Last reviewed: November 17, 2025
Summary
Note: This article primarily concerns information security and privacy requirements; other concerns (e.g., earlier major information system investment requirements) are only addressed in passing.
The term “major information system” was introduced in the Paperwork Reduction Act of 1980 (PRA), a law requiring, among numerous other things, that federal agencies maintain a list of the “major” information systems under their control and audit said systems. While “major information system” was never defined in statute, subsequent Office of Management and Budget (OMB) policy generally defined it as an information system that is important to an agency’s mission or has a significant cost or impact.
As the federal government began implementing newly required information security policies throughout the 1980s and 1990s, “major information systems” (as opposed to all information systems) increasingly became the core recipient of security requirements. In 2002, the Federal Information Security Management Act (FISMA), included as a title within a broader law on the federal government’s approach to the “computer age,” applied such security requirements to all federal systems — major or otherwise — reducing the importance of the term.
Today, a system being designated as a “major information system” only implies two unique requirements that are not duplicated elsewhere:
- First, the Electronic Freedom of Information Act of 1996 requires agencies to make public a list of their major information systems, to include descriptions of the systems. Often, this list is made public by the agency’s Freedom of Information Act (FOIA) office.
- Second, the Office of Management and Budget (OMB) memorandum M-03-22 requires that Privacy Impact Assessments (PIAs) for major information systems be done with greater thoroughness than those for non-major systems.
Other than these two requirements, the term “major information system,” while still on the books, has dwindled in importance.
Discussion
The term “major information system” was first used in the Paperwork Reduction Act of 1980 (PRA), a law that aimed to reduce paperwork burdens and improve the federal government’s information management activities.[1] The PRA required the Office of Management and Budget (OMB) to “establish standards and requirements for agency audits of all major information systems” with exceptions for systems used to conduct criminal investigations or intelligence activities, and required each federal agency to “systematically inventory its major information systems and periodically review its information management activities[.]”[2]
The PRA did not define what constituted a “major information system”; it only defined “information systems” as meaning “management information systems.” The first definition of a major information system that could be located was provided in 1985 in the issuance of OMB Circular A-130, Management of Federal Information Resources, which defined a major information system as:
An information system that requires special continuing management attention because of its importance to an agency mission; its high development, operating or maintenance costs; or its significant impact on the administration of agency programs, finances, property, or other resources.
A decade later, the PRA’s successor, the Paperwork Reduction Act of 1995, was signed into law.[3] Most notably, the updated PRA now required that OMB work in consultation with the National Institute of Standards and Technology (NIST) to:
Develop and oversee the implementation of policies, principles, standards, and guidelines for information technology functions and activities of the Federal Government, including periodic evaluations of major information systems.
The 1995 edition of the PRA also directed federal agencies to take responsibility for their major information systems and their outcomes, requiring said agencies to:
Assume responsibility for maximizing the value and assessing and managing the risks of major information systems initiatives through a process that is integrated with the budget, financial, and program management decisions and used to select, control, and evaluate the results of major information systems initiatives.
Following the PRA update in 1995, the Electronic Freedom of Information Act of 1996 amended the Freedom of Information Act (FOIA) and codified in 5 U.S.C. § 552(g) a new requirement relating to major information systems, stating:
The head of each agency shall prepare and make available for public inspection and in electronic format, reference material or a guide for requesting records or information from the agency, subject to the exemptions in subsection (b), including—
(1) an index of all major information systems of the agency;
(2) a description of major information and record locator systems maintained by the agency[.][4]
In November 2002, the Homeland Security Act of 2002 (HSA) codified a requirement for agencies to maintain an inventory of information systems, with no “major” qualifier, in 44 U.S.C. § 3505(c). Interestingly, less than a month later, and likely in error, the Federal Information Security Management Act (FISMA) resulted in a duplicate § 3505(c) being codified, with the sole difference being that FISMA’s version of § 3505(c) specifies “major” information systems. In both cases, § 3505(c) requires that federal agencies develop and maintain an inventory of (major) information systems that is updated annually, made available to the Comptroller General, and used to support information resource management activities.[5] OMB annual guidance on FISMA throughout the 2000s seemed to treat FISMA’s § 3505(c) as controlling (only requiring agencies to maintain inventories of major information systems).[6] However, starting in 2012, OMB’s FISMA guidance dropped the “major” qualifier. Because FISMA applies to all information systems regardless, agencies functionally were, and are, required to maintain an inventory of all systems to meet compliance with FISMA.[7]
There was initial ambiguity after FISMA’s enactment as to whether systems other than major information systems were required to have their security posture assessed and authorized (then referred to as “certified and accredited”).[8] However, as OMB clarified by memoranda, FISMA’s annual-assessment and authorization requirements applied to all systems, “major” or not.[9]
FISMA was included in the broader E-Government Act of 2002, which also included a provision (often referred to as Section 208) requiring Privacy Impact Assessments (PIAs) to be conducted on certain federal information systems. This provision required OMB to release guidance on its implementation, which OMB did in 2003 through its memorandum M-03-22.[10] OMB’s implementation guidance singled out major information systems for more in-depth assessments, requiring that such PIAs:
Reflect more extensive analyses of (1) the consequences of collection and flow of information; (2) the alternatives to collection and handling as designed; (3) the appropriate measures to mitigate risks identified for each alternative; and (4) the rationale for the final design choice or business process.
