Shared Services to Enable Future Network Architectures

Summary of Efforts to Date

Category Management and Shared Services are both industry leading practices that help the Federal Government deliver common functions in a more effective and efficient way. Category Management allows the Government to buy more like a single enterprise by purchasing commodities and common services consistently and with minimal variation to leverage the Government’s buying power. Government-wide Category Managers identify “Best in Class” (BIC) solutions, which are contracting and acquisition designations used to denote contracts that meet rigorous category management criteria as defined by OMB. These designated BICs allow acquisition experts to take advantage of pre-vetted, Government-wide contract solutions. As stated earlier, Shared Services is the provision of consolidated capabilities or functions (services and/or IT systems) that are common across multiple agencies. Shared information technology relieves customer agencies of managing upgrade cycles, maintenance, and acquisition overhead associated with supporting duplicative mission support technologies.

Shared Services intersects with Information Technology Category Management in that common solutions developed under Category Management should be leveraged by all agencies, including organizations providing shared services. Providers assume the responsibility for customers of managing the contracts/orders, ensuring scalability and efficiency of services, holding vendors accountable for meeting performance metrics, and delivering continuous improvement of business process.

Shared services has a long history in the Federal Government and gained momentum with the establishment of functional lines of business with the E-Government Act of 2002. Building upon this progress and leveraging best practices from the private sector, in October 2015, OMB announced the formation of the Unified Shared Services Management (USSM) office within GSA to enable the delivery of high-quality, high-value shared services that improve performance and efficiency throughout the Federal Government. USSM’s mission is to transform the way Government does business internally to improve the way the Government serves the American public.

While there has long been interest in shared services for general IT needs, a perilous threat environment has created a need for cybersecurity shared services as well as for commercially provided commodity IT, such as email and cloud services. Widespread use and deployment of shared services for information security would not only provide cost savings; it would also provide a more consistent level of security across the Federal enterprise.

Current State

Addressing security challenges is critical if the Federal Government expects to achieve strong security outcomes; however, the current model of distributed Federal IT makes tackling complex, resource-intensive problems in a consistent manner challenging. Today, each agency must independently identify possible vendors, evaluate the security of those vendors, issue its own Authority to Operate (ATO), integrate the solution into its own bespoke IT infrastructure, and allocate resources to monitor and operate that infrastructure on an ongoing basis. The combination of these factors does not achieve consistent, high-quality security outcomes.

The Federal Government is the world’s largest buyer and there is a critical need to change the way the Federal Government buys common information technology products and services. Transitioning to consolidated network architectures and shared services requires consideration of how these products or services will be acquired. Current challenges associated with use of commercial acquisition practices limit the Federal Government’s ability to achieve its modernization goals.

Significant contract duplication means that agencies award multiple contracts for similar goods and services, often leading to hundreds, if not thousands, of contracts for the same requirement with the same vendors. Additionally, there are huge price variances for the exact same item, sometimes as much as 300 - 400 percent. Agencies work highly autonomously, with only occasional collaboration across organizations and little sharing of information, standards, and best practices. This degree of fragmentation, lack of common standards, and lack of coordination drives costly redundancies and inefficiencies in procurement actions, contracting vehicles, and customization of common information technology solutions.

The existing federated and distributed approach to IT is no longer sustainable in an increasingly mobile, cloud-based, and complex digital world. Building or internally operating such security programs requires specialized cybersecurity talent and knowledge, access to a broad range of data sources to manage the latest threats, and sophisticated and costly emulation and static analysis technology. This is an immense undertaking for large departments, but even more so for smaller and non-CFO Act agencies, which often struggle with basic security functions, such as vulnerability mitigation, due to resource limitations. Programs like CDM are taking steps toward deploying common tools across all agencies and integrating large and small agencies into a shared cybersecurity understanding; however, many of these programs, including CDM, have been mired in delays and have not yet yielded their full promise.

