An audio review of 2011 Federal Cybersecurity Conference and Workshop (FCSCW) highlights and what can be expected during 2012.
Christine Feldt: Hello, and welcome to this conversation looking back on the 2011 Federal Cybersecurity Conference and Workshop. This is a retrospective discussion on the events. For those who wanted to learn a little bit more about it, here are some highlights and some great points that will be shared by our track leads.
Let me hand this to the group now, and let them introduce themselves.
Antione Manson: Thank you Christine. My name is Antione Manson. I'm a program manager, as well as the 2011 conference program director for the Federal Network Security Branch at the Department of Homeland Security.
Debbie Taylor-Moore: Hello, I'm Debbie Taylor-Moore, and I'm the president of CyberZephyr. And I worked with the Emerging Technology Track.
Karen Evans: Hello, I'm Karen Evans. I'm the national director for the U.S. Cyber Challenge, and I was the track lead for the Policy and Management Track.
Jim Cebula: Hello, I'm Jim Cebula from Carnegie Mellon. And I'm going to talk with you about the Risk and Resilience Track.
Christine Feldt: Unfortunately our track lead for Collaboration Initiatives, Mark Crouter, was unable to join us. But Antione Manson will cover those highlights for us.
Antione Manson: Sure. Thank you. Just to give you a little bit of a highlight of how the conference-- what happened and flowed. The 2011 Federal Cybersecurity Conference and Workshop was a four-day event. It was held on October the 3rd, and it ran until the 6th. It was held in Baltimore at the Sheraton Inner Harbor.
The structure for the conference was a workshop day, which was all day on the 3rd. It featured several collaborative meetings and pre-conference workshops for participants looking to receive specialized training with respect to resiliency-- risk resiliency management, insider threat-- and to be informed, as well as to meet with the information security line of business portfolio owners.
The conference structure. Excuse me. The conference itself actually kicked off on the 4th of October and ran through the 6th. Each morning we had a keynote speaker from senior leadership across government, industry and academia. The conference broke into four different theme tracks-- Risk and Resilience; Emerging Technology; Collaboration Initiatives; and Policy and Management-- which we'll have some highlights from.
In addition to all of this, on the Wednesday afternoon we had a cyber awards ceremony that took place where we recognized the dedication and hard work of agencies, as well as individual staff members in cyber security.
As a part of the Department of Homeland Security's efforts for improving the cybersecurity posture across the federal government, we leveraged the FISMA data from CyberScope for Fiscal Year 2010, to do a calculation of the self-reported responses for FISMA metrics to recognize a small and a large agency for doing a job well done.
The awardees for this conference were-- for the large agency it was the Social Security Administration; and for the smaller agency it was the National Science Foundation.
Christine Feldt: Let's go back to the track leads and ask them to give us highlights about their respective tracks. So let's start with Jim and the Risk and Resilience Track.
Jim Cebula: Okay, thank you Christine. So the Risk and Resilience track spanned all three days of the conference, as well as the pre-conference workshop day that Antione spoke about.
So on the workshop day, we provided two offerings of a tutorial on the CERT Resilience Management Model.
Christine Feldt: Could you explain briefly what CERT RMM is?
Jim Cebula: Sure. So CERT RMM, or the CERT Resilience Management Model, it forms the foundation for a process improvement approach covering the disciplines of security, operations, business continuity and IT operations management. And it helps an organization to establish a resilience measurement process, and provides a collection of capabilities that the organization performs to ensure that its important assets remain productive in helping the business to support its critical processes and services.
Then within the model there's guidance for measuring the current competency or achievement level in these capabilities, setting some improvement targets and establishing plans of action to close gaps or to carry out some of these improvement efforts within the organization.
And so within the tutorial, on the workshop day we actually worked the participants through a hands-on example. And within the model there's a collection of 26 broad areas of focus called Process Areas. And one of the examples, or one of the objectives of the example in the tutorial, was to help the participants work through a scoping exercise to scale down that broad coverage of 26 areas down to a few areas that they might want to target to resolve a particular issue within their organization.
And I think the content there was pretty well received in the two tutorial sessions, and we got some pretty good dialogue going with the class; which is always helpful.
And then in addition to the tutorial that really covered CERT RMM proper, there were a lot of interesting sessions over the three days of the main conference. We had sessions in the Risk and Resilience Track dealing with digital personas, spearphishing.
There were sessions talking about issues related to the advanced persistent threat, or APT. There was a panel discussion with representatives from NIST talking about the intersection between NIST's Risk Management Hierarchy, as it's laid out in Special Publication 800-39, and the CERT RMM model that I just mentioned briefly.
