Lines of Business, Relationships, and Trustability

Posted April 25th, 2007 by

I ran into an interesting scenario yesterday concerning Lines of Business and security.

In case you’ve never heard about LoB, the short story is that each government agency becomes an expert in one area and then sells their services to other agencies. This is good, it gives the executive branch as a whole some economy of scale and significant cost savings. Over the next year and beyond, the Office of Management and Budget (OMB) will be pushing agencies towards LoB offerings from other agencies.

LoB information from the Office of Management and Budget

The problem is, when it comes to the security side of LoB, I don’t think we’ve figured it out yet, and our current security governance model doesn’t work.

Here’s the typical scenario, and it will get more common: If I am an agency who is getting pushed towards using one of the other agencies as a LoB provider, then effectively I’m outsourcing. The problem comes when the provider does not have any security program at all or they do not value the service at the level that I value it at.

No big surprise, security inside the government varies widely. Love it or hate it, that’s what FISMA (the law itself) is aimed to fix, and the highly-scorned FISMA scorecards provide us with a very, very, very high-level metric on an agency-wide basis.

So how do I help/force/coerce my LoB provider to increase their security? This is where the current IT security governance model fails. There are many reasons, here is a short list:

  • Current model is focused around one agency owning a system
  • Current model does not consider jointly-owned IT systems
  • Government does not fully understand a shared service provider model

Inside the Department of Defense, they have a great way to deal with this. They have a system register and everybody puts their system and its vulnerabilities into it. Then if I want to connect or share data with somebody, I can see what all their warts are. However, the civilian agencies are not at this level of maturity.

In order to make LoB work, what needs to happen is for the agencies to learn how to become contractors. This means that if I am offering up a service under LoB and a client agency wants a higher level of security than the system currently provides, then we need to talk about how the funding works out. It doesn’t make sense for the service provider to absorb the cost of the improvements because they don’t have a need for those improvements, but on the other hand it doesn’t make sense for the client agency to pay for 100% of the improvements when the provider agency can now turn around and sell their services to other agencies at a higher rate. Probably the outcome of this discussion is a Memorandum of Agreement with the client agency funding 50% of the improvements.

Short end of this debate is that we need to start having these conversations now.

Similar Posts:

Posted in FISMA, Outsourcing | 3 Comments »

3 Responses

  1.  The Guerilla CISO » Blog Archive » One Catalog to Rule Them All Says:

    […] program and corroborated against your classified file) and to support each other as vendors under Lines of Business, which the government needs […]

  2.  The Guerilla CISO » Blog Archive » Feds to Embrace SaaS, End is Nigh for Security! Says:

    […] I think it’s also harder to accomplish than OMB might think. I’ve said this before, but information sharing, security, and SaaS doesn’t fit into The Government Way of Doing Things &#…, and that needs to get […]

  3.  Current Government Security Initiatives | The Guerilla CISO Says:

    […] Security Line of Business:  Agencies become subject-matter experts in an area and become a contractor to the other agencies.  Not a new concept, we’ve seen it elsewhere. […]

Leave a Comment

Please note: Comment moderation is enabled and may delay your comment. There is no need to resubmit your comment.

Visitor Geolocationing Widget: