OMB Circular A-71 Transmittal Memorandum No. 1

Summary

The Office of Management and Budget (OMB) Circular No. A-71, Transmittal Memorandum No. 1 (TM1), Security of Federal Information Systems, is the initial federal guidance mandating computer security requirements for federal information systems outside of agencies associated with military and intelligence activities. This Circular mandates, among other things, that agencies establish computer security programs, implement security controls for computer systems that contain sensitive data, and assess and authorize such computer systems at least every three years.

Many of today’s federal information security requirements, such as the performance of periodic assessments and authorizations and the establishment of system contingency plans, can be traced back to this Circular. The contents of this Circular were eventually superseded by OMB’s Circular A-130 (1985), which built upon the foundations laid by Circular A-71 TM1.

Section-by-Section Analysis

The following sections summarize the contents of each section of the Circular.

Section 1. Purpose

The purpose of the Office of Management and Budget (OMB) Circular No. A-71, Transmittal Memorandum No. 1, was “to promulgate policy and responsibilities for the development and implementation of computer security programs by executive branch departments and agencies.”

Specifically, Circular A-71:

  1. Assigned computer security responsibilities to the Department of Commerce (DOC), the General Services Administration (GSA), the Civil Service Commission (now the Office of Personnel Management), and all other federal agencies;
  2. Established requirements for the development of security controls to safeguard sensitive data in federal computer systems;
  3. Required agencies to implement a computer security program and abide by a minimum set of security controls to be applied;
  4. Required DOC to develop and issue security standards and guidelines;
  5. Required GSA to issue policies and regulations regarding the physical security of computer rooms; ensure that federal computer acquisitions contain security requirements; and assure that all GSA procurements meet the security requirements established by the agency seeking the procurement; and
  6. Required the Civil Service Commission to establish personnel security policies regarding computer systems.

Section 2. Background

OMB states it issued Circular A-71 TM1 due to “public concerns” regarding the risks associated with computer systems that process sensitive data. In addition, OMB notes that computers are misused “to perpetuate crime,” and that poorly designed computer systems have resulted in “unnecessary purchases and other improper actions.”

Section 3. Definitions

The following definitions are provided:

Automated decisionmaking systems: Computer applications which issue checks, requisition supplies, or perform similar functions based on programmed criteria, with little human intervention.

Contingency plans: Plans for emergency response, back-up operations, and post-disaster recovery.

Security specifications: A detailed description of the safeguards required to protect a sensitive computer application.

Sensitive application: A computer application which requires a degree of protection because it processes sensitive data or because of the risk and magnitude of loss or harm that could result from improper operation or deliberate manipulation of the application (e.g., automated decisionmaking systems).

Sensitive data: Data which requires a degree of protection due to the risk and magnitude of loss or harm which could result from inadvertent or deliberate disclosure, alteration, or destruction of the data (e.g., personal data, proprietary data).

Section 4. Responsibility of the Heads of Executive Agencies

The heads of executive agencies are assigned the responsibility of “assuring an adequate level of security for all agency data whether processed in-house or commercially.” Specifically, this is inclusive of data that is sensitive but “not subject to national security regulations.”

Agency heads are required to assign responsibility for the security of each computer system operated by the agency, including those operated directly or on behalf of the agency (e.g., government-owned contractor-operated facilities). The responsibility must be assigned to “a management official knowledgeable in data processing and security matters.”

Agencies must establish personnel security policies for screening individuals involved in designing, operating, and/or maintaining computer systems or who have access to federal data in computer systems. Such personnel screening must generally be “commensurate with the sensitivity of the data to be handled and the risk and magnitude of loss or harm that could be caused by the individual.” Policies should be established for both government and contractor personnel, and must be consistent with policies issued by the Civil Service Commission.