There were sessions on mobile devices, insider threat; and some others beyond that.
I'll take just a few minutes and give you a highlight or two about the CERT RMM tutorial- or CERT RMM and NIST's Risk Management Hierarchy panel discussion.
So the panelists in that discussion were myself and Dr. Ron Ross from NIST. And we talked to the audience about looking at this enterprise level view that's spelled out in NIST 800-39, dealing with risk management really at an enterprise level, and having an organizational risk tolerance; a defined process for managing risk in key individuals, in the senior management of the organization that have a view and understand what risks the organization has accepted, and whether those are in alignment with the thresholds that the organization has put forward.
We talked about that in conjunction with certain of these process area coverage from CERT RMM, in areas like enterprise focus and monitoring tips; to give two examples.
And then at the conference we introduced, and had available as a takeaway for the participants, a poster sized view of the goals and practices out of each of these 26 process areas in CERT RMM against a number of the NIST Special Publication documents; including some of their big ones, such as 800-39, 800-37 and of course 800-53, the Controls Catalog.
And I was gratified by the panel in the sense that I think the audience did more of the talking than the panelists. So it was really-- it was well engaged and I think well received.
Christine Feldt: Thank you Jim for that recap and sharing the highlights on the panel.
Debbie, would you mind taking a couple of minutes to talk about the Emerging Technology Track and any highlights?
Debbie Taylor-Moore: Absolutely. Thanks a lot Christine.
In terms of emerging technologies, I think that this particular track offered a very unique opportunity to see the public and private partnership at work in cybersecurity.
Some of the areas that were of particular note was-- one of them was work that DoJ is doing in the area of continuous monitoring. I was really impressed with the generosity with which they shared information with other agencies regarding the technologies that they both selected, as well as implemented, that have helped them to enhance their continuous monitoring program.
And as a lot of agencies are asking themselves questions about how to go forward with this program, it was nice to have one that's in place and working well in an agency be discussed; and people had the opportunity to ask questions about it.
Another area that I thought was a particular standout was the Fishnet Security Group and their panel, which included the SOC manager for DHS Customs and Border Patrol, Alma Cole.
And the Fishnet Security Group is pretty unique in that they work with all types of cyber technologies, and they are completely agnostic in terms of their approach to the different technologies.
But what they did was they took a look at the defense-in-depth paradigm, and how many layers of technologies that are in use in all federal agencies and companies and organizations around the world today, and how there are so many vulnerabilities at each layer.
And it gave a pretty chilling look into how important it is for agencies to sort of understand the work and have a working knowledge of what they have in place and how well it's affecting them today; and also sort of a look into the future in terms of what more cutting-edge technologies will have to offer.
And then one area that I particularly enjoyed was the discussion between Xceedium Technologies and DHS's Jim Quinn on Identity and Access Management.
For the most part, I've been working in the area of Identity and Access Management for what seems to be a long time. But there are still a few OMB Directives that are upcoming and present. The State Agency is in this arena. And they did a very good job of bringing to light how groundbreaking technologies can help in this area.
And then of course it wouldn't be complete- a complete discussion around technologies without some mention of the cloud. And there's been quite a few studies out there, as well as surveys recently, that certainly express that one of the major concerns around cloud computing is the security aspect of it.
And in this particular session, the provider, SecureInfo Corporation, who've done a lot of work, pre-FedRAMP, to establish cloud security for a number of CSPs, was present, along with cloud service providers-- Microsoft and Terremark. And they had a very lively exchange with the audience.
And I think that the thing that I was struck by was the level of security and flexibility that these cloud security providers offer agencies. And that really kind of will ultimately take many of the cloud security concerns off the table. They both have a great deal of experience in implementing security safeguards in this space.
And it's my understanding-- and Karen, you could probably speak more to this-- that the FedRAMP Memorandum is now in place.
Karen Evans: Well thank you Debbie for bringing that up.
This was really exciting. The Policy and Management Track really covered a lot of highlights. But we were fortunate to have Kathy Conrad, who's an associate administrator from the General Services Administration, and Van Hitch, formerly of the Department of Justice, who also worked on the CIO Council Group for FedRAMP.
And what they provided to the conference participants were their insights of how FedRAMP should work. They talked about the governance process. They talked about many things; of how this was going to work and how it was going to be beneficial to the Agencies, which really gave the participants some insight.
And when the policy came out last week, I was happy to read that everything that they covered at the conference was exactly in the policy, the way that they said that they thought it was going to be signed off. So that was pretty exciting.
Other things that we covered in the Policy and Management Track. We had people from the Congressional Staffers, who are key to legislative changes. And one of the highlights in that area was Mike Seeds from Congressman Thornberry's staff provided the participants a lot of insight into the report that was being released by the Republican Cybersecurity Committee that day. So they got a heads up of things that they were going to see out in the press.
