OMB looks at shared-service plan for IT security functions

The Office of Management and Budget has lifted the veil on the next set of standardized functions that shared-service providers will supply across government.By spring 2007, an OMB-led task force will choose three centers of excellence in two functional areas under the IT Security Line of Business Consolidation effort. Two other functional areas are on tap to be moved to shared-service providers by 2009.OMB is focusing on agency IT se- curity requests, hoping to standardize processes and reduce duplicative spending that adds up to more than 30 percent of the $4.5 billion agencies spend on IT security.The IT security Line of Business task force submitted its business case to OMB in September. Once approved, it would be included in the 2007 budget proposal.The plan established requirements on agency shared-service providers—and, presumably, private-sector providers as well—for training, Federal Information Security Management Act reporting, situational awareness and incident response and product evaluation. The task force followed the same concept OMB is using for the financial management and human resources LOBs.“These are four areas of weaknesses across most agencies, but these also are areas where some agencies are doing it right,” John Sindelar, OMB’s project executive for the LOB initiatives, said at the Executive Leadership Conference sponsored by the Industry Advisory Council and American Council for Technology in Hershey, Pa.“This is very complex and we are doing it incrementally, and we don’t want to do more than we can at this time,” Sindelar said.The four functional areas account for about $1.4 billion in IT security spending each year, said Glenn Schlarman, chief of OMB’s information policy and technology branch.“We picked discrete areas that are the same for everyone or are a commodity,” said Schlarman. “We are introducing a service organization to take the burden off of the agency. Each system owner still would have to do their part to feed the information to the center of excellence.”When agencies submitted IT business cases with their budget re- quests in September, they could have proposed to become a center of excellence. Agencies not proposing to become centers of excellence in a given area had to include plans for transitioning those functions to a designated center when the centers open for business.The requirement for using the services of a center of excellence probably will be phased in over a two- or three-year period to allow for existing contract obligations and other commitments of agencies.And the centers of excellence will not replace existing IT security programs and resources, such as the U.S-Computer Emergency Readiness Team. It is expected that agencies applying to be centers of excellence would contract with private- sector partners to help provide a full range of tools and services.“The centers of excellence are a necessary part of the governmentwide approach to security,” said George Bonina, the Environmental Protection Agency’s chief information security officer and a member of the IT Security LOB task force. “With the National Institute of Standards and Technology framework, this helps us provide a standard approach to get better security at a reasonable cost.”Schlarman said the centers of ex- cellence also will help agencies reach OMB’s goal of certifying and accrediting 90 percent of systems.After three years of trying to reach the high-water mark, agencies still have not topped 85 percent, Schlarman said.“Maybe we collected all the low-hanging fruit,” Schlarman said. “To get to the next level, we have to improve the quality of our reporting and that is what the Line of Business will do. It will improve everyone’s performance because the baseline will be applied consistently across government.” n