SOC-as-a-service? CDM is looking into that

DHS officials are exploring how they can use CDM's new shared services platform, including possibly offering security operations to cabinet-level agencies.
(Department of Homeland Security / Flickr)

In its ongoing efforts to provide cybersecurity shared services to the federal government, the Department of Homeland Security plans to explore offering cabinet-level agencies security operations center-as-a-service capabilities.

“We’re exploring, beyond the shared services that we offer today, looking at other shared services that perhaps some of the cabinet-level agencies can take advantage of, including, as appropriate, security operations center-as-a-service,” Kevin Cox, program manager of DHS’s Continuous Diagnostics and Mitigation program, said Monday at the GITEC Summit.

Security operations centers, or SOCs, are central offices that monitor the health of an enterprise information network and respond to any cyberattacks. Several agencies have their own SOCs, but vendors also offer the operations as a contract service. In the SOC-as-a-service model, DHS would offer to perform SOC functions for other agencies.

The potential move plays into the Trump administration’s May 2017 cybersecurity executive order and its emphasis on cloud computing and shared services, Cox said.


It also comes as DHS is looking at consolidating its own 16 SOCs to a yet-to-be-determined number and could signal another pivot toward more consolidated operations and shared services in the Trump administration’s IT modernization strategy.

Jack Wilmer, the senior advisor for cybersecurity & IT modernization in the Executive Office of the President, said at the event that in crafting the President’s IT modernization report, the White House found some dissonance between cloud applications and the established federal SOCs and was examining how to apply those lessons.

“One of the things we ran into as a barrier to cloud adoption was the security operations center not understanding and not having an interest in trying to figure out how to defend applications that are in the cloud,” he said. “So the notion was, ‘Hey, instead of trying to figure out how I can bring up this existing security operations center, maybe I can contract out with someone who really does understand how to do that and then leverage that for those applications.’”

The challenge for agencies that might consider such outsourcing, Wilmer said, is balancing the risk of adopting a commercial option and saving money against the cost of a more government security-compliant solution.

“Are there certain things that I can accept more risk on so that I can leverage a commercial provider for a significantly cheaper price out of the box,” he said. “That takes really courageous risk officials to make those decisions. Because I imagine second-guessing will happen once you make those decisions is not minimal. At the same time, I think that’s absolutely the way [to go].”


Cox also gave an update on the program’s progress earning an authority to operate for its new CDM shared services platform, which will provide a multi-tenant agency dashboard to help smaller agencies protect their networks.

The platform secured its authority to operate at the end of March, and Cox’s team is working to deploy sensors to four non-CFO Act agencies.

“By early summer, we expect to have that non-CFO, multi-tenant dashboard reporting up to the federal dashboard,” he said.
