
Cyber Policy at-a-glance

Cybersecurity and privacy are critical areas for OPM, as attacks against IT systems and the data they process continue to increase and become more complex. Protection against these attacks requires a resilient execution of cybersecurity and privacy measures to manage the risks related to the creation, collection, use, processing, storage, and transmission of OPM data.

  • Confidentiality. Ensuring authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information. Private or confidential information is not disclosed to unauthorized individuals while in storage, during processing, or in transit.
  • Integrity. Guarding against improper modification or destruction of information, ensuring information integrity and authenticity. Resources of the IT system must operate according to requirements, design documents, and best practices. Unauthorized personnel must not be able to create, alter, copy, or delete data utilized by the system. 
  • Availability. Ensuring timely and reliable access to and use of information. The system works promptly, and service is not denied to authorized users. Systems and data are available for intended use only. The system must be ready for use by authorized users when needed to perform their duties.
  • Accountability. Accountability must be to the individual level. Only personnel with proper authorization and need-to-know must be allowed access to data processed, handled, or stored on IT system components. A key principle is that authority may be delegated, but the accountability cannot be delegated.
  • Assurance. Confidence that the four cybersecurity objectives above have been met. The cybersecurity and privacy mechanisms work as intended, are effective in protecting the system and the information it processes, and are measurable. This assurance is provided through monitoring and review of controls.
  • Intelligence. Proactive monitoring of Cyber Threat Intelligence (CTI) sources for situational and ongoing knowledge of active or emerging threats and threat actors.
  • Federal Information Security Modernization Act (FISMA) of 2014. 
  • Federal Information Technology Acquisition Reform Act (FITARA) of 2014. 
  • EO 14028: Improving the Nation’s Cybersecurity. 
  • EO 13694: Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending EO 14144. 
  • EO 14179: Removing Barriers to American Leadership in Artificial Intelligence  
  • OMB Circular A-130, Management of Federal Information Resources. 
  • OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control. 
  • OMB M-19-17: Enabling Mission Delivery through Improved Identity, Credential, and Access Management. 
  • OMB M-21-31: Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents. 
  • OMB M-22-09: Moving the U.S. Government Toward Zero Trust Cybersecurity Principles. 
  • OMB M-25-21: Accelerating Federal Use of AI through Innovation, Governance, and Public Trust 