OMB wants to know where the security money goes
The Office of Management and Budget is trying to get a clear idea of how agencies spend about $4.2 billion on IT security.
Through the Cybersecurity Line of Business consolidation effort, OMB officials have asked CIOs and agency budget officers to estimate how much money they spend on the five functions the initiative is trying to consolidate and/or develop standards for.
“OMB is trying to establish a baseline for how much money is being spent so we know how much money potentially could be saved,” said John Sindelar, project executive for the Lines of Business initiatives.
“Some agencies will be able to do this easily, and others will not. That is why we asked for estimates,” he said.
The functions up for consolidation or standardization:
- program management
- security considerations in the information systems lifecycle
- situational awareness and incident response capability
- training and knowledge sharing
- selection, evaluation and implementation of security hardware, software and services.
The request OMB sent to agencies earlier this month specifies the areas within the five functions agencies should submit data for.
In early analysis, agencies spent about $2 billion on common security processes, said Glenn Schlarman, OMB’s chief of the Information Policy Branch in the Office of Information and Regulatory Affairs.
In the fiscal 2006 budget request President Bush sent to Congress in February, OMB said that, among civilian agencies, the Health and Human Services, Homeland Security, Justice and Veterans Affairs departments will together spend more than $188 million on cybersecurity this year. The 2006 request for security funding will increase by more than 7 percent, OMB said.
The administration sees all this security spending as an area for potential savings if agencies share common services or standardize around common processes, which is the goal of the Cybersecurity LOB.
OMB and DHS, the managing partners for the LOB initiative, held an industry day in Washington last week to detail the program’s goals and provide vendors a chance to ask questions about the request for information released earlier this month.
“We are not looking for vendors to sell us something, but want their successes and failures when standardizing certain IT security functions,” Sindelar said at the event.
Sindelar emphasized that the project managers do not want vendor brochures or marketing literature—something that was all too common with the human resources and financial management LOBs.
“We need to look at what has worked, not research and development or innovations,” said Margie Gilbert, a National Security Agency official on the task force. “We also want to look at what is going on across government and see what can be shared.”
The Cybersecurity LOB task force will submit recommendations to OMB by Sept. 1, in time for the fiscal 2007 budget request.
OMB’s ambitious schedule calls for preparation by May 24 of a draft of common solutions and a concept of operations for implementing the solutions, with a final version completed by June 3. The task force would deliver the final joint business cases to OMB by Sept. 1.
Connect with the GCN staff on Twitter @GCNtech.