Measure in-house abilities against requirements
- By Jason Miller
- Jan 22, 2003
With all the worries about a pending work force shortage and the talk about agencies sticking to their missions, security remains the one IT service federal managers have yet to relinquish to the private sector.
Most agencies have outsourced at least pieces of their security operation, but government employees still retain a majority of the control. Nevertheless, agencies slowly are turning their trust toward the private sector because of the complexity of the security services needed.
John C. Johnson, assistant commissioner for the General Services Administration's Federal Technology Service Office of Service Development, said GSA's research shows agencies need assistance to meet their security needs. So Johnson is leading an effort to add four levels of security offerings to the FTS 2001 and Metropolitan Area Acquisitions governmentwide contracts.
'We are attempting to develop a commercial solution with wider applicability,' Johnson said. 'It gives us the ability to infuse security improvements in short order and allows the customer to buy security as a part of a package of solutions. We want to enhance IT services with security technologies appropriate for all mission sensitivity and locality.'
The four tiers of security are standard, protected, high assurance and network high. Each is slightly higher and more secure depending on an agency's need, Johnson said.
Moving on up
GSA isn't limiting its efforts to network security. Johnson said the agency also is working to add security features to governmentwide acquisitions contracts for comanaged network services, IT integration, wireless, security testing and evaluation, and policy development.
'In general, many agencies do not have the skill set needed to define and implement their security needs,' he said. 'We are identifying requirements and seeing if industry can meet them.'
Dennis McCallam, a technical fellow with Northrop Grumman Information Technology of Herndon, Va., also said the contracting of services is going to a managed-services approach, which includes assessing and certifying systems, fixing vulnerabilities and protecting networks.
Northrop is providing these services to the Army, Marine Corps and other agencies, McCallam said.
'We've gotten to the point where we have to integrate our cyberdefense with our physical security defenses,' he said. 'We must be able to fuse data across a number of security components.'
McCallam, who also was the co-chairman of an information assurance study by the Government Electronics and Information Technology Association, said the shortage of skilled security people is forcing agencies to outsource security services more often.
Alan Chvotkin, senior vice president for the Professional Services Council, an industry association, said agencies need to understand their risk tolerance.
'This creates some real challenges from an architecture and application and integration standpoint,' he said.
He said the Navy-Marine Corps Intranet project is a good example of a program that mitigates its security risks because the network is being built in modules.