions that include: (1) developing recommendations for the Director on Government information resources management policies and requirements; (2) sharing experiences, ideas, best practices, and innovative approaches related to information resources management; (3) assisting the Administrator in the identification, development, and coordination of multi-agency projects and other innovative initiatives to improve Government performance through the use of IT; (4) promoting the development and use of common performance measures for agency information resources management; (5) working with NIST and the Administrator to develop recommendations on IT standards; (6) working with the Office of Personnel Management (OPM) to assess the hiring, training, classification, and professional development needs of the Government related to information resources management; and (7) working with the Archivist of the United States on how the Federal Records Act can be addressed effectively by Federal information resources management activities.

Establishes in the U.S. Treasury the E-Government Fund to support projects to expand the Government's ability to conduct activities electronically, including efforts to: (1) make Government information and services more readily available to members of the public; (2) make it easier for the public to conduct transactions with the Government; and (3) enable Federal agencies to take advantage of IT in sharing information and conducting transactions with each other and with State and local governments.

Requires the Administrator to: (1) establish procedures for accepting and reviewing proposals for funding; and (2) assist the Director in coordinating resources that agencies receive from the Fund with other resources available to agencies for similar purposes. Sets forth provisions regarding procedures the Administrator shall incorporate, criteria to be considered in determining which proposals to recommend for funding, and permissible uses of funds.

Directs the Administrator to: (1) establish a Government-wide program to encourage contractor innovation and excellence in facilitating the development and enhancement of E-Government services and processes, under which the Administrator shall issue announcements seeking unique and innovative solutions to facilitate such development and enhancement; and (2) convene a multi-agency technical assistance team to assist in screening solution proposals.

Requires the Director to submit an annual E-Government status report.

(Sec. 102) Requires the Administrator of General Services to consult with the Administrator of the Office of Electronic Government on programs undertaken by GSA to promote E-Government and the efficient use of IT by Federal agencies.

Title II: Federal Management and Promotion of Electronic Government Services -

(Sec. 202) Makes the head of each agency responsible for: (1) complying with the requirements of this Act, the related information resource management policies and guidance established by the Director of OMB, and the related IT standards promulgated by the Secretary of Commerce; (2) communicating such policies, guidance, and related IT standards to all relevant agency officials; and (3) supporting the efforts of the Director and the Administrator of GSA to develop, maintain, and promote an integrated Internet-based system of delivering Government information and services to the public.

Requires agencies to: (1) develop performance measures that demonstrate how E-Government enables progress toward agency objectives, strategic goals, and statutory mandates; (2) rely on existing data collections in measuring performance under this section; (3) link performance goals to key groups, including citizens, businesses, and other governments, and to internal Government operations; and (4) work collectively in linking performance goals to such groups and to use IT in delivering Government information and services to those groups. Includes customer service, agency productivity, and adoption of innovative IT as areas of performance measurements that agencies should consider.

Requires: (1) agency heads, when promulgating policies and implementing programs regarding the provision of Government information and services over the Internet, to consider the impact on persons without Internet access; (2) all actions taken by Federal departments and agencies under this Act to comply with the Rehabilitation Act; and (3) agencies to sponsor activities that use IT to engage the public in the development and implementation of policies and programs.

Makes the Chief Information Officer (CIO) of each of the designated agencies responsible for: (1) participating in the functions of the Chief Information Officers Council; and (2) monitoring the implementation of IT standards promulgated by the Secretary of Commerce, including common standards for interconnectivity and interoperability, categorization of Government electronic information, and computer system efficiency and security.

Requires each agency to submit to the Director an annual E-Government status report.

Makes this title inapplicable to national security systems, with exceptions.

(Sec. 203) Requires: (1) each executive agency to ensure that its methods for use and acceptance of electronic signatures are compatible with the relevant policies and procedures issued by the Director; and (2) the Administrator of General Services to support the Director by establishing a framework to allow efficient interoperability among executive agencies when using electronic signatures.

(Sec. 204) Requires the Director to work with the Administrator of GSA and other agencies to maintain and promote an integrated Internet-based system of providing the public with access to Government information and services, based on specified criteria.

(Sec. 205) Directs the Chief Justice of the United States, the chief judge of each circuit and district and of the Court of Federal Claims, and the chief bankruptcy judge of each district to cause to be established and maintained a court website that contains specified information or links to websites, including location and contact information for the courthouse, local rules, access to docket information, access to the substance of all written opinions issued by the court, access to documents filed with the courthouse in electronic form, and other information deemed useful to the public. Requires the information and rules on each website to be updated regularly.

Requires each court to make any document that is filed electronically publicly available online, with exceptions (such as sealed documents). Directs the Supreme Court to prescribe rules to protect privacy and security concerns relating to electronic filing of documents and their public availability, providing for uniform treatment of privacy and security issues throughout the Federal courts, taking into consideration best practices in Federal and State courts, and meeting requirements regarding the filing of an unredacted document under seal.

Sets forth provisions regarding the issuance by Judicial Conference of the United States of interim and final rules on privacy and security. Directs the Judicial Conference to explore the feasibility of technology to post online dockets with links allowing all filings, decisions, and rulings in each case to be obtained from the docket sheet of that case.

Amends the Judiciary Appropriations Act, 1992 to authorize (currently, requires) the Judicial Conference to prescribe reasonable fees for collection by the courts for access to information available through automatic data processing equipment.

Requires the websites to be established within two years of this title's effective date, except that access to documents filed in electronic form shall be established within four years.

Authorizes the Chief Justice, a chief judge, or a chief bankruptcy judge to submit a notification to the Administrative Office of the United States Courts to defer compliance with any requirement of this section with respect to that court, subject to specified requirements. Sets forth reporting requirements regarding notifications.

(Sec. 206) Requires that each agency, subject to a specified timetable and limitations: (1) ensure that a publicly accessible Government website includes all information about that agency required to be published in the Federal Register under the Freedom of Information Act; (2) accept submissions by electronic means; and (3) ensure that a publicly accessible Government website contains electronic dockets for rule-makings.

(Sec. 207) Requires the Director to establish the Interagency Committee on Government Information to: (1) engage in public consultation, including with interested communities such as public and advocacy organizations; (2) conduct studies and submit recommendations to the Director and Congress; and (3) share effective practices for access to, dissemination of, and retention of Federal information.

