
GSA’s SOC formalizing framework to distribute incident response authorities

While some incidents need to be elevated to the CISO, allowing SOC analysts to take actions during lower-level incidents can prevent them from escalating.

The General Services Administration has found a unique working model for its security operations center (SOC): By focusing on integration of related shared services, it’s delivering SOC capabilities more like a product than a service. That provides greater accountability, transparency and input for stakeholders, while better integrating federal employees with contractors. Now, GSA’s next step is experimenting with the way it delegates authorities within the SOC.

GSA is in the process of formalizing an authorities framework that dictates what decisions and actions can be taken by an analyst, and what has to flow upwards from there. Providing teams the capability to respond to lower-level incidents prevents them from escalating, but some things require the input of the incident commander, the product owner, the SOC director, or even GSA’s Chief Information Security Officer, Bo Berlas. For example, taking any system offline always rises to the CISO level.

“The only exception is when there is a clear and imminent threat and where we have to take a site offline in coordination, and the time that it takes to facilitate that coordination would result in a negative impact to the agency and the program at large, in which case those calls are made directly by me,” Berlas said on Federal Monthly Insights – Securing the Nation: A deep dive into federal security operations.

That’s all in service to the SOC’s formalized incident response program, which includes coordination across all the stakeholders, including GSA’s legal, client and privacy teams, and its business executives. Berlas said that integration has helped communicate more broadly the need for the SOC. GSA has already answered common questions around what the SOC is, the integrations and tools it uses, and what its responsibilities are.

SOC’s mission

That allows the SOC to focus on its organizing principles.

“We follow a one-GSA, one-cyber model. It’s focused on achieving unified defense for all our information systems and within the enterprise,” Berlas said on the Federal Drive with Tom Temin. “We do not like silos. We’re all integrated and must act as one. Visibility is something that we do not compromise on. It’s required at the agency level versus at the system level. And what that means is every information system must report and integrate into the top line agency security operations center and deeply, deeply integrate with the corresponding set of cybersecurity tooling.”

That’s helping GSA meet the requirements of a number of recent cybersecurity regulations, including the cybersecurity executive order and the numerous memos that have followed. But achieving that level of compliance is only half the battle; Berlas said it’s just as important to ensure that compliance leads to actual cyber resiliency. That’s why the SOC works within the agency, as well as with the Cybersecurity and Infrastructure Security Agency, to ensure proper interpretation of all the regulations.

Finding the right SOC skills

Berlas said that in recruiting, hiring and retaining SOC personnel, certifications matter, but they’re not all that matters. GSA’s SOC personnel, an integrated mixture of contractors and federal employees, are all screened both with the standard background checks and for technical prowess.

“Ultimately speaking, I think we live in an age where certification is important, but your ability, your tech ability is, equally, if not more important. So we don’t essentially go through and discount the fact that somebody lacks a certification,” Berlas said. “We essentially go through and do deep dive interviews with our teams, ensuring that we’re able to have them ask and answer really technical questions that you either know or you don’t know. And a study exam-prep-type answer probably will not be able to cut it. And I think that’s where we really need to focus based more on skills than we do on certifications. But certifications are also important. They do essentially speak to a certain level of commitment to your craft. And having one, I think, is a sign or indication of that. And it’s certainly valued, but it’s not the driving factor.”

One way GSA’s SOC ensures team members have those skills, while also ensuring seamless employee-contractor integration, is by pairing new staff members with existing ones as they’re onboarding. That way GSA prevents anyone from falling behind, and ingrains collaboration from day one.

Choosing the right SOC tools

Berlas said contractors often bring their own tools along, but GSA maintains the final decision over what tools are used.

“Tooling is always defined at the program level by leadership, by my directors,” he said. “Challenges corresponding to the flavor-of-the-day tools presses and creates all kinds of challenges because they’re tied to a given contractor with unique competencies or background in a given toolset. We’re really thinking more strategically. What I mean by that is we provide a shared service to the GSA, and GSA provides a shared service to the rest of the government. And I’m focused on making sure that we’re effectively integrated and working very closely with that. Any product service capability that CISA has, I’ll be first in line to effectively leverage today.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
