
Just wrote up, for work, a review of and comments on the new 2013 NIPP that DHS released at the end of December. While the NIPP isn’t cybersecurity specific, it is still the policy environment in which non-regulatory critical infrastructure cyber security work happens. Some excerpts most pertinent to this blog are below, but you can (and should!) read the whole thing here: http://www.energysec.org/blog/jack-whitsitt-comments-on-the-new-nipp/

“…the language used in the new NIPP implies a (positive) evolutionary shift in collective thinking…”
“…It seems like, some of the lessons from the EO and the Framework development process may have influenced the writing of this document…”
“…it does appear that the new NIPP will maintain support of existing public/private partnership mechanisms such as Sector Coordinating Councils (SCC), Government Coordinating Councils (GCC), Critical Infrastructure Protection Advisory Council (CIPAC), Information Sharing and Analysis Centers (ISAC)… Still, it is exceedingly good to see that these mechanisms will not be the *only* ways to partner.”
“…There are a number of stakeholders who, up to this point, have not been part of this dialogue and it would be valuable if they found a way in…The two that come immediately to mind are “The Public” and “Unaffiliated Security Subject Matter Experts (SME).” First, “The Public” is critical infrastructure – at least as customers of risk management – and currently, they have little voice here. Second, most smart hacker or security types, if they are involved at all, are filtered through the business and political realities of their parent organizations and their industry associations. It would be nice to find a way to add those voices to the mix, if only to offer a reality check to things like the #NISTCSF.”
“…More serious than the Risk Management Lifecycle problem, however, is what appears to be a philosophical miss. It is good that cyber and physical security should be more integrated. The change in tone and apparent improvement in flexibility is appreciated, and outcome goals are absolutely a minimum requirement for driving effective security initiatives. However, the new NIPP still doesn’t effectively deal with the overall immaturity of the cybersecurity discipline itself – particularly when compared to the physical space. It feels like there is an assumption that someone knows the right answers and all we have to do is implement them, but that’s not true. In fact, the entire problem space needs reframing away from how the security industry has defined it for us over the past 10 years into something with a business quality assurance baseline that is then supported by risk management…”
“The NIPP and related public/private partnership mechanisms could do with more methods for and focus on the definition of successful cyber security paths forward to meeting collaborative outcome goals, rather than a focus on selecting and then implementing existing paths.”

UPDATE: Please use the following link for the current agenda. The one in the post is outdated: https://sintixerr.files.wordpress.com/2011/10/cyber-program_1020.pdf

Progress! As you can see below, we’ve confirmed several additional speakers such as Tony Stramella from the NSA and Steve Carmel from Maersk (who was a fantastic speaker last year – he talked about his experiences with maritime piracy and pirates! Did I mention he talked about pirates??).

The Offensive Perspectives panel (Kevin Finisterre, Ruben Santamarta/Reversemode, and hopefully Josh Wright) is going to rock out with some talented vulnerability researchers, and Mark Fabro will do his always brilliant job of improving the discourse.

We’ll be excited to hear Bryan Sartin discuss the past year’s data breaches and front-line experts in the field let us know how the stuff you’ve heard in the news might apply to you (Scot Terban, Liam from Symantec, and the now-short-haired Adam Meyers). 

Boeing and Darryl Song from Volpe are going to dish on transportation-specific concerns, and the CTO of the CIA will drive home the need for security to be data-centric. 

Mike Murray will be both entertaining and captivating – even if I don’t know his talk yet – and Russell Thomas will bring a much needed formal perspective to risk management and cyber security.

Patrick Gray gives a lightning fast, but insightful presentation on social media, Jack Johnson will help us understand financial issues facing organizations today, and Amit Yoran will talk about…whatever. He’s just a smart guy.

Hope you can make it. If you’re interested in attending, the registration link is here: Invitation.

(Please, if you’re a vendor and plan on selling, we’ll take a pretty dim view of that at this particular conference.)

November 1

| Talk | Speaker 1 | Speaker 2 | Speaker 3 | Moderator |
|---|---|---|---|---|
| Introductory Remarks | Dr. Emma Garrison-Alexander, TSA CIO | | | |
| Keynote | Anthony Stramella, NSA | | | |
| Verizon Data Breach Incident Report | Bryan Sartin/Verizon Business | | | |
| Break | | | | |
| Industry Case Study 1: Boeing | Mike Garrett/Boeing | | | |
| Panel: Offensive Perspectives | Kevin Finisterre | Ruben Santamarta | Josh Wright (Tentative) | Mark Fabro |
| Lunch | | | | |
| Social Media | Patrick Gray/Cisco | | | |
| Panel: Maritime | Steve Carmel, Maersk | RDML Robert Day, USCG | RADM James Watson, USCG | TBD (Speaker) |
| Break 1B | | | | |
| Panel: Threats in the News | Scot Terban (Anonymous) | Liam O Murchu/Symantec (Stuxnet) | Adam Meyers (APT) | TBD/Industry |
| Industry Case Study 2: Transportation Control Systems | Darryl Song/Volpe | | | |

November 2

| Talk | Speaker 1 | Speaker 2 | Speaker 3 | Moderator |
|---|---|---|---|---|
| Introductory Remarks | TBD | | | |
| Keynote | Vice Admiral Parker/USCG | | | |
| DHS CARMA | TBD | | | |
| Break | | | | |
| Panel: Executive Perspectives | Amit Yoran/Netwitness | Gus Hunt/CTO of CIA | TBD/Industry | TBD/Industry |
| TSA & DHS Joint Sector Collaboration | TSA Cyber Security Awareness & Outreach Branch | | | |
| Lunch | | | | |
| Users & Awareness | Mike Murray/MAD Security | | | |
| Industry Case Study 3: TBD | TBD | | | |
| Break | | | | |
| Panel: Risk Management | Jack Johnson/PWC | Russell Thomas | TBD/Industry | Jack Whitsitt |
| Industry Case Study 4: TBD | TBD | | | |
