Governance
10 U.S.C. 2306c - Armed Forces - Multiyear Contracts: Acquisition of Services
- Authorship: United States Congress
- Publication Date:
- Status: Active
- Resource Type: Governance
- Sub-Resource Type: Legislation
- Information: Acquisitions, Appropriations
- Sub-Information: Multi-Year Contracting
10 United States Code (U.S.C.) 2306c, subject to subsections (d) "Restrictions Applicable Generally" and (e) "Cancellation or Termination for Insufficient Funding After First Year", authorizes the head of an agency to enter into contracts for periods of not more than five years for services described in subsection (b) "Covered Services" for which funds would otherwise be available for obligation only within the fiscal year for which appropriated, whenever the head of the agency finds that: (1) there will be a continuing requirement for the services consonant with current plans for the proposed contract period; (2) … ; and (3) the use of such a contract will promote the best interests of the United States by encouraging effective competition and promoting economies in operation.
10 U.S.C. 2410a - Armed Forces - Contracts for Periods Crossing Fiscal Years: Severable Service Contracts; Leases of Real or Personal Property
- Authorship: United States Congress
- Publication Date:
- Status: Active
- Resource Type: Governance
- Sub-Resource Type: Legislation
- Information: Acquisitions, Appropriations
- Sub-Information: 1-Year
10 United States Code (U.S.C.) 2410a authorizes the Secretary of Defense, the Secretary of a military department, or the Secretary of Homeland Security with respect to the Coast Guard (when it is not operating as a service in the Navy) to enter into a contract for the procurement of severable services for a period that begins in one fiscal year and ends in the next fiscal year if (without regard to any option to extend the period of the contract) the contract period does not exceed one year. Funds made available for a fiscal year may be obligated for the total amount of a contract period entered into under the authority of this section.
13 CFR 121.1203(d)(3) When will a waiver of the Nonmanufacturer Rule be granted for an individual contract?
- Authorship: Small Business Administration (SBA)
- Publication Date:
- Status: Active
- Resource Type: Governance
- Sub-Resource Type: Code of Federal Regulations (CFR)
- Information: Acquisitions
- Sub-Information: Acquisition Planning
The Small Business Administration (SBA) has determined that remote hosting on servers or networks, or cloud computing, should be considered a service and therefore the Nonmanufacturer Rule (NMR) would not apply.
13 CFR 121.1203(d)(3) "Subscription services, remote hosting of software, data, or other applications on servers or networks of a party other than the U.S. Government are considered by SBA to be services and not the procurement of a supply item. Therefore SBA will not grant waivers of the nonmanufacturer rule for these types of services."
13 CFR 125.6(a)(1) What are the prime contractor's limitations on subcontracting?
- Authorship: Small Business Administration (SBA)
- Publication Date:
- Status: Active
- Resource Type: Governance
- Sub-Resource Type: Code of Federal Regulations (CFR)
- Information: Acquisitions
- Sub-Information: Acquisition Planning
The Small Business Administration (SBA) has determined that due to the costs and scale involved, cloud computing is generally provided by other than small business concerns and has excluded cloud computing from the limitations on subcontracting calculation, where the small business concern will perform other services that are the primary purpose of the acquisition.
13 CFR 125.6(a)(1) "In the case of a contract for services (except construction), it will not pay more than 50% of the amount paid by the government to it to firms that are not similarly situated. Any work that a similarly situated subcontractor further subcontracts will count towards the 50% subcontract amount that cannot be exceeded. Other direct costs may be excluded to the extent they are not the principal purpose of the acquisition and small business concerns do not provide the service, such as airline travel, work performed by a transportation or disposal entity under a contract assigned the environmental remediation NAICS code (562910), cloud computing services, or mass media purchases. In addition, work performed overseas on awards made pursuant to the Foreign Assistance Act of 1961 or work required to be performed by a local contractor, is excluded."
41 U.S.C. 3902 - Public Contracts - Severable Services Contracts for Periods Crossing Fiscal Years
- Authorship: United States Congress
- Publication Date:
- Status: Active
- Resource Type: Governance
- Sub-Resource Type: Legislation
- Information: Acquisitions, Appropriations
- Sub-Information: 1-Year
41 United States Code (U.S.C.) 3902 authorizes the head of an executive agency to enter into a contract for the procurement of severable services for a period that begins in one fiscal year and ends in the next fiscal year if (without regard to any option to extend the period of the contract) the contract period does not exceed one year. Funds made available for a fiscal year may be obligated for the total amount of a contract period entered into under the authority of this section.
41 U.S.C. 3903 - Public Contracts - Multiyear Contracts
- Authorship: United States Congress
- Publication Date:
- Status: Active
- Resource Type: Governance
- Sub-Resource Type: Legislation
- Information: Acquisitions, Appropriations
- Sub-Information: Multi-Year Contracting
41 United States Code (U.S.C.) 3903 authorizes executive agencies to obligate current appropriations (e.g., 1-Year, No-Year) to enter a multiyear contract for the acquisition of property or services (i.e., nonseverable, severable) for the bona fide needs of up to five fiscal years.
The executive agency may choose to obligate current appropriations for the full period of the contract or for the first fiscal year in which the contract is in effect including termination costs.
If the executive agency chooses to obligate on a fiscal year basis, the executive agency records a new obligation in each of the remaining fiscal years including termination costs.
83 FR 8166 - Commission Statement and Guidance on Public Company Cybersecurity Disclosures
- Authorship: Securities and Exchange Commission (SEC)
- Publication Date:
- Status: Active
- Resource Type: Governance
- Sub-Resource Type: Federal Register
- Information: Security
- Sub-Information: Incident Response
83 FR 8166 provides guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents under the Securities Act of 1933 ("Securities Act"), the Securities Exchange Act of 1934 (Exchange Act), and periodic reports under the Exchange Act.
Although the disclosure requirements (e.g., Securities Act, Exchange Act, periodic reports) do not specifically refer to cybersecurity risks and incidents, several of the requirements impose an obligation to disclose such cybersecurity risks and incidents depending on particular circumstances.
In determining a company's cybersecurity risks and incidents disclosure obligations, the company should consider the impact of identified risks or incidents on the company's operations, harm to the company's reputation, financial performance, customer and vendor relationships, and litigation or regulatory investigations or actions.
