White House probes centralized cyber capabilities

The White House is working on a plan to create a centralized cybersecurity model for agencies that could guide federal cybersecurity efforts for the next four to eight years.

Trevor Rudolph, chief of Office of Management and Budget's Cyber and National Security Unit, said the White House is developing a shared capabilities model that agencies might use to leverage common capabilities such as the Department of Homeland Security's Einstein and Continuous Diagnostics and Mitigation (CDM) services.

In remarks at the Information Security and Privacy Advisory Board on Oct. 27 about transition plans for the Cybersecurity National Action Plan, Rudolph said his office has been involved in "an ongoing discussion with DHS and [the General Services Administration]" about the idea.

The plan, Rudolph said, would serve the next administration's IT governance of IT and cybersecurity. Coordination is also taking place with the National Institute of Standards and Technology. A fact sheet on the project is due out soon, Rudolph said.

"We're working rapidly to put together options" and guidance on how to govern such a model, as well as working on a potential legislative framework to support a wider shared capabilities model that could be used by the next administration, he said.

The wider plan, Rudolph added, could be used in the "next four to eight years."

"It's an outgrowth of CNAP," he said, referring to the Obama administration's $19 billion Cybersercurity National Action Plan that was included in the FY2017 budget submission. "The idea is not original. It goes back to [former federal CIO] Vivek Kundra," who floated an idea of an "independent agency to provide IT capabilities," he said in remarks to reporters after his ISPAB presentation.

In a federated environment, Rudolph said, "centralized IT solutions can solve a lot of legacy IT problems."

"DHS has done a phenomenal job" in getting agencies to sign on to CDM and Einstein, he added. "They have to go around and to get permission slips from agencies to provide free tools and services."

Rudolph said the White House is still working out the details of how the model could work. "I'd shy away from calling it shared services," he said in response to a question from FCW.

At a previous ISPAB meeting in June, Rudolph said shared services were one of a few critical cybersecurity efforts the White House is banking on, along with a planned IT modernization fund and DHS-based cyber defense teams.