OMB’s FY 2014 IT Budget Guidance Takes Aim at IT Security Personnel Costs

From: GovWin/Federal Industry Analysis: Analysts Perspectives Blog

The remaining weeks of the government fiscal year (FY) are known for their push to finish up IT acquisitions before the September 30th deadline and the beginning of fiscal 2013 on October 1st. But running in parallel with this is the development by federal departments and agencies of their FY 2014 budgets that will culminate in the annual request to Congress in February 2013. It is no news that IT budgets are expected to be pressed, but some IT budget guidance recently released by OMB suggests that even areas seemingly as safe as information security may not be immune to budget trimming.

In their latest annual Guidance on Exhibits 53 and 300 – Information Technology and E-Government, OMB gave the requisite federal departments and agencies updated directives on how they should prepare and submit their OMB IT budget artifacts for FY 2014, including specific new content elements and structures.

As part of their overall submission, each agency prepares an Agency IT Security Portfolio (Exhibit 53B). In the 53B, agencies report to OMB their average cost per government full-time equivalent (FTE) staff with information security responsibilities (53B, row 3) as well as the average cost per contractor FTE for information security responsibilities (53B, row 5). (Agencies also report the respective number of FTEs.) Further, departments and agencies report individual cost estimates for the following IT security activities:

  • Costs for NIST 800-37 implementation (53B, row 7);
  • Costs for annual FISMA testing (53B, row 9);
  • Costs for network penetration testing activities (53B, row 10);
  • Security awareness training costs (53B, row 11); and
  • Security training costs for employees with significant security responsibilities (53B, row 12).

New IT Security Budget Reporting Elements for FY 2014

What is new in the FY 2014 guidance affecting each agency’s submissions of their Exhibit 53B is that OMB is requiring information that ties in IT security personnel costs – whether government or contractor personnel – with these specific IT security activities listed above.

For FY 2014, OMB adds two new lines to the 53B that ask for:

  • The number of government FTEs included in costs for each row above (i.e. NIST 800-37, etc.); and
  • The number of contractor FTEs included in costs for each row above.

For both new lines (53B, rows 13 and 14) agencies are to report the number of FTEs with information security responsibilities, including the fractional portion of those who devote a percentage of their time to the responsibilities included in the costs reported in the above IT security activities (emphasis added). OMB goes on to say that the associated government and/or contractor FTE costs, based on the average costs reported by the agency (in 53B, rows 3 and 5), will be subtracted from the total IT security cost to avoid any double-counting.

Implications

Clearly, this is a move to drive out any potential inflation of IT security personnel costs in agencies’ IT budget requests. What is yet unclear is how this scrutiny will impact federal efforts to beef up their ranks of skilled IT security professionals and further improve the government’s overall security posture. Could it further underscore the need and bolster the budget rationale in support of these areas? Could it possibly be used to put further scrutiny on contracted services spending like we have seen in broader OMB policies?

This latest element of OMB’s ongoing drive to push IT budget savings further underscores the budgetary environment in which we now exist. Areas that quite recently were viewed as relatively safe from the budget axe are appearing to receive greater and greater scrutiny.
