Agency Cyber Pros Welcome DHS’ Leadership If It’s Not One-Size-Fits-All

Under the White House’s new shared services policy, the Homeland Security Department has been chosen as the official lead agency for all cybersecurity acquisitions, programs and standards across government. Security leaders at federal agencies say they’re on board with this structure, so long as Homeland Security officials don’t try to force everyone into the same box.

Homeland Security was named as the Quality Services Management Office for cybersecurity, a new designation that puts the department at the center of all cybersecurity decisions governmentwide. As agencies improve their existing capabilities or stand up new ones, Homeland Security will have authority to set the standards by which those agencies operate.

“I actually appreciate the top-cover,” said Eric Rippetoe, chief information security officer for the Federal Energy Regulatory Commission. “A lot of these things that they’re telling us to do, I’ve been trying to do anyway.”

Rippetoe was one of a handful of federal cybersecurity officials at a roundtable discussion Wednesday ahead of the Thales Data Security Summit. Despite having the cover of Chatham House rules—wherein the information can be used but cannot be attributed to specific individuals—most participants were willing to share their thoughts on the record.

“I do have great support from our executive already” when it comes to implementing best practices communicated by Homeland Security today, Rippetoe said. “But translating those recommendations—they ask if it’s actually required and I’m like, ‘No, but it’s the best thing to do, though.’ So, I don’t mind the top-cover from DHS.”

But the department has stumbled before in its efforts to unify federal security operations, including in the early rollout of the Continuous Diagnostics and Mitigation, or CDM, program, which established a contract with a set of cybersecurity tools agencies could buy.

“A lot of agencies suffered because there was a lack of understanding by DHS of their cultures,” said Tarrazzia Martin, a government digital technology expert.

“I think what happened was there’s a translation issue but there was also a technical prowess issue,” she added, offering her own perspective and not that of her agency. “Many of the DHS technical experts … were at a different level of understanding and technical prowess than many of the civilian agencies were used to. So, there was a communication breakdown. It took a long time to even know how to spell CDM.”

Those issues have improved, according to a federal cybersecurity acquisition official who asked to remain anonymous.

“That’s probably the most important thing of a QSMO approach—or a shared services approach—is recognizing that there’s not a single template, there’s not a one-size-fits-all,” the official said. “DHS is not going to suddenly turn the [National Cybersecurity and Communications Integration Center] into the Federal [Computer Emergency Response Team]. It’s not going to happen that way. And they recognize that, as well.”

Martin said she hopes Homeland Security officials have learned that lesson.

“I think DHS has to consider that many of these agencies are infants in their understanding and take their time to make sure things actually happen as they’re supposed to and they don’t get left behind,” she said. “Don’t come in like a bulldozer but actually understand those cultures. It’s a very big deal for acceptance.”

While the new shared services policy only covers civilian agencies, defense agencies are all too familiar with what happens when organizations try to scale specific requirements.

“Being a government organization, how we acquire, how we get to singular solutions, those acquisition and other challenges at scale become really, wicked hard,” said Air Force Deputy Chief Information Officer Bill Marion, noting the service has almost 1 million endpoints on the unclassified network alone.

“There’s a certain level of standardization we want to drive. But be careful: The all-in model in the government never works,” he said. If they do take that tack, officials should expect the program to fail “not on the technical front, but all the secondary fronts on how you acquire and deliver it.”