Security LOB wakes up from hibernation

Of the $5.5 billion agencies plan to spend on IT security this year, 25 percent—almost $1.4 billion—is slated for training and reporting.But by standardizing how agencies conduct training and reporting, Office of Management and Budget officials believe a good chunk of that money could be reprogrammed for other mission-critical systems.To get agencies to move money around, OMB and the Homeland Security Department are giving agencies until Dec. 15 to decide how they will standardize those processes through a shared-services center under the Security Line of Business initiative.The program, which aims to standardize security awareness training and Federal Information Security Management Act reporting, will set up shared-services providers by October and require agencies to commit to one of them by mid-December.“Agencies will begin migrating to shared-services centers ... in April 2007,” said a DHS official involved with the line of business, who requested anonymity.Six agencies—the departments of Homeland Security and Justice, Treasury’s Bureau of Public Debt, the Agency for International Development, the Environment Protection Agency and the Office of Personnel Management—submitted business cases last September to become shared-services centers.“For the fiscal 2008 budget, the Information Systems Security LOB will request interested agencies to submit the statement of capability in lieu of the Exhibit 300 business case,” the DHS official said. “Agencies that did not previously submit a proposal to become a shared-services center, but would now like to be considered as an ISS LOB provider, have the opportunity to complete the statement of capability template.”While the broad goal for the security LOB is similar to the financial and human resources management LOBs, officials don’t envision agencies giving up control of their security training or reporting functions.“It is not where we will consolidate around a center of excellence, but [rather] some standards and low-cost options for agencies to adopt over time,” said John Sindelar, acting associate administrator in the General Services Administration’s Office of Governmentwide Policy and program executive for the LOB initiatives.OMB kicked off the Security Line of Business in February 2005 with the fiscal 2006 budget submission. An interagency task force came up with four areas—training, FISMA reporting, situation awareness and lifecycle management—that agencies could standardize on and save money. After further discussions, OMB and DHS decided that FISMA reporting and training could be done immediately, while the task force needed to do more research on the other two.But then the task force disbanded and the LOB went dormant for much of this year. Over the last month, OMB and DHS have reinvigorated the security LOB by hiring a contractor, CapGemin of New York, which subcontracted to SiloSmashers Inc. of Fairfax, Va., to provide program management support, and by establishing a timeline for agencies to standardize the two processes.Bruce Higgins, SiloSmashers’ senior vice president for business development, said the contract was awarded through a blanket purchasing agreement and would be for one base year with four one-year options.SiloSmashers will provide support services to the program management office, which includes assisting with the development of the business case, the capital planning and investment control process, and helping with risk management issues, Higgins said.DHS established a program management office in June and an implementation workgroup in July. The working group includes security and privacy experts from 11 agencies and the small agency CIO Council, including the National Security Agency, the Director of National Intelligence, the Defense Department and the National Institute of Standards and Technology.“The implementation workgroup is in the process of completing a statement of capability template for FISMA reporting and security awareness training,” the DHS official said. “The SOC is the document that agencies will complete to describe the type of products or services that would be offered by their shared-services center.The implementation workgroup will also assist in developing scoring criteria for agency proposals.”The program management office also will establish working groups to further define situational awareness and lifecycle management, the official said.“These two areas are presently scheduled for implementation in fiscal 2008,” the official said. “Additional information on situational awareness and incident response, as well as evaluating and selecting security products and services, will be available early next year.”