Shared services and the future of CISA
- By Mark Rockwell
- Aug 22, 2019
CISA chief Chris Krebs said in an Aug. 22 speech that many federal agencies will be outsourcing cyber to a shared service provider in the future.
The current model of how federal civilian agencies manage cybersecurity risk will change dramatically in the next five years, with some agencies embracing shared services, said Chris Krebs, director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency.
The current model, which tasks all federal agencies with taking care of their own cybersecurity risks, is "unsustainable," said Krebs in a presentation at Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security on Aug. 22.
"At the end of the day, [federal civilian] agencies are responsible for managing their risk. I'm putting them in a position to manage their risk" with tools such as Continuous Diagnostics and Mitigation, said Krebs.
"We're risk advisors" to federal agencies on cybersecurity, he said. "My view is that that is not a defensible position in the long term. We're working with Congress, with the Office of Management and Budget to help figure out what is a better posture and solution for federal civilian network protection."
In five years, he said, there may be a completely different architecture for that protection across the 99 federal civilian agencies CISA is responsible for advising.
Some agencies, he said, may hand off those cybersecurity duties to another agency to perform for them. The agency they turn to for those services, he said, could be CISA, or another agency through a quality shared-service offering.
The OMB guidance issued in April tapped DHS and three other agencies to take the lead in developing shared services as part of a Quality Service Management Office (QSMO).
Larger agencies "might figure out they can do it themselves," he said. "Whether we do it, or someone else does, it's got to change."
Under an April 26 memo from the acting OMB Director Russell Vought, DHS is responsible for taking the lead on developing cybersecurity shared services. In the same memo, OMB also identified financial management, grants management and human resources as shared services targets.
Treasury is taking over financial management, Health and Human Services gets grants management, and the General Services Administration gets human resources. Each QSMO will have to submit a five-year plan for managing that shared service.
Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.