The Crossroads of IT Modernization and Cybersecurity
The 7th annual Cyber Resilience Summit hosted by CISQ will take place on October 16, 2019 at the Army Navy Country Club in Arlington, VA.
As the journey to secure our nation’s IT cyber infrastructure gains momentum, it is important to apply proven standards and methodologies that reduce risk and help us meet objectives for acquiring, developing and sustaining secure and reliable software-intensive systems. Defending the network is NOT enough. The most damaging of system failures and security breaches are caused by vulnerabilities lurking inside the network at the application layer.
The Cyber Resilience Summit agenda includes sessions on software engineering, supply chain risk management, and acquisition best practices. Policy makers present updates on the rollout of FITARA, MGT Act, and programs targeting security and supply chain risk management.
DATE: October 16, 2019 from 8:00am - 3:00pm
VENUE: Army Navy Country Club, 1700 Army Navy Drive, Arlington, VA. Parking is complimentary.
REGISTRATION: The registration fee is $195.00 and includes lunch and refreshments. Government employees, not-for-profit organizations, and universities may receive a complimentary pass by applying the code CISQGOVF19 at registration.
8:00: WELCOME TO THE CYBER RESILIENCE SUMMIT
David Norton, Executive Director, Consortium for Information & Software Quality (CISQ)
8:15: KEYNOTE ADDRESS
Bob Kolasky, Assistant Director of the National Risk Management Center, Cybersecurity and Infrastructure Security Agency (CISA), U.S. Department of Homeland Security
The National Risk Management Center (NRMC) is CISA’s planning, analysis, and collaboration center working to identify and address the most significant risks to the Nation’s critical infrastructure. The NRMC works in close coordination with the private sector and other key stakeholders in the critical infrastructure community to Identify, Analyze, Prioritize, and Manage the most strategic risks to our National Critical Functions — the functions of government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating impact on security, national economic security, national public health or safety, or any combination.
Mr. Kolasky will brief attendees on key efforts underway at DHS including the ICT Supply Chain Risk Management Task Force.
8:45: HOW TO QUERY, QUALIFY, AND QUANTIFY THE QUALITIES QUAGMIRE
Dr. Barry Boehm, Chief Scientist, SERC; TRW Professor of Software Engineering and Director, Center for Software Engineering, University of Southern California
Systems and software qualities are also known as non-functional requirements. Where functional requirements specify what a system should do, the non-functional requirements specify how well the system should do them. Many of them, such as Reliability, Availability, Maintainability, Usability, Affordability, Interoperability, and Adaptability, are often called “ilities,” but not to the exclusion of other software qualities such as Safety, Security, Resilience, Robustness, Accuracy, and Speed.
Dr. Boehm will summarize the Department of Defense SysE Research Center (SERC) System Qualities Ontology, Tradespace, and Affordability (SQOTA) project, and research tools developed by the SERC universities to enable software quality tradespace analysis, analysis of a project’s quality shortfalls, and avenues of improvement.
9:15: SCALED AGILE FRAMEWORK (SAFE)
Isaac Montgomery, Senior Consultant and SPCT, Scaled Agile, Inc.
The Scaled Agile Framework (SAFe) has become the de facto standard framework for lean/agile development in the Department of Defense. While SAFe is often credited with improving the speed and responsiveness of development programs, these benefits cannot come at the expense of quality, predictability or effective risk management. Fortunately they do not. In fact, when properly applied, the lean/agile methods that comprise SAFe improve the manageability of program risk and quality throughout the development lifecycle.
In this session, we will discuss how to build trust in the Agile and DevOps processes to show what is being produced is conformant. Isaac will demonstrate how SAFe is being used to make programs more manageable and less risky.