Companies are expected to make appropriate and timely disclosures of cybersecurity risks and incidents that are material to investors and take appropriate steps to prevent directors and officers (and other corporate insiders who were aware of these matters) from trading its securities until investors have been appropriately informed about the incident or risk.
Companies are also advised that internal or external (e.g., law enforcement) investigations on their own would not provide a basis for avoiding disclosures of a cybersecurity incident, and that companies have a duty to correct initial or prior disclosures.
AA-2021-02: On-Ramping Strategies for Multiple Award Vehicles
- Authorship: General Services Administration (GSA), Office of Governmentwide Policy (OGP)
- Publication Date:
- Status: Active
- Resource Type: Governance
- Sub-Resource Type: Acquisition Alert
- Information: Acquisitions
- Sub-Information: Acquisition Planning
The "Acquisition Alert AA-2021-02: On-Ramping Strategies for Multiple Award Vehicles" highlights strategies and flexibilities available to acquisition teams developing multiple-award contracts such as Indefinite-Delivery / Indefinite-Quantity (IDIQ) contracts, FAR Part 8 Blanket Purchase Agreements (BPAs), or other Multiple Award Vehicles (MAVs) through the use of an on-ramping mechanism.
Acquisition and Use of Commercial Cloud Computing Services
- Authorship: Department of Defense (DoD), Department of the Navy (DON), Chief Information Officer (CIO)
- Publication Date:
- Status: Rescinded, Superseded
- Resource Type: Governance
- Sub-Resource Type: Memorandum
- Information: Acquisitions, Technology
Rescinded and Superseded by "Department of Defense (DoD), Department of the Navy (DON), Chief Information Officer (CIO) Memorandum 2020 12 07: Department of the Navy Cloud Policy".
Additional Guidance Regarding Acquisition and Use of Commercial Cloud Computing Services in DON
- Authorship: Department of Defense (DoD), Department of the Navy (DON), Chief Information Officer (CIO)
- Publication Date:
- Status: Rescinded, Superseded
- Resource Type: Governance
- Sub-Resource Type: Memorandum
- Information: Acquisitions, Technology
Rescinded and Superseded by "Department of Defense (DoD), Department of the Navy (DON), Chief Information Officer (CIO) Memorandum 2020 12 07: Department of the Navy Cloud Policy".
Clinger-Cohen Act of 1996
- Authorship: United States Congress
- Publication Date:
- Status: Active
- Resource Type: Governance
- Sub-Resource Type: Legislation
- Information: Acquisitions, Governance, Management
The Clinger-Cohen Act (CCA) of 1996 became law as part of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 1996 (S. 1124), specifically Division D - Federal Acquisition Reform Act (FARA) of 1996 and Division E - Information Technology Management Reform Act (ITMRA) of 1996.
Division D: Federal Acquisition Reform - Federal Acquisition Reform Act of 1996 - Title XLI (sic): Competition - Amends the Federal Property and Administrative Services Act (FPASA) of 1949 and other Federal provisions to require the Federal Acquisition Regulation (FAR) to ensure that the requirement to obtain full and open competition is implemented in a manner that efficiently fulfills the Government's requirements. Amends the Office of Federal Procurement Policy Act (OFPPA) to require public notice of solicitations for Federal contracts for property or services expected to exceed $10,000 but not to exceed $25,000. (Currently, such notice is required for all such contracts, regardless of amount.)
(Sec. 4102) Raises the dollar thresholds for contracts that require the prior approval by higher level agency officials of the use of procedures other than competitive procedures.
(Sec. 4103) Allows a contracting officer, when the number of offers exceeds the number at which an efficient competition can be conducted, to limit the number of contract proposals in the competitive range to the greatest number that will permit sufficient competition among the offerors with the highest rating. Allows offerors excluded by such process to request, in writing and within three days, a debriefing of the reasons for such exclusion prior to the award of the contract. Requires the contracting officer to then make every effort to debrief such offeror, but allows the officer to refuse such request when not in the best interests of the Government at that time. Provides alternative debriefing requirements if such refusal is exercised.
(Sec. 4105) Directs the head of a Federal or defense agency to use a two-phase selection procedure for entering into a contract for the design and construction of a public building, facility, or work when it is determined that such procedure is appropriate. States that such two phases generally consist of: (1) a work statement that defines the project to offerors and provides them with sufficient information to submit proposals; and (2) selection by the contracting officer of the most highly qualified offers based on the use of solicitation evaluation factors. Requires each contract solicitation to state a maximum number of five offerors that will be selected to submit competitive proposals, unless the agency determines that a greater number is in the Government's best interest and is consistent with the purposes of the two-phase process.
Division E: Information Technology Management Reform - Information Technology Management Reform Act of 1996 - Title LI (sic): Responsibility for Acquisitions of Information Technology -
Subtitle A: General Authority - Repeals the Brooks Automatic Data Processing Act, which authorizes and directs the GSA Administrator to coordinate and provide for the economic and efficient purchase, lease, and maintenance of automatic data processing equipment by Federal agencies.
Subtitle B: Director of the Office of Management and Budget - Requires the Director of the Office of Management and Budget (OMB), with respect to information technology in the Federal Government, to: (1) exercise capital planning control; (2) promote the improvement of the acquisition, use, and disposal of such technology through the improvement of Federal programs; (3) develop as part of the budget process a process for analyzing, tracking, and evaluating the risks and results of all major capital investments in information systems by executive agencies; (4) oversee the development and implementation by the Secretary of Commerce of standards and guidelines pertaining to Federal computer systems; (5) designate executive agents for information technology acquisitions and require such agents to use best acquisition practices; (6) assess other models for managing information technology; (7) compare, and disseminate results of, various agencies' use of information technology; (8) monitor the development and implementation of training for executive personnel; (9) inform the Congress with respect to such technology in the Federal Government; and (10) coordinate the development and review of policy associated with Federal information technology acquisition.
(Sec. 5113) Requires the OMB Director to: (1) encourage performance- and results-based management in fulfilling his responsibilities; and (2) evaluate the information resources management practices of the executive agencies with respect to the performance and results of investments made in information technology. Provides enforcement authority for the Director in the accountability of agency heads for information resources management and investments.