Future State & Objectives

In order to reduce cost and improve operational efficiency and cybersecurity, the Federal Government must shift toward a consolidated IT model. This includes adopting shared services for non-mission-specific functions, as well as BIC contracts; commodity IT such as email and other collaboration and productivity tools; and security tools. This approach will help the Federal Government rapidly deploy new capabilities that will enhance agencies’ abilities to perform their missions and secure their networks. The Federal Government must embrace the broader use of cloud services while working to develop cloud products that meet Federal cybersecurity standards. With the proper type of cloud offering designed with an appropriate focus on security, the increased use and consolidation of IT services in multi-tenant cloud services can provide the visibility and control necessary to deploy the data-level protections and automated cybersecurity outlined earlier in this report. Agencies must leverage shared services and embrace commercial technologies such as Software as a Service (SaaS) where possible, building new capabilities only when shared services and commercial technologies cannot meet mission need.

The NIST Definition of Cloud Computing (SP 800-145) establishes the essential characteristics and service model definition for cloud-based SaaS, which also serves as the definition for this Report and its implementation. Transitioning to a consumption-based service, as opposed to traditional approaches of purchasing on-premise licenses, will enable the Government to stop building systems that are expensive to maintain and modernize. Among other benefits, the Government will only pay for what it uses, better leverage its buying power, achieve the benefits of continuous modernization, and gain economies of scale from standardization.

As Federal agencies increase their investment in commercial cloud services, promoting vendor interoperability and avoiding “vendor lock-in” will continue to be important priorities. Where feasible and appropriate, the use of tools and platforms that can be used portably across multiple underlying cloud service providers is encouraged. Agencies of any significant size, such as CFO Act agencies, are generally expected to authorize and make use of multiple independent cloud environments. At the same time, agencies are encouraged to make use of the best and most cutting-edge services that cloud service providers have available. This can include services that are specific to individual providers and optimized for their strengths.

In general, agencies should avoid unhealthy levels of dependence on specific vendors, while taking advantage of the best technologies the commercial market has to offer.

In order to achieve the desired future state, the Government must address the current impediments in policy, resource allocation, Government-wide business standards, and disparate agency interpretations of statutes and guidance, in addition to other considerations that are obstacles to agencies’ adoption of shared and cloud services. Such obstacles include statutory and regulatory requirements that prevent the use of accepted commercial best acquisition practices. Changes and modifications to the existing acquisition requirements could be implemented to achieve efficiencies while maintaining the core tenet of fairness. Rather than relying on often outdated and agency-specific systems, the Government should speak with one voice to providers to obtain systems and services that offer world-class levels of functionality that meets the Government-wide business standards, achieve cost-effectiveness through economies of scale, and are secure.

Implementation Plan

Both the short- and long-term steps outlined in this section will result in greater innovation across the Federal enterprise, decrease costs, and dramatically improve services provided to both agencies and citizens. These interventions will allow agencies, and particularly smaller agencies, to more easily acquire and adopt commodity cloud infrastructure products, while leveraging the Federal Government’s buying power to produce economies of scale. Additionally, these efforts will augment existing agency-specific technology to improve both visibility and security. This implementation plan focuses on three key areas viewed as pivotal for accelerating the move to shared services: (1) enabling the use of commercial cloud services and infrastructure; (2) accelerating adoption of cloud email and collaboration tools; and (3) providing additional and improving existing shared services.

1. Enable the Use of Commercial Cloud Services and Infrastructure

Major commercial cloud infrastructure providers offer excellent levels of functionality, cost effectiveness, and security because of their ability to aggregate demand across a broad range of customers. There is a wide range of ways each of the models outlined below can drive cloud adoption by Government customers; however, it is generally helpful to think about the options as one default approach and a second option for use when security requirements require it.

In order to ensure a smooth adoption of cloud technologies across the Government, it is important to understand the various models that are available for utilizing cloud services. The following two options describe the main approaches in which the Government has adopted cloud services and how these models could be adjusted moving forward.

Bring Government to the Cloud: Vendor-owned and operated servers and applications — Software as a Service (SaaS)

This is the ubiquitous public cloud model used by the vast majority of private sector cloud providers, and is in use by some Federal agencies today. Among other uses, this model may be appropriate for modern cloud-hosted email, productivity, and collaboration tools and mission support services.

Many agencies have already fully embraced vendor-operated, cloud-based collaboration and productivity tools, and, depending on the agency, may have several such tools based on commercial SaaS in use in their environment today. It is important for the rest of Government to migrate from legacy offerings to take advantage of the increased productivity and innovation that these cloud-based services offer.

