Private-sector shared-services providers must be FISMA-compliant
- By Jason Miller
- Dec 01, 2006
Karen Evans has a message for industry about being a shared-services provider to the government for human resources or financial management services: She doesn't care what you call yourself (center of excellence or shared-services provider or whatever), but don't bother jumping into the scrum if you don't comply with the Federal Information Security Management Act.
While it is obvious that agencies have to comply with the computer security mandate, Evans, the Office of Management and Budget's administrator for e-government and IT, said there have been a lot of questions about exactly what being FISMA compliant means.
"Vendors' shared-services providers need to have their systems certified and accredited under the FISMA guidelines," said Evans after speaking at an event on the Financial Management Line of Business in Washington sponsored by IBM Corp. and SAP of America Inc. of Newtown Square, Pa. "Agencies and their inspector[s] general need to check to make sure contractors have met FISMA."
But, she added, it is incumbent on agency officials to ask vendors for the documentation that proves FISMA compliance. Evans said the documentation also will show how much "residual risk" the systems have.
Evans said the foundation for the lines of business has been laid, and now it is a matter of moving to them. She said that while the focus has been on larger departments, the smaller agencies have benefited most from the shared-services provider concept.
"The service centers help small agencies accelerate ... [their] compliance with financial-management requirements," Evans said.
Evans also pointed to the Interior Department's recent launch of its new financial management system as a good example of a public-private partnership. Interior partnered with IBM to implement its Financial Business Modernization System at two bureaus last month.
"I was there when it came up live, and it was a noneventful event, which is what we like," she said. "We got to see the policies operationalized, and that was exciting."