OMB to study consolidation of IT security functions
The Office of Management and Budget expects this month to launch a six-month study of whether some federal IT security functions could be provided centrally by agencies or commercial vendors.
Karen Evans, OMB administrator for e-government and IT, said Tuesday at the GCN Cybersecurity Conference in Washington that a task force would complete its work by September so that guidance would be available to agencies for the fiscal 2007 budget cycle. “We’re on a fast timeline,” Evans said.
The study will apply the Business Reference Model, a function-focused method for describing business operations, to cybersecurity.
The BRM is a part of the federal enterprise architecture, intended to transcend stovepiped agency-oriented frameworks for performing common business functions. It identifies 39 lines of business common to agencies, grouped in four broad business areas: service to citizens, mode of delivery of these services, delivery of services to support federal operations and management of government resources.
The BRM can be used to identify centers of excellence—either government or commercial—for providing these common services. When centers of excellence are identified, agencies that are not among the providers must move to a recognized provider at some significant point in the service lifecycle.
Missing from the lines of business identified in the BRM is cybersecurity, which has remained tied to individual agency activities, Evans said.
“But you know everybody is doing it,” she said of cybersecurity. “It has to be addressed in everything that is done. So we are going to apply the methodology to cybersecurity.”
Each agency has its own security needs and acceptable risk profiles, and the study might not support the use of common providers for IT security, according to Evans. But she said there is enough common need that she doubts there is a good business case for 26 executive branch departments and agencies each going its own way for security.
The study is part of a broader move by OMB toward focusing on the outcome of IT security management. The Federal Information Security Management Act calls for IT security to be incorporated into agency business plans and requires IT systems to be certified and accredited.
Only 77 percent of systems were certified and accredited as of fiscal 2004, but business plans now are in place, and Evans said her office now wants to see agency IT portfolios performing.
“For the first three years we focused on planning,” she said. “Now we need to measure real outcomes.”