Subtitle C: Executive Agencies - Requires the head of each executive agency to design and implement in such agency a process for maximizing the value and assessing and managing the risks of information technology acquisitions. Directs such agency heads to utilize the same performance- and results-based management practices as encouraged by the OMB Director, and to prepare an annual report to the Congress concerning progress in achieving such goals. Provides specific authority of such agency heads with respect to information technology acquisitions.
(Sec. 5125) Designates a Chief Information Officer (currently, a senior official) within each executive agency, with appropriate duties relating to information technology acquisition and management.
(Sec. 5126) Requires the head of each agency, in consultation with the Chief Information Officer and Chief Financial Officer of such agency, to establish policies and procedures to ensure the integration within such agency of financial and information systems.
(Sec. 5127) Requires agency heads to identify any major information technology acquisition program, or phase or increment of such program, that has significantly deviated from its cost, performance, or schedule goals.
(Sec. 5128) Authorizes agency information technology funding to be used to support jointly with other agency heads the activities of interagency groups established to advise the OMB Director in carrying out information technology responsibilities under this title.
Subtitle D: Other Responsibilities - Directs the Secretary of Commerce to promulgate standards and guidance pertaining to the efficiency, security, and privacy of Federal computer systems. Authorizes the President to disapprove or modify such standards. Authorizes an agency head to employ more stringent standards as long as such standards contain at least those standards made compulsory and binding by such Secretary. Authorizes the Secretary to waive such standards when compliance would adversely affect the mission of a computer operator or cause a major adverse financial impact on such operator which is not offset by Government-wide savings.
(Sec. 5132) Expresses the sense of the Congress that, during the five-year period beginning with 1996, executive agencies should achieve each year at least a five percent decrease in information technology O&M costs, as well as a five percent increase in efficiency of operations.
Subtitle E: National Security Systems - Excludes, with exceptions, national security systems from the provisions of this title.
Computer Security Act of 1987
- Authorship: United States Congress
- Publication Date:
- Status: Active
- Resource Type: Governance
- Sub-Resource Type: Legislation
- Information: Governance, Security, Workforce
Computer Security Act of 1987 - Directs the National Bureau of Standards, renamed the National Institute of Standards and Technology (NIST) in 1988, to establish a computer standards program for federal computer systems, including guidelines for the security of such systems. Sets forth authorities of the Bureau in implementing such standards. Requires the Bureau to draw upon computer system technical security guidelines developed by the National Security Agency regarding protecting sensitive information.
Establishes a Computer System Security and Privacy Advisory Board within the Department of Commerce to: (1) identify, and advise the Bureau and the Secretary of Commerce on, issues relating to computer systems security and privacy; and (2) report findings to the Secretary, the Director of the Office of Management and Budget, the Director of the National Security Agency, and the appropriate congressional committees.
Amends the Federal Property and Administrative Services Act of 1949 to require the Secretary to promulgate standards and guidelines pertaining to federal computer systems on the basis of standards developed by the Bureau. Authorizes the President to disapprove or modify such standards and guidelines if such action would be in the public interest. Requires that notice of such disapproval or modification be submitted to the House Committee on Government Operations and the Senate Committee on Governmental Affairs and published in the Federal Register. Directs the Secretary to rescind or modify such standards or guidelines as directed by the President.
Requires each agency to provide mandatory periodic training in computer security, under guidelines developed by the Bureau, for all employees involved with the management, use, or operation of computer systems. Authorizes the use of an approved alternative training program determined by the agency head to meet the objectives of such guidelines.
Requires each agency with a federal computer system to establish a plan for the security and privacy of sensitive information. Requires the submission of such plans to the Bureau and the National Security Agency for advice and comment. Subjects such plans to disapproval by the Office of Management and Budget.
Provides that nothing in this Act shall be construed to: (1) constitute authority to withhold information sought under the Freedom of Information Act; or (2) authorize any federal agency to limit, restrict, regulate, or control the collection, maintenance, disclosure, use, transfer, or sale of any information that is privately-owned information, information disclosable under the Freedom of Information Act or other law requiring or authorizing the public disclosure of information, or information in the public domain.
Department of Defense (DoD) Memorandum of Reciprocity for FedRAMP Authorized Moderate Baseline Cloud Service Offerings (CSO) at Impact Level 2 (IL2)
- Authorship: Department of Defense (DoD), Defense Information Systems Agency (DISA)
- Publication Date:
- Status: Active
- Resource Type: Governance
- Sub-Resource Type: Legislation
- Information: Governance, Security
- Sub-Information: Training
The "Department of Defense (DoD), Defense Information Systems Agency (DISA) Memorandum 2019 08 15: Department of Defense (DoD) Memorandum of Reciprocity for FedRAMP Authorized Moderate Baseline Cloud Service Offerings (CSO) at Impact Level 2 (IL2)" provides that Cloud Service Offerings (CSOs) that have: (1) demonstrated compliance with the Federal Risk and Authorization Management Program (FedRAMP) Moderate Baseline, and (2) been granted a FedRAMP Joint Authorization Board (JAB) or Agency authorization (based on an assessment and Authorization To Operate (ATO) issued by a government agency where the Cloud Service Provider (CSP) was assessed by a FedRAMP accredited/approved Third Party Assessment Organization (3PAO)) are hereby designated as DoD Impact Level 2 (IL2) CSOs via reciprocity (unless specifically revoked).
Department of Defense Core Enterprise Technology Agreements for Microsoft 365/ Office 365 and On-Premises Products
- Authorship: Department of Defense (DoD), Chief Information Officer (CIO)
- Publication Date:
- Status: Active
- Resource Type: Governance
- Sub-Resource Type: Memorandum
- Information: Acquisitions
- Sub-Information: Acquisition Planning
The "Department of Defense (DoD), Chief Information Officer (CIO) Memorandum 2021 08 09: Department of Defense Core Enterprise Technology Agreements for Microsoft 365/ Office 365 and On-Premises Products" identifies the Defense Enterprise Office Solution (DEOS) Program and the DoD Enterprise Software Agreement (ESA) as the preferred purchasing vehicles for all Microsoft (MS) software: Microsoft 365/ Office 365 cloud capabilities and the procurement and maintenance of on-premises Microsoft software.
