It seems that the Office of Management and Budget is moving towards a model for procurement that will support the Federal Enterprise Architecture(FEA) E-Gov initiatives. The fear is that Information Security is being put in a "box" for easier and more efficient ordering for federal agencies, except INTEL and DOD. They are not impacted by the latest move to a "Center of Excellence" for InfoSec.
CISO's at these federal agencies are operating with their hands tied in an effort to improve their FISMA grades with declining budgets and line items being moved from their control to the "Center of Excellence".
As a result of the FEA PMO’s analysis of the FY 2006 budget data, OMB established the IT Security Line of Business to propose common solutions and architecture strengthening the ability of all agencies to identify vulnerabilities, defend against threats and manage resulting risks. The FEA PMO will guide this LoB initiative through development of a common solution architecture by:
• Providing initial direction on EA work products (i.e., common solutions and target architecture);
• Reviewing EA work products and providing feedback;
• Reviewing service components developed by the LoB;
• Identifying areas for reuse or standardization across agency architectures; and
• Identifying agency movement toward LoB standards and services in their EA
The FEA PMO and the LoB task force will collaborate on identifying potential common solutions (e.g., training/awareness, incident response, certification and accreditation, the selection of security products, reporting, implementation of security configurations, policy and budget coordination, disaster recovery, contingency planning, and access controls), and will identify business processes and systems impacted if a security service is standardized or outsourced.
Use of the FEA Practice and reference models to identify areas for reuse and standardization will result in better and more consistent security management processes and controls across the Federal government.
Has the cost of war finally gotten to the point where we have finally made "Information Security" and "Contingency Planning" a commodity to be put in a box? Not until the agencies are standardized on configurations, hardware/software and other baseline security appliances and applications will you have the ability to do what is initially intended by the initiative. To save money, resources and redundancy.
Information and Physical security is a moving target for a reason. It evolves in response to attackers new tools and exploits probing to find the latest vulnerabilities. We wish the non-INTEL and DOD agencies luck in their new mission to secure their respective enterprises.