Major Information System

Summary

Status: Barely Active

The term “major information system” was introduced in a 1980 law to require federal agencies to maintain a list of the important information systems under their control. While the term itself was never defined in law, Office of Management and Budget (OMB) policy generally defined it as an information system that is important to an agency’s mission or has a significant cost or impact.

Originally, the term “major information system” was used to designate the subset of the agency’s systems that were “significant” in some way. In particular, agencies were required to maintain an inventory of such systems and to keep the inventory updated. In addition, early management requirements, such as ensuring the security of information systems, only covered “major” information systems. However, subsequent laws, such as the Federal Information Security Management Act of 2002 (FISMA), and guidance from OMB eventually enforced these requirements on all systems, major or not.

Today, a system being designated as a “major information system” generally only implies two unique requirements that haven’t been duplicated in other laws or federal requirements:

  1. Per the Electronic Freedom of Information Act of 1996, an agency’s list of major information systems, including descriptions of those systems, must be made publicly available. Such lists are generally published by agencies’ Freedom of Information Act (FOIA) offices.
  2. Per OMB M-03-22, Privacy Impact Assessments (PIAs) of major information systems must reflect a more extensive analysis than PIAs of other systems.

Discussion

The term “major information system” was first used in the Paperwork Reduction Act of 1980 (PRA), the law that aimed to reduce paperwork burdens and improve the federal government’s information management activities. The PRA required OMB to “establish standards and requirements for agency audits of all major information systems,” with exceptions for systems used to conduct criminal investigations or intelligence activities, and required each federal agency to “systematically inventory its major information systems and periodically review its information management activities[.]” [1]

Importantly, the PRA did not actually define “major information system”; it only defined “information systems” as meaning “management information systems.” The first definition of a major information system came in 1985, in the first issuance of OMB Circular A-130, Management of Federal Information Resources, which defined a major information system as:

An information system that requires special continuing management attention because of its importance to an agency mission; its high development, operating or maintenance costs; or its significant impact on the administration of agency programs, finances, property, or other resources.

The concept of major information systems received little legislative attention until a decade later, when the PRA’s successor, the Paperwork Reduction Act of 1995, was signed into law. [2] The updated PRA directed OMB, in consultation with the National Institute of Standards and Technology (NIST), to:

Develop and oversee the implementation of policies, principles, standards, and guidelines for information technology functions and activities of the Federal Government, including periodic evaluations of major information systems.

The 1995 edition of the PRA also directed federal agencies to:

Assume responsibility for maximizing the value and assessing and managing the risks of major information systems initiatives through a process that is integrated with the budget, financial, and program management decisions and used to select, control, and evaluate the results of major information systems initiatives.

Following the PRA update in 1995, the Electronic Freedom of Information Act of 1996 amended the Freedom of Information Act (FOIA) and codified in 5 U.S.C. § 552(g) the requirement that:

The head of each agency shall prepare and make available for public inspection and in electronic format, reference material or a guide for requesting records or information from the agency, subject to the exemptions in subsection (b), including—

(1) an index of all major information systems of the agency;

(2) a description of major information and record locator systems maintained by the agency[.] [3]

In November 2002, the Homeland Security Act of 2002 (HSA) codified a requirement for agencies to maintain an inventory of information systems, with no “major” qualifier, in 44 U.S.C. § 3505(c). Less than a month later, and likely in error, the Federal Information Security Management Act (FISMA) resulted in a duplicate § 3505(c) being codified, the sole difference being that FISMA’s version of § 3505(c) specifies “major” information systems. In both versions, § 3505(c) requires that federal agencies develop and maintain an inventory of (major) information systems that is updated annually, made available to the Comptroller General, and used to support information resource management activities. [4] OMB’s annual FISMA guidance throughout the 2000s treated FISMA’s § 3505(c) as controlling, requiring agencies to maintain inventories only of major information systems. [5] Starting in 2012, however, OMB’s FISMA guidance dropped the “major” qualifier. Because FISMA applies to all information systems regardless, agencies functionally were, and are, required to maintain an inventory of all systems to comply with FISMA. [6]