DEOS and DoD ESA are in the process of being designated as Core Enterprise Technology Agreements (CETAs). Once finalized, these purchasing vehicles will be mandatory for all DoD components and agencies. In anticipation of CETA approval, components and agencies are directed to transition to DEOS and DoD ESA at the earliest opportunity or as existing contracts expire.
Department of the Navy Cloud Policy
- Authorship: Department of Defense (DoD), Department of the Navy (DON), Assistant Secretary of the Navy (Research Development & Acquisitions), Chief Information Officer (CIO)
- Publication Date:
- Status: Active
- Resource Type: Governance
- Sub-Resource Type: Memorandum
- Information: Acquisitions, Governance, Management, Operations
The "Department of Defense (DoD), Department of the Navy (DON), Chief Information Officer (CIO) Memorandum 2020 12 07: Department of the Navy Cloud Policy" provides updated policy for the accelerated promotion, acquisition, and consumption of cloud services in the Department of the Navy in direct support of the DON Information Superiority Vision.
Executive Order 13103: Computer Software Piracy
- Authorship: President of the United States of America (POTUS)
- Publication Date:
- Status: Active
- Resource Type: Governance
- Sub-Resource Type: Executive Order
- Information: Governance, Management, Operations
It shall be the policy of the United States Government that each executive agency shall work diligently to prevent and combat computer software piracy in order to give effect to copyrights associated with computer software by observing the relevant provisions of international agreements in effect in the United States, including applicable provisions of the World Trade Organization Agreement on Trade-Related Aspects of Intellectual Property Rights, the Berne Convention for the Protection of Literary and Artistic Works, and relevant provisions of Federal law, including the Copyright Act.
(a) Each agency shall adopt procedures to ensure that the agency does not acquire, reproduce, distribute, or transmit computer software in violation of applicable copyright laws.
(b) Each agency shall establish procedures to ensure that the agency has present on its computers and uses only computer software not in violation of applicable copyright laws. These procedures may include:
(1) preparing agency inventories of the software present on its computers;
(2) determining what computer software the agency has the authorization to use; and
(3) developing and maintaining adequate recordkeeping systems.
(c) Contractors and recipients of Federal financial assistance, including recipients of grants and loan guarantee assistance, should have appropriate systems and controls in place to ensure that Federal funds are not used to acquire, operate, or maintain computer software in violation of applicable copyright laws. If agencies become aware that contractors or recipients are using Federal funds to acquire, operate, or maintain computer software in violation of copyright laws and determine that such actions of the contractors or recipients may affect the integrity of the agency's contracting and Federal financial assistance processes, agencies shall take such measures, including the use of certifications or written assurances, as the agency head deems appropriate and consistent with the requirements of law.
(d) Executive agencies shall cooperate fully in implementing this order and shall share information as appropriate that may be useful in combating the use of computer software in violation of applicable copyright laws.
Executive Order 14028: Improving the Nation's Cybersecurity
- Authorship: President of the United States of America (POTUS)
- Publication Date:
- Status: Active
- Resource Type: Governance
- Sub-Resource Type: Executive Order
- Information: Governance, Operations, Security
The Executive Order makes a significant contribution toward modernizing cybersecurity defenses by protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States' ability to respond to incidents when they occur.
Sec 2. Remove Barriers to Threat Information Sharing Between Government and the Private Sector. The Executive Order ensures that IT Service Providers are able to share information with the government and requires them to share certain breach information.
Sec 3. Modernize and Implement Stronger Cybersecurity Standards in the Federal Government. The Executive Order helps move the Federal government to secure cloud services and a zero-trust architecture, and mandates deployment of multifactor authentication and encryption within a specific time period.
Sec 4. Improve Software Supply Chain Security. The Executive Order will improve the security of software by establishing baseline security standards for development of software sold to the government, including requiring developers to maintain greater visibility into their software and making security data publicly available.
Sec 5. Establish a Cybersecurity Safety Review Board. The Executive Order establishes a Cybersecurity Safety Review Board, co-chaired by government and private sector leads, that may convene following a significant cyber incident to analyze what happened and make concrete recommendations for improving cybersecurity.
Sec 6. Create a Standard Playbook for Responding to Cyber Incidents. The Executive Order creates a standardized playbook and set of definitions for cyber incident response by federal departments and agencies. Organizations cannot wait until they are compromised to figure out how to respond to an attack.
Sec 7. Improve Detection of Cybersecurity Incidents on Federal Government Networks. The Executive Order improves the ability to detect malicious cyber activity on federal networks by enabling a government-wide endpoint detection and response system and improved information sharing within the Federal government.
Sec 8. Improve Investigative and Remediation Capabilities. The Executive Order creates cybersecurity event log requirements for federal departments and agencies.
Federal Cloud Computing Strategy, Cloud First
- Authorship: Office of Management and Budget (OMB), Office of the Federal Chief Information Officer (OFCIO)
- Publication Date:
- Status: Rescinded, Superseded
- Resource Type: Governance
- Sub-Resource Type: Policy
- Information: Governance, Management, Operations
Rescinded and Superseded by the Federal Cloud Computing Strategy, Cloud Smart.
Federal Cloud Computing Strategy, Cloud Smart
- Authorship: Office of Management and Budget (OMB), Office of the Federal Chief Information Officer (OFCIO)
- Publication Date:
- Status: Active
- Resource Type: Governance
- Sub-Resource Type: Policy
- Information: Acquisitions, Governance, Management, Operations, Security, Technology, Workforce
The Federal Cloud Computing Strategy, Cloud Smart, is a long-term, high-level strategy to drive cloud adoption in federal agencies. This cloud policy offers a path forward for agencies to migrate to a safe and secure cloud infrastructure. Cloud Smart encompasses several key components of IT modernization including security, procurement, and workforce. Historically, policies have isolated these areas, creating confusion and a misunderstanding of requirements, mission, and needs. However, they are deeply linked, and require an integrated, interdisciplinary approach, rather than a one-size-fits-all approach to IT modernization. Cloud Smart combines these disciplines together into a cohesive strategy that provides savings, security, and faster delivery of mission-serving solutions.