Security controls must be incorporated into all new computer applications and any significant modifications to existing computer applications. Sensitive computer applications (i.e., “those which will process sensitive data or which will have a high potential for loss”) must include, at a minimum, the following:

  1. Defined and approved security specifications prior to the initial programming of the application or in changes thereafter.
  2. Conducting and approving design reviews and application tests prior to operation. The results of such reviews and tests must be “fully documented and maintained as part of the official records of the agency.” After such tests are conducted, an agency official must “certify that the system meets the documented and approved system security specifications, meets all applicable Federal policies, regulations, and standards, and that the results of the test demonstrate the security provisions are adequate for the application.”[1]

An agency-wide program for conducting periodic audits or evaluations must be established, to include the recertification of the adequacy of the security safeguards of each operational sensitive application. Such audits must be conducted by an organization independent of “the user organization and computer facility manager.” Recertifications must be documented and maintained as part of the agency’s official records. Audits and recertification must be performed at least every three years.

Security requirements must be included in acquisitions of computer systems or related services (e.g., equipment and facilities). The official assigned responsibility for a computer system is responsible for reviewing and approving acquisitions to certify that the included security requirements are “reasonably sufficient” and “comply with current Federal computer security policies, procedures, standards and guidelines.”

Periodic risk analyses for each computer system must be performed. The risk analysis should “provide a measure of the relative vulnerabilities at the installation so that security resources can effectively be distributed to minimize the potential loss.” Risk analyses must be performed:

  1. Prior to the approval of design specifications for new computer installations;
  2. Whenever there is a significant change to the facility, hardware, or software, with the definition of “significant change” being determined by agencies in a way “commensurate with the sensitivity of the information processed”; and
  3. At periodic intervals, but no less frequently than every five years.

Contingency plans must be developed in accordance with agency-established policies and responsibilities. Contingency plans should “provide reasonable continuity of data processing support should events occur which prevent normal operations.” Such plans “should be reviewed and tested at periodic intervals commensurate with the risk and magnitude of loss or harm which could result from disruption of data processing support.”[2]

Section 5. Responsibility of the Department of Commerce

The Secretary of the Department of Commerce (DOC) must develop and issue standards and guidelines for assuring the security of computer systems. Such standards must identify:

  1. Whether the standard is mandatory or voluntary;
  2. Specific implementation actions agencies are required to take;
  3. The time at which implementation is required;
  4. A process for monitoring implementation of each standard and evaluating its use;
  5. The procedure for agencies to obtain a waiver to the standard and the conditions or criteria under which it may be granted.

Section 6. Responsibility of the General Services Administration

The General Services Administration (GSA) must:

  1. Issue policies and regulations, consistent with any relevant DOC-issued standards and guidelines, for the physical security of computer rooms in federal buildings;
  2. Ensure agency procurement requests for computers and related equipment and services include security requirements certified by a responsible agency official;
  3. Ensure that specifications for computer hardware, software, related services, or the construction of computer facilities are consistent with DOC-issued standards and guidelines; and
  4. Ensure that computer equipment, software, facilities, services, and related items procured by GSA on behalf of an agency meet the security requirements of the agency and the security requirements of other applicable policies and procedures issued by the Office of Management and Budget (OMB), the Civil Service Commission, and DOC.

Section 7. Responsibility of the Civil Service Commission

The Chairman of the Civil Service Commission must establish personnel security policies for federal personnel associated with the design, operation, or maintenance of federal computer systems. The policies “should emphasize personnel requirements to adequately protect personnel, proprietary or other sensitive data,” as well as “other sensitive applications not subject to national security regulations.” The policies should vary commensurate with the sensitivity of the data and the risk and magnitude of loss or harm that could be caused by the individual. Checks can range from normal re-screening procedures to full background investigations.

Section 8. Reports

Within 60 days of the issuance of the Circular, the Department of Commerce (DOC), General Services Administration (GSA), and Civil Service Commission were required to submit “plans and associated resource estimates for fulfilling the responsibilities specifically assigned in this memorandum” to OMB.

Within 12 days of the issuance of the Circular, each executive branch agency was required to submit “plans and associated resource estimates for implementing a security program consistent with the policies specified herein” to OMB.

Section 9. Inquiries

This section directs those with questions regarding the Circular to contact OMB’s Information Systems Policy Division via phone.

  [1] Today, this activity is referred to as assessment and authorization, and such an “agency official” is referred to as an authorizing official.
  [2] Unlike other activities in Circular A-71 TM1, no minimum frequency is defined for contingency plan testing.