July 15, 2016 By Larry Loeb 4 min read

Sharing IT operations between government departments is gaining steam after a recent effort by the administration to encourage this collaboration. The powers that be think departments can share services and profit from it.

In a way, this shift reflects some actual compromises that get done in any governmental department’s day-to-day operations. For example, IT may be trying to achieve a worthy goal such as compliance only to learn that there are limited resources available for that initiative. Departments have an overall cap, and money used for IT or any other operational expense may come out of the funds that would otherwise be used for program fulfillment.

The push to work smarter is on.

Working Smarter With Collaboration

Sharing services aims for a cost-effective, multicustomer delivery of back-office administrative services that can include human resources, financial management and purchasing — in other words, the necessary-but-boring stuff. The Shared Services Leadership Coalition (SSLC) is an industry group that brings together companies, nonprofits and individuals seeking to advance shared services implementations in the federal government.

But the possibility of sharing threats along with the information is a concern for some companies involved in sharing services. One such company, CGI, partnered with the SSLC to present a public forum about this particular concern on June 17 in Washington, D.C. The event was titled “Share Your Services, Not Your Threats.”

“As more federal agencies share services, they need to have the policies, procedures and technology capabilities in place to assure that they are not also sharing threats,” said CGI Senior Vice President Stephanie Mango in an email. “CGI is pleased to partner with SSLC and help move this important and timely conversation forward.”

Participants at the event were:

  • Carlos Solari, CIO for Mission Secure and former White House CIO;
  • Tony Cossa, director of Cloud Strategy and Policy for the USDA;
  • Christopher Lowe, CISO for the USDA; and
  • Rich Bissonette, vice president, Emerging Technologies Practice for CGI.

The video of the entire panel session can be found here.

A Bigger Push to Share Services

Solari noted that this kind of effort had been ongoing for at least a decade, from the days when he was CIO for the White House.

“We were trying to develop capabilities and then share them with government agency A, B and so on,” he said. “Not only technology, but we eventually got to the idea, ‘Wouldn’t it be great if everyone didn’t have to run their own HR system or finance system and all these administrative systems?’ Like a lot of things in government, shared systems have been around for a while. They reinvent themselves and take on a new energy.”

He was also adamant about the future, claiming, “We can solve the security problems.”

Cossa was asked to comment about managing security for shared services. “I don’t know that it is all that different from how we manage things today,” he explained. “The differences are not in the compliance areas. How we approach the architecture, technology and controls that we use for shared services are really the critical areas. We need to approach the control from a behavioral standpoint. Who are the users? What are they doing? These have to be considered in an architecture. Applying the controls and considering where they come from is where the critical components come from. You have to think how you are sharing data while considering how you are protecting the control sets within the architecture.”

This highlights an important characteristic of shared services: Regulations are generally written assuming that there is one authority over the data, but that is not true in a shared services environment. Even though a department is a client of the shared service, each one will have its own constraints on data and how it may be shared and used.

All shared services require that the client put trust in a designated services provider. The mechanics of enforcing data rules that apply to the designated service can get interesting — perhaps interesting enough to require the installation of additional hardware. But to be able to share the services effectively, departments must do it the provider’s way. Otherwise, the associated change costs end up a line item in the departmental budget and could potentially cancel out the financial benefits of sharing services.

Challenges to the Process

Demonstrating process transparency, end to end, inside a shared services environment is a challenge. The technology, processes or rule sets may not have been designed with the complexity of shared services in mind. Compliance programs require exactly this kind of information, so someone has to generate it.

The panel took a broad view of where threats lie in a shared system. They counseled that in a shared environment there is no “inside versus outside” threat evaluation, since every user must be treated as a potential threat vector. Insiders and demilitarized zones get no preferential treatment. The perimeter of a shared system extends ever outward, past old constructs such as firewalls.

When a person in the audience asked about drilling down security to the device level to mitigate a perimeter breach, Cossa’s response reinforced this concept. “A threat is not an internal or external threat,” he said. “It’s a threat. The controls are managed based on how we see the threat. There’s not a separation of that anymore. Eventually your firewall will be traversed by someone who is trying to get inside.”

Lowe agreed with those remarks. “At some point, you stop doing perimeter defense,” he said. “You need to instrument everything that is moving within your network and get some basic security telemetry back from it to know what is going on, to see if something is moving laterally that shouldn’t be moving that way. Part of that challenge is that you need to have a sense of where normal is, where the baseline is, so you can do analysis to see what has shifted off that baseline.”

He also said the USDA is working with DARPA on a big data analysis of its network to discover the triggers it should be watching for. While he thinks the project shows great promise, right now it is more a proof-of-concept effort.
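As an added illustration of the baseline-then-deviation approach Lowe describes (example code written for this summary, not from the USDA or DARPA effort), the snippet below learns what normal flow telemetry looks like and then reports connections that were never seen before, giving an internal source no more trust than an external one. The address plan, hosts and flow records are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow telemetry (src, dst, dst_port); not real agency data.
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.2.5", 443),      # workstation -> HR web app
    ("10.0.1.11", "10.0.2.5", 443),
    ("10.0.1.10", "10.0.2.20", 53),      # workstation -> DNS
    ("10.0.1.11", "10.0.2.20", 53),
    ("10.0.2.5", "10.0.3.7", 5432),      # web app -> database
    ("10.0.1.10", "203.0.113.8", 443),   # workstation -> external SaaS
]
NEW_FLOWS = [
    ("10.0.1.10", "10.0.2.5", 443),      # normal
    ("10.0.1.10", "10.0.1.11", 445),     # workstation -> workstation: never seen
    ("10.0.1.10", "10.0.1.12", 445),
    ("10.0.1.10", "10.0.3.7", 5432),     # workstation straight to the database
    ("10.0.1.11", "198.51.100.9", 22),   # unseen outbound connection
    ("10.0.1.11", "10.0.2.20", 53),      # normal
]
INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumed address plan for the example

def is_internal(host):
    return any(ip_address(host) in net for net in INTERNAL_NETS)

def build_baseline(flows):
    """Learn 'normal': the (src, dst, port) triples seen, and each source's known peers."""
    peers = defaultdict(set)
    for src, dst, _ in flows:
        peers[src].add(dst)
    return set(flows), dict(peers)

def find_deviations(baseline, flows, new_peer_threshold=2):
    """Flag every flow absent from the baseline; the direction label is for triage
    only, an unseen internal hop is reported exactly like unseen egress. A source
    reaching new_peer_threshold or more never-before-seen internal peers is also
    reported as possible lateral movement."""
    triples, known_peers = baseline
    novel = [(f, "internal" if is_internal(f[1]) else "egress")
             for f in flows if f not in triples]
    new_internal_peers = defaultdict(set)
    for (src, dst, _), direction in novel:
        if direction == "internal" and dst not in known_peers.get(src, set()):
            new_internal_peers[src].add(dst)
    lateral = {src: sorted(d) for src, d in new_internal_peers.items()
               if len(d) >= new_peer_threshold}
    return novel, lateral

if __name__ == "__main__":
    print(find_deviations(build_baseline(BASELINE_FLOWS), NEW_FLOWS))
```

A real deployment would learn the baseline over a long window and per time of day; the point here is only that the comparison is against observed behaviour, not against which side of a firewall the host sits on.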

Shared systems offer departments the promise of lower operational expenses, but the conversion brings its own particular problems that must be considered. As this panel and other efforts spread the word about shared services and more departments embrace them, security frameworks and best practices could be established, smoothing the path for future participants.
