Security officials get a case of nerves about LOB

Reprogramming existing training money is not an easy option for many agencies

OMB looks at shared-service plan for IT security functions

Some chief information security officers have grown concerned that the federal government’s Security Line of Business has lost its focus. CISOs say they support the initiative but are concerned they are being asked to spend more and get less.

Agencies have until April 30 to select shared-services providers for standard security training and reporting services. As that deadline approaches, several senior information technology security managers say they support the initiative’s goal, but they are uncertain how they will pay for the services.

“We are required to pick a shared-service center and that is all well and good, but there is a huge disparity in how we fund training programs,” said Dan Pitton, the National Highway Traffic Safety Administration’s CISO. “The idea to take the current money doesn’t work. Most agencies don’t have a pool for training.”

Pitton and others are also concerned about switching to a new compliance reporting system for Federal Information Security Management Act reporting. Many agencies have paid for their current FISMA reporting systems, and now the Office of Management and Budget expects them to switch to shared-services providers at their own expense, Pitton said.

Other CISOs have similar concerns. “Many large agencies are saying we have investments and don’t want to move to a new system,” said Bill Hunteman, the Energy Department’s CISO. “The Security LOB’s fundamental problem is it is too prescriptive.”

CSIOs said officials at OMB and the Homeland Security Department, which is the managing partner for the Security LOB, are listening to their concerns. DHS recently issued guidance to help agencies in choosing shared-services providers. The guidance included information about how to apply to OMB for a waiver from the requirement.

“This is a great opportunity for the federal government,” said Dennis Heretick, the Justice Department’s CISO, referring to the governmentwide consolidation of security requirements in the Security LOB. “This will give us a way to organize information and a way to prioritize requirements that are critical to our mission. This gives us a structured way to share best practices as well.”

Justice and the Environmental Protection Agency are providing FISMA reporting services under the Security LOB program.

But some agencies say they are not ready to look outward to satisfy that and other FISMA requirements.

“The Security LOB is not fully baked yet and still mushy in the middle,” said one CISO, who requested anonymity. “When the Security LOB first started, training and reporting were fairly immature among agencies, but now they have matured and some shared-service providers are offering less than what we are doing.”

Pitton said the shared-services providers are going beyond their limited mandate for reporting FISMA statistics. He added that the providers will force agencies to change their certification and accreditation processes, in addition to how they report their inventory of systems and accomplish their plans of actions and milestones to mitigate security risks.

Pitton added that one way to solve the funding issue would be to require agencies to specify their security investments in their budgets. Security and training are built into the overall cost of a project, and separating them out is not easy, he said.

But a government official with knowledge of the LOB and who requested anonymity said the task is not that difficult. Agencies frequently must figure out how much money they spend on certain functions, and they also have experience developing interagency agreements to pay for various initiatives, the official said.
Agencies have security LOB deadlinesThe Office of Management and Budget has named five shared-services providers to offer security training and reporting services for the federal government’s Security Line of Business. OMB also set security deadlines for agencies to meet. The deadlines and goals they must adhere to include:

April 30
Choose shared-services providers for security training and reporting. Each agency must also name someone to coordinate activities with the shared-services provider.

June 29
Complete interagency and service-level agreements for security reporting required by the Federal Information Security Management Act.

Sept. 30, 2008
Complete the transition to shared-services providers — one for security training and another for FISMA reporting.
— Jason Miller

The 2015 Federal 100

Meet 100 women and men who are doing great things in federal IT.


  • Shutterstock image (by venimo): e-learning concept image, digital content and online webinar icons.

    Can MOOCs make the grade for federal training?

    Massive open online courses can offer specialized IT instruction on a flexible schedule and on the cheap. That may not always mesh with government's preference for structure and certification, however.

  • Shutterstock image (by edel): graduation cap and diploma.

    Cybersecurity: 6 schools with the right stuff

    The federal government craves more cybersecurity professionals. These six schools are helping meet that demand.

  • Rick Holgate

    Holgate to depart ATF

    Former ACT president will take a job with Gartner, follow his spouse to Vienna, Austria.

  • Are VA techies slacking off on Yammer?

    A new IG report cites security and productivity concerns associated with employees' use of the popular online collaboration tool.

  • Shutterstock image: digital fingerprint, cyber crime.

    Exclusive: The OPM breach details you haven't seen

    An official timeline of the Office of Personnel Management breach obtained by FCW pinpoints the hackers’ calibrated extraction of data, and the government's step-by-step response.

  • Stephen Warren

    Deputy CIO Warren exits VA

    The onetime acting CIO at Veterans Affairs will be taking over CIO duties at the Office of the Comptroller of the Currency.

  • Shutterstock image: monitoring factors of healthcare.

    DOD awards massive health records contract

    Leidos, Accenture and Cerner pull off an unexpected win of the multi-billion-dollar Defense Healthcare Management System Modernization contract, beating out the presumptive health-records leader.

  • Sweating the OPM data breach -- Illustration by Dragutin Cvijanovic

    Sweating the stolen data

    Millions of background-check records were compromised, OPM now says. Here's the jaw-dropping range of personal data that was exposed.

  • FCW magazine

    Let's talk about Alliant 2

    The General Services Administration is going to great lengths to gather feedback on its IT services GWAC. Will it make for a better acquisition vehicle?

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above