Requires the Committee to submit recommendations to the Director on: (1) the adoption of standards to enable the organization and categorization of Government information in a way that is searchable electronically and in ways that are interoperable across agencies; (2) the definition of categories of Government information which should be classified under the standards; and (3) determining priorities and developing schedules for initial implementation of the standards by agencies. Requires the Director to issue policies to effectuate such recommendations.

Requires the Committee to submit recommendations to the Director and the Archivist of the United States on, and directs the Archivist to require, the adoption by agencies of policies and procedures to ensure that specified Federal statutes are applied effectively and comprehensively to Government information on the Internet and to other electronic records.

Requires the Director to promulgate guidance for agency websites that includes: (1) requirements that websites include direct links to descriptions of the mission and statutory authority of the agency, information made available under the Freedom of Information Act, information about the organizational structure of the agency, and the strategic plan of the agency; and (2) minimum agency goals to assist public users to navigate agency websites, including goals pertaining to the speed of retrieval of search results, the relevance of the results, tools to aggregate and dis-aggregate data, and security protocols to protect information.

Requires each agency to: (1) solicit public comment; (2) establish a process for determining which Government information the agency intends to make available to the public on the Internet and by other means; (3) develop priorities and schedules for making Government information available and accessible; (4) make such final determinations available for public comment; (5) post such final determinations on the Internet; and (6) report such final determinations to the Director.

Requires the Director and each agency to: (1) establish a public domain directory of public Government websites; and (2) post the directory on the Internet with a link to the integrated Internet-based system. Requires the Administrator of the Office of Electronic Government to update the directory at least every six months and solicit interested persons for improvements to the directory.

Requires the Director of OMB to ensure the development and maintenance of: (1) a repository that fully integrates information about research and development (R&D) funded by the Federal Government; and (2) one or more websites upon which all or part of the repository of Federal R&D shall be made available to and searchable by Federal agencies and non-Federal entities, including the general public, to facilitate the coordination of Federal R&D activities, collaboration among those conducting Federal R&D, the transfer of technology among Federal agencies and between Federal agencies and non-Federal entities, and access by policymakers and the public to information concerning Federal R&D activities.

Authorizes appropriations.

(Sec. 208) Requires each agency to conduct a privacy impact assessment, ensure the review of that assessment by the Chief Information Officer or equivalent official, and make such assessment publicly available, before: (1) developing or procuring IT that collects, maintains, or disseminates information that is in an identifiable form; or (2) initiating a new collection of information that will be collected, maintained, or disseminated using IT and that includes any information in an identifiable form permitting the physical or online contacting of a specified individual if identical questions have been posed to, or identical reporting requirements have been imposed on, ten or more persons other than Federal agencies, instrumentalities, or employees.

Sets forth provisions regarding modifying or waiving requirements of this section for security reasons or to protect classified, sensitive, or private information.

Requires the Director to issue guidance to agencies specifying the required contents of a privacy impact assessment. Requires the guidance to: (1) ensure that a privacy impact assessment is commensurate with the size of the information system being assessed, the sensitivity of information that is in an identifiable form, and the risk of harm from unauthorized release of that information; and (2) require that such assessment address what information is to be collected, why it is being collected, the intended use of the information, with whom it will be shared, what notice or opportunities for consent would be provided to individuals, how the information will be secured, and whether a system of records is being created under the Privacy Act. Requires the Director to: (1) develop policies and guidelines on conducting such assessments; (2) oversee implementation of the assessment process throughout the Government; and (3) require agencies to conduct assessments of existing information systems or ongoing collections of information that is in an identifiable form.

Requires the Director to develop guidance for privacy notices on agency websites used by the public.

(Sec. 209) Requires the Director of OPM to: (1) analyze, on an ongoing basis, the personnel needs of the Government related to IT and information resource management; (2) identify where current IT and information resource management training do not satisfy such needs; (3) oversee the development of curricula, training methods, and training priorities that correspond to the projected needs; and (4) assess the training of Federal employees in IT disciplines to ensure that information resource management needs of the Government are addressed.

Requires each agency head to establish and operate IT training programs that: (1) have curricula covering a broad range of IT disciplines corresponding to the specific IT and information resource management needs; (2) are developed and applied according to rigorous standards; and (3) are designed to maximize efficiency through the use of self-paced courses, on-the-job training, and the use of remote instructors.

Requires the Director of OPM to: (1) issue policies to promote the development of performance standards for training and uniform implementation of this section by executive agencies; and (2) evaluate implementation.

Sets forth provisions regarding chief information officer authorities and responsibilities, IT training reporting, authority to detail employees to non-Federal employers, and employee participation. Authorizes appropriations.

Authorizes an agency head to arrange for the assignment of an agency employee to a private sector organization or of an employee of such an organization to the agency. States that an eligible employee is one who works in the IT management field, is considered an exceptional performer by the individual's current employer, is expected to assume increased IT management responsibilities in the future, and is employed at the GS-11 level or above. Sets forth provisions regarding assignment agreements, termination and duration of assignments, assistance in maintaining lists of potential candidates, and considerations in exercising authority under this section.

Authorizes the Chief Technology Officer of the District of Columbia to arrange for such an assignment in the same manner as the head of an agency.

Sets forth provisions regarding reporting requirements, regulations prescribed by the Director of OPM, and ethics provisions (including restrictions on the disclosure of confidential communications, contract advice by former detailees, and the disclosure of procurement information).

(Sec. 210) Authorizes an agency head to enter into a share-in-savings contract for IT in which the Government awards a contract to improve mission-related or administrative processes, or to accelerate the achievement of its mission, and to share with the contractor savings achieved through contract performance. Limits such a contract to a five year period, with exceptions. Sets forth reporting requirements by the Director of OMB and by the Comptroller General regarding such contracts. Repeals the share-in-savings pilot program.

(Sec. 211) Authorizes the Administrator to provide for the use by State or local governments of Federal supply schedules of GSA for automated data processing equipment, software, supplies, support equipment, and services.

(Sec. 212) Requires the Director to: (1) oversee a study and report to specified congressional committees on progress toward integrating Federal information systems across agencies; and (2) designate a series of no more than five pilot projects that integrate data elements.

(Sec. 213) Directs the Administrator to: (1) ensure that a study is conducted to evaluate the best practices of community technology centers that have received Federal funds; (2) work with other relevant Federal agencies and other interested persons to assist in the implementation of recommendations and to identify other ways to assist community technology centers, public libraries, and other institutions that provide computer and Internet access to the public; and (3) develop an online tutorial that explains how to access Government information and services on the Internet and that provides a guide to available online resources. Authorizes appropriations.

