In a break from its current in-house service delivery model, the United States Senate might use managed security services providers for some of its core cyber security support requirements.
Some of the support functions being considered as candidates for outsourcing to a third party include network security monitoring, threat analysis, incident reporting, vulnerability analysis, and security engineering and research.
The only significant support functions not considered suitable for outsourcing are program management, quality assurance management, contractor supervision, technology assessment, and security policies and standards.
Details of the Senate's interest in exploring a managed service option for some security functions are contained in a notice recently posted by the Office of the Sergeant at Arms at the US Senate. The notice seeks information from vendors able to deliver the services from their own facilities.
Vendors will be required to assist the Senate's technology staff in monitoring networks for threats, provide incident reporting and analysis and research, and evaluate and test security products and technologies. In addition, they will have to be subject matter experts in areas such as advanced persistent threat (APT) detection and mitigation and be willing to assist Senate staffers in operating and maintaining enterprise vulnerability assessment tools, the notice said.
The outsourcing route is one of two options currently under consideration by the Senate. The other option is to stick mostly with the status quo, which is to procure the support services using a combination of contractor-supplied resources and in-house personnel, equipment, and security operating centers.
The notice does not offer any explanation for the Senate's new interest in outsourcing key security functions to third-party providers. But it makes clear that the Senate intends to exert as much control as it can over any security outsourcing arrangement. The Senate, for instance, will maintain sole custody of all data under a managed service arrangement. It will insist on access to all security metadata maintained by the service provider in order to respond to threats faster.
Any managed service provider that is selected for the task will also need to provide the services using personnel who are US citizens working in US-based facilities and on computers, storage systems, and networks located on US soil.
It's unclear how quickly, or even whether, the Senate ultimately will outsource security support functions to a third party. The notice is merely an expression of its interest in considering alternatives to its current security delivery model. Even so, the Senate's willingness to at least explore the option is notable, considering that a vast majority of federal IT professionals remain wary about migrating any IT service to the cloud.
In a MeriTalk survey of 153 federal IT professionals this September, 89% expressed concern about moving to cloud services for a variety of reasons. Forty-three percent of those surveyed compared moving to the cloud to giving a teenager the keys to a new convertible.
Many cited a lack of proper data governance as a reason for their reluctance to move applications and services to the cloud. Close to 80% cited security as one of the biggest reasons for holding back from the cloud.