Federal Information Security Management Act (FISMA) of 2002
- Authorship: United States Congress
- Publication Date:
- Status: Amended
- Resource Type: Governance
- Sub-Resource Type: Legislation
- Information: Governance, Management, Operations, Security
Amended by the Federal Information Security Modernization Act (FISMA) of 2014.
Federal Information Security Management Act (FISMA) of 2002 became law as part of the E-Government Act of 2002 (Title III, H.R. 2458):
(Sec. 301) Requires the Director of OMB to oversee agency information security policies and practices, including by: (1) developing and overseeing the implementation of policies, principles, standards, and guidelines on information security; (2) requiring agencies to identify and provide information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems used or operated by an agency or by a contractor on behalf of an agency; (3) coordinating the development of standards and guidelines under the National Institute of Standards and Technology Act with agencies exercising control of national security systems to assure that such standards and guidelines are complementary with those developed for national security systems; (4) overseeing agency compliance with this Act; (5) reviewing at least annually, and approving or disapproving, agency information security programs; (6) coordinating information security policies and procedures with related information resources management policies and procedures; (7) overseeing the operating of the Federal information security incident center; and (8) reporting to Congress by March 1 of each year on agency compliance with this Act.
Sets forth provisions regarding delegation of the Director's authority regarding certain systems operated by the Department of Defense and by the Central Intelligence Agency.
Directs the head of each agency to: (1) be responsible for providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access and for complying with information security standards and guidelines; (2) ensure that senior agency officials provide information security for the information and information systems that support operations and assets; (3) delegate to the agency CIO the authority to ensure compliance with the regulations imposed under this Act; (4) ensure that the agency has trained personnel sufficient to assist the agency in complying with Act requirements; and (5) ensure that the agency CIO reports annually on the effectiveness of the agency information security program.
Requires each agency to develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support operations and assets. Requires such program to include: (1) periodic risk assessments; (2) policies and procedures that ensure that information security is addressed throughout the life cycle of each agency information system; (3) subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems; (4) security awareness training; (5) periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices; (6) a process for planning, implementing, evaluating, and documenting remedial action to address deficiencies; (7) procedures for detecting, reporting, and responding to security incidents; and (8) plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.
Requires each agency to: (1) report annually to the Director, specified congressional committees, and the Comptroller General on the adequacy and effectiveness of information security policies, procedures, and practices and on compliance with this Act; (2) address such adequacy and effectiveness in plans and reports relating to annual agency budgets, information resources management, IT management, program performance, financial management, financial management systems, and internal accounting and administrative controls; and (3) report any significant deficiency.
Sets forth requirements regarding performance plans, and public notice and comment. Requires each agency to have performed an annual independent evaluation.
Requires the Director to: (1) summarize the results of the evaluations and report to Congress; and (2) ensure the operation of a central Federal information security incident center. Requires each agency exercising control of a national security system to share information about information security incidents, threats, and vulnerabilities with the center to the extent consistent with standards and guidelines for national security systems.
(Sec. 302) Directs that standards and guidelines for national security systems be developed, prescribed, enforced, and overseen as otherwise authorized by law and as directed by the President.
Requires the Secretary to make standards prescribed for Federal information systems compulsory and binding as necessary to improve the efficiency of operation or security of such systems. Requires that the decision by the Secretary regarding the promulgation of standards under this section occur within six months of submission of the proposed standard by NIST.
(Sec. 303) Amends the National Institute of Standards and Technology Act to provide that NIST shall: (1) have the mission of developing standards, guidelines, and associated methods and techniques for information (currently, computer) systems; (2) develop standards and guidelines, including minimum requirements, for information systems used or operated by an agency or by a contractor on behalf of an agency, other than national security systems; and (3) develop standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets.
(Sec. 304) Renames the Computer System Security and Privacy Advisory Board as the Information Security and Privacy Advisory Board. Includes among its duties to advise the Director (currently limited to the Institute and the Secretary) on information security and privacy issues pertaining to Government information systems.
(Sec. 305) Amends the Paperwork Reduction Act to require each agency head to develop and maintain an inventory of major information systems (including major national security systems) operated or under the control of such agency, including an identification of the interfaces between each such system and all other systems or networks. Requires such inventory to be: (1) updated at least annually; (2) made available to the Comptroller General; and (3) used to support information resources management.
Federal Information Security Modernization Act (FISMA) of 2014
- Authorship: United States Congress
- Publication Date:
- Status: Active
- Resource Type: Governance
- Sub-Resource Type: Legislation
- Information: Governance, Management, Operations, Security
Federal Information Security Modernization Act of 2014 - Amends the Federal Information Security Management Act of 2002 (FISMA) to: (1) reestablish the oversight authority of the Director of the Office of Management and Budget (OMB) with respect to agency information security policies and practices, and (2) set forth authority for the Secretary of Homeland Security (DHS) to administer the implementation of such policies and practices for information systems.
Requires the Secretary to develop and oversee implementation of operational directives requiring agencies to implement the Director's standards and guidelines for safeguarding federal information and systems from a known or reasonably suspected information security threat, vulnerability, or risk. Authorizes the Director to revise or repeal operational directives that are not in accordance with the Director's policies.
Requires the Secretary (currently, the Director) to ensure the operation of the Federal Information Security Incident Center (FISIC).
Directs the Secretary to administer procedures to deploy technology, upon request by an agency, to assist the agency to continuously diagnose and mitigate against cyber threats and vulnerabilities.
Requires the Director's annual report to Congress regarding the effectiveness of information security policies to assess agency compliance with OMB data breach notification procedures.
Provides for OMB's information security authorities to be delegated to the Director of National Intelligence (DNI) for certain systems operated by an element of the intelligence community.
Directs the Secretary to consult with and consider guidance developed by the National Institute of Standards and Technology (NIST) to ensure that operational directives do not conflict with NIST information security standards.
Directs agency heads to ensure that: (1) information security management processes are integrated with budgetary planning; (2) senior agency officials, including chief information officers, carry out their information security responsibilities; and (3) all personnel are held accountable for complying with the agency-wide information security program.
Provides for the use of automated tools in agencies' information security programs, including for periodic risk assessments, testing of security procedures, and detecting, reporting, and responding to security incidents.
Requires agencies to include offices of general counsel as recipients of security incident notices. Requires agencies to notify Congress of major security incidents within seven days after there is a reasonable basis to conclude that a major incident has occurred.