(Sec. 214) Directs the Administrator to: (1) ensure that a study is conducted on using IT to enhance crisis preparedness, response, and consequence management of natural and manmade disasters; and (2) initiate and cooperate with other agencies and appropriate State, local, and tribal governments in initiating pilot projects or report to Congress on other activities aimed at maximizing the utility of IT in disaster management.

(Sec. 215) Directs the Administrator of GSA to request that the National Academy of Sciences, acting through the National Research Council, enter into a contract to conduct a study on disparities in Internet access for online Government services.

(Sec. 216) Requires the Administrator to facilitate the development of common protocols for the development, acquisition, maintenance, distribution, and application of geographic information.

Title III: Information Security - Federal Information Security Management Act of 2002 -

(Sec. 301) Requires the Director of OMB to oversee agency information security policies and practices, including by: (1) developing and overseeing the implementation of policies, principles, standards, and guidelines on information security; (2) requiring agencies to identify and provide information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems used or operated by an agency or by a contractor on behalf of an agency; (3) coordinating the development of standards and guidelines under the National Institute of Standards and Technology Act with agencies exercising control of national security systems to assure that such standards and guidelines are complementary with those developed for national security systems; (4) overseeing agency compliance with this Act; (5) reviewing at least annually, and approving or disapproving, agency information security programs; (6) coordinating information security policies and procedures with related information resources management policies and procedures; (7) overseeing the operating of the Federal information security incident center; and (8) reporting to Congress by March 1 of each year on agency compliance with this Act.

Sets forth provisions regarding delegation of the Director's authority regarding certain systems operated by the Department of Defense and by the Central Intelligence Agency.

Directs the head of each agency to: (1) be responsible for providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access and for complying with information security standards and guidelines; (2) ensure that senior agency officials provide information security for the information and information systems that support operations and assets; (3) delegate to the agency CIO the authority to ensure compliance with the regulations imposed under this Act; (4) ensure that the agency has trained personnel sufficient to assist the agency in complying with Act requirements; and (5) ensure that the agency CIO reports annually on the effectiveness of the agency information security program.

Requires each agency to develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support operations and assets. Requires such program to include: (1) periodic risk assessments; (2) policies and procedures that ensure that information security is addressed throughout the life cycle of each agency information system; (3) subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems; (4) security awareness training; (5) periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices; (6) a process for planning, implementing, evaluating, and documenting remedial action to address deficiencies; (7) procedures for detecting, reporting, and responding to security incidents; and (8) plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.

Requires each agency to: (1) report annually to the Director, specified congressional committees, and the Comptroller General on the adequacy and effectiveness of information security policies, procedures, and practices and on compliance with this Act; (2) address such adequacy and effectiveness in plans and reports relating to annual agency budgets, information resources management, IT management, program performance, financial management, financial management systems, and internal accounting and administrative controls; and (3) report any significant deficiency.

Sets forth requirements regarding performance plans, and public notice and comment. Requires each agency to have performed an annual independent evaluation.

Requires the Director to: (1) summarize the results of the evaluations and report to Congress; and (2) ensure the operation of a central Federal information security incident center. Requires each agency exercising control of a national security system to share information about information security incidents, threats, and vulnerabilities with the center to the extent consistent with standards and guidelines for national security systems.

(Sec. 302) Directs that standards and guidelines for national security systems be developed, prescribed, enforced, and overseen as otherwise authorized by law and as directed by the President.

Requires the Secretary to make standards prescribed for Federal information systems compulsory and binding as necessary to improve the efficiency of operation or security of such systems. Requires that the decision by the Secretary regarding the promulgation of standards under this section occur within six months of submission of the proposed standard by NIST.

(Sec. 303) Amends the National Institute of Standards and Technology Act to provide that NIST shall: (1) have the mission of developing standards, guidelines, and associated methods and techniques for information (currently, computer) systems; (2) develop standards and guidelines, including minimum requirements, for information systems used or operated by an agency or by a contractor on behalf of an agency, other than national security systems; and (3) develop standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets.

(Sec. 304) Renames the Computer System Security and Privacy Advisory Board as the Information Security and Privacy Advisory Board. Includes among its duties to advise the Director (currently limited to the Institute and the Secretary) on information security and privacy issues pertaining to Government information systems.

(Sec. 305) Amends the Paperwork Reduction Act to require each agency head to develop and maintain an inventory of major information systems (including major national security systems) operated or under the control of such agency, including an identification of the interfaces between each such system and all other systems or networks. Requires such inventory to be: (1) updated at least annually; (2) made available to the Comptroller General; and (3) used to support information resources management.

Title IV: Authorization of Appropriations and Effective Dates -

(Sec. 401) Authorizes appropriations to carry out titles I and II for FY 2003 through 2007.

Title V: Confidential Information Protection and Statistical Efficiency - Confidential Information Protection and Statistical Efficiency Act of 2002 -

(Sec. 503) Authorizes agencies to promulgate rules to implement this title. Requires the Director to: (1) coordinate and oversee the confidentiality and disclosure policies established by this title; and (2) review any rules proposed by an agency pursuant to this title. Sets forth reporting requirements.

(Sec. 504) Prohibits data or information acquired by the Energy Information Administration under a pledge of confidentiality and designated by that Administration to be used for exclusively statistical purposes from being disclosed in identifiable form for non-statistical purposes under specified energy statutes.

Subtitle A: Confidential Information Protection -

(Sec. 512) Directs that data or information acquired by an agency under a pledge of confidentiality and for exclusively statistical purposes be used by officers, employees, or agents of the agency exclusively for statistical purposes.

Bars data or information acquired by an agency under a pledge of confidentiality for exclusively statistical purposes from being disclosed by an agency in identifiable form for any use other than an exclusively statistical purpose, except with the respondent's informed consent.

Requires a statistical agency or unit to clearly distinguish data or information it collects for non-statistical purposes (as authorized by law) and provide notice to the public, before it is collected, that it could be used for non-statistical purposes.

Allows a statistical agency or unit to designate agents who may perform exclusively statistical activities, subject to specified limitations and penalties.

(Sec. 513) Sets penalties for willfully disclosing information to a person or agency not entitled to receive it.