Bring Government to the Cloud: Vendor-owned and operated servers and Government-operated applications with networks that utilize a secure connection — Infrastructure as a Service

Some service needs can only be met by developing custom software, or by buying software that is not available as a service. With this model, a cloud vendor owns and operates servers in a private sector data center that is reached over a secure connection. Secure connections could include TLS (of which HTTPS is the most common application), an encrypted VPN tunnel, or private peering or a dedicated interconnect between the agency network and the provider. This provides an infrastructure upon which agencies deploy applications that they create or acquire. This model can be utilized for secure, critical applications that are only available to Government users over a virtual private network (VPN) or behind other network-level isolation.

Because Infrastructure as a Service gives customers control over many low-level details, it can entirely replace the need for a traditional on premise data center. Agencies can often move existing services from legacy on premise data centers to cloud infrastructure with some software modifications.

These applications can be public services used by the general public or private internal services used by agency employees. In either case, agencies may consider cloud infrastructure as a service to be an extension of their existing private enterprise network, or they may treat it as a separate, isolated network. Regardless, users access the service through secure connections, which could include HTTPS or other TLS-protected protocols, a VPN, or a dedicated line.

Infrastructure as a service excels at providing a platform for creating and deploying the digital services that are core to an agency’s mission. These models are already in use by agencies in a wide range of use cases including benefits processing for veterans, immigration, and healthcare, as well as data processing and software testing in the Department of Defense community.

Bring the Cloud to Government: Government-owned data center buildings with vendor-owned and operated services

For certain applications where using the Internet is not a viable option, commercial providers can operate infrastructure in Government-owned facilities. This is attractive for classified systems that cannot be connected to the public Internet. For example, the intelligence community was the original adopter of a model in which vendor-owned and operated services were based out of Government-owned data center buildings. An example of this approach is the Intelligence Community Information Technology Enterprise (IC ITE) Commercial Cloud Services.

This model is much more expensive than fully commercial cloud services, and cannot keep pace with the innovation of public cloud solutions. As such, it is only appropriate where the Government absolutely must retain physical control over the infrastructure.

It is important to be wary of on premise solutions that are sold with cloud terminology but that do not actually meet the NIST Essential Characteristics of Cloud Computing (on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service). Often, products that claim to offer private cloud infrastructure fail to deliver on these promises, missing key aspects such as rapid elasticity, on-demand self-service, or resource pooling.

Bring the Cloud to Government: Vendor-owned and operated data centers with servers dedicated for Government use

Many cloud service providers offer Government-dedicated versions of their services, where the provider builds segregated space for Government use so that agency customers share infrastructure (possibly including servers, buildings, networks, and personnel) only with other Government customers rather than with the general public. This allows a provider to more easily meet Government-specific compliance requirements for securing sensitive data.

This model provides a middle ground between public shared cloud infrastructure and costly on premise infrastructure. It is used by many agencies today to house applications where legal, compliance, or security reasons preclude the use of shared servers.

This model, which is already in use, could be particularly useful and appropriate for hosting Government websites and services whose sensitivity makes shared public servers inappropriate.

Recommendations:

Cloud is not a one-size-fits-all solution, and offers a multitude of options for agencies based on their needs and preferences. While it is important to ensure flexibility across the Federal Government, a few models can cover the majority of Federal use cases. As such, the Government should invest in two to three cloud models to support the differing security and risk-tolerance postures of agencies and to leverage shared services. Further, agencies should work cooperatively and collaboratively to build trust within their own enterprise and between agencies, so that Federal programs and system owners can make maximum use of authorization packages, compliance materials, and any other documents or processes that promote reuse and appropriate risk acceptance when deciding to bring new systems online or evaluating legacy systems for migration or decommissioning.

In particular, the Government should expand its use of the “Bring the Government to the Cloud” models, as these best balance the benefits of cloud computing, including improved performance and cost savings, with outsourced security and control. While the impending revisions to the Trusted Internet Connections (TIC) policy and guidance will affect some of the eventual business decisions surrounding cloud options, agencies should begin working now to determine how best to use the models outlined above.

