Cybersecurity
Zero trust mandates, logging requirements, software supply chain security, and incident response directives.
Policy to Require Secure Connections Across Federal Websites
Mandates the use of HTTPS for all publicly accessible federal websites and web services. Requires agencies to deploy HTTPS with HSTS (HTTP Strict Transport Security) preloading. Eliminates the use of unencrypted HTTP for any government web traffic.
Preparing for and Responding to a Breach of Personally Identifiable Information
Establishes federal policy for preparing for and responding to PII data breaches. Defines breach response procedures, notification requirements, risk assessments, and the roles of agency breach response teams. Requires breach response plans and training.
Improving Investigative and Remediation Capabilities Related to Cybersecurity Incidents
Establishes logging maturity tiers (EL0-EL3) for federal agencies with specific requirements for log categories, retention periods (72-hour active, 12-month cold), and centralized access. Issued in response to the SolarWinds incident to improve incident investigation capabilities.
Improving Detection of Cybersecurity Vulnerabilities and Incidents
Mandates that agencies improve detection capabilities through endpoint detection and response (EDR) deployment, vulnerability disclosure policies, and improved information sharing with CISA. Requires EDR on all federal civilian endpoints.
Moving the U.S. Government Toward Zero Trust Cybersecurity Principles
Mandates that federal agencies achieve specific zero trust security goals by the end of FY2024 across five pillars: identity, devices, networks, applications/workloads, and data. Requires phishing-resistant MFA, encrypted DNS, and micro-segmentation.
Enhancing Software Supply Chain Security
Implements EO 14028 requirements for software supply chain security. Requires software producers to self-attest to NIST SSDF (SP 800-218) practices and provide SBOMs. Establishes timelines for critical and non-critical software attestation.
The Registration and Use of .gov Domains
Requires federal agencies to use .gov or .mil domains for all official public-facing digital services. Mandates HTTPS, email authentication (DMARC, SPF, DKIM), and DNS security for all government domains.
Securing Open Source Software in the Federal Government
Provides guidance on securely using open source software in federal systems. Requires agencies to maintain inventories of OSS, contribute to the security of critical OSS projects, and apply supply chain risk management practices to open source dependencies.
Information Technology
Cloud strategy, digital experience, AI governance, IPv6 transition, and data center optimization.
Data Center Optimization Initiative (DCOI)
Directs agencies to consolidate and optimize federal data centers in alignment with FITARA. Establishes targets for data center closure, virtualization, server utilization, energy efficiency, and cost savings. Requires agencies to report progress quarterly.
Shifting from Cloud First to Cloud Smart
Updates federal cloud policy from "Cloud First" to "Cloud Smart," emphasizing security, procurement, and workforce considerations alongside migration. Requires agencies to evaluate cloud readiness, address security in cloud environments, and develop cloud-skilled workforces.
Completing the Transition to Internet Protocol Version 6 (IPv6)
Directs agencies to complete the transition to IPv6-only networks by the end of FY2025. Requires 80% of IP-enabled federal assets to operate in IPv6-only environments and mandates that all new networked federal systems and services operate on IPv6.
Delivering a Digital-First Public Experience
Directs agencies to modernize public-facing digital services following the 21st Century IDEA Act. Requires accessible, mobile-friendly websites, digitized forms and services, and consistent user experience. Establishes digital experience standards and accountability.
Advancing the Responsible Acquisition of Artificial Intelligence in Government
Provides guidance on acquiring AI capabilities in accordance with EO 14110. Addresses AI risk management in procurement, vendor evaluation criteria, and post-award oversight. Requires agencies to inventory AI use cases and designate Chief AI Officers.
Advancing Governance, Innovation, and Risk Management for Agency Use of AI
Implements EO 14110 requirements for agency AI governance. Mandates AI impact assessments for rights-impacting and safety-impacting AI, establishes minimum practices for AI risk management, and requires public transparency on agency AI use cases.
Procurement & Acquisition
Commercial activities policy, voluntary consensus standards, and value engineering requirements.
Federal Participation in the Development and Use of Voluntary Consensus Standards
Directs agencies to use voluntary consensus standards (e.g., ISO, IEEE, ASTM) rather than developing government-unique standards wherever practical. Encourages federal participation in standards development organizations and promotes consistency in conformity assessment.
Value Engineering
Establishes policy for using value engineering (VE) to improve performance and reduce costs in federal programs. Requires agencies to include VE clauses in contracts exceeding specified thresholds and share savings from contractor-proposed VE change proposals.
Performance of Commercial Activities
Establishes the federal policy for determining whether commercial activities should be performed by government employees or contracted to the private sector. Defines the competitive sourcing process, including public-private competitions and streamlined competitions for smaller activities.
Management & Operations
Budget preparation, user fees, FOIA modernization, and customer experience measurement.
Managing Information as a Strategic Resource
The cornerstone circular for federal information management and IT governance. Covers information resource management, privacy, security, records management, and open data. Its appendices address the security of federal information resources and the responsibilities of agencies and officials.
User Charges
Establishes federal policy on assessing user charges for government services and resources. Requires agencies to charge fair market value for services provided to identifiable recipients, with exceptions for activities that primarily benefit the general public.
Strengthening the Federal Government's Commitment to FOIA
Directs agencies to modernize FOIA processes, reduce backlogs, and proactively publish information. Emphasizes technology solutions for FOIA processing, requires agencies to maximize proactive disclosures, and directs improvements in FOIA request tracking and response.