Current Definition
The most recent guidance as of 2025 for major information systems comes from the 2016 revision of OMB Circular A-130, then renamed as Managing Information as a Strategic Resource. With this circular, the definition of major information system was loosened to:
A system that is part of an investment that requires special management attention as defined by OMB guidance and agency policies, a “major automated information system” as defined in 10 U.S.C. § 2445, or a system that is part of a major acquisition as defined in the OMB Circular A-11, Capital Programming Guide, consisting of information resources.
Notably, this revised definition of “major information system” included, as a footnote, the original definition of a major information system (i.e., a system that requires “special management attention”). Generally, as the Circular itself implies, the distinction between an “information system” and a “major information system” in 2016 was (and remains) slight. This is noted in the Circular itself, which states, “all information systems are subject to the requirements of [FISMA] whether or not they are designated as a major information system.”
Since 2016, there have been no legal or policy changes to major information systems or their requirements. The term itself has little existence outside of FOIA offices, which often post a listing of their agency’s major information systems online.
1. As noted in the Purpose section of the PRA.
2. This specific provision was repealed in the Paperwork Reduction Act of 1995, but the inventory requirement was preserved elsewhere. This is noted in a federal court opinion: “Although the 1995 amendments repealed this provision, § 3506(b)(4) preserves the requirement that agencies inventory their major information systems by virtue of its reference to § 3511, which requires the OMB Director to establish and maintain an ‘electronic Government Information Locator Service [“GILS”] … which shall identify the major information systems, holdings, and dissemination products of each agency.’” See Public Citizen, Inc. v. Lew, 127 F. Supp. 2d 1 (D.D.C. 2000). However, note that the Government Information Locator Service (GILS) provision itself, and its use of “major information systems,” was removed by the Foundations for Evidence-Based Policymaking Act of 2018. Compare 44 U.S.C. § 3511 (2018) and 44 U.S.C. § 5311 (2024).
3. The Paperwork Reduction Act was reauthorized in 1986 with minor changes, which are not discussed here.
4. OMB provided implementing guidance for this in its memorandum M-98-09.
5. FISMA was included as Title III of the E-Government Act of 2002, which was signed into law in December 2002 and codified in 44 U.S.C. §§ 3541–3549. The Homeland Security Act of 2002, which contained a similar version of FISMA’s contents with slight differences, was replaced by FISMA.
6. For example, see OMB’s FISMA reporting guidance in M-04-25. M-11-33 was the last instance of OMB’s FISMA reporting guidance specifying “major” information systems, with the next year’s guidance, M-12-20, dropping the “major” qualifier.
7. For example, see OMB memorandum M-11-33 (addressing the requirement to authorize systems): “Security authorizations are required for all Federal information systems. Section 3544(b)(3) of FISMA refers to ‘subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems’ and does not distinguish between major or other applications.” (Emphasis added.)
8. For example, the Supplemental Guidance for the security control CA-2, Security Assessments, in the initial release of NIST SP 800-53 (2005), referenced “the FISMA requirement that the management, operational, and technical controls in each information system contained in the inventory of major information systems be tested with a frequency depending on risk, but no less than annually.”
9. See OMB memorandum M-06-20: “Certification and accreditation is required for all systems. Section 3544(b)(3) of FISMA refers to ‘subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems’ and does not distinguish between major or other applications.” (Emphasis added.)
10. Prior to the implementation of FISMA and its subsequent standards and guidelines by NIST, federal information systems were classified as either General Support Systems or Major Applications. NIST’s guidance on creating security plans for federal systems, SP 800-18, Revision 1, states that “[m]ajor applications are by definition major information systems,” while “a general support system is considered a major information system when special management attention is required, there are high development, operating, or maintenance costs; and the system/information has a significant role in the administration of agency programs.” It further notes that if a “general support system is a major information system, the system’s FIPS 199 impact level is either moderate or high.”