• Overview
• Public policy as opposing forces
• Policy types
• Binding vs. non-binding policies
• Types of binding policies
• Laws or statutes
• Learn about federal laws and regulations
• Regulations
• Executive orders
• Types of non-binding policies
• Guidance
• Priorities and plans
• Understand the players
• From executive priority to product
• Identifying how policy interacts with product
• Information collection
• What is the PRA?
• Why the PRA exists
• Understanding when PRA applies
• Recent guidance on PRA
• Understand how your agency approaches PRA
• Conclusion
• Accessibility
• Why is accessibility important?
• Why Section 508 exists
• Design for all users
• Design for all situations
• Design for accessible and successful experiences
• Explore accessibility resources
• Privacy and security
• What is the Privacy Act?
• What is FISMA?
• Conclusion
• Policy advice for technologists

Overview

Shipping user-centered products in government requires understanding public policy. U.S. Digital Corps Fellows, who quickly learned how policy impacted the work led by their teams and other technology teams across the federal government, created this six-part guide, “Building by the rules: A crash course for federal technologists,” to explore why public policy matters, share the different types of public policy, and discuss a case study for navigating three key federal policies most relevant for web and digital teams across government.

Public policy as opposing forces

When government technology teams consider a change to a government service or information technology system, policy may be a force for or against that change. There are many frameworks for understanding this concept, including Kurt Lewin’s force field analysis [1]. The diagram below is a high-level adaptation of Lewin’s analysis.

Public policy as a force for change grants permission to innovate or improve. For example:

• The 21st Century Integrated Digital Experience Act (21st Century IDEA) requires executive branch agencies to modernize their websites, digitize services and forms, accelerate the use of e-signatures, improve customer experience, and standardize and transition to centralized shared services.
• Executive Order 14058, Transforming Federal Customer Experience and Service Delivery to Rebuild Trust in Government directs agencies to employ a customer experience approach that ensures the public is able to do basic tasks with the government in a manner that is simple, seamless, and secure.

Public policy as a force against change places constraints or conditions on how innovation takes place, often in a tradeoff with other important considerations. For example:

• The Privacy Act of 1974 protects personally identifiable information (PII) and prohibits disclosure of protected information without consent. For instance, this may preclude use of software tools available to the private sector or limit access to data for secondary or experimental uses.
• The Paperwork Reduction Act of 1995 requires that agencies obtain Office of Management and Budget (OMB) approval before requesting most types of information from the public. As public servants, we must make sure the data we collect from the public is accurate, helpful, and a good fit for its proposed use.

Overall, public policy plays a vital role in how federal agencies serve the public. There are hundreds of requirements for federal websites and digital services. As web and digital practitioners in government, we need to keep in mind different circumstances where policy serves as a potential accelerator or blocker to innovation.

Keep reading to learn more about the different types of policies and useful frameworks for understanding how they work.

Footnotes 1. University of Cambridge. 2016. “Force Field Analysis.” Cam.ac.uk. University of Cambridge. 2016. https://www.ifm.eng.cam.ac.uk/research/dstools/force-field-analysis/. ↩

1. 1. University of Cambridge. 2016. “Force Field Analysis.” Cam.ac.uk. University of Cambridge. 2016. https://www.ifm.eng.cam.ac.uk/research/dstools/force-field-analysis/. ↩

Policy types

Learn about different types of public policy, and explore the policy framing for Findsupport.gov as a case study.

In the overview section, we discussed why policy matters. Now, we’ll explore the types of policies and useful frameworks for understanding how they work.

Web and digital practitioners who work with or for federal agencies are often tasked with implementing products within the bounds of existing policies. Knowing the difference between various types of policies proves useful when engaging with stakeholders.

Binding vs. non-binding policies

All policies can be categorized as binding or non-binding. Binding policies carry the force of law. They serve as contracts between you and the government. There are usually penalties or consequences for breaking or dishonoring a binding policy. Non-binding policies offer contracts that carry no legal weight for carrying or not carrying out their terms.

Types of binding policies

Laws or statutes

In the context of the federal government, laws govern agency activities. This includes both financial appropriations and “authorizing or appropriating statutes,” which create new powers or permit something previously prohibited. In short, laws establish broad goals or principles, assign authority or responsibility, and provide resources. Congress — and legislatures at the state or local level — can enact laws through committees, hearings, debates, and votes. In most cases, a chief executive (such a president, governor, or mayor) must sign laws passed by a legislature before they take effect.

