CIO Council seeks to clarify boundaries

Group formalizing private initiative guidelines.

CIO Council members may institute a formal process for industry organizations to legitimately claim the council's support.

"What I think you're going to see is better rules of the road because of what's happened in this particular environment," said Karen Evans, the Office of Management and Budget's administrator for e-government and information technology. Evans is also the council's director.

The council recently withdrew its participation from the Chief Information Security Officer (CISO) Exchange, a for-profit initiative led by Steve O'Keeffe, principal of marketing firm O'Keeffe and Co. O'Keeffe ended his efforts to promote the CISO Exchange April 14, shortly after OMB officials issued a statement to announce that the council would withdraw from the organization.

"We're looking to have a little more distance between the council and specific events," said Marty Wagner, a General Services Administration associate administrator and ex officio liaison to the council. Issues needing clarification include when private-sector initiatives can display the council's logo and what constitutes "an event that we are glad is occurring, but we're not supporting it per se," he said.

Council members may set up an application process for organizations seeking their support, said Vance Hitch, the Justice Department's chief information officer, who was listed as a co-chairman of the CISO Exchange.

Such a process might require "asking some of the harder questions that you typically wouldn't ask off the top of your head, like, 'How do you make your money and what do you do with it?' " Hitch said.

Although the CIO Council neither formally endorsed nor sponsored the CISO Exchange, Hitch's participation as advisory board co-chairman created the impression that the council sponsored the initiative, Evans said.

"There is an implication of CIO Council sponsorship because he's our official liaison for cybersecurity," she said. Participants cut ties to the exchange when government and industry officials said the organization appeared to sell access to policy-makers. A select number of companies were to pay $75,000 for full memberships, while others could have paid $25,000 or $5,000 for restricted memberships.

Council endorsement carries more weight than support, said Dan Matthews, the council's vice chairman. When council members endorse, "they're in essence putting their reputation behind" something, Matthews said. The council is not in the business of endorsing the private sector, he added.

Hitch said he made a presentation to the council's executive committee about a need for a forum in which officials from the public and private sectors could exchange best cybersecurity practices. But he said he was unaware of O'Keeffe's three-tiered structure for access to the exchange.

"That's something that I didn't even know until the information came out," he said. O'Keeffe's statements about the exchange's structure were premature, Hitch added.

Council members continue to believe a cybersecurity best practices organization is a pressing need, Matthews said. But "then the Web site went up saying it was going to collect this kind of money, and that's when we said, 'That's interesting, tell me more,'" he said. Hitch's presentation made no reference to O'Keeffe, Matthews said.

O'Keeffe said he cleared a CISO Exchange press release with the council. He had no comment on whether he considered the council a sponsor.

Determining which private-sector organizations can legitimately claim council backing is complicated because a majority of federal IT workers are contractors, said Mark Forman, Evans' predecessor.

"You want to make an environment where people want to contribute, but people have to understand that lurking in the shadows of the desire to contribute are people that would like to abuse the opportunities to contribute," he said.

A CIO is not the council

When chief information officers attend events as representatives of their agencies or of the CIO Council, their roles need to be clear, said Justice Department CIO Vance Hitch. "That's something I will have to make sure that is clear to me. In what capacity are you asking me to talk to a group or perform a function?" he said.

The approval process would be different for each person, Hitch said. Departmental ethics offices would have a role in clearing participation for agency representations. Hitch said he favors implementing a new process for council representations.

"I don't want to get involved with something that's not viewed as something that's open and supportive," he said. "I think if we do the things we're talking about, we'll get more clarity."

— David Perera