Security LOB to focus on training, reporting

Over the next seven months, the Office of Management and Budget and the Department of Homeland Security will focus on two of the four areas originally chosen for the Security Line of Business initiative.OMB said it would set up centers of excellence later this year for training and security reporting for mandates such as the Federal Information Security Management Act in the fiscal 2007 budget submitted to Congress earlier this month.Karen Evans, OMB’s administrator for IT and e-government, said the interagency task force will continue to work on the other two areas, product evaluation and incident response, to figure out where the opportunities exist.The task force these four areas were ripe for savings and standardization last year. But reporting and training were the best place to get started right away, Evans said.“Reporting and training are the easier ones, as well as the ones where there is a huge amount of dollars going out,” Evans said during a budget briefing with reporters last week. “We are saying there is a better way to deliver cross-the-board training to new employees, for example.”Evans, who also spoke about the IT budget today at a luncheon in Washington sponsored by the Association for Federal Information Resource Managers, said some agencies have security training that consists of one screen, while other agencies’ security training is much more extensive.Of the $5.2 billion agencies plan to spend on IT security next year, 25 percent of that goes for reporting and training, Evans added.“Everyone has to do FISMA reporting, so they are spending money on it,” Evans said. “It makes sense to see who has done what, and if more agencies can implement it.”Incident response and product evaluation are far more complex and a fundamental part of agency control processes, said Glenn Schlarman, chief of the OMB information policy and technology branch, at the budget briefing.“The task force didn’t feel it had enough information or collective expertise to begin the transition of fundamental security processes,” Schlarman said. “Reporting and training will give us more than enough work over the next year.”Evans added there is no timetable for naming the centers of excellence.