The IT Law Wiki


Office of Management and Budget, OMB Circular No. A-130: Management of Federal Information Resources (July 28, 2016) (full-text).


OMB Circular No. A-130 establishes policies for the management of federal information resources, as required by the Paperwork Reduction Act of 1980.[1]

General policies[]

The Circular sets forth a number of general policies concerning the protection of personal privacy by the federal government:

  • The individual’s right of privacy must be protected in federal government information activities involving personal information.[2]
  • Agencies shall consider the effects of their actions on the privacy rights of individuals and ensure that appropriate legal and technical safeguards are implemented.[3]
  • Agencies have a responsibility to provide information to the public consistent with their missions. Agencies shall discharge this responsibility by providing (a) information as required by law. . .; and (b) access to agency records under provisions of FOIA and the Privacy Act, subject to the protections and limitations provided for in these Acts.[4]
  • Agencies shall limit the collection of information that identifies individuals to that which is legally authorized and necessary for the proper performance of agency functions.[5]
  • Agencies shall provide individuals, upon request, access to records about them maintained in Privacy Act systems of records, and permit them to amend such records as are in error consistent with the provisions of the Privacy Act.[6]

2016 Revision[]

In 2016, the OMB revised the Circular to reflect changes in law and advances in technology. The revisions also ensure consistency with executive orders, presidential directives, recent OMB policy, and National Institute of Standards and Technology standards and guidelines.

The Circular establishes general policy for information governance, acquisitions, records management, open data, workforce, security, and privacy. It also emphasizes the role of both privacy and security in the Federal information life cycle. Importantly, it represents a shift from viewing security and privacy requirements as compliance exercises to understanding security and privacy as crucial elements of a comprehensive, strategic, and continuous risk-based program at Federal agencies.

When implemented by agencies, these revisions to the Circular will promote innovation, enable appropriate information sharing, and foster the wide-scale and rapid adoption of new technologies while strengthening protections for security and privacy.

Appendix I[]

Appendix I to OMB Circular No. A-130 ("Federal Agency Responsibilities for Maintaining Records About Individuals") describes agency responsibilities relating to the Privacy Act, as amended by the Computer Matching and Privacy Protection Act of 1988, for maintaining records about individuals. This guidance establishes policies for the management of federal information resources, as required by the Paperwork Reduction Act of 1980, as amended.

Appendix I requires the head of the agency to review the following:

  • every 2 years, a random sample of agency contracts that provide for the maintenance of a system of records to ensure the contract makes the Privacy Act provision binding on the contractor and his or her employees;
  • every 4 years, the routine use disclosures associated with each system of records to ensure the recipient’s use of such records are compatible with the purpose for which the disclosing agency collected the information; and
  • biennially, agency training practices in order to ensure that agency personnel are familiar with the act and the agency’s implementing regulation.[7]

Appendix III[]

Appendix III to OMB Circular No. A-130 ("Security of Federal Automated Information Systems") describes a minimum set of controls to be included in federal automated information security programs; assigns federal agency responsibilities for the security of automated information; and links agency automated information security programs and agency management control systems established in accordance with OMB Circular No. A-123.


  1. Pub. L. No. 96-511, as amended.
  2. OMB Circular No. A-130, §7g (Feb. 1996).
  3. Id. §8a1(i).
  4. Id. §8a5.
  5. Id. §8a9(b).
  6. Id. §8a9(d).
  7. See Section 3 of Appendix I to OMB Circular No. A-130 for a complete list of reviews an agency is to conduct relating to the Privacy Act.