NOC and SOC together: DHS moves to new model for operations, incident response

No more taking systems offline while security analysts work, said the new department CIO.
Karen Evans, DOE
Karen Evans at the 2019 Cybersecurity Leadership Forum. (FedScoop)

The Department of Homeland Security is consolidating its network and security operations centers to ensure services remain available when analysts must investigate a cybersecurity incident, according to the department’s new chief information officer.

The resulting network operations security center (NOSC) model represents a shift from traditional cyber incident response, where the SOC’s goal typically is to take the system offline until the problem can be identified and fixed.

“It’s not just consolidation for consolidation’s sake,” CIO Karen Evans said during an ACT-IAC event Wednesday. “It’s the next evolution of providing and managing risk to keep the business going while we are then analyzing, being aware of and being able to protect our operations.”

Evans said she held planning sessions internally, as well as with the department’s CIO Council. The department is currently considering how best to staff the NOSC in terms of the ratio of federal to contract employees, she said.


DHS also has a “pretty robust” Continuous Diagnostics and Mitigation implementation underway, and those cybersecurity tools will feed data about IT assets and access to NOSC’s dashboard for display before being sent on to the federal dashboard, Evans said.

The department also has other responsibilities before, during and after cybersecurity incidents. Its Cybersecurity and Infrastructure Security Agency analysts work together with the intelligence community (IC) to identify systemic issues and determine if they’re affecting other federal agencies in their offices at home and abroad.

Federal employees need the right skills to use the software developed by contract workers, and the Office of the Chief Human Capital Officer continues to develop the new Cybersecurity Talent Management System (CTMS) to hone them, Evans said.

CTMS participants will take part in assessments like capture the flag that are mapped to the Cybersecurity Workforce Framework. If the NOSC requires more forensics analysis expertise, that career path will be mapped and compared with industry to ensure government is offering commensurate pay for the same skill levels.

“There’s a certain set of skillsets that we need to be able to have there, and there has to be a balance between the federal workforce and contracting workforce,” Evans said. “We are really taking and really analyzing what is that balance.”

Latest Podcasts