[ISN] Security LOB wakes up from hibernation

From: InfoSec News (alerts@private)
Date: Tue Aug 15 2006 - 01:39:19 PDT


By Jason Miller
GCN Staff
08/14/06 issue

Of the $5.5 billion agencies plan to spend on IT security this year,
25 percent - almost $1.4 billion - is slated for training and reporting.

But by standardizing how agencies conduct training and reporting,
Office of Management and Budget officials believe a good chunk of that
money could be reprogrammed for other mission-critical systems.

To get agencies to move money around, OMB and the Homeland Security
Department are giving agencies until Dec. 15 to decide how they will
standardize those processes through a shared-services center under the
Security Line of Business initiative.

The program, which aims to standardize security awareness training and
Federal Information Security Management Act reporting, will set up
shared-services providers by October and require agencies to commit to
one of them by mid-December.

"Agencies will begin migrating to shared-services centers ... in April
2007," said a DHS official involved with the line of business, who
requested anonymity.

Six agencies - the departments of Homeland Security and Justice,
Treasury's Bureau of Public Debt, the Agency for International
Development, the Environmental Protection Agency and the Office of
Personnel Management - submitted business cases last September to
become shared-services centers.

Statement of capability

"For the fiscal 2008 budget, the Information Systems Security LOB will
request interested agencies to submit the statement of capability in
lieu of the Exhibit 300 business case," the DHS official said.  
"Agencies that did not previously submit a proposal to become a
shared-services center, but would now like to be considered as an ISS
LOB provider, have the opportunity to complete the statement of
capability template."

While the broad goal for the security LOB is similar to the financial
and human resources management LOBs, officials don't envision agencies
giving up control of their security training or reporting functions.

"It is not where we will consolidate around a center of excellence,
but [rather] some standards and low-cost options for agencies to adopt
over time," said John Sindelar, acting associate administrator in the
General Services Administration's Office of Governmentwide Policy and
program executive for the LOB initiatives.

OMB kicked off the Security Line of Business in February 2005 with the
fiscal 2006 budget submission. An interagency task force came up with
four areas - training, FISMA reporting, situation awareness and
lifecycle management - that agencies could standardize on and save
money. After further discussions, OMB and DHS decided that FISMA
reporting and training could be done immediately, while the task force
needed to do more research on the other two.

But then the task force disbanded and the LOB went dormant for much of
this year. Over the last month, OMB and DHS have reinvigorated the
security LOB by hiring a contractor, CapGemini of New York, which
subcontracted to SiloSmashers Inc. of Fairfax, Va., to provide program
management support, and by establishing a timeline for agencies to
standardize the two processes.

Bruce Higgins, SiloSmashers' senior vice president for business
development, said the contract was awarded through a blanket
purchasing agreement and would be for one base year with four one-year

SiloSmashers will provide support services to the program management
office, which includes assisting with the development of the business
case, the capital planning and investment control process, and helping
with risk management issues, Higgins said.

DHS established a program management office in June and an
implementation workgroup in July. The working group includes security
and privacy experts from 11 agencies and the small agency CIO Council,
including the National Security Agency, the Director of National
Intelligence, the Defense Department and the National Institute of
Standards and Technology.

"The implementation workgroup is in the process of completing a
statement of capability template for FISMA reporting and security
awareness training," the DHS official said. "The SOC is the document
that agencies will complete to describe the type of products or
services that would be offered by their shared-services center. The
implementation workgroup will also assist in developing scoring
criteria for agency proposals."

The program management office also will establish working groups to
further define situational awareness and lifecycle management, the
official said.

"These two areas are presently scheduled for implementation in fiscal
2008," the official said. "Additional information on situational
awareness and incident response, as well as evaluating and selecting
security products and services, will be available early next year."
