MEMORANDUM FOR THE HEADS OF DEPARTMENTS AND AGENCIES
Jacob J. Lew
Incorporating and Funding Security in Information Systems Investments
This memorandum reminds agencies of the Office of Management and Budget's (OMB)
principles for incorporating and funding security as part of agency information technology
systems and architectures and of the decision criteria that will be used to evaluate security for
information systems investments. The principles and decision criteria are designed to highlight
our existing policy and thereby foster improved compliance with existing security obligations;
this memorandum does not constitute new security policy. OMB plans to use the principles as
part of the FY 2002 budget process to determine whether an agency's information systems
investments include adequate security plans.
Protecting the information and systems that the Federal government depends on is important as
agencies increasingly rely on new technology. Agencies are working to preserve the integrity,
reliability, availability, and confidentiality of important information while maintaining their
information systems. The most effective way to protect information and systems is to
incorporate security into the architecture of each. This approach ensures that security supports
agency business operations, thus facilitating those operations, and that plans to fund and manage
security are built into life-cycle budgets for information systems.
This memorandum is written pursuant to the Information Technology Management Reform Act
(the Clinger-Cohen Act) which directs OMB to develop, as part of the budget process, a
mechanism to analyze, track, and evaluate the risks and results of major capital investments made
by an executive agency for information systems. Additionally, the Clinger-Cohen Act calls for
OMB to issue clear and concise direction to ensure that the information security policies,
processes, and practices of the agencies are adequate. These criteria will be incorporated into
future revisions of OMB Circular A-130 ("Management of Federal Information Resources") and
should be used in conjunction with previous OMB guidance on sound capital planning and
investment control in OMB Memorandum 97-02, "Funding Information Systems Investments";
OMB Memorandum 97-16, "Information Technology Architectures"; and subsequent updates.
Security programs and controls implemented under this memorandum should be consistent with
the Computer Security Act, the Paperwork Reduction Act, the Clinger-Cohen Act, and OMB
Circular A-130. They should also be consistent with security guidance issued by the National
Institute of Standards and Technology (NIST). Security controls for national security
telecommunications and information systems should be implemented in accordance with
appropriate national security directives.
The principles outlined below will support more effective agency implementation of both agency
computer security and critical information infrastructure protection programs. In terms of Federal
information systems, critical infrastructure protection starts with an effort to prioritize key
systems (e.g., those that are most critical to agency operations). Once systems are prioritized,
agencies apply OMB policies and, for non-national security applications, NIST guidance to
achieve adequate security commensurate with the level of risk and magnitude of likely harm.
Agencies should develop security programs and incorporate security and privacy into information
systems with attention to the following principles:
Effective security is an essential element of all information systems.
Effective privacy protections are essential to all information systems, especially those that
contain substantial amounts of personally identifiable information. The use of new
information technologies should sustain, and not erode, the privacy protections provided in all
statutes and policies relating to the collection, use, and disclosure of personal information.
The increase in efficiency and effectiveness that flows from the use of interconnected
computers and networks has been accompanied by increased risks and potential magnitude of
loss. The protection of Federal computer resources must be commensurate with the risk of
harm resulting from any misuse or unauthorized access to such systems and the information
flowing through them.
Security risks and incidents must be managed in a way that complements and does not
unnecessarily impede agency business operations. By understanding risks and implementing
an appropriate level of cost-effective controls, agencies can reduce risk and potential loss
A strategy to manage security is essential. Such a strategy should be based on an ongoing
cycle of risk management and should be developed in coordination with and implemented by
agency program officials. It should identify significant risks, clearly establish responsibility
for reducing them, and ensure that risk management remains effective over time.
Agency program officials must understand the risk to systems under their control and
determine the acceptable level of risk, ensure that adequate security is maintained to support
and assist the programs under their control, and ensure that security controls comport with
program needs and appropriately accommodate operational necessities. In addition, program
officials should work in conjunction with Chief Information Officers and other appropriate
agency officials so that security measures support agency information architectures.
Security should be built into and funded as part of the system architecture. Agencies should make
security's role explicit in information technology investments and capital programming. These
actions are entirely consistent with and build upon the principles outlined in OMB Memorandum
97-02. Accordingly, investments in the development of new or the continued operation of
existing information systems, both general support systems and major applications, proposed for
funding in the President's budget must:
1. Be tied to the agency's information architecture. Proposals should demonstrate that the
security controls for components, applications, and systems are consistent with and an integral
part of the information technology architecture of the agency.
2. Be well-planned, by:
a) Demonstrating that the costs of security controls are understood and are explicitly
incorporated in the life-cycle planning of the overall system in a manner consistent with
OMB guidance for capital programming.
b) Incorporating a security plan that discusses:
the rules of behavior for the system and the consequences for violating those rules;
personnel and technical controls for the system;
methods for identifying, appropriately limiting, and controlling interconnections with other
systems and specific ways such limits will be monitored and managed;
procedures for the on-going training of individuals that are permitted access to the system;
procedures for the on-going monitoring of the effectiveness of security controls;
procedures for reporting and sharing with appropriate agency and government authorities
indications of attempted and successful intrusions into agency systems;
provisions for the continuity of support in the event of system disruption or failure.
3. Manage risks, by:
a) Demonstrating specific methods used to ensure that risks and the potential for loss are
understood and continually assessed, that steps are taken to maintain risk at an acceptable
level, and that procedures are in place to ensure that controls are implemented effectively
and remain effective over time.
b) Demonstrating specific methods used to ensure that the security controls are
commensurate with the risk and magnitude of harm that may result from the loss, misuse,
or unauthorized access to or modification of the system itself or the information it
c) Identifying additional security controls that are necessary to minimize risks to and
potential loss from those systems that promote or permit public access, other externally
accessible systems, and those systems that are interconnected with systems over which
program officials have little or no control.
4. Protect privacy and confidentiality, by:
a) Deploying effective security controls and authentication tools consistent with the
protection of privacy, such as public-key based digital signatures, for those systems that
promote or permit public access.
b) Ensuring that the handling of personal information is consistent with relevant
government-wide and agency policies, such as privacy statements on the agency's web
5. Account for departures from NIST Guidance. For non-national security applications, to
ensure the use of risk-based cost-effective security controls, describe each occasion when
employing standards and guidance that are more stringent than those promulgated by the National
Institute for Standards and Technology.
In general, OMB will consider new or continued funding only for those system investments that
satisfy these criteria and will consider funding information technology investments only upon
demonstration that existing agency systems meet these criteria. Agencies should begin now to
identify any existing systems that do not meet these decision criteria. They should then work
with their OMB representatives to arrive at a reasonable process and timetable to bring such
systems into compliance. Agencies should begin with externally accessible systems and those
interconnected systems that are critical to agency operations. OMB staff are available to work
with you if you or your staff have questions or need further assistance in meeting these