Coolcaesar, CC BY-SA 4.0 DEED

Learn about federal laws and regulations

Visit USA.gov to learn more about how laws are made.

Browse the United States Code to learn more about all the general and permanent U.S. laws. It is organized into 54 broad titles according to subject matter. For example, the U.S. Department of Health and Human Services (HHS) laws fall under “Title 42: The Public Health and Welfare.”

Visit Regulations.gov to learn more about regulations.

Regulations

Regulations, also known as rules, implement laws. Unlike laws passed by Congress, executive branch agencies put forward regulations and enforce them. Most rules go through a public notice and comment period, also known as a rulemaking process. The process is governed by laws including but not limited to the Administrative Procedure Act (APA) (5 U.S.C. Chapter 5), Congressional Review Act, Paperwork Reduction Act, and the Regulatory Flexibility Act. The process is broken down into three stages: the pre-rule stage, the proposed rule stage, and the final rule stage. As federal web and digital practitioners, it helps to know how your agency rules interact with your work.

Let’s consider an example: the Federal Acquisition Regulation (FAR). All executive agencies abide by the FAR when buying supplies and services with appropriated funds. 41 U.S. Code § 1303 (Functions and authority) is the law that grants the General Services Administration (GSA), the Department of Defense (DOD), and the National Aeronautics and Space Administration (NASA) the authority to maintain the FAR system.

Executive orders

Consider executive orders as “technically” a type of regulation. An executive order is issued by the White House and is used to direct actions for any executive branch agency of the U.S. government. Executive orders are often used to manage operations and respond to emergencies. They may only require internal clearance or communications review. They are exempt from the rulemaking process due to “expressed powers” outlined in the U.S. Constitution.

A recent executive order relevant to federal web and digital practitioners is the Executive Order 14058, Transforming Federal Customer Experience and Service Delivery to Rebuild Trust in Government. This order directs agencies to take accountability for designing and delivering services with a focus on the actual public experience. It asks agencies to provide direct lines of feedback and mechanisms for engaging with the public in designing government programs, products, and services.

Types of non-binding policies

Guidance

Guidance defines standard practice and clarifies ambiguities. It is non-binding in the sense that it is subject to regulations. Subject matter experts write guidance and it may be distributed as a guide, training, or technical assistance. The Office of Management and Budget (OMB) issues guidance for federal policies as memoranda (or memos).

For example, in September 2023, OMB issued M-23-22, Delivering a Digital-First Public Experience, offering policy guidance on how federal agencies should fully implement the 21st Century Integrated Digital Experience Act (21st Century IDEA).

This guidance required that agencies take the following six steps:

1. Identify a digital experience delivery lead
2. Identify public-facing websites
3. Identify and assess top websites
4. Assess common questions and top content for deduplication and search engine optimization (SEO)
5. Assess top tasks for self-service optimization
6. Inventory public services

The law and policy guidance in the memo collectively establish a framework and the requirements for a digital-first public experience. Check out Digital.gov policy page for more information about the requirements for delivering a digital-first public experience.

Priorities and plans

Priorities and plans convey the government’s intentions with respect to a certain topic or challenge. They are written and published by agencies and typically require communications review.

Since 2001, each administration has released a President’s Management Agenda (PMA) to improve how the government operates and performs.

The Biden-Harris PMA established three priorities:

1. Strengthen and Empower the Federal Workforce
2. Improve Customer Experience
3. Manage the Business of Government

At Performance.gov, learn more about the Biden-Harris PMA vision.

Understand the players

Case Study: FindSupport.gov

Now that you understand the different types of policy levers that exist, let us dive into a real-world case study and product example. As part of continuing efforts by the Biden-Harris Administration to increase access to mental health and substance use resources, the U.S. Department of Health and Human Services (HHS) launched FindSupport.gov, a new user-friendly website, designed for the general public, to help people identify available resources, explore unbiased information about various treatment options, and learn how to reach out to get the support they need for issues related to mental health, drugs, or alcohol.

From executive priority to product

In his first State of the Union address, President Biden announced his administration’s strategy to address the national mental health crisis. Specifically, this administrative priority tasked the Substance Abuse and Mental Health Administration (SAMHSA) with building “new easy-to-access, user-friendly online treatment locator tools so Americans can find care when they need it, where they need it, with the click of a button.” SAMHSA partnered with the Centers for Medicare and Medicaid Services (CMS) and the Digital Service at CMS to tackle this opportunity as a cross-agency team.

