CISA cleared to share cybersecurity services as first official QSMO
The Cybersecurity and Infrastructure Security Agency became the first official quality services management office (QSMO) Monday, one year after the Trump administration issued a governmentwide memo for standardizing shared services.
In the memo, the Office of Management and Budget named CISA one of four QSMOs tapped to operate federal marketplaces, in this case, for cybersecurity services.
OMB formally designated CISA the QSMO for security operation center and vulnerability management standardization, as well as Domain Name System resolution on Monday.
“We plan to leverage successes and lessons learned from programs like Continuous Diagnostics and Mitigation and the National Cybersecurity Protection System to deliver high-quality, cost-effective shared services to federal agencies,” said Bryan Ware, assistant director for cybersecurity at CISA, in the announcement. “In partnership with OMB and our partner QSMOs, we stand ready to create efficiencies in government and optimize the federal workforce by shifting resources to higher value work and reducing duplication across agencies.”
Agencies can now partner with CISA to incrementally share cyber technologies and services.
To achieve its long-term QSMO designation, CISA had to complete a marketplace implementation plan proposing service offerings, an acquisition strategy, governance, financial infrastructure and organization.
The three other QSMOs that have yet to be formally designated are the General Services Administration for human resources, the Department of the Treasury for financial services, and the Department of Health and Human Services for grants management.
OMB targeted the bigger, back-office lines of business — financial services and grants management — first to develop a replicable process for creating QSMO marketplaces. GSA awarded two multi-million dollar task orders in September for its NewPay Initiative moving agencies off aging payroll systems to Software-as-a-Service solutions.
Still, CISA beat them to formal designation.
Federal CIO Suzette Kent said in November not to expect results for a few years because funding, personnel and pace must align between QSMOs and customer agencies. Grants management is particularly challenging because it lacked a preexisting shared services model like the other areas, so HHS took longer engaging customer agencies about potential impacts.
Currently, customer agencies are expected to pay for the services, like NewPay, that are delivered, but that model could change in time, Kent said.
OMB intends to identify more QSMOs over time in areas like assisted acquisition, contract writing, customer experience, the Freedom of Information Act management, travel, and real property management.
“This an important step in the path to modernization of the federal government,” Kent said in a statement. “By designating CISA as QSMO for cyber services, the federal government will be able to leverage their expertise, contracts and solutions to offer a robust marketplace of cybersecurity capabilities that will benefit all agencies.”