Directs agencies to submit an annual report regarding major incidents to OMB, DHS, Congress, and the Comptroller General (GAO). Requires such reports to include: (1) threats and threat actors, vulnerabilities, and impacts; (2) risk assessments of affected systems before, and the status of compliance of the systems at the time of, major incidents; (3) detection, response, and remediation actions; (4) the total number of incidents; and (5) a description of the number of individuals affected by, and the information exposed by, major incidents involving a breach of personally identifiable information.
Authorizes GAO to provide technical assistance to agencies and inspectors general, including by testing information security controls and procedures.
Requires OMB to ensure the development of guidance for: (1) evaluating the effectiveness of information security programs and practices, and (2) determining what constitutes a major incident.
Directs FISIC to provide agencies with intelligence about cyber threats, vulnerabilities, and incidents for risk assessments.
Directs OMB, during the two-year period after enactment of this Act, to include in an annual report to Congress an assessment of the adoption by agencies of continuous diagnostics technologies and other advanced security tools.
Requires OMB to ensure that data breach notification policies require agencies, after discovering an unauthorized acquisition or access, to notify: (1) Congress within 30 days, and (2) affected individuals as expeditiously as practicable. Allows the Attorney General, heads of elements of the intelligence community, or the DHS Secretary to delay notice to affected individuals for purposes of law enforcement investigations, national security, or security remediation actions.
Requires OMB to amend or revise OMB Circular A-130 to eliminate inefficient and wasteful reporting.
Directs the Information Security and Privacy Advisory Board to advise and provide annual reports to DHS.
Federal Information Technology Acquisition Reform Act (FITARA) Enhancement Act of 2017
- Authorship: United States Congress
- Publication Date:
- Status: Active
- Resource Type: Governance
- Sub-Resource Type: Legislation
- Information: Acquisitions, Governance, Management, Operations, Workforce
The Federal Information Technology Acquisition Reform Act (FITARA) Enhancement Act of 2017:
(Sec. 2) Repeals the expiration date of (thus making permanent) provisions of the Carl Levin and Howard P. "Buck" McKeon National Defense Authorization Act (NDAA) for Fiscal Year 2015 that require: (1) the Office of Management and Budget (OMB) to make available to the public a list of each major information technology investment made by a covered agency for information technology, including data on cost, schedule, and performance; (2) the Chief Information Officer of each covered agency and the program manager of the investment within the agency to conduct a risk management review of those investments that have received a high risk rating for four consecutive quarters; and (3) the implementation by OMB of a process to assist the covered agencies in reviewing their portfolio of information technology investments.
(Sec. 4) Amends such Act to extend the Federal Data Center Consolidation Initiative through FY2020.
Federal Information Technology Acquisition Reform Act (FITARA) of 2015
- Authorship: United States Congress
- Publication Date:
- Status: Amended
- Resource Type: Governance
- Sub-Resource Type: Legislation
- Information: Acquisitions, Governance, Management, Operations, Workforce
Amended by the Federal Information Technology Acquisition Reform Act (FITARA) Enhancement Act of 2017.
Amended by the National Defense Authorization Act (NDAA) for Fiscal Year 2020 (Title VIII, Subtitle D, S. 1790).
The Federal Information Technology Acquisition Reform Act (FITARA) became law as a part of the National Defense Authorization Act (NDAA) for Fiscal Year 2015 (Title VIII, Subtitle D, H.R. 3979):
(Sec. 831) Requires specified federal agencies to ensure that the Chief Information Officer (CIO) of the agencies has specified authorities and responsibilities in planning, programming, budgeting, and executing processes related to information technology.
(Sec. 832) Requires the Office of Management and Budget (OMB) to make the cost, schedule, and performance data of specified information technology investments publicly available. Requires the CIO of each agency to categorize the investments according to risk and review those that have a high level of risk.
(Sec. 833) Requires OMB to implement a process to assist specified agencies in reviewing their portfolio of information technology investments, including the development of standardized cost savings and cost avoidance metrics and performance indicators. Requires the CIO of each agency to conduct an annual review of the information technology portfolio and requires the Administrator of the Office of Electronic Government to submit a quarterly report to Congress identifying cost savings and reductions in duplicative investments identified by the review.
(Sec. 834) Provides for the consolidation of federal data centers.
(Sec. 835) Requires OMB to work with federal agencies to update their acquisition human capital plans to address how the agencies are meeting their human capital requirements to support the timely and effective acquisition of information technology.
(Sec. 836) Directs OMB to prescribe regulations requiring a comparative value analysis to be included in the contract file when the federal government purchases services and supplies offered under the Federal Strategic Sourcing Initiative from sources outside the Initiative.
(Sec. 837) Requires the General Services Administration to develop a strategic sourcing initiative to enhance government-wide acquisitions, shared use, and dissemination of software, as well as compliance with end use license agreements.
Information Technology Modernization Centers of Excellence Program Act
- Authorship: United States Congress
- Publication Date:
- Status: Active
- Resource Type: Governance
- Sub-Resource Type: Legislation
- Information: Acquisitions, Governance, Management, Operations, Security, Technology
The Information Technology Modernization Centers of Excellence Program Act requires the General Services Administration (GSA) to establish an Information Technology Modernization Centers of Excellence Program to facilitate the adoption of modern technology by executive agencies.
The GSA shall (1) coordinate with the Department of Homeland Security in establishing the program to ensure that the technology, tools, and frameworks facilitated for executive agencies by the program provide sufficient cybersecurity and maintain the integrity, confidentiality, and availability of federal information; and (2) report to Congress.
M-15-14: Management and Oversight of Federal Information Technology
- Authorship: Office of Management and Budget (OMB)
- Publication Date:
- Status: Active
- Resource Type: Governance
- Sub-Resource Type: Memorandum
- Information: Acquisitions, Governance, Management, Operations, Workforce
The "Office of Management and Budget (OMB) Memorandum M-15-14: Management and Oversight of Federal Information Technology" provides implementation guidance for the Federal Information Technology Acquisition Reform Act (FITARA) and related information technology (IT) management practices.
