GSA Blog

A Federal Perspective on Security Operations Centers as a Service (SOCaaS)

Earlier this summer, Dan Jacobs, Cybersecurity Coordinator for GSA’s Federal Identity, Credential, and Access Management (FICAM) Team, presented on Security Operations Centers as a Service (SOCaaS) in the federal space at Gartner's Security & Risk Management Summit 2018. Here is a summary of the presentation highlighting the importance of SOCaaS.

What is SOCaaS?

It’s no secret that, with advancements in security technology and processes, it is critical for federal agencies to examine security operations and improve the way they protect sensitive information. IT modernization continues to remain a priority for the federal government. SOCaaS is one way that agencies can improve how they manage security operations.

Traditionally, a Security Operations Center (SOC) [PDF] is a facility where security information is housed, monitored and analyzed to protect data from cybersecurity threats. As security operations have evolved, and technology (including cloud) has advanced, more agencies are outsourcing their security capabilities. The result is SOCs may no longer consist of an onsite, dedicated team providing continuous support.

Why Consider this Approach?

Agencies spend a significant portion of their IT budget to satisfy security mandates, including outsourcing teams to monitor these mandates. Due to systemic budget issues and the need for skilled workers in cybersecurity, agencies need to consider the reality of centralizing security operations across the federal government. If agencies contract out security operations, they are using SOC "as a service," and can leverage this model to streamline security operations.

What Would SOCaaS Look Like?

There are two scenarios that illustrate this. In a probable scenario, a large organization, or Tier 1 SOC, provides 80 percent of security operations required by all agencies, with Tier 2 and Tier 3 SOCs (smaller to medium-sized organizations) providing any specific capabilities not covered by the Tier 1 SOC. However, the most likely outcome is for a Tier 1 SOC to provide a limited amount of services which can be used by all agencies, with Tier 2 and 3 SOCs assuming the majority of security operations tailored to their specific needs. In both cases, the goal is to combine the capabilities and services provided by a "best of breed" organization, with GSA’s ability to build these services into acquisition vehicles which can be purchased by the federal government. Yet this possible outcome is still years away from becoming reality.

Implementation and Recommendations

What would a centralized model for SOCaaS mean for federal agencies? Under a centralized model, a best of breed/larger organization is the Tier 1 SOC provider, with security operations standardized across the federal government within a structured cost model.

The following steps are recommended to prepare your agency to adopt the SOCaaS model:

1. Get leadership buy-in. Make sure that your chief information officer (CIO), chief information security officer (CISO) and executive board are aligned on mission and goals. Strong support from leadership is critical for your agency to prepare to move to SOCaaS.
2. Establish an understanding of your data. Know your data, and refresh governance processes and policies in line with this change. The more mature your processes, the easier is it to gather requirements that will drive better services (service management), risk/compliance posture and savings.
3. Conduct due diligence tied to agency goals. Create a realistic timeline to fully implement SOCaaS. Include training execution, conducting a gap analysis (resourcing), modelling, testing, and evaluation. Make sure this plan is realistic and that your agency can deliver on its goals to better manage changes to security operations.
4. Determine what "right" looks like for your agency. Remember, these are only recommendations to implement SOCaaS. Define detailed milestones (informed by due diligence and metrics/analysis) to paint a roadmap to meet agency goals. Connect with agencies who have already done this to learn and share best practices.

Next Steps

Centralized security operational services (e.g., SOCaaS) are likely to become a reality over the next several years. While some agencies already have capabilities and services to improve management of security operation, many have not yet started down this path. Agencies should take time to scope down processes, and gain a complete understanding of their data, services and security capabilities, to better manage security operations.

To find out more about SOCaaS and what this could mean for your agency, reach out to GSA’s Cybersecurity Program at cyberportfolio@gsa.gov.