Shared services and the future of CISA
Chris Krebs, the head of the Cybersecurity and Infrastructure Security Agency at DHS, said that many federal agencies will be outsourcing cyber to a shared service provider in the future.
The current model of how federal civilian agencies manage cybersecurity risk will change dramatically in the next five years, with some agencies embracing shared services, said Chris Krebs, director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency.
The current model, which tasks all federal agencies with taking care of their own cybersecurity risks, is "unsustainable," said Krebs in a presentation at Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security on Aug. 22.
"At the end of the day, [federal civilian] agencies are responsible for managing their risk. I'm putting them in a position to manage their risk" with tools such as Continuous Diagnostics and Mitigation, said Krebs.
"We're risk advisors" to federal agencies on cybersecurity, he said. "My view is that that is not a defensible position in the long term. We're working with Congress, with the Office of Management and Budget to help figure out what is a better posture and solution for federal civilian network protection."
In five years, he said, there may be a completely different architecture for that protection across the 99 federal civilian agencies CISA is responsible for advising.
Some agencies, he said, may hand off those cybersecurity duties to another agency to perform for them. The agency they turn to for those services, he said, could be CISA, or another agency through a quality shared-service offering.
The OMB guidance issued in April tapped DHS and three other agencies to take the lead in developing shared services as part of a Quality Service Management Office (QSMO).
Larger agencies "might figure out they can do it themselves," he said. "Whether we do it, or someone else does, it's got to change."
Under an April 26 memo from acting OMB Director Russell Vought, DHS is responsible for taking the lead on developing cybersecurity shared services. In the same memo, OMB also identified financial management, grants management and human resources as shared services targets.
Treasury is taking over financial management, Health and Human Services gets grants management, and the General Services Administration gets human resources. Each QSMO will have to submit a five-year plan for managing that shared service.