I ran into an interesting scenario yesterday concerning Lines of Business and security.
In case you’ve never heard about LoB, the short story is that each government agency becomes an expert in one area and then sells its services to other agencies. This is good: it gives the executive branch as a whole some economy of scale and significant cost savings. Over the next year and beyond, the Office of Management and Budget (OMB) will be pushing agencies towards LoB offerings from other agencies.
The problem is, when it comes to the security side of LoB, I don’t think we’ve figured it out yet, and our current security governance model doesn’t work.
Here’s the typical scenario, and it will get more common: if I am an agency that is being pushed towards using one of the other agencies as a LoB provider, then effectively I’m outsourcing. The problem comes when the provider does not have any security program at all, or does not value the service at the level that I do.
No big surprise, security inside the government varies widely. Love it or hate it, that’s what FISMA (the law itself) aims to fix, and the highly-scorned FISMA scorecards provide us with a very, very, very high-level metric on an agency-wide basis.
So how do I help/force/coerce my LoB provider to increase their security? This is where the current IT security governance model fails. There are many reasons; here is a short list:
- The current model is focused around one agency owning a system
- The current model does not consider jointly-owned IT systems
- Government does not fully understand a shared service provider model
Inside the Department of Defense, they have a great way to deal with this. They have a system register, and everybody puts their system and its vulnerabilities into it. Then, if I want to connect or share data with somebody, I can see what all their warts are. However, the civilian agencies are not at this level of maturity.
In order to make LoB work, what needs to happen is for the agencies to learn how to become contractors. This means that if I am offering up a service under LoB and a client agency wants a higher level of security than the system currently provides, then we need to talk about how the funding works out. It doesn’t make sense for the service provider to absorb the cost of the improvements because they don’t have a need for those improvements, but on the other hand it doesn’t make sense for the client agency to pay for 100% of the improvements when the provider agency can now turn around and sell their services to other agencies at a higher rate. Probably the outcome of this discussion is a Memorandum of Agreement with the client agency funding 50% of the improvements.
The short end of this debate is that we need to start having these conversations now.