The federal government is a sprawling entity, and not every agency has the resources of the Defense Department. Providing effective cybersecurity to all agencies — especially smaller, non-CFO Act agencies — will require investment in shared services for IT security.
That was a key takeaway from current and former government cybersecurity leaders who spoke on a panel earlier this week at the 2017 Symantec Government Symposium in Washington, D.C.
Grant Schneider, the acting federal CISO, said that smaller agencies often do not have the resources or personnel to effectively provide cybersecurity on their own, certainly not compared to a behemoth agency. “We’re never — certainly in government and also in industry — going to be able to get the workforce we need … to defend all of these different systems,” Schneider said. “Quite frankly, we just end up stealing each other’s employees.”
Both Schneider and Michael Daniel, former cybersecurity coordinator in the Obama administration and now the president of the Cyber Threat Alliance, said that shared services can help ensure that agencies without adequate funding or resources can still provide effective cybersecurity.
Use Shared Services to Address Cybersecurity
The Trump administration has been promoting shared services as a way to deliver IT in a more cost-effective manner. Shared services consolidate common government operations such as IT management, finance, human resources and other functions into centralized service providers.
The Trump administration’s draft report on IT modernization, which was released at the end of August, notes that the General Services Administration’s $50 billion Enterprise Infrastructure Solutions telecommunications contract is designed to “address all aspects of agency telecommunications and network infrastructure requirements while also leveraging the bulk purchasing power” of the government.
EIS, the report says, “can be leveraged to help address some of the unique challenges faced by small agencies, a community that typically lags behind the large agencies in terms of cybersecurity capabilities.”
Smaller and non-CFO Act agencies often struggle to attract and retain top information security personnel and lack the expertise to fully manage their IT security programs, which hurts the government’s ability to gain a full understanding of the risk to federal networks. “EIS can be leveraged to consolidate acquisition activities and other security services for small agency networks,” the report says.
Schneider said that a final version of the report that incorporates feedback from industry will be released soon. A key goal of the report and the administration’s efforts on IT modernization and shared services, Schneider said, is to not force smaller agencies to procure all of their IT and cybersecurity products and services.