Next steps to support the above recommendations are as follows:

Within 30 days of the date of issuance of this final report:

Pursuant to its statutory authorities and in execution thereof, OMB will conduct a data call requesting that agencies identify systems that may be ready for cloud migration and can be migrated securely but have not yet migrated due to perceived or encountered difficulties. At the conclusion of this data call, OMB and GSA will review the impediments to moving to the cloud outlined by agencies and will prioritize an infusion of technical talent, capital, and updated security policy (developed iteratively to solve agency-specific issues) as needed to enable prioritized cloud migrations. This task is described in more detail in the following section.

Within 90 days of the date of issuance of this final report:

GSA will work with volunteer agencies to pilot new initiatives to improve the speed, reliability, reusability, and risk-acceptance transparency of cloud-based SaaS and shared services ATOs. Initial pilots will test new authorities and tools for authorization processes, such as automating the new NIST Risk Management Framework for select information systems, implementing the new FedRAMP Tailored baseline for low-impact SaaS products, and leveraging Authorizations to Use for shared services based on commercial cloud offerings.

Based on the combined efforts, including lessons learned and best practices for extending these pilot activities to a Federal civilian-wide scale, GSA will work with OMB to develop any necessary plans or policy for promoting these initiatives and any other innovative FedRAMP, shared services, or agency-specific efforts across the Federal enterprise.

Within 120 days of the date of issuance of this final report:

Pursuant to its statutory authorities and in execution thereof, OMB, in coordination with DHS, GSA, and its Federal partners, will update the Federal Cloud Computing Strategy (“Cloud-First”). This strategy will provide additional guidance to agencies on the most impactful use cases for cloud adoption and how best to conduct appropriate operational security in cloud environments.

Additionally, OMB will conduct a thorough review of all relevant policies pertaining to IT modernization, cloud migration, infrastructure consolidation, and shared services, among others, and will initiate revisions, rescissions, or other rapid policy updates that may improve the ability of agencies to modernize effectively, securely, and efficiently. If necessary, OMB will issue further guidance that will augment and enhance existing Federal technology and information security policy.

OMB, working with the Federal Acquisition Regulation (FAR) Council, GSA, and DHS will develop clauses that define consistent requirements for security, privacy, and access to data for use in cloud contracts. These clauses will ensure uniformity in contract language and provide rigor to standard Government terms, which would be particularly valuable to agencies lacking relevant technical, legal, or acquisitions expertise to craft, out of whole cloth, such language in their cloud procurements.

Within 180 days of the date of issuance of this final report:

OMB, working with the Federal Acquisition Regulatory Council (FAR Council) and DHS will develop clauses that define consistent requirements for security, privacy, and access to data for use in cloud contracts. These clauses will ensure uniformity in contract language and clear direction in standard Government terms, which would be particularly valuable to agencies lacking relevant technical, legal, or acquisitions expertise to craft, out of whole cloth, such language in their cloud procurements.

These actions are in addition to OMB’s ongoing work with the FAR Council to reduce regulatory burden on federal IT contractors pursuant to E.O. 13771, as well as efforts with members of the Chief Acquisition Officers Council to identify statutory or administrative changes to align federal procurement practices with successful commercial buying strategies and collaboration with agency Acquisition Innovation Advocates to apply modernized processes to improve the acquisition system’s ability to support the goals of this report.

2. Accelerate Adoption of Cloud Email and Collaboration Tools

Accelerated adoption of tools like cloud email and collaboration applications is an essential element of achieving timely collaboration capability across the Government. Deploying these tools for the Federal Government sooner rather than later minimizes exposure to one of the most prominent cyberattack methods in modern society: targeted, email-based spear phishing attacks using malicious attachments and links, which are the primary attack vector for compromising individuals and organizations.

Accelerated rollout of cloud email and collaboration is urgent given the number of duplicative legacy systems and their associated cybersecurity risks. In addition, even within cloud-based email, there still exists price variance. Agencies generally negotiate as individual organizations - thus limiting the potential economy of scale that could have been achieved negotiating through the Government Enterprise. Buying power through Government-wide price negotiations will achieve efficiencies of cost savings and therefore benefit American taxpayers.

