OMB moves to consolidate cybersecurity

Cross-agency centers would standardize agency security processes

The Office of Management and Budget is circulating a draft business case that would consolidate four areas of information technology security services across the federal government.

The result of a joint OMB and Homeland Security Department lines of business task force assembled in March, the business case suggests that agencies, starting in fiscal 2007, should migrate four of their security functions to cross-agency service centers. Consolidating security tasks common to most agencies would prevent wasteful duplication of efforts and establish uniform standards to evaluate security performance, proponents say.

The four functions targeted for consolidation are security training, Federal Information Security Management Act reporting, situational awareness and incident response, and agency selection of security products and life cycle management. Excluded from the business case proposal is IT security program management, a function that was included in the cybersecurity line of business request for information, which the task force issued earlier this year.

"It is not the intention that the centers of excellence are going to take over the operation of agency security operations," said George Bonina, chief information security officer at the Environmental Protection Agency.

"The intent is not one-size-fits-all," he added, speaking at an ArchitecturePlus seminar in July.

Agencies that are candidates to get service center status will not be able to provide all four functions, Bonina said. Each area of security management should have three service centers, which would be federal agencies "in partnership with the private sector," he said.

Each of the four areas would require different start dates for agency migration, which would be phased in, Bonina said.

For example, starting in fiscal 2008, agencies would begin using some situation awareness and incident response products such as forensics software. In the next fiscal year, agencies would begin using cross-agency vulnerability and configuration management services.

Under no circumstances should an agency's migration to a line of business entirely supplant in-house security operations, said Paul Proctor, vice president of Gartner's risk and privacy practice.

"Organizations are different, they have different types of threats," and successfully responding to cyberthreats requires specialized knowledge of the agency's IT architecture, he said.

"We need to make sure that people don't think, 'I can just pay somebody else to go do this for me,' " Proctor said.

It's likely that service centers will focus on different portions of the government, Bonina said. The intelligence community, with its heightened need for security, for example, would have its own service centers. The Defense Department would do the same, he added.

But in standardizing agency methodology for selecting security software, the task force proposal may be breaking down a divide that so far has existed only between national security and civilian agencies, said security expert Lynn McNulty, director of government affairs at the International Information Systems Security Certification Consortium.

The Computer Security Act of 1987 allows civilian agencies to purchase commercial software that hasn't gone through an extensive government evaluation process. The result is that civilian agencies often are able to purchase the most recent solutions available, and it's an advantage worth preserving, he said.

McNulty said he was surprised that identity management is not one of the areas slated for consolidation. With all the ongoing identity initiatives, including an executive order requiring federal workers and contractors to have secure identity cards, McNulty said, there should be savings through consolidation.

Resting on the shoulders of DHS

If a proposal to create cross-agency service centers for four areas of federal information technology security become a requirement of the fiscal 2007 budget, the Homeland Security Department would be responsible for its successful implementation, said John Sindelar, the project executive and General Services Administration deputy associate administrator for governmentwide policy.

DHS and the Office of Management and Budget lead the cybersecurity task force. Included in the now-circulating draft proposal is a governance structure for the line of business. Sitting at the top would be a multiagency oversight body and steering committee supervising the entire endeavor. The next layer down would be a project office to facilitate the initial operations, according to a cybersecurity line of business presentation.

Finally, individual service centers would provide security products and services used by federal agencies. Sindelar said several agencies have already expressed interest in becoming a service center.

— David Perera

About the Author

David Perera is a special contributor to Defense Systems.

The Fed 100

Save the date for 28th annual Federal 100 Awards Gala.


  • computer network

    How Einstein changes the way government does business

    The Department of Commerce is revising its confidentiality agreement for statistical data survey respondents to reflect the fact that the Department of Homeland Security could see some of that data if it is captured by the Einstein system.

  • Defense Secretary Jim Mattis. Army photo by Monica King. Jan. 26, 2017.

    Mattis mulls consolidation in IT, cyber

    In a Feb. 17 memo, Defense Secretary Jim Mattis told senior leadership to establish teams to look for duplication across the armed services in business operations, including in IT and cybersecurity.

  • Image from

    DHS vague on rules for election aid, say states

    State election officials had more questions than answers after a Department of Homeland Security presentation on the designation of election systems as critical U.S. infrastructure.

  • Org Chart Stock Art - Shutterstock

    How the hiring freeze targets millennials

    The government desperately needs younger talent to replace an aging workforce, and experts say that a freeze on hiring doesn't help.

  • Shutterstock image: healthcare digital interface.

    VA moves ahead with homegrown scheduling IT

    The Department of Veterans Affairs will test an internally developed scheduling module at primary care sites nationwide to see if it's ready to service the entire agency.

  • Shutterstock images (honglouwawa & 0beron): Bitcoin image overlay replaced with a dollar sign on a hardware circuit.

    MGT Act poised for a comeback

    After missing in the last Congress, drafters of a bill to encourage cloud adoption are looking for a new plan.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group