Identifying how policy interacts with product

Not every federal statute greatly impacts product development and maintenance. However, as web and digital practitioners we must be aware about policy, ask questions about how it works, and be proactive in understanding how it may impact our work.

The remainder of this guide focuses on four key federal statutes and considerations they aim to address, as outlined in the below table. After introducing each, we use FindSupport.gov as a case study to demonstrate how policy and product development interact. These considerations are useful for framing how tech teams in government approach product development.

Check out the next section that discusses information collection and the Paperwork Reduction Act.

Information collection

The Paperwork Reduction Act (PRA) is a key federal statute. Learn when and how it applies.

In the previous section, we discussed the types of policy and a case study on FindSupport.gov that we will use to frame the remainder of this guide. Now, we will focus on the Paperwork Reduction Act (PRA) by covering why it exists, when it applies, tips for designing research studies with PRA in mind, and user research insights from the FindSupport.gov team.

What is the PRA?

The PRA is a federal law designed to “maximize the practical utility and public benefit from information collected by and for the Federal government.” In other words, the PRA asks: “How might the federal government reduce burden on the public?”

Why the PRA exists

At a high level, the PRA reduces burden on the public by:

• Discouraging redundant information requests
• Managing the information agencies can request from the public
• Stressing meaningfulness and accuracy
• Allowing government to assess how its collecting information
• Protecting information privacy
• Helping agencies make decisions based on high-quality data

The Paperwork Reduction Act of 1980 established a broad mandate for agencies to perform their information activities in an efficient, effective, and economical manner. Amended during the Clinton administration, the PRA focused on reducing public burden and established the Office of Information and Regulatory Affairs (OIRA) in the Office of Management and Budget (OMB). As President Clinton explained during the Act’s signing ceremony, he saw the PRA as a way to reduce the number of time-intensive forms that small businesses and the public are required to complete.

Alt text: In the picture on the left, former President Clinton points to a thick stack of three large white binders full of papers that make up one federal government information collection process. In the picture on the right, he holds up a floppy disk to illustrate the contrast in time and burden.

Understanding when PRA applies

A PRA clearance is approval to conduct an information collection activity. Relevant examples of information collections include:

• Reports
• Forms
• Applications
• Surveys
• User interviews
• Focus groups
• Public disclosures
• Recordkeeping requirements

The following scenarios describe circumstances when PRA clearance may be needed.

• Speaking with more than 10 people at a time
• Voluntary, mandatory, or necessary requests for the public’s information
• Research studies and focus groups with the same set of structured sets of questions
• Asking demographic information

For more information about the PRA, check out PRA.digital.gov and connect with your agency’s PRA contact.

Recent guidance on PRA

In April 2022, the Office of Management and Budget (OMB) published a memo, M-22-10, Improving Access to Public Benefits Programs Through the Paperwork Reduction Act (PDF, 616 KB, 18 pages), about how to improve access to public benefits programs through the PRA. As we mentioned in the last post on types of policies, OMB guidance clarifies the PRA and how agencies should embrace the law. Specifically, the guidance in the memo affirmed that conducting research is not a violation of the PRA. OMB recommended that agencies “use leading design practices to assess, evaluate, and then improve forms and information collection experiences.”

OMB offered the following tips for designing research studies with PRA in mind:

• Use direct observation (usability testing and card sorts)
• Ask open-ended questions (consider using Touchpoints to create and manage surveys)
• Limit studies to fewer than 10 participants at a time (assuming that 10 participants does not represent the majority of the population you are surveying)
• Avoid questions asking for personally identifiable information (PII), including demographic information
• Focus on digital service delivery and customer experience
• Consider multiple studies and embrace agile development practices
• Information collection from federal employees or federal contractors is exempt

Understand how your agency approaches PRA

Each agency may manage PRA differently and have their own resources to help people understand and navigate the PRA clearance process. For example, the 18F User Experience Guide offers a legal section that covers the PRA based on shared understanding between 18F, GSA’s Privacy Office, and GSA’s Office of General Counsel. It is worth seeing if your agency holds similar resources including but not limited to an internal guide, a service blueprint describing the PRA process, or tips on designing

CaseStudy: Navigating PRA for FindSupport.gov To achieve the administration priority and build this product, understanding our users was extremely important. When it came to FindSupport.gov, our team quickly learned that navigating behavioral health issues is a complex and personal process. With a deadline within one year, the team designed research studies that did not require seeking PRA clearance. This included using the tips listed in the OMB memo, M-22-10, Improving Access to Public Benefits Programs Through the Paperwork Reduction Act (PDF, 616 KB, 18 pages).