9:45: Refreshment Break & Networking
10:00: TITANS OF CYBER: CRITICAL SUCCESS FACTORS FOR REDUCING RISK IN DEVELOPMENT AND ACQUISITION
The infamous Titans of Cyber power-panel will discuss priorities, policy, and plans for government IT modernization and cybersecurity. Among the topics discussed is the next generation of FITARA and measurement of cyber outcomes, rollout of the IT-heavy President’s Management Agenda, IT Modernization Centers of Excellence at GSA, and the role of standards in technology development and the supply chain.
11:00: NIST 800-160, 800-53, AND 800-171
Victoria Yan Pillitteri, Cybersecurity Researcher, NIST
Preview the latest revision to draft NIST Special Publication 800-160 for Systems Security Engineering with updates on cyber resiliency considerations for the engineering of trustworthy secure systems. This publication addresses the engineering-driven actions necessary to develop defensible and survivable cyber systems. Vicky will also update on NIST SP 800-53, SP 800-171, and SP 800-171B.
11:30: BEYOND THE CHECKLIST: CYBER - PAST, PRESENT AND FUTURE
Bobbie Stempfley, Director of SEI's CERT Division
Our nation’s dominance in cyberspace is a national security priority that demands more than conventional cyber hygiene. In this presentation, Bobbie Stempfley, director of the Carnegie Mellon University Software Engineering Institute’s CERT Division, will address how the SEI currently supports DoD and industry in building and sustaining the nation’s competitive advantage.
Looking toward the future, Stempfley will identify five challenges on the horizon:
- The growing role of operational data
- The integration of AI
- The use of more dynamic development and delivery partnerships
- The role of operational feedback in triggering shifts in requirements and specifications, in near real time
- The need to address new adversarial operations that strike at the heart of our new capabilities
12:00: LUNCH AND KEYNOTE ADDRESS - CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC)
Katie Arrington, Special Assistant for Cybersecurity in the Office of the Under Secretary of Defense for Acquisition and Sustainment
We will discuss the Cybersecurity Maturity Model Certification (CMMC) roadmap and how DoD contractors can prepare for certification.
To secure the Department of Defense (DoD) Supply Chain, the DoD is creating the Cybersecurity Maturity Model Certification program in collaboration with Johns Hopkins Applied Physics Lab, Carnegie Mellon Software Engineering Institute, and industry. The CMMC firmly establishes security as the foundation to acquisition and as something that cannot be traded along with cost, schedule, or performance. Furthermore, the CMMC combines the various cybersecurity standards into a unified standard that will serve as a requirement to do business with the Department.
The requirement for CMMC is the Department’s first step in enhancing the security, visibility, and situational awareness of the Defense Industrial Base and the 300,000 organizations that make up the DoD Supply Chain. To ensure scalability, the DoD, in partnership with the Defense Contract Management Agency and the Defense Counterintelligence Security Agency, will incorporate tools to conduct audits, collect metrics, and inform risk mitigation. Additionally, the Department will outsource assessments to independent 3rd party organizations.
1:15: REDUCING IT RISK WITH SUPPLIERS BY REDUCING ARCHITECTURAL AND TECHNICAL DEBT
David Norton, Executive Director, Consortium for Information & Software Quality (CISQ)
Between 84% to 92% of the total cost of a system is operating expense (opex). But still most organizations focus on the initial 8% to 16% initial capital expense (capex). Not only does this increase cost, it also leads to the organization having to deal with an increasing portfolio of poor performing and vulnerable systems. The key is to work with your suppliers from day one on to reduce technical and architectural debt, and lower the total cost of ownership and risk.
1:45: REGULATORS ROUNDTABLE
The Regulators Roundtable panel will discuss how cyber risk is measured and how cyber policy is set and implemented in the industries they regulate. What can agencies learn from each other in addressing the challenges of regulating industries? How do agencies strike the right balance in protecting citizens without stifling the pace of industry and innovation? What can government learn from industry’s cyber practices?
2:30: SUMMARY OF THE DAY AND CLOSING REMARKS
Tony Scott, Managing Partner, RIDGE-LANE Managing Partners
former Federal CIO under President Obama