There was initial ambiguity after FISMA as to whether systems other than major information systems were required to be assessed and authorized (then called “certified and accredited”). [7] However, as OMB clarified in subsequent guidance, FISMA’s annual-assessment and authorization requirements apply to all systems, “major” or not. [8]

OMB’s guidance on the E-Government Act’s requirement to conduct Privacy Impact Assessments (PIAs), OMB M-03-22, specifically required that PIAs conducted for major information systems:

Reflect more extensive analyses of (1) the consequences of collection and flow of information; (2) the alternatives to collection and handling as designed; (3) the appropriate measures to mitigate risks identified for each alternative; and (4) the rationale for the final design choice or business process.

The most recent guidance as of 2024 for major information systems comes from the 2016 revision of OMB Circular A-130, renamed Managing Information as a Strategic Resource. With this circular, the definition of major information system was broadened to:

A system that is part of an investment that requires special management attention as defined by OMB guidance and agency policies, a “major automated information system” as defined in 10 U.S.C. § 2445, or a system that is part of a major acquisition as defined in the OMB Circular A-11, Capital Programming Guide, consisting of information resources.

Interestingly, this revised definition of “major information system” carried the original definition (i.e., a system that requires “special management attention”) as a footnote. In practice, the distinction between an “information system” and a “major information system” carries little weight as of 2016, since, as the Circular states, “all information systems are subject to the requirements of [FISMA] whether or not they are designated as a major information system.”

Since 2016, there have been no legal or policy changes to major information systems or their requirements. The term itself sees little use outside of FOIA offices, which often post a listing of their agency’s major information systems online.


  1. This specific provision was repealed in the Paperwork Reduction Act of 1995, but the inventory requirement was preserved, given the remaining “requirement that agencies inventory their major information systems by virtue of its reference to § 3511, which requires the OMB Director to establish and maintain an ‘electronic Government Information Locator Service [“GILS”] … which shall identify the major information systems, holdings, and dissemination products of each agency.’” See Public Citizen, Inc. v. Lew, 127 F. Supp. 2d 1 (D.D.C. 2000). The Government Information Locator Service (GILS) provision itself, and its use of “major information systems,” was removed by the Foundations for Evidence-Based Policymaking Act of 2018. Compare 44 U.S.C. § 3511 (2018) and 44 U.S.C. § 3511 (2024).
  2. The Paperwork Reduction Act was reauthorized in 1986 with minor changes, which are not discussed here. See Public Law 99-500.
  3. OMB provided implementing guidance for this in M-98-09.
  4. FISMA was enacted as Title III of the E-Government Act of 2002, which was signed into law in December 2002 and codified in 44 U.S.C. §§ 3541–3549. The Homeland Security Act of 2002 contained an earlier version of FISMA’s contents with slight differences; that version was superseded by the E-Government Act’s Title III.
  5. For example, see OMB’s FISMA reporting guidance in M-04-25. M-11-33 was the last instance of OMB’s FISMA reporting guidance specifying “major” information systems; the next year’s guidance, M-12-20, dropped the “major” qualifier.
  6. For example, see OMB M-11-33 (addressing the requirement to authorize systems): “Security authorizations are required for all Federal information systems. Section 3544(b)(3) of FISMA refers to ‘subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems’ and does not distinguish between major or other applications.” (Emphasis added.)
  7. For example, the Supplemental Guidance for the security control CA-2, Security Assessments, in the initial release of NIST SP 800-53 (2005), referenced “the FISMA requirement that the management, operational, and technical controls in each information system contained in the inventory of major information systems be tested with a frequency depending on risk, but no less than annually.”
  8. See OMB M-06-20: “Certification and accreditation is required for all systems. Section 3544(b)(3) of FISMA refers to ‘subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems’ and does not distinguish between major or other applications.” (Emphasis added.)