Our early user research insights indicated that a broad locator tool may not clearly meet the needs of those experiencing behavioral health issues. Many research participants shared that they experienced difficulty knowing how to start seeking care, figuring out how to cope, and finding a reliable resource that could cover information about mental health and substance use issues. Without conducting user research, we may have not designed a product that could truly meet people where they were.

Conclusion

The spirit of the PRA aligns closely with digital service delivery goals to improve the public’s digital experience. As government web and digital practitioners, it is important to understand how and when PRA clearance may be required to understand and better meet user needs.

In the next section, we will discuss another key federal statute for government web and digital practitioners: Section 508 of the Rehabilitation Act of 1973.

Accessibility

An introduction to Section 508 of the Rehabilitation Act of 1973, and related laws and policies.

In the previous section, we discussed the Paperwork Reduction Act (PRA) — specifically why it exists, when it applies, tips for designing research studies with PRA in mind, and user research insights from the FindSupport.gov team. Now, we will touch on Section 508 of the Rehabilitation Act of 1973 and the importance of building accessible digital products.

Why is accessibility important?

Tim Berners Lee, credited as the founder of the internet, once said “The power of the web is in its universality. Access by everyone regardless of disability is an essential aspect.” [1] In short, accessibility ensures all users can access a product or service.

Why Section 508 exists

The Rehabilitation Act of 1973 is a federal law that prohibits federal discrimination based on disability status. Section 508 requires that all federal agencies make all information and communication technology accessible to people with disabilities. This includes, but is not limited to, the following:

• Government websites
• Applications
• Emails
• Multimedia
• Electronic media

Consider Section 508 as part of a collection of federal policies that maximize the accessibility of government. This includes but is not limited to the following:

• Section 503 of the Rehabilitation Act of 1973
• Sections 501 and 505 of the Rehabilitation Act of 1973
• Americans with Disabilities Act of 1990, as amended
• Section 255 of the Telecommunications Act of 1996
• Assistive Technology Act of 1998
• Plain Language Act of 2010
• Agency accessibility policies

Design for all users

As web and digital practitioners in government, it is important to consider all users when building products or services.

Disability is a mismatch between a person and their environment. For the person who isn’t able to do something, it’s this mismatch that impairs an individual. It’s important to understand that everyone experiences some form of disability and reframe our idea of disability.

See the below table for a short list of disability types.

Design for all situations

See the below table for a short list of different types of situations to consider when building and designing products in government. Although these conditions are not explicitly outlined in Section 508, they remain important barriers to consider when building products in government.

Design for accessible and successful experiences

When it comes to accessible digital experiences, the Web Content Accessibility Guide 2.0 (WCAG 2.0) outlines four principles for designing accessible web content. The guidelines state that all web content must be perceivable, operable, understandable, and robust—otherwise, users with disabilities cannot access the web. Embracing these principles aligns with Section 508 requirements.

Explore accessibility resources

Overall, accessible design represents the first step to universal design. By accounting for all types of disabilities and circumstances, government web and digital practitioners can improve how their products serve the public. Section508.gov offers information on accessibility policies, acquisition resources, and content creation tools.

For more information about how different product team roles play in making federal resources accessible and inclusive, browse the Accessibility for Teams guide on Digital.gov. Additionally, the Technology Accessibility Playbook on Section508.gov offers 12 key plays for ensuring that U.S. government technology is accessible for people with disabilities.

Case Study: Baking accessibility into FindSupport.gov The FindSupport team frequently tested with people with disabilities to ensure FindSupport.gov met Section 508 requirements.

Focusing on our product roadmap, the Substance Abuse and Mental Health Administration (SAMHSA) and Centers for Medicare and Medicaid Services (CMS) teams took the following steps to center accessible experiences into the site’s design and functionality. This included:

• Creating automated and manual testing plans
• Setting regular cadence for testing accessibility
• Accounting for accessibility when creating and estimating user stories
• Prioritizing new accessibility issues
• Outlining team accessibility roles

Footnotes 1. “World Wide Web Consortium Launches International Program Office for Web Accessibility Initiative.” 1997. W3C. October 22, 1997. https://www.w3.org/press-releases/1997/ipo-announce/. ↩

1. 1. “World Wide Web Consortium Launches International Program Office for Web Accessibility Initiative.” 1997. W3C. October 22, 1997. https://www.w3.org/press-releases/1997/ipo-announce/. ↩

Privacy and security

Public policy influences technology projects as a force both for and against change.