Subtitle B: Statistical Efficiency -

Requires the head of each of the Designated Statistical Agencies (DSA) (defined as the Bureau of the Census and the Bureau of Economic Analysis of the Department of Commerce and the Bureau of Labor Statistics of the Department of Labor) to: (1) identify opportunities to eliminate duplication and otherwise reduce reporting burden and cost imposed on the public in providing information for statistical purposes; (2) enter into joint statistical projects to improve the quality and reduce the cost of statistical programs; and (3) protect the confidentiality of individually identifiable information acquired for statistical purposes by adhering to safeguard principles.

(Sec. 524) Allows a DSA to provide business data in an identifiable form to another DSA under the terms of a written agreement.

(Sec. 525) Requires: (1) business data provided by a DSA pursuant to this subtitle to be used exclusively for statistical purposes; and (2) publication of data acquired by a DSA in a manner whereby the data furnished by any particular respondent are not in identifiable form.


Executive Order 13103: Computer Software Piracy

  • Authorship: President of the United States of America (POTUS)
  • Publication Date:
  • Status: Active
  • Resource Type: Governance
  • Sub-Resource Type: Executive Order
  • Information: Governance, Management, Operations
Description:

It shall be the policy of the United States Government that each executive agency shall work diligently to prevent and combat computer software piracy in order to give effect to copyrights associated with computer software by observing the relevant provisions of international agreements in effect in the United States, including applicable provisions of the World Trade Organization Agreement on Trade-Related Aspects of Intellectual Property Rights, the Berne Convention for the Protection of Literary and Artistic Works, and relevant provisions of Federal law, including the Copyright Act.

(a) Each agency shall adopt procedures to ensure that the agency does not acquire, reproduce, distribute, or transmit computer software in violation of applicable copyright laws.

(b) Each agency shall establish procedures to ensure that the agency has present on its computers and uses only computer software not in violation of applicable copyright laws. These procedures may include:
(1) preparing agency inventories of the software present on its computers;
(2) determining what computer software the agency has the authorization to use; and
(3) developing and maintaining adequate recordkeeping systems.

(c) Contractors and recipients of Federal financial assistance, including recipients of grants and loan guarantee assistance, should have appropriate systems and controls in place to ensure that Federal funds are not used to acquire, operate, or maintain computer software in violation of applicable copyright laws. If agencies become aware that contractors or recipients are using Federal funds to acquire, operate, or maintain computer software in violation of copyright laws and determine that such actions of the contractors or recipients may affect the integrity of the agency's contracting and Federal financial assistance processes, agencies shall take such measures, including the use of certifications or written assurances, as the agency head deems appropriate and consistent with the requirements of law.

(d) Executive agencies shall cooperate fully in implementing this order and shall share information as appropriate that may be useful in combating the use of computer software in violation of applicable copyright laws.


Executive Order 14028: Improving the Nation's Cybersecurity

  • Authorship: President of the United States of America (POTUS)
  • Publication Date:
  • Status: Active
  • Resource Type: Governance
  • Sub-Resource Type: Executive Order
  • Information: Governance, Operations, Security
Description:

The Executive Order makes a significant contribution toward modernizing cybersecurity defenses by protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States' ability to respond to incidents when they occur.

Sec 2. Remove Barriers to Threat Information Sharing Between Government and the Private Sector. The Executive Order ensures that IT Service Providers are able to share information with the government and requires them to share certain breach information.

Sec 3. Modernize and Implement Stronger Cybersecurity Standards in the Federal Government. The Executive Order helps move the Federal government to secure cloud services and a zero-trust architecture, and mandates deployment of multifactor authentication and encryption within a specific time period.

Sec 4. Improve Software Supply Chain Security. The Executive Order will improve the security of software by establishing baseline security standards for development of software sold to the government, including requiring developers to maintain greater visibility into their software and making security data publicly available.

Sec 5. Establish a Cybersecurity Safety Review Board. The Executive Order establishes a Cybersecurity Safety Review Board, co-chaired by government and private sector leads, that may convene following a significant cyber incident to analyze what happened and make concrete recommendations for improving cybersecurity.

Sec 6. Create a Standard Playbook for Responding to Cyber Incidents. The Executive Order creates a standardized playbook and set of definitions for cyber incident response by federal departments and agencies. Organizations cannot wait until they are compromised to figure out how to respond to an attack.

Sec 7. Improve Detection of Cybersecurity Incidents on Federal Government Networks. The Executive Order improves the ability to detect malicious cyber activity on federal networks by enabling a government-wide endpoint detection and response system and improved information sharing within the Federal government.

Sec 8. Improve Investigative and Remediation Capabilities. The Executive Order creates cybersecurity event log requirements for federal departments and agencies.


Federal Cloud Computing Strategy, Cloud First

  • Authorship: Office of Management and Budget (OMB), Office of the Federal Chief Information Officer (OFCIO)
  • Publication Date:
  • Status: Rescinded, Superseded
  • Resource Type: Governance
  • Sub-Resource Type: Policy
  • Information: Governance, Management, Operations
Description:

Rescinded and Superseded by the Federal Cloud Computing Strategy, Cloud Smart.


Federal Cloud Computing Strategy, Cloud Smart

  • Authorship: Office of Management and Budget (OMB), Office of the Federal Chief Information Officer (OFCIO)
  • Publication Date:
  • Status: Active
  • Resource Type: Governance
  • Sub-Resource Type: Policy
  • Information: Acquisitions, Governance, Management, Operations, Security, Technology, Workforce
Description:

The Federal Cloud Computing Strategy, Cloud Smart, is a long-term, high-level strategy to drive cloud adoption in federal agencies. This cloud policy offers a path forward for agencies to migrate to a safe and secure cloud infrastructure. Cloud Smart encompasses several key components of IT modernization including security, procurement, and workforce. Historically, policies have isolated these areas, creating confusion and a misunderstanding of requirements, mission, and needs. However, they are deeply linked, and require an integrated, interdisciplinary approach, rather than a one-size-fits-all approach to IT modernization. Cloud Smart combines these disciplines together into a cohesive strategy that provides savings, security, and faster delivery of mission-serving solutions.


Federal Information Security Management Act (FISMA) of 2002

  • Authorship: United States Congress
  • Publication Date:
  • Status: Amended
  • Resource Type: Governance
  • Sub-Resource Type: Legislation
  • Information: Governance, Management, Operations, Security
Description:

Amended by the Federal Information Security Modernization Act (FISMA) of 2014.

