RFC 003 - TTS Senior Cybersecurity Advisor

The problem / situation / context

In May 2021, the White House issued an Executive Order on Improving the Nation’s Cybersecurity. This EO set out several priorities for government agencies:

  • Improving Policy
  • Removing Barriers to Sharing Threat Information
  • Modernizing Federal Government Cybersecurity
  • Enhancing Software Supply Chain Security
  • Establishing a Cyber Safety Review Board
  • Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
  • Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
  • Improving the Federal Government’s Investigative and Remediation Capabilities

Technology Transformation Services (TTS) has been creating systems, applications and programs that are at the forefront of technology in government (e.g. Cloud.gov, Login.gov, USWDS). However, TTS has limited expertise in cybersecurity. With the aim of continued growth of TTS in FY22 (and beyond), it is imperative that we grow the skills and expertise to support a clear, unified direction for best practices and operations in cybersecurity.

The proposed path forward

RFC 002 received feedback from across GSA with agreement that we should invest in security. One of the conclusions in this RFC was to create a TTS security lead position to coordinate security approaches/activities across TTS programs.

Proposed path forward: ADD a Senior Cybersecurity Advisor in the TTS Front Office.

From @mzia:

The person should be skilled in understanding compliance security and translating it into technological solutions for product teams, helping them chart/strategize their way to a deliverable product. If the person’s knowledge is just dealing with compliance check-boxing and nothing along the lines of how it maps to modern tech and security practices or patterns to the SDLC, then it’s just not going to work. The opposite is true as well.

The individual must be a strong communicator who also knows how to navigate the federal landscape and build working relationships within and outside of GSA, laser focused around cybersecurity.

Why should we do this

Adding a Senior Cybersecurity Advisor to the TTS Front Office is beneficial for the following reasons:

  1. Cybersecurity point of contact at TTS. The Senior Cybersecurity Advisor will assist in bridging our communications throughout GSA regarding security and privacy in our organization. For example, they will work with both the Information Security and Privacy Offices at GSA to continue the existing collaboration we have with these offices. This will not exclude the ability of individual teams to interact with these offices directly.
  2. Creates and delegates TTS-wide services that will enhance cybersecurity. The Senior Cybersecurity Advisor will lead the effort in cybersecurity services and best practices that will create a better cybersecurity ecosystem at TTS, as well as ensuring teams have uninterrupted access to security and privacy tools and services they need.
  3. Collaborate and advise on cybersecurity hiring needs at TTS. The Senior Cybersecurity Advisor will work transparently with TTS leadership, Talent and our various programs to determine any hiring and staffing needs for TTS. This will be in collaboration with our ISO and Privacy offices.
  4. Communicates and consults with various programs and guilds on cybersecurity. The Senior Cybersecurity Advisor will work closely with the TTS-wide program leads and the Security and Compliance Guild to continuously share information and concerns between programs and maintain a holistic view of the security needs of TTS.
  5. Identifies and shares cybersecurity training opportunities for TTS. Identifies opportunities for training within TTS, which could encompass career-track training for those interested, and broadly applicable training for the folks in the trenches, such as incident response.

Why shouldn’t we do this

Having a single point of contact for cybersecurity could lead to bottlenecks in all of the ways our organization is trying to move forward in cybersecurity mentioned above. It will be important that this role delegates and collaborates with others across GSA to ensure that the work is not siloed in a single person or group.

From @ryanhofdotgov:

What I would hope to avoid is the anti-pattern we see at many of our partner agencies – medium-sized security teams at lower offices (in addition to larger ones at their top-level agency), with atrophied skills and unnecessarily divergent policies and practices.

It is important to note that there may be issues if this role is not provided the budget and staff required to do this work. While the initial part of this role will be to determine budget, staffing and hiring needs, a funding source for the role itself should be identified up front. This will help to avoid placing any additional burden on teams for specific tasks this role may have for TTS programs.

Alternatives considered

  1. Current TTS leadership and the ISO and Privacy Offices continue to collaborate on cybersecurity at TTS.
  2. Each TTS program/team continues to set its own cybersecurity direction, in line with its own SSPs and in collaboration with the GSA ISO and Privacy Offices.

Equity and Inclusion

It is imperative that this role take equity and inclusion into consideration to ensure that candidates from all races, cultures and backgrounds are taken into account. There should also be direct DEIA outreach and recruiting to candidates within the cybersecurity profession.

Premortem / Review

This proposal is one of many other conclusions that came out of RFC 002:

  • Get additional engineering (of all kinds, including security) and subject matter expertise into program teams where unique use cases exist
  • Merge product teams (that are currently small) to create better coverage, particularly in terms of engineering, and also being able to justify a full-time security person
  • Provide TTS-wide services that will enhance security via the proposed Delivery Team

These should also be taken into consideration when reading through this RFC.