Some chief information security officers have grown concerned that the federal government’s Security Line of Business has lost its focus. CISOs say they support the initiative but are concerned they are being asked to spend more and get less.
Agencies have until April 30 to select shared-services providers for standard security training and reporting services. As that deadline approaches, several senior information technology security managers say they support the initiative’s goal, but they are uncertain how they will pay for the services.
“We are required to pick a shared-service center and that is all well and good, but there is a huge disparity in how we fund training programs,” said Dan Pitton, the National Highway Traffic Safety Administration’s CISO. “The idea to take the current money doesn’t work. Most agencies don’t have a pool for training.”
Pitton and others are also concerned about switching to a new compliance reporting system for Federal Information Security Management Act reporting. Many agencies have paid for their current FISMA reporting systems, and now the Office of Management and Budget expects them to switch to shared-services providers at their own expense, Pitton said.
Other CISOs have similar concerns. “Many large agencies are saying we have investments and don’t want to move to a new system,” said Bill Hunteman, the Energy Department’s CISO. “The Security LOB’s fundamental problem is it is too prescriptive.”
CSIOs said officials at OMB and the Homeland Security Department, which is the managing partner for the Security LOB, are listening to their concerns. DHS recently issued guidance to help agencies in choosing shared-services providers. The guidance included information about how to apply to OMB for a waiver from the requirement.
“This is a great opportunity for the federal government,” said Dennis Heretick, the Justice Department’s CISO, referring to the governmentwide consolidation of security requirements in the Security LOB. “This will give us a way to organize information and a way to prioritize requirements that are critical to our mission. This gives us a structured way to share best practices as well.”
Justice and the Environmental Protection Agency are providing FISMA reporting services under the Security LOB program.
But some agencies say they are not ready to look outward to satisfy that and other FISMA requirements.
“The Security LOB is not fully baked yet and still mushy in the middle,” said one CISO, who requested anonymity. “When the Security LOB first started, training and reporting were fairly immature among agencies, but now they have matured and some shared-service providers are offering less than what we are doing.”
Pitton said the shared-services providers are going beyond their limited mandate for reporting FISMA statistics. He added that the providers will force agencies to change their certification and accreditation processes, in addition to how they report their inventory of systems and accomplish their plans of actions and milestones to mitigate security risks.
Pitton added that one way to solve the funding issue would be to require agencies to specify their security investments in their budgets. Security and training are built into the overall cost of a project, and separating them out is not easy, he said.
But a government official with knowledge of the LOB and who requested anonymity said the task is not that difficult. Agencies frequently must figure out how much money they spend on certain functions, and they also have experience developing interagency agreements to pay for various initiatives, the official said.