M-16-12: Category Management Policy 16-1: Improving the Acquisition and Management of Common Information Technology: Software Licensing
- Authorship: Office of Management and Budget (OMB)
- Publication Date:
- Status: Active
- Resource Type: Governance
- Sub-Resource Type: Memorandum
- Information: Acquisitions, Governance, Management, Operations, Workforce
The "Office of Management and Budget (OMB) Memorandum M-16-12: Category Management Policy 16-1: Improving the Acquisition and Management of Common Information Technology: Software Licensing" provides guidance for the acquisition and management (e.g., costs, inventory, utilization) of software licenses and subscriptions (e.g., Software as a Service (SaaS)), and for the appointment of a software manager responsible for agency-wide software agreements and licenses.
M-16-19: Data Center Optimization Initiative (DCOI)
- Authorship: Office of Management and Budget (OMB)
- Publication Date:
- Status: Rescinded, Superseded
- Resource Type: Governance
- Sub-Resource Type: Memorandum
- Information: Governance, Management, Operations, Security, Technology
Rescinded and Superseded by the "Office of Management and Budget (OMB) Memorandum M-19-19: Update to Data Center Optimization Initiative (DCOI)".
M-18-12: Implementation of the Modernizing Government Technology Act
- Authorship: Office of Management and Budget (OMB)
- Publication Date:
- Status: Active
- Resource Type: Governance
- Sub-Resource Type: Memorandum
- Information: Governance, Management, Operations, Security, Technology
The "Office of Management and Budget (OMB) Memorandum M-18-12: Implementation of the Modernizing Government Technology (MGT) Act" provides guidance to all agencies regarding the Technology Modernization Fund (TMF), project proposal submissions to the Technology Modernization Board, and guidance to Chief Financial Officers (CFO) Act agencies regarding the administration and funding of Information Technology (IT) Working Capital Funds (WCFs).
M-19-19: Update to Data Center Optimization Initiative (DCOI)
- Authorship: Office of Management and Budget (OMB)
- Publication Date:
- Status: Active
- Resource Type: Governance
- Sub-Resource Type: Memorandum
- Information: Governance, Management, Operations, Security, Technology
The "Office of Management and Budget (OMB) Memorandum M-19-19: Update to Data Center Optimization Initiative (DCOI)" provides updated requirements in alignment with the Federal Cloud Computing Strategy, Cloud Smart, and the President's Management Agenda. These include: reporting on agency data center consolidation strategies and optimization targets and metrics; continued optimization of existing facilities (e.g., automation, availability, server utilization, virtualization), application rationalization, and application portfolio management; improving security posture; transitioning to more efficient infrastructures, such as cloud services, inter / intra-agency shared services, and colocated data centers; leveraging technology advancements to optimize infrastructures; and providing quality services for the public good.
M-21-05: Extension of Data Center Optimization Initiative (DCOI)
- Authorship: Office of Management and Budget (OMB)
- Publication Date:
- Status: Active
- Resource Type: Governance
- Sub-Resource Type: Memorandum
- Information: Governance, Management, Operations, Security, Technology
The "Office of Management and Budget (OMB) Memorandum M-21-05: Extension of Data Center Optimization Initiative (DCOI)" extends the requirements of "Office of Management and Budget (OMB) Memorandum M-19-19: Update to Data Center Optimization Initiative (DCOI)" through 2022 10 01.
M-21-31: Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents
- Authorship: Office of Management and Budget (OMB)
- Publication Date:
- Status: Active
- Resource Type: Governance
- Sub-Resource Type: Memorandum
- Information: Security
The "Office of Management and Budget (OMB) Memorandum M-21-31: Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents" was developed in accordance with "Executive Order 14028: Improving the Nation's Cybersecurity" and defines the requirements for Federal Information Systems (IS) logging, log retention, and log management, with a focus on ensuring centralized access and visibility for the highest-level enterprise Security Operations Center (SOC) of each agency. The memorandum establishes requirements for agencies to share log information, as needed and appropriate, to accelerate incident response efforts and to enable more effective defense of Federal Information Systems (IS) and data.
M-22-09: Moving the U.S. Government Toward Zero Trust Cybersecurity Principles
- Authorship: Office of Management and Budget (OMB)
- Publication Date:
- Status: Active
- Resource Type: Governance
- Sub-Resource Type: Memorandum
- Information: Governance, Security, Technology
- Sub-Information: Authentication and Authorization, Encryption, Identity Access Management (IAM), Multi-Factor Authentication (MFA), Architecture, Zero Trust Architecture (ZTA)
The "Office of Management and Budget (OMB) Memorandum M-22-09: Moving the U.S. Government Toward Zero Trust Cybersecurity Principles" sets forth a Federal zero trust architecture (ZTA) strategy, requiring agencies to meet specific cybersecurity standards and objectives by the end of Fiscal Year (FY) 2024 in order to reinforce the Government’s defenses against increasingly sophisticated and persistent threat campaigns. Those campaigns target Federal technology infrastructure, threatening public safety and privacy, damaging the American economy, and weakening trust in Government.
M-24-15, “Modernizing the Federal Risk and Authorization Management Program (FedRAMP)”
- Authorship: Office of Management and Budget (OMB)
- Publication Date:
- Status: Active
- Resource Type: Governance
- Sub-Resource Type: Memorandum
- Information: Governance, Management, Operations, Security
The White House Office of Management and Budget (OMB) released M-24-15, “Modernizing the Federal Risk and Authorization Management Program (FedRAMP)” which establishes FedRAMP’s strategic goals and calls for significant shifts in FedRAMP operations to accelerate agencies’ secure adoption of cloud services. The guidance clearly positions FedRAMP as a security and risk management program, with a focus on significantly scaling the FedRAMP marketplace, and streamlining and automating more of the authorization process.
The updated policy further reinforces the priorities we highlighted in March in FedRAMP’s public roadmap, which has been driving the recent work of the program.
