OMB Circular A-130, Managing Information as a Strategic Resource (July 28, 2016)
This Circular establishes general policy for the planning, budgeting, governance, acquisition, and management of Federal information, personnel, equipment, funds, IT resources, and supporting infrastructure and services. Among other things, it establishes that Federal agencies’ privacy programs have responsibilities under the Risk Management Framework.
OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control (July 15, 2016)
This Circular defines management’s responsibilities for enterprise risk management (ERM) and internal control. The Circular provides updated implementation guidance to Federal managers to improve accountability and effectiveness of Federal programs and mission-support operations through implementation of ERM practices and by establishing, maintaining, and assessing internal control effectiveness. Among other things, it provides considerations for managing privacy risks in Federal programs.
OMB Memorandum M-16-24, Role and Designation of Senior Agency Officials for Privacy (September 15, 2016)
This Memorandum revises policies on the role and designation of the SAOP. Among other things, it require the SAOP to manage privacy risks associated with any agency activities that involve the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of PII by programs and information systems.
OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (September 26, 2003)
This Memorandum provides information to agencies on implementing the privacy provisions of the E-Government Act of 2002. Among other things, it includes policies and guidelines for when and how to conduct a PIA.
A PIA is an analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; (ii) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system; and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.
NIST Special Publication 800-37 (Rev. 2), Risk Management Framework for Information Systems and Organizations (December 20, 2018)
This Special Publication describes the Risk Management Framework (RMF) and provides guidelines for applying the RMF to information systems and organizations. Among other things, it describes the relationship between information security programs and privacy programs under the RMF.