Policies
Review the federal policies that impact and shape the implementations of ICAM programs and systems.
This memorandum sets forth _temporary procedures_ for the vetting and appointment of federal personnel, collection of biometrics for federal employment, and employment authorization and eligibility.
This memorandum directs that agencies utilize technology to the greatest extent practicable to support mission continuity during the national emergency. By aggressively embracing technology to support business processes, the federal government is better positioned to maintain the safety and well-being of the federal workforce and the American public while supporting the continued delivery of vital mission services. The set of _frequently asked questions_ are intended to provide additional guidance and further assist the IT workforce as it addresses impacts.
This memorandum sets forth the federal government’s ICAM policy. To ensure secure and efficient operations, agencies of the federal government must be able to identify, credential, monitor, and manage subjects that access federal resources. This includes information, information systems, facilities, and secured areas across their respective enterprises. In particular, how agencies conduct identity proofing, establish enterprise digital identities, and adopt sound processes for authentication and access control significantly affects the security and delivery of their services as well as individuals’ privacy.
With the creation of the HVA initiative in 2015, the federal government's CFO Act agencies took a pivotal step toward the identification of its most critical assets. DHS, in coordination with OMB, established a capability to assess agency HVAs, resulting in the identification of critical areas of weakness and plans to remediate those areas of weakness. It established three possible categories for designating federal information or a federal information system as an HVA: Informational Value, Mission Essential, or Federal Civilian Enterprise Essential (FCEE). It also updates the required approach for agencies to report, assess, and remediate HVAs to protect against cyberattacks.
This executive order authorizes federal agency CIOs to ensure that agency IT systems are as modern, secure, and well-managed as possible to reduce costs, mitigate cybersecurity risks, and deliver improved services to the American people.
This executive order places an emphasis on modernizing and securing federal networks and critical infrastructure from the ever-growing threat of cyberattacks.
This circular describes agency responsibilities for implementing the review, reporting, and publication requirements of the Privacy Act of 1974 and related OMB policies.
Information and IT resources are critical to the U.S. social, political, and economic well-being. They enable the federal government to provide quality services to citizens, generate and disseminate knowledge, and facilitate greater productivity and advancement as a nation. It is important for the federal government to maximize the quality and security of federal information systems and to develop and implement uniform and consistent information resources management policies in order to inform the public and improve the productivity, efficiency, and effectiveness of agency programs. Additionally, as technology evolves, it is important that agencies manage information systems in a way that addresses and mitigates security and privacy risks associated with new IT resources and new information processing capabilities.
The policy changes in this circular modernize existing efforts by requiring agencies to implement an ERM capability coordinated with the strategic planning and strategic review process established by the Government Performance and Results Act Modernization Act (GPRAMA) and the internal control processes required by the Federal Managers' Financial Integrity Act (FMFIA) and the Government Accountability Office (GAO)'s Green Book. This integrated governance structure will improve mission delivery, reduce costs, and focus corrective actions toward key risks.
OMB M-15-13 calls for all publicly accessible Federal websites and web services to only provide service through a secure connection (Hypertext Transfer Protocol Secure; HTTPS) and to use <a href="https://https.cio.gov/hsts/" target="_blank" rel="noopener noreferrer">HTTP Strict Transport Security (HSTS)</a> to ensure this. The requirement applies to all public domains and subdomains operated by the federal government, regardless of the domain suffix, as long as they are reachable over HTTP/HTTPS on the public internet. The <a href="https://https.cio.gov/guide/#are-federally-operated-certificate-revocation-services-crl-ocsp-also-required-to-move-to-https" target="_blank" rel="noopener noreferrer">Compliance Guide":" HTTPS-Only Standard</a> provides implementation guidance from the White House Office of Management and Budget for agencies as they manage their transition to HTTPS.
This executive order requires agencies to strengthen the security of consumer data and encourage the adoption of enhanced safeguards nationwide in a manner that protects privacy and confidentiality while maintaining an efficient and innovative financial system.
This memorandum provides final government-wide credentialing standards to be used by all federal departments and agencies in determining whether to issue or revoke PIV credentials to their employees and contractor personnel, including those who are non-United States citizens.
This memorandum provides implementation instructions for HSPD-12 and Federal Information Processing Standards (FIPS) 201.
HSPD-12 calls for a mandatory, government-wide standard for secure and reliable forms of identification issued by the federal government to its employees and employees of federal contractors for access to federally controlled facilities and networks.
