Cybersecurity standardization moves forward

OMB is exploring consolidation of agency cybersecurity functions as part of its strategy to reduce back-office expenses.

The Office of Management and Budget launched a task force on cybersecurity consolidation last week with the goal of increasing computer security and cutting costs.

Tim Young, OMB's associate administrator for e-government and information technology, said at a conference in Falls Church, Va., Tuesday that the consolidation effort has strong support among agencies. He said that the question of whether agencies can share common processes associated with information technology security is meant to spark a dialogue in the IT security community.

"We want to improve our security, but we want to spend fewer dollars," Young said at a conference sponsored by Reston, Va.-based IT consulting firm INPUT. "It's a good story if you're a taxpayer, but maybe not a good story if you're supporting these back-office functions."

The task force consists of two representatives from each Cabinet-level agency. An information and budget data request is due in April. Specific goals include identifying problems and solutions for cybersecurity risks, improving cybersecurity processes and reducing costs by eliminating duplication.

The task force will analyze various elements, including training activities, threat awareness, program management and the implementation of security products.

In September 2005, the task force will send agencies' business cases to OMB as part of the fiscal 2007 budget process. By December, OMB will have reviewed the business cases and will make resource decisions.

Agencies have struggled to improve the security of their information technology systems, even as surveys have shown cybersecurity to be a top priority for agencies' chief information officers. A score card from the House Government Reform Committee showed that across government, cybersecurity improved slightly, but agencies such as the Energy and Homeland Security departments failed dismally.

Cybersecurity experts have said that compliance with the 2002 Federal Information Security Management Act is an expensive and frustrating process for agencies, but the results are intended to provide significant benefits to computer security. Young said a reason for exploring cybersecurity standardization is the vastly different sums of money that agencies of similar size are spending on FISMA compliance.

Despite OMB's optimism that consolidating back-office functions such as payroll and human resources will improve services and reduce costs, Young said he does not know whether cybersecurity ever will be fully consolidated. "We'll see what the task force says," he said, suggesting that a hybrid approach might be the end result.

Young said the administration's fiscal 2006 budget request, in which the percentage of funds requested for back-office functions fell slightly from 32 percent to 31 percent and spending for mission areas increased slightly from 55 percent to 56 percent, shows a shift in priorities.

Young said the consolidations that started last year are seeing results, and that total spending on OMB's consolidation projects is projected to increase from $11 billion to $12.1 billion.

"Agencies are adopting the concept of shared services," Young said. "Are we outsourcing all of this? No, but in the long term? Not really, but there will be more opportunities for the private sector to offer solutions."