Are You Making the Business Case for Federal Cybersecurity?

Cybersecurity has been one of the fastest growing sectors in the federal government over recent years, with round-the-clock threats in an online world. In fact, the Government Accountability Office (GAO) reported in June that “the number of cyber incidents reported by federal agencies increased in fiscal year 2013 significantly over the prior three years,” and that “24 major federal agencies did not consistently demonstrate that they are effectively responding to cyber incidents.”

At more than 46,000 cyber incidents in FY13 and growing, greater assets will be required to fund these programs.  Have you asked your team: “What are we doing to ensure budget allocation for cyber security not only today, but in the coming years?” The best way to justify return on investment (ROI) in cybersecurity programs is the development of a business case through the Capital Planning and Investment Control (CPIC) process. And as I describe in this week’s Federal Times Solutions & Ideas section (p. A22), the best time to finesse business cases through CPIC is right now. Here’s why and how.

CPIC Sets the Foundation

Even with the growing cyber threat, in this era of ever increasing financial pressure, agencies are being asked to defend their IT portfolios and adopt new technologies in order to reduce their IT spending. Cybersecurity teams must advocate for their programs and be able to defend the business case and the need for funding for development, implementation, and maintenance. That is accomplished through the CPIC process.

In its Circular A-11 Guidance, the Office of Management and Budget (OMB) mandates that agencies develop an annual business case (formerly known as the Exhibit 300).  To help agencies meet these requirements, OMB uses the structured process known as CPIC.  OMB expects agencies to submit business cases for review and inclusion on the Federal IT Dashboard, the public-facing website owned and operated by OMB.

In September, agencies submitted their IT portfolios, including budget requests and initial BY16 business cases. The interim between initial and final submission is when agencies should thoroughly review their IT portfolios to assess their current and future state. It is the time to ask, “Do we as an agency have the right investments for the future?” For cybersecurity professionals, it is a time to reevaluate the future needs of their programs and ask, “Do we have adequate funding to protect the agency from online attacks now and in the future?”

In a complex business and IT environment, the repeatable CPIC Process enables the Federal Government to control its IT funding and manage IT Programs.  In layman’s terms the CPIC Process can be thought of as a three-legged stool – budget planning and implementation, program management and control, and management and oversight.  Each leg is critical in order to support the stool.

Budget: The first leg is where agency budget staff sets aside the funding and communicates funding levels for current and future years to programs. They also submit the formal funding request as a part of the federal budget process.

Program Management: This second leg is at the heart of any program. The program manager establishes, executes, and controls the program baseline based on a clear understanding of the requirements and scope.

Leadership and Oversight: The third leg establishes and reviews an agency’s portfolio.  Agency leadership will work with program managers and budget staff on the investments that will be submitted for funding.  It is leadership that has final authorization on the portfolio and what is reported outside of the agency.

Portfolio Reviews Can Identify Potential Cyber Weaknesses

Cybersecurity professionals should ask questions such as: Are resources in place to ensure that these programs can operate in a high threat environment? Is funding in place to support current and future program requirements? This is more than examining last year’s budget to see how much was spent on cybersecurity and then allocating a nominal funding increase for future years. That is not effective planning, and it potentially increases risks to the programs. If program needs are not being met, program professionals need to communicate this to leadership and budget staff.

Agency leaders need to have a full understanding of their business environment, including the organizational missions, portfolios, architecture, capabilities, resources, assumptions, and constraints, so that they can make hard decisions if resources need to be reallocated. That also means that leaders, budget, and program professionals need to understand the cybersecurity universe, not only within the federal sector but also, to the extent possible, how the private sector is planning and budgeting to meet online threats. That may require agency leaders to completely rethink and reassess their programs.

CPIC Supports Forward Planning

CPIC was envisioned to be a process that links budget planning and strategic planning to a specific program and its performance.  By leveraging the OMB Business Case, the output of the CPIC process, agencies have at their fingertips a multi-year budget plan, justified investment portfolio and business case, and efficient plan for resource allocation.

The beginning of the new fiscal year provides the timeframe for all three parts of the CPIC stool to engage and analyze the data that was submitted to OMB in early September. Doing so will make a stronger case for the cybersecurity programs that will be a major requirement for the future. Now is the time to ask and answer the question, “Does our agency’s IT program make the budget case to counter expected cybersecurity threats?”