In order to support agencies in moving away from their own email servers and solutions, a set of secure, easy-to-maintain, and cost-effective solutions must be available. Industry is well positioned to provide effective security controls, especially when paired with National Cybersecurity Protection System (NCPS) capabilities, and to enable agencies to leverage improved mobile, tablet, and productivity operating environments. There are currently only two hosted solutions deployed in the Federal Government, though additional competitors could emerge. Regardless, a requirement to make better use of cloud-based email and collaboration services increases the Government’s leverage in obtaining farther-reaching innovative solutions and better pricing.

While the benefits are worthwhile, ranging from cost savings to improved security, the migration itself to cloud-based tools can be costly and burdensome, particularly for smaller agencies. In order to support agencies in their migration, a set of secure, easy-to-maintain, and cost-effective solutions must be made available.

The Government must pursue new acquisition strategies to obtain cloud email and collaboration tools and services. In furtherance of this objective, pilots such as the example outlined in Appendix D may be executed to decrease the administrative acquisition burden, specifically for smaller agencies who cannot leverage large volume discounts or who have acquisition workforce constraints. Additional pilots may include the ability to purchase cloud services on a consumption basis and coordinated purchasing to obtain tiered-based pricing.

One of the fundamental advantages the Government has in seeking products and services is that its size should allow it to leverage competing market forces to drive Government-wide volume pricing and increase the overall speed of migration. The goal would be to incentivize providers through tiered pricing, business strategies, and service level agreements that would produce insight and transparency into any agreement made to obtain cloud email and collaboration tools by the Government.

This would mark a significant departure from existing acquisition marketplaces where existing models are laborious for both Government and industry and fail to truly capture and make transparent items such as volume spending as an aggregated value. In addition, the current process does not always offer sufficient transparency, allowing some agencies to pay less than others. Often, it is the small agencies, who can least afford higher prices, that are penalized.

Next steps to support the above recommendations are as follows:

Within 30 days of the date of issuance of this final report:

OMB will conduct a data call to agencies regarding their current email contracts, prices, and number of mailboxes. It is imperative that the Government obtain an accurate measurement of the market size of agencies who have not yet migrated to cloud email. While there are clear data on the current need among CFO Act agencies, there is currently no definitive data regarding the adoption of cloud-based email solutions at small and independent agencies. Understanding the full size of the marketplace will enable the Government to maximize its leverage in negotiations with cloud collaboration vendors.

OMB will convene a task force of agencies to finalize a standard set of requirements for cloud email, including both low and moderate security postures for email and cloud collaboration. These requirements, which will build upon previously completed work, will be circulated to all agencies for comment and serve as the basis for acquisition.

Within 60 days of the date of issuance of this final report:

OMB will establish a comprehensive strategy for driving the accelerated migration of agency email and collaboration tools to the cloud for departments and agencies who have still not adopted cloud-based email. This strategy should emphasize achieving both cost savings and improved security.

Within 75 days of the date of issuance of this final report:

OMB will issue updated identity policy guidance for public comment that will reduce agency burden and recommend identity service areas suitable for shared services. GSA will provide a business case to the Federal CIO on the consolidation of existing identity services to improve usability and drive secure access and interoperability. This action will enable secure access and collaboration as a service in a way that improves existing agency-specific implementations, which often have various levels of security and do not include interoperability.

Within 90 days of the date of issuance of this final report:

OMB will assemble an Acquisition Tiger Team (ATT), which will be charged with drafting and disseminating a “quick start” acquisition package that can help agencies carry out rapid license and migration service acquisitions. This will make it possible for agencies that presently have difficulty doing so to award licenses and services. The “quick start” package would include market research, acquisition plans, templates for requesting quotes, identified sources of supply, and Independent Government Cost Estimate calculation templates (based on already completed acquisitions).

The ATT, working through the appropriate executive agent, will send out Requests for Information (RFIs) or conduct other market research activities to find qualified small business and socio-economic concerns, leveraging set-aside programs and other authorities (for example, the 8(a) Digital Service Initiative or vehicles that have resulted from Category Management efforts in this space) to streamline the migration acquisitions to the greatest extent possible.