The Federal Information Security Management Act (FISMA) of 2002 became law as part of the E-Government Act of 2002 (Title III, H.R. 2458):

(Sec. 301) Requires the Director of OMB to oversee agency information security policies and practices, including by: (1) developing and overseeing the implementation of policies, principles, standards, and guidelines on information security; (2) requiring agencies to identify and provide information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems used or operated by an agency or by a contractor on behalf of an agency; (3) coordinating the development of standards and guidelines under the National Institute of Standards and Technology Act with agencies exercising control of national security systems to assure that such standards and guidelines are complementary with those developed for national security systems; (4) overseeing agency compliance with this Act; (5) reviewing at least annually, and approving or disapproving, agency information security programs; (6) coordinating information security policies and procedures with related information resources management policies and procedures; (7) overseeing the operating of the Federal information security incident center; and (8) reporting to Congress by March 1 of each year on agency compliance with this Act.

Sets forth provisions regarding delegation of the Director's authority regarding certain systems operated by the Department of Defense and by the Central Intelligence Agency.

Directs the head of each agency to: (1) be responsible for providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access and for complying with information security standards and guidelines; (2) ensure that senior agency officials provide information security for the information and information systems that support operations and assets; (3) delegate to the agency CIO the authority to ensure compliance with the regulations imposed under this Act; (4) ensure that the agency has trained personnel sufficient to assist the agency in complying with Act requirements; and (5) ensure that the agency CIO reports annually on the effectiveness of the agency information security program.

Requires each agency to develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support operations and assets. Requires such program to include: (1) periodic risk assessments; (2) policies and procedures that ensure that information security is addressed throughout the life cycle of each agency information system; (3) subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems; (4) security awareness training; (5) periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices; (6) a process for planning, implementing, evaluating, and documenting remedial action to address deficiencies; (7) procedures for detecting, reporting, and responding to security incidents; and (8) plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.

Requires each agency to: (1) report annually to the Director, specified congressional committees, and the Comptroller General on the adequacy and effectiveness of information security policies, procedures, and practices and on compliance with this Act; (2) address such adequacy and effectiveness in plans and reports relating to annual agency budgets, information resources management, IT management, program performance, financial management, financial management systems, and internal accounting and administrative controls; and (3) report any significant deficiency.

Sets forth requirements regarding performance plans, and public notice and comment. Requires each agency to have performed an annual independent evaluation.

Requires the Director to: (1) summarize the results of the evaluations and report to Congress; and (2) ensure the operation of a central Federal information security incident center. Requires each agency exercising control of a national security system to share information about information security incidents, threats, and vulnerabilities with the center to the extent consistent with standards and guidelines for national security systems.

(Sec. 302) Directs that standards and guidelines for national security systems be developed, prescribed, enforced, and overseen as otherwise authorized by law and as directed by the President.

Requires the Secretary to make standards prescribed for Federal information systems compulsory and binding as necessary to improve the efficiency of operation or security of such systems. Requires that the decision by the Secretary regarding the promulgation of standards under this section occur within six months of submission of the proposed standard by NIST.

(Sec. 303) Amends the National Institute of Standards and Technology Act to provide that NIST shall: (1) have the mission of developing standards, guidelines, and associated methods and techniques for information (currently, computer) systems; (2) develop standards and guidelines, including minimum requirements, for information systems used or operated by an agency or by a contractor on behalf of an agency, other than national security systems; and (3) develop standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets.

(Sec. 304) Renames the Computer System Security and Privacy Advisory Board as the Information Security and Privacy Advisory Board. Includes among its duties to advise the Director (currently limited to the Institute and the Secretary) on information security and privacy issues pertaining to Government information systems.

(Sec. 305) Amends the Paperwork Reduction Act to require each agency head to develop and maintain an inventory of major information systems (including major national security systems) operated or under the control of such agency, including an identification of the interfaces between each such system and all other systems or networks. Requires such inventory to be: (1) updated at least annually; (2) made available to the Comptroller General; and (3) used to support information resources management.


Federal Information Security Modernization Act (FISMA) of 2014

  • Authorship: United States Congress
  • Publication Date:
  • Status: Active
  • Resource Type: Governance
  • Sub-Resource Type: Legislation
  • Information: Governance, Management, Operations, Security
Description:

Federal Information Security Modernization Act of 2014 - Amends the Federal Information Security Management Act of 2002 (FISMA) to: (1) reestablish the oversight authority of the Director of the Office of Management and Budget (OMB) with respect to agency information security policies and practices, and (2) set forth authority for the Secretary of Homeland Security (DHS) to administer the implementation of such policies and practices for information systems.

Requires the Secretary to develop and oversee implementation of operational directives requiring agencies to implement the Director's standards and guidelines for safeguarding federal information and systems from a known or reasonably suspected information security threat, vulnerability, or risk. Authorizes the Director to revise or repeal operational directives that are not in accordance with the Director's policies.

Requires the Secretary (currently, the Director) to ensure the operation of the Federal Information Security Incident Center (FISIC).

Directs the Secretary to administer procedures to deploy technology, upon request by an agency, to assist the agency to continuously diagnose and mitigate against cyber threats and vulnerabilities.

Requires the Director's annual report to Congress regarding the effectiveness of information security policies to assess agency compliance with OMB data breach notification procedures.

Provides for OMB's information security authorities to be delegated to the Director of National Intelligence (DNI) for certain systems operated by an element of the intelligence community.

Directs the Secretary to consult with and consider guidance developed by the National Institute of Standards and Technology (NIST) to ensure that operational directives do not conflict with NIST information security standards.

Directs agency heads to ensure that: (1) information security management processes are integrated with budgetary planning; (2) senior agency officials, including chief information officers, carry out their information security responsibilities; and (3) all personnel are held accountable for complying with the agency-wide information security program.

Provides for the use of automated tools in agencies' information security programs, including for periodic risk assessments, testing of security procedures, and detecting, reporting, and responding to security incidents.

Requires agencies to include offices of general counsel as recipients of security incident notices. Requires agencies to notify Congress of major security incidents within seven days after there is a reasonable basis to conclude that a major incident has occurred.

