OMB wants cybersecurity service consolidated

OMB wants to consolidate security training and other services, according to the draft of a plan being circulated.

Federal information technology security services are the latest cross-agency function slated for consolidation under the Office of Management and Budget’s lines of business initiative.

Agencies would begin migrating certain common IT security functions starting in fiscal 2007 under a business case drafted by the cybersecurity line of business task force, which OMB is circulating in draft form.

The four areas targeted for consolidation are:

* Security training.

* Federal Information Security Management Act reporting.

* Situational awareness and incident response.

* Agency selection of security products and lifecycle management.

“It is not the intention that the centers of excellence are going to take over the operation of agency security operations,” said George Bonina, chief information security officer at the Environmental Protection Agency. “The intent is not one size fits all,” he added, while speaking today at an Architecture Plus seminar.

Candidate agencies for service center status will not be able to apply to provide all four functions, Bonina said. Each area of security management should have three service centers, which would be federal agencies “in partnership with the private sector,” he said.

Each of the four areas would require different start dates for agency migration, which would be phased over time, Bonina said.

For example, starting in fiscal 2008, agencies would begin utilizing some situational awareness and incident response products such as forensics software. Next fiscal year, agencies would begin using cross-agency vulnerability and configuration management services.

It’s likely that different service centers will service different portions of the government, Bonina added. The intelligence community, for example, with its heightened need for security compared with civilian agencies, would have its own service centers. The Defense Department would do the same, he added.