U.S. makes long overdue updates to federal information policy
Today, in a blog post at WhiteHouse.gov, the United States government updated its official policy for how it manages information. The document in question, “Circular A-130,” was first written in 1985. The last time significant changes were made, it was 2000. It’s been an internet millennium since then, and “managing federal information as a strategic resource” has only become more crucial as the years have gone by. Sunlight has been calling on the White House to improve federal document management since our founding, hailing improvements in federal technology strategy – while highlighting continued omissions.
The revisions to the circular reflects changes in both the law and rapid advances in technology, as detailed in the fact sheet by Tony Scott, U.S. chief information officer, Howard Shelanski, the administrator of the Office of Information and Regulatory Affairs, Anne Rung, the U.S. chief acquisition officer, and Marc Groman, the senior advisor for privacy at the White House Office of Management and Budget.
Federal circulars may feel dry to the general public, but they have immense relevance to how our government manages and discloses the expanding volumes of data it collects and protects on our behalf. That’s why updates that specifically focus on how we build and buy technology, manage records, ensure security, protect privacy, and create and release open data are all important and worth celebrating. “Real-time knowledge of the environment,” “proactive risk management” and “shared responsibility” for privacy and security are useful priorities.
We are also pleased to see that proposed updates to A-130 were made in an open and collaborative manner, using the internet as a platform for distributing proposed changes and collecting public input into policy, with the comment period extended upon request. Public comments from public interest advocates, corporations and individuals are all available for review on Github, along with discussion threads regarding the proposals. While it is no longer a novelty to see the White House soliciting, accepting and merging pull requests into a policy document in the open, the exposure of what used to be a paper-based process to public scrutiny represents valuable progress. We hope that the White House will highlight to the public where public comment led to a shift in policy more effectively in the future.
What’s missing from the White House blog post is a strong, explicit commitment to enforce this policy at all federal agencies, or acknowledgment that oversight on this count has not been rigorous over the past decade. It’s not enough to issue memoranda. Continuous monitoring of network security has been an obvious need for many years, particularly as services move to the internet, but agencies have been slow to move from checkbox compliance to ongoing risk assessments based upon threat models of state and non-state actors. While the intrusion and exfiltration of sensitive data in background checks from the Office of Personnel Management is the most high-profile, damaging example of the challenges here, particularly with respect to encrypting data at rest or in motion, every agency needs to improve its stance here.
As the nation prepares for a presidential transition, it will be critical for whoever occupies the Oval Office next to implement these updated policies with care, speed and accountability across the federal bureaucracy. Sunlight is particularly concerned about the open data provisions, which have a significant bearing on national priorities that range from public knowledge to efficient and effective governance to reducing waste and identifying corruption.
We look forward to the publication of the updated circular in the Federal Register and will link to it here and comment further, if necessary when the full document is available online.
UPDATE: Circular A-130 (PDF) remains available online through the National Archives, which provides public access to policy documents promulgated under the Obama White House.