Directs agencies to submit an annual report regarding major incidents to OMB, DHS, Congress, and the Comptroller General (GAO). Requires such reports to include: (1) threats and threat actors, vulnerabilities, and impacts; (2) risk assessments of affected systems before, and the status of compliance of the systems at the time of, major incidents; (3) detection, response, and remediation actions; (4) the total number of incidents; and (5) a description of the number of individuals affected by, and the information exposed by, major incidents involving a breach of personally identifiable information.

Authorizes GAO to provide technical assistance to agencies and inspectors general, including by testing information security controls and procedures.

Requires OMB to ensure the development of guidance for: (1) evaluating the effectiveness of information security programs and practices, and (2) determining what constitutes a major incident.

Directs FISIC to provide agencies with intelligence about cyber threats, vulnerabilities, and incidents for risk assessments.

Directs OMB, during the two-year period after enactment of this Act, to include in an annual report to Congress an assessment of the adoption by agencies of continuous diagnostics technologies and other advanced security tools.

Requires OMB to ensure that data breach notification policies require agencies, after discovering an unauthorized acquisition or access, to notify: (1) Congress within 30 days, and (2) affected individuals as expeditiously as practicable. Allows the Attorney General, heads of elements of the intelligence community, or the DHS Secretary to delay notice to affected individuals for purposes of law enforcement investigations, national security, or security remediation actions.

Requires OMB to amend or revise OMB Circular A-130 to eliminate inefficient and wasteful reporting.

Directs the Information Security and Privacy Advisory Board to advise and provide annual reports to DHS.


Federal Information Technology Acquisition Reform Act (FITARA) Enhancement Act of 2017

  • Authorship: United States Congress
  • Publication Date:
  • Status: Active
  • Resource Type: Governance
  • Sub-Resource Type: Legislation
  • Information: Acquisitions, Governance, Management, Operations, Workforce
Description:

The Federal Information Technology Acquisition Reform Act (FITARA) Enhancement Act of 2017:

(Sec. 2) Repeals the expiration date of (thus making permanent) provisions of the Carl Levin and Howard P. "Buck" McKeon National Defense Authorization Act (NDAA) for Fiscal Year 2015 that require: (1) the Office of Management and Budget (OMB) to make available to the public a list of each major information technology investment made by a covered agency for information technology, including data on cost, schedule, and performance; (2) the Chief Information Officer of each covered agency and the program manager of the investment within the agency to conduct a risk management review of those investments that have received a high risk rating for four consecutive quarters; and (3) the implementation by OMB of a process to assist the covered agencies in reviewing their portfolio of information technology investments.

(Sec. 4) Amends such Act to extend the Federal Data Center Consolidation Initiative through FY2020.


Federal Information Technology Acquisition Reform Act (FITARA) of 2015

  • Authorship: United States Congress
  • Publication Date:
  • Status: Amended
  • Resource Type: Governance
  • Sub-Resource Type: Legislation
  • Information: Acquisitions, Governance, Management, Operations, Workforce
Description:

Amended by the Federal Information Technology Acquisition Reform Act (FITARA) Enhancement Act of 2017.

Amended by the National Defense Authorization Act (NDAA) for Fiscal Year 2020 (Title VIII, Subtitle D, S. 1790).

The Federal Information Technology Acquisition Reform Act (FITARA) became law as a part of the National Defense Authorization Act (NDAA) for Fiscal Year 2015 (Title VIII, Subtitle D, H.R. 3979):

(Sec. 831) Requires specified federal agencies to ensure that the Chief Information Officer (CIO) of the agencies has specified authorities and responsibilities in planning, programming, budgeting, and executing processes related to information technology.

(Sec. 832) Requires the Office of Management and Budget (OMB) to make the cost, schedule, and performance data of specified information technology investments publicly available. Requires the CIO of each agency to categorize the investments according to risk and review those that have a high level of risk.

(Sec. 833) Requires OMB to implement a process to assist specified agencies in reviewing their portfolio of information technology investments, including the development of standardized cost savings and cost avoidance metrics and performance indicators. Requires the CIO of each agency to conduct an annual review of the information technology portfolio and requires the Administrator of the Office of Electronic Government to submit a quarterly report to Congress identifying cost savings and reductions in duplicative investments identified by the review.

(Sec. 834) Provides for the consolidation of federal data centers.

(Sec. 835) Requires OMB to work with federal agencies to update their acquisition human capital plans to address how the agencies are meeting their human capital requirements to support the timely and effective acquisition of information technology.

(Sec. 836) Directs OMB to prescribe regulations requiring a comparative value analysis to be included in the contract file when the federal government purchases services and supplies offered under the Federal Strategic Sourcing Initiative from sources outside the Initiative.

(Sec. 837) Requires the General Services Administration to develop a strategic sourcing initiative to enhance government-wide acquisitions, shared use, and dissemination of software, as well as compliance with end use license agreements.


Information Technology Modernization Centers of Excellence Program Act

  • Authorship: United States Congress
  • Publication Date:
  • Status: Active
  • Resource Type: Governance
  • Sub-Resource Type: Legislation
  • Information: Acquisitions, Governance, Management, Operations, Security, Technology
Description:

The Information Technology Modernization Centers of Excellence Program Act requires the General Services Administration (GSA) to establish an Information Technology Modernization Centers of Excellence Program to facilitate the adoption of modern technology by executive agencies.

The GSA shall (1) coordinate with the Department of Homeland Security in establishing the program to ensure that the technology, tools, and frameworks facilitated for executive agencies by the program provide sufficient cybersecurity and maintain the integrity, confidentiality, and availability of federal information; and (2) report to Congress.


M-15-14: Management and Oversight of Federal Information Technology

  • Authorship: Office of Management and Budget (OMB)
  • Publication Date:
  • Status: Active
  • Resource Type: Governance
  • Sub-Resource Type: Memorandum
  • Information: Acquisitions, Governance, Management, Operations, Workforce
Description:

The "Office of Management and Budget (OMB) Memorandum M-15-14: Management and Oversight of Federal Information Technology" provides implementation guidance for the Federal Information Technology Acquisition Reform Act (FITARA) and related information technology (IT) management practices.