Measuring, Monitoring, and Improving the Federal Customer Experience
Implements requirements from the President's Management Agenda for improving customer experience across High Impact Service Providers (HISPs). Establishes standards for CX measurement, A-11 Section 280 reporting, and service delivery improvements.
Cost Principles
Cost allowability, indirect rates, and benefit-cost analysis for educational institutions, state/local governments, and nonprofits.
Cost Principles for Non-Profit Organizations
Established cost principles for federal awards to nonprofit organizations. Defined allowable direct and indirect costs, cost allocation bases, and requirements for negotiating indirect cost rates with the cognizant agency. Superseded by 2 CFR 200.
Cost Principles for Educational Institutions
Established cost principles for federal awards to educational institutions. Defined direct costs, facilities and administrative (F&A) rate calculations, and cost allocation methodology specific to universities. Superseded by 2 CFR 200 Subpart E.
Cost Principles for State, Local, and Indian Tribal Governments
Established cost principles for determining allowable costs under federal awards to state, local, and tribal governments. Superseded by 2 CFR 200 Subpart E but defined foundational concepts for direct/indirect cost allocation and rate negotiation.
Guidelines and Discount Rates for Benefit-Cost Analysis of Federal Programs
Provides guidelines for conducting benefit-cost and cost-effectiveness analyses of federal programs and projects. Establishes discount rates for evaluating government investments and decisions, including lease-purchase analyses and regulatory impact assessments.
Audit & Financial Reporting
Internal controls, payment integrity, financial management systems, single audits, and financial reporting.
Management's Responsibility for Enterprise Risk Management and Internal Control
Defines management responsibility for enterprise risk management and internal control in federal agencies. Implements requirements of the Federal Managers Financial Integrity Act (FMFIA) and integrates enterprise risk management with internal control assessment.
Improving the Accuracy of Federal Payments
Implements the Payment Integrity Information Act (PIIA), requiring agencies to identify programs susceptible to significant improper payments and report error rates. Establishes requirements for payment recapture auditing and corrective action plans.
Financial Management Systems
Establishes requirements for agency financial management systems to support the government-wide goal of financial management improvement. Requires systems to comply with the Federal Financial Management Improvement Act (FFMIA) and support clean audit opinions.
Audits of States, Local Governments, and Non-Profit Organizations
Established Single Audit requirements for organizations spending $750K+ in federal awards annually. Superseded by 2 CFR 200 Subpart F but established the framework for auditing federal grant recipients that remains largely intact in the Uniform Guidance.
Financial Reporting Requirements
Prescribes the form and content of agency financial statements, Performance and Accountability Reports (PARs), and Agency Financial Reports (AFRs). Updated annually to incorporate new accounting standards and reporting requirements.
Grants Management
Uniform Guidance (2 CFR 200), grants administration, and cooperative agreement requirements.
Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance)
The comprehensive consolidation of OMB circulars A-21, A-87, A-89, A-102, A-110, A-122, and A-133 into a single uniform guidance. Streamlines administrative requirements, cost principles, and audit requirements for all non-federal entities receiving federal awards.
Grants and Cooperative Agreements With State and Local Governments
Established uniform administrative requirements for grants and cooperative agreements with state and local governments. Largely superseded by 2 CFR 200 (Uniform Guidance) but historically set the foundation for federal grants management procedures.
Uniform Administrative Requirements for Grants and Other Agreements
Established uniform administrative requirements for grants to universities, hospitals, and nonprofits. Like A-102, largely superseded by 2 CFR 200 but laid the foundation for consistent grants management across the federal government.
Data & Evidence
Electronic records, evidence-based policymaking, data quality, open data, and federal data strategy.
Improving Implementation of the Information Quality Act
Provides guidance on ensuring the quality, objectivity, utility, and integrity of information disseminated by federal agencies. Establishes pre-dissemination review requirements and data quality standards for influential scientific and statistical information.
Evidence-Based Policymaking: Learning Agendas and Annual Evaluation Plans
Implements the Foundations for Evidence-Based Policymaking Act. Requires agencies to develop learning agendas, annual evaluation plans, and capacity assessments. Establishes Chief Evaluation Officers and mandates evidence-building activities.
Transition to Electronic Records
Directs agencies to transition to fully electronic recordkeeping by December 31, 2022. Requires agencies to manage all permanent records electronically, close agency-operated records storage facilities, and transfer records to NARA in electronic formats.
Update to Data Inventory and Comprehensive Data Catalog Requirements
Implements the OPEN Government Data Act requirements for federal data inventories. Requires agencies to maintain comprehensive data catalogs on data.gov, make data open by default, and publish machine-readable metadata for all datasets.
Federal Data Strategy Action Plan
Implements the Federal Data Strategy through specific actions agencies must take to leverage data as a strategic asset. Establishes actions for governance, standards, infrastructure, and workforce development to improve how agencies collect, use, and share data.
Budget
Budget preparation, submission, execution, and capital planning requirements.
About OMB Circulars and Memoranda
The Office of Management and Budget (OMB) issues circulars, memoranda, and bulletins that establish government-wide policies for federal agencies. Circulars (A-series) are standing policies that remain in effect until revised or rescinded. Memoranda (M-series) typically implement specific presidential directives or address time-sensitive policy needs.
For government contractors, OMB directives are critical because they define the rules that agencies must follow when procuring goods and services, managing grants, implementing IT systems, and securing federal data. Circulars like A-76 determine whether work is contracted out, A-123 shapes internal control requirements that flow to contractors, and memoranda like M-22-09 (Zero Trust) drive billions in federal cybersecurity spending. Understanding these directives helps contractors anticipate requirements, price proposals accurately, and maintain compliance.