Within 180 days of the date of issuance of this final report:

The Government should consider incentives for early adoption (migration in the first year following the formalization of the effort), including individualized assistance tailored to a given agency’s needs. To assist in such an effort, OMB will create acquisition/migration cadres, consisting of information technology and acquisition specialists, that will be sent to early adopter agencies to help with license and migration acquisition-related challenges. Initially, these cadres would draw from agencies that have already completed their migrations, such as the Department of Justice (DOJ), and from acquisition experts in the Digital IT Acquisition Professional Training (DITAP) alumni network.

Within 240 days of the date of issuance of this final report:

OMB, with support from GSA, will pilot new acquisition tactics for cloud email and collaboration licenses including but not limited to those discussed above and outlined in Appendix D.

Other High-Level Actions:

Approved FISMA-Moderate cloud-based collaboration tools currently exist. GSA will continue to work with existing cloud email and collaboration providers, and will prioritize approval of a FISMA-High offering. At the same time, process improvements will continue iteratively to enable agencies to accelerate adoption of cloud services.

Within the Federal Government, having a qualified and agile acquisition workforce is paramount to ensuring that the Federal Government acquires optimal solutions and achieves successful acquisition outcomes. Providing specialized training and career development opportunities for the acquisition workforce is a critical component of ensuring that taxpayer dollars are effectively managed and obligated to achieve the requirements addressed in the Federal IT Modernization Report. Providing training and career development opportunities is a priority for cybersecurity adoption, cloud email, and cloud adoption. The Federal Acquisition Certification in Contracting (FAC-C) core-plus specialization in digital services is under review and is a component of the DITAP development program. The DITAP program focuses on providing contracting professionals with training and experiential learning opportunities to gain the expertise necessary to better understand market conditions and drivers, effectively manage risks, successfully plan, and negotiate and acquire digital supplies and services. Moreover, completion of the DITAP development program empowers graduates to serve as change agents and expert business advisors to members of the integrated acquisition team (program managers, legal, finance, contracting officer’s representatives, and other stakeholders). Having a Government-wide, holistic, and integrated training and career development approach is vital to delivering results to the American people and building a stronger, more capable Federal Government.

3. Improve Existing and Provide Additional Security Shared Services

As cyberattacks have become more sophisticated, frequent, and easier for adversaries to execute, cybersecurity has continued to escalate as a primary responsibility for all individual agencies and for the Federal Government as a whole. Addressing cybersecurity threats holistically necessitates both a further consolidation of the Federal Government’s IT footprint as well as an expansion of shared, centralized services to better leverage Federal buying power, standardize security capabilities, improve the time it takes to detect and respond to incidents, and realize economies of scale from aggregating data.

Continuous Diagnostics and Mitigation (CDM)

DHS established the CDM Program in 2013 to provide Federal civilian agencies with automated continuous monitoring tools to detect vulnerabilities and potentially malicious network activity in near real-time. CDM Phase 1, which is currently being deployed, is designed to determine “what is on the network” by providing agencies with capabilities to identify and remediate vulnerabilities and ensure secure hardware and software configurations on their networks. CDM Phase 2 will focus on “who is on the network” and provide capabilities to detect and manage privileged user access and ensure that only authorized, credentialed users have access to information on the network. CDM Phase 3 will report “what is happening on the network” and provide capabilities to identify and assess anomalies that may indicate a cybersecurity compromise and to implement ongoing assessment and authorization. CDM Phase 4 will focus on expanding data protections for Government information. All CDM capabilities will feed information to both an agency- and Federal-level dashboard, enabling Government-wide visibility into the current state of Federal information security.

Up to this point, CDM has not sought to address cloud-hosted systems and has instead focused on helping agencies secure their on-premises networks. While this does introduce some limitations, the program has nonetheless elevated the baseline of cybersecurity across the Government. Over the identified phases, the program will deliver capabilities through various mechanisms, including an “as-a-service model,” to ensure that additional capabilities can be provided in a more centralized and standard way.

A challenge in implementing CDM capabilities in a more cloud-friendly architecture is that security teams and security operations centers may not necessarily have the expertise available to defend the updated architecture. To support agency cybersecurity efforts, the Federal Government is working to develop this expertise and provide it across agencies through CDM. Currently, all CFO Act agencies (except the Department of Defense) participate in CDM, as do 44 of the non-CFO Act agencies in the Federal enterprise. CDM will continue to grow and provide sophisticated tools and services to current agencies, while working to onboard the other small agencies not currently served by the program.