M-16-12: Category Management Policy 16-1: Improving the Acquisition and Management of Common Information Technology: Software Licensing

  • Authorship: Office of Management and Budget (OMB)
  • Publication Date:
  • Status: Active
  • Resource Type: Governance
  • Sub-Resource Type: Memorandum
  • Information: Acquisitions, Governance, Management, Operations, Workforce
Description:

The "Office of Management and Budget (OMB) Memorandum M-16-12: Category Management Policy 16-1: Improving the Acquisition and Management of Common Information Technology: Software Licensing" provides guidance for the acquisition and management (e.g., costs, inventory, utilization) of software licenses and subscriptions (e.g., Software as a Service (SaaS)), and for the appointment of a software manager responsible for agency-wide software agreements and licenses.


M-16-19: Data Center Optimization Initiative (DCOI)

  • Authorship: Office of Management and Budget (OMB)
  • Publication Date:
  • Status: Rescinded, Superseded
  • Resource Type: Governance
  • Sub-Resource Type: Memorandum
  • Information: Governance, Management, Operations, Security, Technology
Description:

Rescinded and Superseded by the "Office of Management and Budget (OMB) Memorandum M-19-19: Update to Data Center Optimization Initiative (DCOI)".


M-18-12: Implementation of the Modernizing Government Technology Act

  • Authorship: Office of Management and Budget (OMB)
  • Publication Date:
  • Status: Active
  • Resource Type: Governance
  • Sub-Resource Type: Memorandum
  • Information: Governance, Management, Operations, Security, Technology
Description:

The "Office of Management and Budget (OMB) Memorandum M-18-12: Implementation of the Modernizing Government Technology (MGT) Act" provides guidance to all agencies regarding the Technology Modernization Fund (TMF), project proposal submissions to the Technology Modernization Board, and guidance to Chief Financial Officers (CFO) Act agencies regarding the administration and funding of Information Technology (IT) Working Capital Funds (WCFs).


M-19-19: Update to Data Center Optimization Initiative (DCOI)

  • Authorship: Office of Management and Budget (OMB)
  • Publication Date:
  • Status: Active
  • Resource Type: Governance
  • Sub-Resource Type: Memorandum
  • Information: Governance, Management, Operations, Security, Technology
Description:

The "Office of Management and Budget (OMB) Memorandum M-19-19: Update to Data Center Optimization Initiative (DCOI)" provides updated requirements, in alignment with the Federal Cloud Computing Strategy, Cloud Smart, and the President's Management Agenda, that direct agencies to: report on their data center consolidation strategies and optimization targets and metrics; continue optimization of existing facilities (e.g., automation, availability, server utilization, virtualization), application rationalization, and application portfolio management; improve security posture; transition to more efficient infrastructures, such as cloud services, inter/intra-agency shared services, and colocated data centers; leverage technology advancements to optimize infrastructures; and provide quality services for the public good.


M-21-05: Extension of Data Center Optimization Initiative (DCOI)

  • Authorship: Office of Management and Budget (OMB)
  • Publication Date:
  • Status: Active
  • Resource Type: Governance
  • Sub-Resource Type: Memorandum
  • Information: Governance, Management, Operations, Security, Technology
Description:

The "Office of Management and Budget (OMB) Memorandum M-21-05: Extension of Data Center Optimization Initiative (DCOI)" extends the requirements of "Office of Management and Budget (OMB) Memorandum M-19-19: Update to Data Center Optimization Initiative (DCOI)" through 2022 10 01.


M-21-31: Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents

  • Authorship: Office of Management and Budget (OMB)
  • Publication Date:
  • Status: Active
  • Resource Type: Governance
  • Sub-Resource Type: Memorandum
  • Information: Security
Description:

The "Office of Management and Budget (OMB) Memorandum M-21-31: Improving the Federal Government's Investigative and Remediation Capabilities Related to Cybersecurity Incidents" was developed in accordance with "Executive Order 14028: Improving the Nation's Cybersecurity" and defines the requirements for Federal Information Systems (IS) logging, log retention, and log management, with a focus on ensuring centralized access and visibility for the highest-level enterprise Security Operations Center (SOC) of each agency. The memorandum establishes requirements for agencies to share log information, as needed and appropriate, to accelerate incident response efforts and to enable more effective defense of Federal Information Systems (IS) and data.


M-22-09: Moving the U.S. Government Toward Zero Trust Cybersecurity Principles

  • Authorship: Office of Management and Budget (OMB)
  • Publication Date:
  • Status: Active
  • Resource Type: Governance
  • Sub-Resource Type: Memorandum
  • Information: Governance, Security, Technology
  • Sub-Information: Authentication and Authorization, Encryption, Identity Access Management (IAM), Multi-Factor Authentication (MFA), Architecture, Zero Trust Architecture (ZTA)
Description:

The "Office of Management and Budget (OMB) Memorandum M-22-09: Moving the U.S. Government Toward Zero Trust Cybersecurity Principles" sets forth a Federal zero trust architecture (ZTA) strategy, requiring agencies to meet specific cybersecurity standards and objectives by the end of Fiscal Year (FY) 2024 in order to reinforce the Government's defenses against increasingly sophisticated and persistent threat campaigns. Those campaigns target Federal technology infrastructure, threatening public safety and privacy, damaging the American economy, and weakening trust in Government.


M-24-15, “Modernizing the Federal Risk and Authorization Management Program (FedRAMP)”

  • Authorship: Office of Management and Budget (OMB)
  • Publication Date:
  • Status: Active
  • Resource Type: Governance
  • Sub-Resource Type: Memorandum
  • Information: Governance, Management, Operations, Security
Description:

The White House Office of Management and Budget (OMB) released M-24-15, “Modernizing the Federal Risk and Authorization Management Program (FedRAMP)” which establishes FedRAMP’s strategic goals and calls for significant shifts in FedRAMP operations to accelerate agencies’ secure adoption of cloud services. The guidance clearly positions FedRAMP as a security and risk management program, with a focus on significantly scaling the FedRAMP marketplace, and streamlining and automating more of the authorization process.

The updated policy further reinforces the priorities we highlighted in March in FedRAMP’s public roadmap, which has been driving the recent work of the program.


