IT security task force sets deadlines
- By William Jackson
- Apr 01, 2005
An interagency task force charged with identifying federal IT security functions that could be provided centrally has set an ambitious timeline for completing its work.
The Office of Management and Budget established the task force last month. It will apply the Business Reference Model, a function-focused method of describing business operations, to cybersecurity. The process can identify centers of excellence, either government or commercial, for providing common services across agencies.
The task force kicked off the six-month study March 23. It identified five activities as candidates for inclusion in the security line of business and set a schedule for agencies to develop business cases for how those activities should be carried out. Budget data requests will go out to agencies this month, along with a request for information on security practices and services to agencies and companies.
Business cases will be submitted to OMB by September, and used by OMB in making its budget review and resource decisions for the fiscal 2007 budget cycle.
Activities that could be offered by centers of excellence include:
- Training and knowledge sharing
- Threat awareness and incident response
- Program management
- Security lifecycle management
- Selection, evaluation and implementation of security products.
The budget data request and RFI are expected in the first week of April, and meetings with agencies and industry are to be held late this month. A draft of common solutions for improving security management and a concept of operations for implementing the solutions would be prepared by May 24, with a final version completed by June 3. The final joint business cases would be delivered to OMB by Sept. 1.
IT security has not been among the lines of business identified under the Business Reference Model and has remained tied to individual agency activities.
"But you know everybody is doing it," said Karen Evans, OMB administrator for e-government and IT. "It has to be addressed in everything that is done, so we are going to apply the methodology to cybersecurity."
Each agency has its own security needs and acceptable risk profiles, and the study might not support the use of common providers for IT security, Evans said. But she said there is enough common need that she doubts there is a good business case for 26 executive branch departments and agencies each going its own way for security.
William Jackson is a Maryland-based freelance writer.