Shared services and the future of CISA

CISA chief Chris Krebs disusses the future of the agency at Auburn University Aug. 22 2019 

CISA chief Chris Krebs said in an Aug. 22 speech that many federal agencies will be outsourcing cyber to a shared service provider in the future.

The current model of how federal civilian agencies manage cybersecurity risk will change dramatically in the next five years, with some agencies embracing shared services, said Chris Krebs, director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency.

The current model, which tasks all federal agencies with taking care of their own cybersecurity risks, is "unsustainable," said Krebs in a presentation at Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security on Aug. 22.

"At the end of the day, [federal civilian] agencies are responsible for managing their risk. I'm putting them in a position to manage their risk" with tools such as Continuous Diagnostics and Mitigation, said Krebs.

"We're risk advisors" to federal agencies on cybersecurity, he said. "My view is that that is not a defensible position in the long term. We're working with Congress, with the Office of Management and Budget to help figure out what is a better posture and solution for federal civilian network protection."

In five years, he said there may be a completely different architecture for that protection across the 99 federal civilian agencies CISA is responsible for advising.

Some agencies, he said, may hand off those cybersecurity duties to another agency to perform for them. The agency they turn to for those services, he said, could be CISA, or another agency through a quality shared-service offering.

The OMB guidance issued in April tapped DHS and three other agencies to take the lead in developing shared services as part of a Quality Service Management Office (QSMO).

Larger agencies "might figure out they can do it themselves," he said. "Whether we do it, or someone else does, it's got to change."

Under an April 26 memo from the acting OMB Director Russell Vought, DHS is responsible for taking the lead on developing cybersecurity shared services. In the same memo, OMB also identified financial management, grants management and human resources as shared services targets.

Treasury is taking over financial management, Health and Human Services gets grants management, the General Services Administration gets human resources. Each QSMO will have to submit a five-year plan for managing that shared service.


About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at or follow him on Twitter at @MRockwell4.


  • Defense
    The U.S. Army Corps of Engineers and the National Geospatial-Intelligence Agency (NGA) reveal concept renderings for the Next NGA West (N2W) campus from the design-build team McCarthy HITT winning proposal. The entirety of the campus is anticipated to be operational in 2025.

    How NGA is tackling interoperability challenges

    Mark Munsell, the National Geospatial-Intelligence Agency’s CTO, talks about talent shortages and how the agency is working to get more unclassified data.

  • Veterans Affairs
    Veterans Affairs CIO Jim Gfrerer speaks at an Oct. 10 FCW event (Photo credit: Troy K. Schneider)

    VA's pivot to agile

    With 10 months on the job, Veterans Affairs CIO Jim Gfrerer is pushing his organization toward a culture of constant delivery.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.