Making Electronic Government Accountable By Yielding Tangible Efficiencies Act of 2016 (MEGABYTE Act of 2016)

  • Authorship: United States Congress
  • Publication Date:
  • Status: Active
  • Resource Type: Governance
  • Sub-Resource Type: Legislation
  • Information: Acquisitions, Governance, Management, Operations, Technology
Description:

The Making Electronic Government Accountable By Yielding Tangible Efficiencies Act of 2016 (MEGABYTE Act of 2016):

(Sec. 2) Requires the Office of Management and Budget (OMB) to issue a directive to require the Chief Information Officer (CIO) of each executive agency to develop a comprehensive software licensing policy, which shall: identify clear roles, responsibilities, and central oversight authority within the agency for managing enterprise software license agreements and commercial software licenses; and require each CIO to establish a comprehensive inventory of software licenses, track and maintain such licenses, analyze software usage to make cost-effective decisions, provide software license management training, establish goals and objectives of the agency's software license management program, and consider the software license management life cycle phases to implement effective decision-making and incorporate existing standards, processes, and metrics. Each CIO shall report to OMB in each of the six fiscal years after this bill's enactment on the savings from improved software license management.


Migration Guidance for Department of the Air Force Enterprise Cloud Services

  • Authorship: Department of Defense (DoD), Department of the Air Force (DAF), Chief Information Officer (CIO)
  • Publication Date:
  • Status: Active
  • Resource Type: Governance
  • Sub-Resource Type: Memorandum
  • Information: Acquisitions, Governance, Operations
  • Sub-Information: Acquisition Planning, Agile Development, Development Security Operations (DevSecOps)
Description:

The "Department of Defense (DoD), Department of the Air Force (DAF) Memorandum 2021 06 21: Migration Guidance for Department of the Air Force Enterprise Cloud Services" mandates that Cloud One shall be used for Unclassified workloads that have not already begun migrating to the cloud and Cloud One shall have first right of refusal for Secret workloads. DAF teams that require new capabilities shall collaborate with Cloud One to make those capabilities available in Cloud One and to the entire enterprise.


Modernizing Government Technology (MGT) Act

  • Authorship: United States Congress
  • Publication Date:
  • Status: Active
  • Resource Type: Governance
  • Sub-Resource Type: Legislation
  • Information: Appropriations, Governance, Management, Operations, Technology
Description:

The Modernizing Government Technology (MGT) Act became law as a part of the National Defense Authorization Act (NDAA) for Fiscal Year 2018 (Title X, Subtitle G, H.R. 2810):

(Sec. 1077) Establishment of agency information technology systems modernization and working capital funds.

(Sec. 1078) Establishment of technology modernization fund and board.


National Defense Authorization Act (NDAA) for Fiscal Year 2020

  • Authorship: United States Congress
  • Publication Date:
  • Status: Active
  • Resource Type: Governance
  • Sub-Resource Type: Legislation
  • Information: Acquisitions, Governance, Management, Operations, Workforce
Description:

The National Defense Authorization Act (NDAA) for Fiscal Year 2020 (Title VIII, Subtitle D, S. 1790) amends the Federal Information Technology Acquisition Reform Act (FITARA) of 2015.

(Sec. 824) Extends the sunset provision for the Federal Data Center Consolidation Initiative through FY2022.


Paperwork Reduction Act of 1995

  • Authorship: United States Congress
  • Publication Date:
  • Status: Active
  • Resource Type: Governance
  • Sub-Resource Type: Legislation
  • Information: Governance, Management
Description:

The purposes of the Paperwork Reduction Act (PRA) of 1995 are to:

(1) Minimize the paperwork burden for individuals, small businesses, educational and nonprofit institutions, Federal contractors, State, local and tribal governments, and other persons resulting from the collection of information by or for the Federal Government;
(2) Ensure the greatest possible public benefit from and maximize the utility of information created, collected, maintained, used, shared and disseminated by or for the Federal Government;
(3) Coordinate, integrate, and to the extent practicable and appropriate, make uniform Federal information resources management policies and practices as a means to improve the productivity, efficiency, and effectiveness of Government programs, including the reduction of information collection burdens on the public and the improvement of service delivery to the public;
(4) Improve the quality and use of Federal information to strengthen decision making, accountability, and openness in Government and society;
(5) Minimize the cost to the Federal Government of the creation, collection, maintenance, use, dissemination, and disposition of information;
(6) Strengthen the partnership between the Federal Government and State, local, and tribal governments by minimizing the burden and maximizing the utility of information created, collected, maintained, used, disseminated, and retained by or for the Federal Government;
(7) Provide for the dissemination of public information on a timely basis, on equitable terms, and in a manner that promotes the utility of the information to the public and makes effective use of information technology;
(8) Ensure that the creation, collection, maintenance, use, dissemination, and disposition of information by or for the Federal Government is consistent with applicable laws, including laws relating to--
(A) Privacy and confidentiality, including section 552a of title 5;
(B) Security of information, including the Computer Security Act of 1987 (Public Law 100-235); and
(C) Access to information, including section 552 of title 5;
(9) Ensure the integrity, quality, and utility of the Federal statistical system;
(10) Ensure that information technology is acquired, used, and managed to improve performance of agency missions, including the reduction of information collection burdens on the public; and
(11) Improve the responsibility and accountability of the Office of Management and Budget and all other Federal agencies to Congress and to the public for implementing the information collection review process, information resources management, and related policies and guidelines established under this chapter.


Principles of Federal Appropriations Law

  • Authorship: Government Accountability Office (GAO)
  • Publication Date:
  • Status: Active
  • Resource Type: Governance
  • Sub-Resource Type: Policy
  • Information: Acquisitions, Appropriations, Governance
Description:

The Government Accountability Office (GAO), "Principles of Federal Appropriations Law", also known as the Red Book, is GAO's multi-volume treatise concerning federal fiscal law. The Red Book provides text discussion with reference to specific legal authorities to illustrate legal principles, their application, and exceptions. These references include GAO decisions and opinions, judicial decisions, statutory provisions, and other relevant sources.


Security Authorization of Information Systems in Cloud Computing Environments

  • Authorship: Office of Management and Budget (OMB)
  • Publication Date:
  • Status: Superseded
  • Resource Type: Governance
  • Sub-Resource Type: Memorandum
  • Information: Governance, Management, Operations, Security
Description:

Superseded by M-24-15, "Modernizing the Federal Risk and Authorization Management Program (FedRAMP)".

The "Office of Management and Budget (OMB) Memorandum 2011 12 08: Security Authorization of Information Systems in Cloud Computing Environments" establishes the Federal policy for the protection of Federal information in cloud services; describes the key components of the Federal Risk and Authorization Management Program (FedRAMP) and its operational capabilities; defines the Executive department and agency responsibilities in developing, implementing, operating, and maintaining FedRAMP; and defines the requirements for Executive departments and agencies using FedRAMP in the acquisition of cloud services.