OMB created a task force earlier this year to examine areas of potential standardization and consolidation of agencies' cybersecurity efforts. The task force recommended the creation of multi-agency service centers for four areas starting in fiscal 2007: cybersecurity training for agency employees; Federal Information Security Management Act reporting; situational awareness and incident response; and agency selection and management of security software.
Under the approach, agencies would completely transfer by 2012 work in those four areas to third-party service centers, which could be other agencies or private-sector companies. This would ensure a higher level of overall government security while saving money, proponents say.
"Some security simply is a commodity," said Glenn Schlarman, OMB's branch chief for information policy and technology, speaking Monday at the Executive Leadership Conference. Transferring some functions outside would in no way decrease individual agency responsibility, Schlarmann added. "It's the same thing as if you had XYZ Corporation running a managed security service for you. The responsibility and accountability remains on your shoulders."
The Executive Leadership Conference is presented by the American Council for Technology and the Industry Advisory Council. Government Executive is a co-sponsor of the event.
Congressional appropriators recently have insisted on greater oversight of OMB's move to consolidate information technology functions within service centers. Heads of appropriations subcommittees say OMB is attempting to circumvent their authority by requiring agencies to divert appropriated dollars to other agencies outside the subcommittees' purview.
"We may run into that problem, yes," said John Sindelar, the General Services Administration's deputy associate administrator for governmentwide policy.
Two issues in particular could emerge as sticking points. OMB officials have said that an agency volunteering to act as a multi-agency service center would likely have to bear the transition costs of customer agencies unhappy with their service. But if service center agencies dip into their own appropriated dollars to pay for unhappy customers in other agencies to get service elsewhere, they run the risk of upsetting members of Congress.
Another option is to build transition costs into the fees charged for providing service. But that could result in satisfied customer agencies subsidizing the transition costs of unhappy customers.
Those issues all are "part of creating a shared service environment," Sindelar said. "You can't get around it."
Proponents of the shared service approach say Congress should measure by how well the plan provides service and lowers the overall costs of IT functions. Continuing to allow agencies to have individual IT infrastructures "given what technology can provide today, is not the right [way] to get us to save taxpayer dollars," Sindelar said.