Policymaking Offices
Executive Office of the President (EOP, a.k.a. “The White House”)
The Executive Office of the President is made up of many offices, but the following organizations are those most frequently involved in technology policymaking. IT policy typically happens in one of two ways:
1.) The current Administration voluntarily decides to work on a problem area using existing authorities. In this case, the President can direct individual offices or agencies to address specific areas of concern.
2.) Congress passes a law actively directing the Office of Management and Budget (OMB) or another agency to issue policy on a given topic.
Other offices can be created by the President on an ad-hoc basis as well, such as the Office of American Innovation, a technology-focused office that existed from 2017-2020 before being dissolved during the change in administrations.
Note: Although “The White House” is a term commonly applied to these offices collectively, The White House Office is the top office which interacts directly with the President. Staff of these other offices are referred to as working “for The White House” instead of “at The White House,” referring to the institution, not the building. Staff from these offices are spread across the West Wing and East Wing at the White House proper, the Eisenhower Executive Office Building (EEOB) and the New Executive Office Building (NEOB) adjacent to the White House, and other offices nearby.
The White House itself occasionally issues IT policy, most commonly in the form of Executive Orders.
Office of Management and Budget (OMB)
Most laws assign OMB to oversee & measure the implementation of the law. OMB will then set the requirements for agencies via memoranda, circulars, and other guidance. In many cases, a law has no effect without a corresponding OMB policy to implement it. OMB enacts the will of the President and their Administration and sets the direction for the entire government. For more details, consult “The Office of Management and Budget: An Insider’s Guide.”
As its name suggests, OMB is divided into two functional areas: budget and management. The budget side of the office is mainly concerned with managing agency finances, specifically towards the formulation of the annual President’s budget request to Congress. The management side is focused on general government operations, and specifically creates policies to direct agencies how to implement laws from Congress.
Within OMB there are several key offices:
Management-Side Offices
Offices on the management side of OMB report to the Deputy Director for Management (DDM), who reports to the OMB Director.
Office of the Federal Chief Information Officer (OFCIO)
This office is legally known as the Office of Electronic Government (or E-Gov Office). Most technology policy and guidance in the executive branch comes out of this office, including data and cybersecurity policy. The head of this office is formally known as the Federal Chief Information Officer (Federal CIO), but in law is referred to as the Administrator of the Office of E-Government and Information Technology.
The Federal Chief Information Officer is the chair of the Federal CIO Council, consisting of the CIOs of the 24 large Federal agencies and a few others. This organization does not issue official policy, but collaborates on implementation of various initiatives and shared pilot programs. There is also a separate council for the Small Agencies.
This office also contains the Federal Chief Information Security Officer, who is the chair of the Federal CISO Council.
OFCIO oversees most mandated IT data reporting, notably the quarterly Integrated Data Collection (IDC) which is used by the biannual FITARA Scorecard published by the Government Accountability Office. Although it is not a budget office, it also collects the monthly Capital Planning and Investment Control (CPIC) data, which includes data on all major IT investments across the government. Some, but not all, of the data collected by OFCIO is reported publicly in the form of the IT Dashboard which OFCIO is responsible for (though GSA actually runs the website).
The Federal CIO position and this office were established by the E-Government Act of 2002. Many of the Federal CIO’s assigned legal authorities state that the Office of Information and Regulatory Affairs (OIRA) must also be consulted in the creation of policies or requirements.
Office of Information and Regulatory Affairs (OIRA)
Effectively, the regulator of regulations. This office has responsibilities for many IT matters, most notably that Paperwork Reduction Act notices must be reviewed by this office. Notably, the Office of the Federal Chief Information Officer (OFCIO) is statutorily required to consult OIRA on all policy matters.
Office of Federal Procurement Policy (OFPP)
OFPP is responsible for government-wide acquisition policy. The Administrator of this office also is the chair of the Federal Acquisition Regulatory Council, responsible for management of the Federal Acquisition Regulations (FAR).
Office of Federal Financial Management (OFFM)
OFFM is responsible for directing financial management policy, such as reduction of improper payments, or grants management. Despite the name, it is not a budget-side office, and is primarily focused on policymaking, not the Federal budget. It was established by the Chief Financial Officers (CFO) Act of 1990.
United States Digital Service
The US Digital Service (USDS) is a team comprised of experts in technology and related practices (e.g., product design, customer experience, acquisition, hiring, etc.) which engages with agencies to support various efforts both directly through staff augmentation and indirectly through advisory roles. Before being moved directly under the Deputy Director of Management in 2016, it was originally part of OFCIO, and previously received its funding from the same source: the IT Oversight and Reform (ITOR) fund.
Although USDS does not issue policy itself, it often collaborates with other offices on the creation of policy. USDS also engages in various pilot programs to explore flexibilities under existing authorities. A recent example is the Subject Matter Expert Qualification Assessments (SME-QA) project, which worked with OPM on improving the Federal hiring process.