This is imperative for enabling the Federal Government to increase security throughout the Federal enterprise. Further targeted actions by DHS’s CDM Program Office and agencies can help expedite the modernization and adoption of CDM to identify, detect, and respond to threats in the Federal Government’s increasing move to cloud environments and mobile devices.

Within 60 days of the date of issuance of this final report:

DHS, in partnership with agencies and GSA, will complete the acquisition strategy for new, long-term task orders to offer CDM lifecycle support to agencies and provide solution development and implementation for Phases 3 and 4 in addition to future work, including cloud security.

Within 125 days of the date of issuance of this final report:

DHS will leverage all available departmental resources, to the extent practicable, to obtain an initial ATO for the CDM Group F Platform. If necessary, DHS will request additional support from OMB, GSA, or other entities to ensure an efficient authorization, consistent with the appropriate security posture required of the CDM Program, potential customer agencies, and the authorizing official. Upon completion of the authorization process, DHS will begin onboarding agencies onto CDM to provide continuous monitoring as a service capabilities.

At the end of the 125 days, DHS will update OMB on the current number and status of remaining Memoranda of Agreement it has established with non-CFO Act agencies (above and beyond the current number of 44). DHS will also submit a plan to OMB that details the expectations and timelines for onboarding non-CFO Act agencies to the CDM Group F Platform.

Within 150 days of the date of issuance of this final report:

DHS will complete the data exchanges between the agency- and Federal-level dashboards to provide enterprise-wide situational awareness of an agency’s cyber posture.

Within 180 days of the date of issuance of this final report:

DHS, in partnership with the Federal CIO Council, will implement a concept of operations for the Federal dashboard to include procedures to manage cyber risks across the Federal enterprise, and other factors pertinent to the broader Federal CIO community.

Security Operations Center (SOC) as a Service

The Security Operations Center (SOC), which generally provides central visibility into the state of security on an agency’s networks, is an essential component of securing the Federal IT enterprise; however, many agencies lack the resources or expertise to establish their own agency-level SOCs. Given the vulnerability this creates, the establishment of a SOC as a service (SOCaaS) capability is essential to ensure appropriate enterprise-wide visibility, incident discovery, and information sharing among Federal agencies. Such a capability would allow agencies that currently lack SOC capabilities to purchase them from agencies with sufficient capacity to offer such a service. This could allow for the creation of specialized offerings. For instance, agencies that have demonstrated expertise in defending cloud applications could expand their current SOC capabilities and offer a SOCaaS focusing specifically on cloud applications. In addition, contracts can be established with commercial providers to provide SOCaaS offerings. Agencies lacking the requisite expertise could leverage these services to accelerate their migration to commercial cloud capabilities.

Over time, agencies offering SOCaaS could provide a full suite of capabilities to agencies that do not want or need to manage their own operations. This would align with the consolidation of existing networks. A more consolidated SOC would have broader visibility, easier communications, and the ability to add tools not available in a more distributed model.

Specifically, SOC as a Service capabilities could:

Within 180 days of the date of issuance of this final report:

OMB, DHS, and GSA will identify potential offerings to provide SOC as a Service capabilities to other agencies across the Federal Government. Additionally, GSA, in coordination with OMB and DHS, will lead contracting efforts to also offer commercially available SOC as a Service capabilities to Federal agencies.

Within 210 days of the date of issuance of this final report:

Any agency that plans to offer SOC as a Service capabilities will provide to OMB and DHS a pricing model in alignment with the cloud migration strategy and timeline outlined above. Additionally, OMB will designate a slate of agencies with insufficient SOC capabilities and require them to establish plans for transitioning to SOC as a Service, whether it is Government or private sector provided.

Other High-Level Actions:

DHS will work with SOC as a Service providers, whether Government or private sector, to ensure that NCPS and CDM capabilities and outcomes can be achieved and that visibility remains aggregated across cloud and on-premises security capabilities. Additionally, agencies designated as potential SOC as a Service providers will establish pilots involving agencies designated by OMB as possessing insufficient SOC capabilities.