And it went all the way through to issues on procurement. There was a specific panel that talked about supply chain risk management.
And then we also had insights from the National Security Staff where Andy Ozment came and talked specifically about what the intent was for the White House around continuous monitoring; how to address the risk profiles for the Agencies.
And lastly, what I really thought was great, was a lot of discussion around information sharing and the international issues associated with cybersecurity. So we had a really distinguished panel that ranged from State Department participation; all the way through Department of Homeland Security's international aspect of how they're dealing with data sharing, information sharing. The program manager from the information sharing environment was there. And they talked about the challenges that are involved to ensure data security, cybersecurity, identity management, law enforcement issues.
So it really was very helpful for the Agency participants at the conference to really see what kind of policy issues are on the table and what is being discussed.
Christine Feldt: Thank you Karen for sharing all of that about Policy and Management.
Antione, would you like to take a minute and touch on the Collaboration Initiative highlights on behalf of Mark? Antione?
Antione Manson: I'm sorry. I was talking and I was on mute. I do apologize.
Like everyone was saying, the overarching theme for the conference, in addition to cybersecurity, was information sharing. And one of Homeland Security's huge missions in the Quadrennial Homeland Security Report is in fact information sharing.
And the Collaboration Initiative Track provided an opportunity to showcase just that; the partnerships, with all of the different various federal agencies that represented the panels that have been discussed, as well as people from the intelligence community.
The Defense Department was very instrumental in being a part of this conference, as well as reaching out to our key industry partners.
I'd just like to say that this I believe proved really, really to the point of what we were trying to make it, and that it was an actionable conference. In fact, Karen spoke to the FedRAMP Memo. In addition to that, I believe there was a memo that came out around information sharing.
So I think a lot of the conversation across most of the track areas was very, very heartfelt, very, very insightful, and very aligned with the time, in terms of some actionable things happening in this space.
That's all for me.
Christine Feldt: Thanks Antione. Just to let everyone know, who's wondering what's happening for next year, the planning for the 2012 conference is underway, and announcements will be made as soon as the location is determined.
But the Federal Network Security Branch will also be sponsoring a one-day (inaudible) Workshop at the Eighth Annual GFIRST Conference, which is going to be in August of 2012 in Atlanta, Georgia. So please stay tuned; along with the GFIRST planning as well.
Why don't we take a minute and just discuss the 2012 highlights that we're planning? Jim, can you touch on Risk and Resilience once again for next year?
Jim Cebula: Yes. Thanks Christine. So in 2012 I think the key thing that we're going to be looking to highlight in the materials that we present would be building on some research that we have going on in specific ways to measure resilience; the measurement analysis piece. So we've covered the foundational principles, and we want to get into actually how you measure this in an organization.
Debbie Taylor-Moore: Also too, from the Emerging Technology perspective, I think one of the key things that we definitely want to get involved in next year would be to step a bit beyond the mature technologies that are in place today, and really take a look at very cutting edge innovation, and have an opportunity to have a chance for folks to come in and actually learn a bit through maybe sort of a technology innovation lounge concept, where not only can these solutions be exhibited but also demonstrated live for participants. What about you Karen?
Karen Evans: Well I think in the Policy and Management Track-- I'm really looking forward to it. Because I actually think with the legislative calendar that Senator Reid has indicated that it will include cybersecurity; that they are going to pass something bipartisan in cybersecurity this year. So I'm sure when this conference comes about, we'll be talking about the changes made to FISMA.
Debbie Taylor-Moore: That'll be exciting.
Christine Feldt: And Antione, any closing thoughts on the Collaboration Initiatives Track?
Antione Manson: Sure. I think what we want to do here is continue to push for collaboration; continue to bring and get more federal Agencies involved. So the intent around this is to go out and really, really round out and make the job a lot easier for the Advisory Council in terms of soliciting for more key people from the federal government to be represented at the conference; hence being able to have a more enterprise perspective, and a more holistic conference around the good things that are happening, and perhaps some of the challenges that are happening, and maybe even some lessons learned about how people were able to overcome some of the challenges.
Christine Feldt: Well thank you. I wanted to thank all of our track leads today for taking a few minutes out of their busy schedules to sit down and talk about the 2011 Conference, for those that weren't able to listen and would like to get a little information about it.
I wanted to let you know that we look forward to seeing you at the 2012 Federal Cybersecurity Conference and Workshop. Please bookmark the FNS website. Check back frequently for conference updates. We expect to be moving forward with the planning in the future. So thank you.