The Office of Management and Budget has tried at least two other times to get agencies to consolidate and optimize their security operations centers (SOC).
At some departments, there are eight or 10 SOCs, meaning there is no single pane of glass for the chief information security officer, the Department of Homeland Security, or OMB to understand what’s really going on.
Grant Schneider, the federal chief information security officer (CISO), said the latest attempt to improve the value and reduce the number of security operations centers is well underway.
“We have been looking for all agencies to raise the bar. One of the ways we know we want to do that is the focus on shared services,” Schneider said in a recent interview on Ask the CIO. “With SOC-as-a-service, DHS is in the process now, as the management office, of setting the standards for what would any service provider in this space need to deliver, and what would they need to be able to achieve. This doesn’t mean DHS will be the only service provider in this space. The Department of Justice is already working to be a service provider in this space as they have a lot of expertise on that front.”
Future services may include network defense, incident management, threat intelligence, cyber supply chain risk management and several others.
Schneider said the Quality Services Management Office (QSMO) will begin rolling out the SOCaaS in fiscal 2021.
“We are looking for a couple ways to do the service provisioning. It could be another government agency such as the Department of Justice or DHS providing those services,” he said. “DHS also is working closely with the General Services Administration so that we can contract for some service capabilities there and bring industry in as well. The QSMO role of DHS is to make sure that the level of service and standards being met on all of those capabilities will be the same. We do know industry will be a significant player in this arena.”
The need for the QSMO became evident in 2018 when OMB released the first ever cyber risk determination report, which reviewed how 96 agencies manage and mitigate these challenges.
“[M]any federal agencies report that they do not have sufficient full-time employees with the requisite skills to operate a SOC effectively, or, in some cases, agencies have multiple SOCs that employ a series of different processes and technology. The result is poor network visibility and inefficient and ineffective operations,” the report stated. “In the case of agencies with multiple SOCs, CISOs report that these SOCs do not communicate with each other and that they hoard, rather than share, threat information and intelligence. Although OMB previously worked to alleviate this issue by having agencies designate a principal SOC, which would be accountable for all incident response activities for each agency, it is clear that the problem persists.”
Schneider said while the QSMO will address some of the technical challenges of security operations centers, OMB is focused on the management side.
“We asked agencies last year to create SOC maturation plans and we have been working with agencies on where are they at on those plans,” he said. “A number of agencies have a variety of security operations centers and we are looking to have them, if not consolidate, at least ensure they have a focal one and everything from a variety of those SOCs are being rolled up and they have a centralized visibility into their operations.”
Part of how OMB will hold agencies accountable for meeting the goals of SOC maturation and consolidation and moving to shared services is through a revitalized CyberStat process.
OMB launched CyberStat in 2011 as a way to apply more directed pressure to systemic cyber problems at agencies. By 2018, it had largely fallen by the wayside.
The Government Accountability Office in its report on open recommendations from May said OMB is bringing back this oversight process. OMB says it created an “updated concept of operations document that is currently in draft. To fully implement this recommendation, OMB needs to finalize and release the CyberStat concept of operations document and increase agency participation in CyberStat meetings,” GAO stated.
Schneider said there are several ways the revamped CyberStat process could work.
“Our traditional, in-depth one-on-one engagements with agencies is certainly still on our list. However, we also are trying to do a little more — and this is where SOC may be an excellent opportunity for us — is we are bringing agencies together to discuss a particular topic and have more lessons learned from various agencies and DHS to provide additional expertise,” he said.
Along with the SOCaaS and reinvigorating CyberStat, Schneider said the federal CISO Council also will continue to focus on policy changes, such as the final one expected soon on vulnerability disclosure.
Supply chain interim final rule in the works
Another area the federal CISO Council is focused on is supply chain risk management. Schneider, who also leads the Federal Acquisition Security Council (FASC), said the goal is to implement the authorities Congress gave them in the SECURE Technology Act.
“The council has been meeting for about a year. In the legislation that created the council, there were a number of homework assignments in addition to the new authorities we were granted. We have delivered to Congress the strategic plan they requested from us as well as a charter for the FASC,” he said. “The most important thing we are working on right now is the interim final rule. The interim final rule is really going to lay out the processes and procedures around how the council will go about doing a couple of things. One of our tasks is to share supply chain risk management information both within the government and outline how we will do that, and share with industry, where appropriate. We also have to identify how we will perform assessments and evaluations of potentially covered articles and then make recommendations to the secretaries of DoD, DHS and the director of National Intelligence on whether or not we think they should issue a removal order.”
And speaking of supply chain risk management, Schneider said he’s paying attention to the Defense Department’s rollout of the Cybersecurity Maturity Model Certification (CMMC) standard.
“I’m very interested to see how it progresses and the outcomes that are able to be achieved,” he said. “We’ve certainly done some thinking through of how might it apply, but we are not at all at a point though to know that we would or wouldn’t want to apply this more broadly across the government.”