Making Electronic Government Accountable By Yielding Tangible Efficiencies Act of 2016 (MEGABYTE Act of 2016)
- Authorship: United States Congress
- Publication Date:
- Status: Active
- Resource Type: Governance
- Sub-Resource Type: Legislation
- Information: Acquisitions, Governance, Management, Operations, Technology
The Making Electronic Government Accountable By Yielding Tangible Efficiencies Act of 2016 (MEGABYTE Act of 2016):
(Sec. 2) Requires the Office of Management and Budget (OMB) to issue a directive to require the Chief Information Officer (CIO) of each executive agency to develop a comprehensive software licensing policy, which shall: identify clear roles, responsibilities, and central oversight authority within the agency for managing enterprise software license agreements and commercial software licenses; and require each CIO to establish a comprehensive inventory of software licenses, track and maintain such licenses, analyze software usage to make cost-effective decisions, provide software license management training, establish goals and objectives of the agency's software license management program, and consider the software license management life cycle phases to implement effective decision-making and incorporate existing standards, processes, and metrics. Each CIO shall report to OMB in each of the six fiscal years after this bill's enactment on the savings from improved software license management.
Migration Guidance for Department of the Air Force Enterprise Cloud Services
- Authorship: Department of Defense (DoD), Department of the Air Force (DAF), Chief Information Officer (CIO)
- Publication Date:
- Status: Active
- Resource Type: Governance
- Sub-Resource Type: Memorandum
- Information: Acquisitions, Governance, Operations
- Sub-Information: Acquisition Planning, Agile Development, Development Security Operations (DevSecOps)
The "Department of Defense (DoD), Department of the Air Force (DAF) Memorandum 2021 06 21: Migration Guidance for Department of the Air Force Enterprise Cloud Services" mandates that Cloud One shall be used for Unclassified workloads that have not already begun migrating to the cloud and Cloud One shall have first right of refusal for Secret workloads. DAF teams that require new capabilities shall collaborate with Cloud One to make those capabilities available in Cloud One and to the entire enterprise.
Modernizing Government Technology (MGT) Act
- Authorship: United States Congress
- Publication Date:
- Status: Active
- Resource Type: Governance
- Sub-Resource Type: Legislation
- Information: Appropriations, Governance, Management, Operations, Technology
The Modernizing Government Technology (MGT) Act became law as a part of the National Defense Authorization Act (NDAA) for Fiscal Year 2018 (Title X, Subtitle G, H.R. 2810):
(Sec. 1077) Establishment of agency information technology systems modernization and working capital funds.
(Sec. 1078) Establishment of technology modernization fund and board.
National Defense Authorization Act (NDAA) for Fiscal Year 2020
- Authorship: United States Congress
- Publication Date:
- Status: Active
- Resource Type: Governance
- Sub-Resource Type: Legislation
- Information: Acquisitions, Governance, Management, Operations, Workforce
The National Defense Authorization Act (NDAA) for Fiscal Year 2020 (Title VIII, Subtitle D, S. 1790) amends the Federal Information Technology Acquisition Reform Act (FITARA) of 2015.
(Sec. 824) Extends the sunset provision for the Federal Data Center Consolidation Initiative through FY2022.
Paperwork Reduction Act of 1995
- Authorship: United States Congress
- Publication Date:
- Status: Active
- Resource Type: Governance
- Sub-Resource Type: Legislation
- Information: Governance, Management
Paperwork Reduction Act (PRA) of 1995:
(1) Minimize the paperwork burden for individuals, small businesses, educational and nonprofit institutions, Federal contractors, State, local and tribal governments, and other persons resulting from the collection of information by or for the Federal Government;
(2) Ensure the greatest possible public benefit from and maximize the utility of information created, collected, maintained, used, shared and disseminated by or for the Federal Government;
(3) Coordinate, integrate, and to the extent practicable and appropriate, make uniform Federal information resources management policies and practices as a means to improve the productivity, efficiency, and effectiveness of Government programs, including the reduction of information collection burdens on the public and the improvement of service delivery to the public;
(4) Improve the quality and use of Federal information to strengthen decision making, accountability, and openness in Government and society;
(5) Minimize the cost to the Federal Government of the creation, collection, maintenance, use, dissemination, and disposition of information;
(6) Strengthen the partnership between the Federal Government and State, local, and tribal governments by minimizing the burden and maximizing the utility of information created, collected, maintained, used, disseminated, and retained by or for the Federal Government;
(7) Provide for the dissemination of public information on a timely basis, on equitable terms, and in a manner that promotes the utility of the information to the public and makes effective use of information technology;
(8) Ensure that the creation, collection, maintenance, use, dissemination, and disposition of information by or for the Federal Government is consistent with applicable laws, including laws relating to--
(A) Privacy and confidentiality, including section 552a of title 5;
(B) Security of information, including the Computer Security Act of 1987 (Public Law 100-235); and
(C) Access to information, including section 552 of title 5;
(9) Ensure the integrity, quality, and utility of the Federal statistical system;
(10) Ensure that information technology is acquired, used, and managed to improve performance of agency missions, including the reduction of information collection burdens on the public; and
(11) Improve the responsibility and accountability of the Office of Management and Budget and all other Federal agencies to Congress and to the public for implementing the information collection review process, information resources management, and related policies and guidelines established under this chapter.
Principles of Federal Appropriations Law
- Authorship: Government Accountability Office (GAO)
- Publication Date:
- Status: Active
- Resource Type: Governance
- Sub-Resource Type: Policy
- Information: Acquisitions, Appropriations, Governance
The Government Accountability Office (GAO), "Principles of Federal Appropriations Law", also known as the Red Book, is GAO's multi-volume treatise concerning federal fiscal law. The Red Book provides text discussion with reference to specific legal authorities to illustrate legal principles, their application, and exceptions. These references include GAO decisions and opinions, judicial decisions, statutory provisions, and other relevant sources.
Security Authorization of Information Systems in Cloud Computing Environments
- Authorship: Office of Management and Budget (OMB)
- Publication Date:
- Status: Superseded
- Resource Type: Governance
- Sub-Resource Type: Memorandum
- Information: Governance, Management, Operations, Security
Superseded by M-24-15, “Modernizing the Federal Risk and Authorization Management Program (FedRAMP)”
The "Office of Management and Budget (OMB) Memorandum 2011 12 08: Security Authorization of Information Systems in Cloud Computing Environments" establishes the Federal policy for the protection of Federal information in cloud services; describes the key components of Federal Risk and Authorization Management Program (FedRAMP) and its operational capabilities; defines the Executive department and agency responsibilities in developing, implementing, operating, and maintaining FedRAMP; and defines the requirements for Executive departments and agencies using FedRAMP in the acquisition of cloud services.