Senate Explores Outsourcing Security Services - InformationWeek
12/2/2014
09:06 AM
Senate Explores Outsourcing Security Services

The US Senate might outsource core cyber security support to a managed security service. Candidate tasks include network security monitoring, threat analysis, incident reporting, vulnerability analysis, and security engineering and research.


In a break from its current in-house service delivery model, the United States Senate might use managed security services providers for some of its core cyber security support requirements.

Some of the support functions being considered as candidates for outsourcing to a third party include network security monitoring, threat analysis, incident reporting, vulnerability analysis, and security engineering and research.

The only significant support functions that are not suitable for outsourcing include program management, quality assurance management, contractor supervision, technology assessment, and security policies and standards.


Details of the Senate's interest in exploring a managed service option for some security functions are contained in a notice recently posted by the Office of the Sergeant at Arms at the US Senate. The notice seeks information from vendors able to deliver the services from their own facilities.

Vendors will be required to assist the Senate's technology staff in monitoring networks for threats, provide incident reporting and analysis and research, and evaluate and test security products and technologies. In addition, they will have to be subject matter experts in areas such as advanced persistent threat (APT) detection and mitigation and be willing to assist Senate staffers in operating and maintaining enterprise vulnerability assessment tools, the notice said.

The outsourcing route is one of two options currently under consideration by the Senate. The other option is to stick mostly with the status quo, which is to procure the support services using a combination of contractor-supplied resources and in-house personnel, equipment, and security operating centers.

111th US Senate class photo.
(Image: Wikipedia)

The notice does not offer any explanation for the Senate's new interest in outsourcing key security functions to third-party providers. But it makes clear that the Senate intends to exert as much control as it can over any security outsourcing arrangement. The Senate, for instance, will maintain sole custody of all data under a managed service arrangement. It will insist on access to all security metadata maintained by the service provider in order to respond to threats faster.

Any managed service provider that is selected for the task will also need to provide the services using personnel who are US citizens working in US-based facilities and on computers, storage systems, and networks located on US soil.

It's unclear how quickly, or even whether, the Senate ultimately will outsource security support functions to a third party. The notice is merely an expression of its interest in considering other options to its current security delivery model. Even so, the Senate's interest in at least exploring the option is interesting, considering that a vast majority of federal IT professionals remain wary about migrating any IT service to the cloud.

In a MeriTalk survey of 153 federal IT professionals this September, 89% expressed concern about moving to cloud services for a variety of reasons. Forty-three percent of those surveyed compared moving to the cloud to giving a teenager the keys to a new convertible.

Many cited a lack of proper data governance as a reason for their reluctance to move applications and services to the cloud. Close to 80% cited security as one of the biggest reasons for holding back from the cloud.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

KimberlyC025,
User Rank: Apprentice
12/9/2014 | 11:34:18 AM
Contractors are not Cheap
I work for the Federal Government and I can see a need for augmenting IT and cybersecurity with contractors. But *not* outsourcing the basic function of it. Seriously? The contractors I work with are getting paid far better than me. At least 4 were on long term contracts for a total of 15 years before the contract changed hands. Then they just moved to a different company. If the argument against civil servants is that their benefits are too expensive, one has to wonder what is saved by hiring expensive contractors that resist government oversight. How? The government simply becomes a "customer" and the contractor- while well meaning and very skilled- proceeds to do what the company wishes for them to do- which may or may not align with the government needs/wishes. There are several times I have seen managers throw their hands up over personnel issues they are unable to rectify because the only person who has any sway with the contractors in question is the COR- who only asks if the terms of the contract are being fulfilled. Our government is putting far too much power into the hands of private vendors. We are selling our integrity.
jries921,
User Rank: Ninja
12/4/2014 | 11:33:08 AM
What for?
With one hundred members and thousands of employees, I think it highly likely that the US Senate has enough computer work to keep at least a small staff of professionals busy full time and if it doesn't, the Congress as a whole definitely does.  If political patronage is the issue, then I can't think it would be hard to extend reasonable civil service protections (under whatever name; but not necessarily the overwrought ones granted to executive branch employees) to career employees with no public policy making functions.  If the existing staff isn't doing its job right, then fix that problem either by giving people the time, training, and resources needed to do their jobs; and/or replacing the people who cannot or will not perform acceptably.  Then if after that, the computing staff decides that outsourcing is necessary to meet some temporary needs, then they should have the authority to make the necessary arrangements without bothering the leadership.

I see absolutely no logical reason to outsource permanent functions if there is enough work to keep someone busy full time and think it's absolutely ridiculous for government to do so; if for no other reason than that in house employees have their careers invested in the institutions that employ them, while contractors have to treat the institution as just another customer.  And contractors can be even harder to fire than career civil service people, as they can afford better lawyers and are allowed to write off lobbying as a business expense.

 
rradina,
User Rank: Ninja
12/2/2014 | 2:24:42 PM
Bigger Question
Why would the Senate have its own IT?  Shouldn't this be part of a larger government entity that, because of its size, has sufficient internal talent or at least a substantially better position from which to negotiate contracts?