Resource Management Offices (RMO)
(also known as the Budget Offices)
The RMOs are divided into topical areas, each of which oversees the budgets for the related agencies under its purview. These include:
- Natural Resource Programs
  - Energy, Science & Water Division
  - Natural Resources Division
- Education, Income Maintenance And Labor
- Health
- General Government Programs
  - Transportation, Homeland, Justice & Services Division
  - Housing, Treasury, & Commerce Division
- National Security Programs
  - International Affairs Division
  - National Security Division
OMB Support Offices
There are also several support offices within OMB - such as Legislative Affairs, and the General Counsel - which are similar to those at other agencies.
Of these offices, the Office of Performance and Personnel Management frequently is involved in IT policy matters such as Customer Experience (CX). Note that this office is often referred to as PPM, and occasionally OPPM. It should not be confused with OPM.
Office of Science and Technology Policy (OSTP)
OSTP sits adjacent to OMB in the EOP hierarchy, and shares one of the same buildings (EEOB). It oversees a number of different policy areas, but currently is focused on the science side rather than technology.
Under President Obama, OSTP was the public face of technology efforts in government, and the role of the Federal Chief Technology Officer was created in this office. However, under the Trump Administration, the staff and budget were gutted, leaving less than a third of the original staff, and most of the IT policy work was shifted back to OFCIO. President Biden has started to restore the office, but IT policy remains centered in OFCIO.
National Security Council (NSC)
The NSC is primarily a group of Cabinet members and other senior executives who advise the president on national security and foreign policy matters. They frequently have a role in cybersecurity activities.
Office of the National Cyber Director (ONCD)
The ONCD is a very new agency, established by the 2021 NDAA. The National Cyber Director’s responsibilities are effectively those previously held by the Federal Chief Information Security Officer (FCISO) within OFCIO, overseeing cybersecurity policy efforts for the federal government. However, the FCISO position still exists and currently also acts as the Deputy National Cyber Director.
As the ONCD received only minimal appropriations, many cybersecurity policy efforts are still run by OFCIO.
Other Offices
There are many other smaller organizations under the White House, though most of them do not have a role in IT policy. These may change with each Administration. A full list of these offices is available on the White House website.
Non-White House Agencies
Department of Homeland Security (DHS)
Cybersecurity and Infrastructure Security Agency (CISA)
CISA is an agency under the Department of Homeland Security (DHS) tasked with managing government-wide cybersecurity implementation. Over the last few years, more and more legislation has tasked the agency with roles traditionally assigned solely to OMB.
Draft legislation currently being circulated would expand its powers into more oversight, but it has not yet been signed into law.
Office of the Director of National Intelligence (ODNI)
The Director of National Intelligence serves as the lead of the US government intelligence community (IC). Their office is an independent agency which frequently coordinates cybersecurity efforts.
Office of Personnel Management (OPM)
OPM oversees various human resources policy areas for the government. Notably, it sets hiring policies and pay scales, which are frequent friction points in IT.
The Director of OPM acts as the chair of the Federal Chief Human Capital Officers Council (CHCO Council), while the OMB Deputy Director for Management is the Vice-Chair.
Despite the name, this is an independent agency, not directly part of the White House.
National Institute of Standards and Technology (NIST)
NIST is an agency under the Department of Commerce, and is responsible for a variety of standards-making operations. Importantly, it publishes a series of information technology standards, the 800 series. The most commonly referenced is the 800-53 cybersecurity standard, which sets out the controls required by FISMA.
General Services Administration (GSA)
GSA can be considered a sort of contractor inside of government, providing a variety of services to federal, state, local, and tribal agencies. It is generally best known for managing federal real estate, but has several key government-wide IT functions. Most importantly, it provides contract vehicles for many services and products, including IT software and services via Schedule 70.
The following offices also have roles in IT policy:
The Technology Transformation Services (TTS)
TTS provides a variety of contracting services to the rest of government, including products such as login.gov and cloud.gov. It is the parent of 18F, a well-known digital service team similar to USDS but with additional functions, such as specializations for acquisition & contracting. (18F is not an acronym, but rather the location of the building that is the GSA headquarters, at 18th St NE and F St NE in Washington DC.)
The Office of Government-wide Policy (OGP)
Despite its name, OGP does not have a policymaking function. However, it fulfills a number of intergovernmental functions, such as organizing the Federal CIO Council and the working groups beneath, and running the Federal IT Dashboard for OMB.
National Archives and Records Administration (NARA)
NARA is responsible for maintaining government and historical records. This includes keeping copies of all Federal agencies' documents as required by the Federal Records Act and Presidential Records Act. NARA also runs the Federal Register, the public website where agencies are required to post policy changes for public comment, including System of Records Notices (SORNs) on the collection of personal data. NARA also occasionally is tasked with issuing records-related policy, such as on Controlled Unclassified Information (CUI).
Government Accountability Office (GAO)
GAO is an independent agency that acts as an oversight body, directed by Congress to report on the efficacy of a policy implementation. Although they do not make policy themselves, they do issue recommendations on improving existing policies, or guidance to agencies on how to implement the policies. Agencies are not usually legally required to follow these recommendations, but failure to do so often results in Congressional hearings on the topic.