Nearly a year to the date of launching its new approach to shared services, the Office of Management and Budget moved the first offering from interim to permanent.
This decision means this new approach to shared services also can finally move from theory to practice.
Suzette Kent, the federal chief information officer, said the designation of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency as a cybersecurity shared service center is an important milestone for the government for many reasons.
“What the formal designation recognizes is it’s a statement internally and externally with our vendors that DHS is managing the marketplace for those specific new security services that were outlined. It formalizes their role to ensure that the products and services that we use across the entire federal government in this space not only meet standards, but they are part of a customer-centric dialogue,” Kent said during an interview on Ask the CIO. “So it’s important for both clarity and pace. We expect we will be able to bring new services to the marketplace faster and have more visibility to meeting standards.”
Future services may include network defense, incident management, threat intelligence, cyber supply chain risk management and several others.
In April 2019, OMB designated DHS as an interim shared service provider under its revamped strategy that focused more on standards and inclusion, and less on creating public or private sector service providers. The eventual decision to offer SOC standards comes from the 2018 report OMB did on governmentwide risk management that found
Over the last year, DHS created a five-year strategic plan, which described the services and standards it would oversee, and set up its office.
CISA received a huge boost in the fiscal 2020 budget when Congress allocated $25 million for the shared services center.
The Senate, which initially appropriated $26 million, said the money was to “set up the office and looking at couple of services and defining what those standards are and how they will be delivered.”
Giving agencies more flexibility
Kent said the difference with the QSMO approach is agencies are no longer buying a single solution, but multiple ones that satisfy the requirements laid out by DHS.
“That solution set may be smaller when we start and may broaden as we learn,” she said. “In conversations with DHS and with agencies, what’s interesting is they want to buy differently. In some cases, it may be a software product, while in other cases it may be a software and other services that are linked with it. The model under the QSMO has much more flexibility than some of the things we are currently offering today.”
At the same time, agencies who want to improve their security operations centers or address vulnerability management standards must start with DHS or explain to OMB why they can’t.
Kent said that, at the same time, it doesn’t mean agencies have to choose a specific solution offered through the shared services center, but it gives DHS and OMB visibility into what’s being selected and ensures that the tools or services are meeting the standards.
Through the QSMO, agencies may eventually have access to federal or private sector shared services, or just implement specific tools that meet the standards.
“This construct will actually help ensure when we do offer something in the marketplace, it has been fully vetted against those standards and agencies can move quickly and with confidence for that reason,” Kent said. “There is a standards definition process that multiple agencies participate in, it’s managed as part of the General Services Administration’s Office of Governmentwide Policy processes for shared services. So the defining of the standards and the constant maintenance of the something that is an all of government process.”
By creating these standards and having governmentwide agreement on them, Kent said agencies will move faster to fill specific cyber gaps as compared to each agency addressing the challenges on their own.
Multiple oversight approaches
Kent said her office, the CIO Council and the shared service governance board will provide one oversight mechanism to ensure the QSMO is making progress. But she also said agencies play a key role in how they interact with CISA.
“There is a senior accountable point of contact for each agency, who is their shared services person. They are the coordination point across their own agency. They are supposed to drive adoption of shared services, interactions and escalations, or even new things they want. Those leaders are critical as well,” she said. “We put an infrastructure in place to support agencies who are developing the QSMOs, but we also have the reciprocal side who are in charge of making sure adoption happens and we are getting good feedback from those who are getting served.”
These are two of the other big differences in OMB’s latest attempt to get shared services moving. Previous attempts relied on CFOs or chief human capital officers to be the champions, which didn’t work for most agencies.
Under this approach, the senior accountable official is for all shared services, not just for cyber or human resources.
“This is ensuring when agencies go into this relationship that it’s two-sided. The success of QSMOs is about the quality of product that are delivered and the value that they are adding to agencies,” Kent said. “This senior accountable official is on-point to have a view about what’s going on at their agency and what’s coming, what they are interested in and what that looks like for their agency so we are ensuring the products and services that are delivered are going to meet that value.”
More formal designations coming
Kent said OMB expects to formally designate human resources and financial management QSMOs later this year. The one for grants management may take a bit longer to receive the final approval.
“All of these services are different. Some of them are newer and it’s easier to implement something that is new rather than deconstruct and remodel,” she said. “Agencies are at different points of need so we are trying to look at the types of service and capabilities agencies need in the near term timeline.”
The payroll modernization initiative, called NewPay and run by GSA, is furthest along aside from cyber. The Technology Modernization Fund gave the initiative $20.6 million in February 2019 to jumpstart the development of the standards and technology. So far, NewPay received $16 million and spent $10 million, according to the TMF website.
“We are in the development phase and that is both standing up the solutions themselves based on the standards. Specific agencies are also part of planning what their transition will look like. Those are at different paces,” she said. “Obviously with what’s going on right now, has put some disruption in that. But something that is going on right now as part of COVID-19 response that emphasizes how desperately we need to move to a more modern, more consistent ways to pay federal employees is we are operating with five different payroll providers today and there have been some instances where some of the guidance and things have allowed for different types of leave options. We wanted to capture what employees were doing in different ways so we had to put those changes in five payroll systems and 127 different time and attendance systems. That’s not fast.”