8:00am: Welcome to the Cyber Resilience Summit

• Dr. Bill Curtis, Executive Director, Consortium for Information & Software Quality (CISQ)
• Luke McCormack, retired, former CIO, U.S. Department of Homeland Security

Welcome to the 8th annual Cyber Resilience Summit hosted by CISQ and the cyber risk standards community. Dr. Curtis and Mr. McCormack introduce this year’s theme, “From Securing the Supply Chain to Enterprise DevSecOps,” and walk through the agenda for the day.

Download CISQ opener

Robert Kolasky, Director, National Risk Management Center, Cybersecurity and Infrastructure Agency, U.S. Department of Homeland Security

As the nation’s risk advisor, CISA’s mission is to ensure the security and resiliency of our critical infrastructure. However, in today’s digitizing world, as organizations are increasingly integrating cyber systems into their operations, they are also facing more diverse, sophisticated threats— cyber, physical, technological, or natural—that may have cross-sector impacts. Housed within CISA, the National Risk Management Center (NRMC)  leverages sector and stakeholder expertise to identify the most significant risks to the nation. Top NRMC initiatives include 5G, election security, electromagnetic pulses, national critical functions, pipeline cybersecurity, and more.

Mr. Kolasky briefed on election security, election preparedness, and the #protect2020 initiative. View https://www.cisa.gov/election-security.

• Jeff Dalton, Director, CMMC Accreditation Body
• Phyllis Schneck, Vice President and Chief Information Security Officer, Northrop Grumman
• John Weiler, Vice Chair, IT Acquisition Advisory Council (IT-AAC) and Chairman of the Board, CMMC Center of Excellence
• Robert Morgus, Senior Director, U.S. Cyberspace Solarium Commission

DoD’s Cybersecurity Maturity Model Certification (CMMC) program aims to strengthen cybersecurity throughout the defense industrial base by certifying the security risk of suppliers in the supply chain. More specifically, CMMC certification focuses on the protection of controlled unclassified information throughout the supply chain and is based on NIST 800-171 for data privacy and protection.

We discussed the “State of the State” of CMMC, how to implement CMMC knowing what we know today, and its next phase of deployment. Could the next phase be product assessment, and rolling out CMMC on the civilian side?

Jeff Dalton Slides  Dr. Phyllis Schneck Slides  John Weiler Slides

• Joe Jarzombek, Director for Government & Critical Infrastructure Programs, Synopsys and CISQ Board Member
• Dr. Bill Curtis, Executive Director, Consortium for Information & Software Quality (CISQ)

CISQ has developed a new measure based on a collection of software weaknesses that can be used to support enterprise and supply chain needs in protecting data, confidential information, IP, and privacy. This new measure will be highly relevant to GDPR, CCPA, as well as CMMC for CUI protection. As organizations undergo process assessments associated with CMMC, GDPR, CCPA, ISO 27001, NIST SP 800-53 r5, NIST SP 800-171, etc., scanning code that will run or is running in enterprises (on systems and devices that process or transmit data) can determine if the systems or devices enable data leakage based on detection of the critical weaknesses.

This session introduced the Automated Source Code Data Protection Measure - the latest measure in a set of code quality standards from CISQ used in product assessment, RFPs, and supply chain risk management.

Dr. Bill Curtis also previewed CISQ’s next project on DevOps flow metrics.

Dr. Curtis Slides  Joe Jarzombek Slides  Download CWEs in Data Protection Measure

Grant Schneider, former Federal CISO and Senior Director for Cybersecurity Policy at the White House, now at law firm, Venable

The growth of 5G is critical to our nation's prosperity. We discussed the national strategy to secure 5G networks and the supply chain. While there is black listing, how can we get better at white listing? Mr. Schneider also shared updates from his work with the Federal Acquisition Security Council.

• Dr. Allan Friedman, Director of Cybersecurity Initiatives, Department of Commerce, NTIA
• Robert Martin, Senior Principal Engineer, MITRE

A joint working group of CISQ and the Object Management Group (OMG) defined an exchangeable tool-to-tool Software Bill of Materials (SBOM) metamodel. This work leverages the efforts of the National Telecommunications and Information Agency’s (NTIA’s) Software Component Transparency initiative with a focus on the exchange of SBOMs between and among the software development tools that create, revise, manage, orchestrate, and/or otherwise manipulate software.

Like a bill of materials for physical items, the SBOM is a comprehensive inventory of the software raw materials, subassemblies, parts and components, needed to create a software product. This session introduced the SBOM specification being submitted to become a standard this year.

Dr. Allan Friedman Slides     Bob Martin Slides

• Nicolas Chaillan, Chief Software Officer, U.S. Air Force
• Dr. Ron Ross, Fellow, National Institute of Standards and Technology

The DoD’s Enterprise DevSecOps Initiative is a joint program with OUSD (A&S), DoD CIO, U.S. Air Force, DISA and the Military Services. Mr. Chaillan, co-lead of the DevSecOps initiative, shared DoD use cases. Dr. Ron Ross supported Mr. Chaillan's viewpoints and talked about the upcoming DevSecOps Framework from NIST. The NIST framework will apply DevSecOps to the software development process, as well as the broader system-level view.

Nicolas Chaillan Slides     Dr. Ron Ross Slides

• Dr. Barry Boehm, Distinguished Professor of Computer Science, Industrial and Systems Engineering and Astronautics, University of Southern California
• Elaine Venson, PhD Student, University of Southern California

As security becomes more and more an Achilles’ heel for software development, information to support decision-makers about the costs and benefits of building security in has become essential. Evaluating the cost-effectiveness of security solutions at the software development level requires understanding the impact of increasing degrees of security on the development effort. This session presented a new rating scale for establishing levels of secure software development, and the preliminary effort estimation results obtained from experts. It also discussed the next steps envisioned to propose a security cost model based on empirical data.

Elaine Venson Slides

Kevin Cox, CDM Program Manager, Cybersecurity and Infrastructure Security Agency, U.S. Department of Homeland Security

The Continuous Diagnostics and Mitigation (CDM) program at DHS is delivering automated tools to federal agencies to strengthen their ability to monitor and manage the threat of cyber vulnerabilities. CDM program objectives are to reduce the agencies’ threat surface, increase visibility into the federal cybersecurity posture, improve federal cybersecurity response capabilities, and streamline Federal Information Security Modernization Act (FISMA) reporting.

This session looked at what’s next in CDM as we expand to cloud, mobility, and zero trust security architecture.

Kevin Cox Slides

• Luke McCormack, retired, former CIO, U.S. Department of Homeland Security - moderator
• Tony Scott, Chairman, The TonyScottGroup
• Karen Evans, CIO, U.S. Department of Homeland Security

This "Titans of Cyber" closing discussion with Mr. Tony Scott, former Federal CIO and member of the Cyber Resilience Summit program committee, and Karen Evans, CIO of the Department of Homeland Security, summarized key points made during the Summit and provided insights on the path forward.

Read Summary and Discussion Points