The Department of Agriculture is consolidating its security operations center by transitioning select personnel from eight mission areas to its Kansas City-based facility starting Oct. 22.
A consolidated SOC means one point of contact and one dashboard when Chief Information Security Officer Venice Goodwine wants to know what’s on the network, who’s doing what and who’s logged in from where — a big change from when she arrived last December.
“When I had a particular vulnerability I needed to check across the enterprise, I had to ask eight people,” she said. “I don’t have to do that in my new consolidated operations center.”
When Goodwine left the Pentagon for USDA, the department had already started SOC consolidation. But Goodwine wanted all SOC functions in one place and position descriptions standardized in accordance with the National Initiative for Cybersecurity Education (NICE) workforce framework, which she carried over from her time at the Department of Defense.
“I want to change the mindset that whenever my mission areas decide they need a new toy or capability, they need to ask me and it’s defensible,” Goodwine said at an ACT-IAC event. “Part of that is: Do I have the workforce to support what you’re trying to bring into the organization?”
While there’s been “a lot of contention” around moving some mission areas to the consolidated SOC, establishing its workforce went over well because of the methodical process, she said.
USDA reviewed all information security work roles, identified the tasks they were performing and gave them NICE codes — some of which designated them for the SOC. The SOC currently has 42 federal employees with 42 position descriptions and a career path laid out for all 52 NICE work roles, Goodwine said.
“Certifications are mandatory because I come from an environment where — depending on how close you were to the computing environment or whether you had elevated abilities — you had to have that elevated knowledge, which is what a certification provides to you,” she said.
Consolidating capabilities has been “more deliberate,” Goodwine said. Mission areas had their own processes based on how they interpreted USDA’s policies, so the department has taken a “best of breed” approach to consolidating tools for things like vulnerability management, scanning and incident response.
For instance, USDA discovered seven different antivirus solutions across the enterprise. One was selected and collapsed, and the contract increased, for mission areas already using the solution.
In the case of mission areas not using the same tool, the contract of whatever product they’re using is reviewed and a transition timeline established. And if a mission area lacks a tool entirely, the capability is funded.
When establishing new capabilities, the Continuous Diagnostics and Mitigation program’s tool wins — assuming it has one for that need, Goodwine said.
Funding capabilities presents another challenge because some mission areas rely on a fee for service, while others rely on working capital funds and shared services. So far if a mission area needs a replacement tool, it’s covered through reimbursement because the service is already being funded or charged for by them.
In 2021, Goodwine wants to charge Greenbook fees — reimbursable agreements providing for the transfer of funds — for cybersecurity capabilities.