In the previous section, we touched on Section 508 of the Rehabilitation Act of 1973 and the importance of building accessible digital products and federal resources. Now, we will cover how the Privacy Act of 1974 and the Federal Information Security Modernization Act (FISMA) work and share resources to learn more.

What is the Privacy Act?

The Privacy Act respects the public’s privacy by limiting government use, reuse, and disclosure of personally identifiable information (PII). Specifically it outlines the following:

• Requires agencies to give public notice about record-keeping systems
• Establishes fair information practices for managing data
• Limits agencies’ ability to share data
• Grants the public access to their own records

The following items illustrate some things you can do to respect the public’s privacy:

• Tell users what information you are collecting from them, and why
• Minimize collecting information where possible; consider public burden
• Conduct Privacy Impact Assessments (PIAs) for systems with PII
• For agency information exchanges – consider pursuing a Computer Matching Agreement
• Agencies must publish notice of its systems of records (also known as System of Records Notice or SORN) in the Federal Register
• Abide by agency and federal disclosure rules
• Consider the Health Insurance Portability and Accountability Act (HIPAA) implications if applicable

Visit Justice.gov to learn more about the Privacy Act of 1974. You may also visit your agency website. For example, the Department of Health and Human Services (HHS) publishes agency-specific Privacy Act information on HHS.gov.

What is FISMA?

The Federal Information Security Modernization Act requires agencies to protect federal information by:

• Creating a cybersecurity plans
• Conducting regular risk assessments
• Implementing cybersecurity controls
• Continuously monitoring their systems for vulnerabilities and attacks

For more information, see the Centers for Medicare and Medicaid Services’ helpful one-pager on FISMA.

To use, buy, or build software for the government, you need an authorization to operate (ATO). This process mostly comes from FISMA. For an overview of ATOs, read An introduction to ATOs.

Federal security compliance is based on evaluating security criteria. Those criteria are a wide-ranging set of considerations called controls. The National Institute for Standards and Technology (NIST) defines these controls in a special publication (SP) called NIST SP 800-53 (Revision 5), Security and Privacy Controls for Information Systems and Organizations. Read An introduction to security and privacy controls for a brief explainer of NIST’s 800-53 control families for information systems and organizations.

The Federal Risk and Authorization Management Program (FedRAMP) is a governmentwide program that provides a standardized, reusable approach to security assessment and authorization for cloud computing products and services. Visit FedRAMP.gov to learn more about the FedRAMP program basics.

Case Study: Considering privacy and security for FindSupport.gov

For context, we cover these two policies to highlight their importance. Although FindSupport.gov did not go through all the steps listed above, the team maintained awareness for how such policies could impact product development.

The FindSupport.gov team used SAMHSA’s existing content management system, removing the requirement for the team to seek a new ATO. Additionally, all user research sessions required asking for verbal and written consent from participants, and using approved tools to store research and de-identified participant information.

Conclusion

Overall, building products and services in government requires understanding how public policy impacts government technology design and implementation. This guide serves as an introductory crash course into how you can engage your teammates in understanding how policy may interact with your team’s design, engineering, product, and security considerations.

Policy advice for technologists

1. Befriend the policy people: For major statutes and regulations, subject matter policy experts ensure agency offices and groups remain in compliance. We encourage you to get to know those individuals within your organization.
2. Read the policy yourself: There may be flexibilities in certain laws. In some cases, what people think of as policy could be “the way we’ve always done it.” By reading the policy yourself, you unlock new questions and gain insights on how policies impact your implementation efforts.
3. Pick your battles: Know whether you’re dealing with a law (very hard to change) or a priority (potential room for interpretation).
4. Know your boundaries: As technologists, recognize when best to divert questions to your policy colleagues and subject matter experts.

As public servants, we understand that the government serves the public. In turn, public policy should serve the public interest. This framing provides an opportunity for federal technologists to center the public’s voice when creating and improving federal websites and digital services.

We hope this guide provides you the confidence to ask questions and engage in policy conversations with your colleagues and stakeholders.