Security officials get a case of nerves about LOB

Reprogramming existing training money is not an easy option for many agencies

OMB looks at shared-service plan for IT security functions

Some chief information security officers have grown concerned that the federal government’s Security Line of Business has lost its focus. CISOs say they support the initiative but are concerned they are being asked to spend more and get less.

Agencies have until April 30 to select shared-services providers for standard security training and reporting services. As that deadline approaches, several senior information technology security managers say they support the initiative’s goal, but they are uncertain how they will pay for the services.

“We are required to pick a shared-service center and that is all well and good, but there is a huge disparity in how we fund training programs,” said Dan Pitton, the National Highway Traffic Safety Administration’s CISO. “The idea to take the current money doesn’t work. Most agencies don’t have a pool for training.”

Pitton and others are also concerned about switching to a new compliance reporting system for Federal Information Security Management Act reporting. Many agencies have paid for their current FISMA reporting systems, and now the Office of Management and Budget expects them to switch to shared-services providers at their own expense, Pitton said.

Other CISOs have similar concerns. “Many large agencies are saying we have investments and don’t want to move to a new system,” said Bill Hunteman, the Energy Department’s CISO. “The Security LOB’s fundamental problem is it is too prescriptive.”

CSIOs said officials at OMB and the Homeland Security Department, which is the managing partner for the Security LOB, are listening to their concerns. DHS recently issued guidance to help agencies in choosing shared-services providers. The guidance included information about how to apply to OMB for a waiver from the requirement.

“This is a great opportunity for the federal government,” said Dennis Heretick, the Justice Department’s CISO, referring to the governmentwide consolidation of security requirements in the Security LOB. “This will give us a way to organize information and a way to prioritize requirements that are critical to our mission. This gives us a structured way to share best practices as well.”

Justice and the Environmental Protection Agency are providing FISMA reporting services under the Security LOB program.

But some agencies say they are not ready to look outward to satisfy that and other FISMA requirements.

“The Security LOB is not fully baked yet and still mushy in the middle,” said one CISO, who requested anonymity. “When the Security LOB first started, training and reporting were fairly immature among agencies, but now they have matured and some shared-service providers are offering less than what we are doing.”

Pitton said the shared-services providers are going beyond their limited mandate for reporting FISMA statistics. He added that the providers will force agencies to change their certification and accreditation processes, in addition to how they report their inventory of systems and accomplish their plans of actions and milestones to mitigate security risks.

Pitton added that one way to solve the funding issue would be to require agencies to specify their security investments in their budgets. Security and training are built into the overall cost of a project, and separating them out is not easy, he said.

But a government official with knowledge of the LOB and who requested anonymity said the task is not that difficult. Agencies frequently must figure out how much money they spend on certain functions, and they also have experience developing interagency agreements to pay for various initiatives, the official said.
Agencies have security LOB deadlinesThe Office of Management and Budget has named five shared-services providers to offer security training and reporting services for the federal government’s Security Line of Business. OMB also set security deadlines for agencies to meet. The deadlines and goals they must adhere to include:

April 30
Choose shared-services providers for security training and reporting. Each agency must also name someone to coordinate activities with the shared-services provider.

June 29
Complete interagency and service-level agreements for security reporting required by the Federal Information Security Management Act.

Sept. 30, 2008
Complete the transition to shared-services providers — one for security training and another for FISMA reporting.
— Jason Miller

The Fed 100

Save the date for 28th annual Federal 100 Awards Gala.

Featured

  • computer network

    How Einstein changes the way government does business

    The Department of Commerce is revising its confidentiality agreement for statistical data survey respondents to reflect the fact that the Department of Homeland Security could see some of that data if it is captured by the Einstein system.

  • Defense Secretary Jim Mattis. Army photo by Monica King. Jan. 26, 2017.

    Mattis mulls consolidation in IT, cyber

    In a Feb. 17 memo, Defense Secretary Jim Mattis told senior leadership to establish teams to look for duplication across the armed services in business operations, including in IT and cybersecurity.

  • Image from Shutterstock.com

    DHS vague on rules for election aid, say states

    State election officials had more questions than answers after a Department of Homeland Security presentation on the designation of election systems as critical U.S. infrastructure.

  • Org Chart Stock Art - Shutterstock

    How the hiring freeze targets millennials

    The government desperately needs younger talent to replace an aging workforce, and experts say that a freeze on hiring doesn't help.

  • Shutterstock image: healthcare digital interface.

    VA moves ahead with homegrown scheduling IT

    The Department of Veterans Affairs will test an internally developed scheduling module at primary care sites nationwide to see if it's ready to service the entire agency.

  • Shutterstock images (honglouwawa & 0beron): Bitcoin image overlay replaced with a dollar sign on a hardware circuit.

    MGT Act poised for a comeback

    After missing in the last Congress, drafters of a bill to encourage cloud adoption are looking for a new plan.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group