Over the past 20 years, some would say the specific approach to cybersecurity taken by the government and industry has been shortsighted. The defense-in-depth...
The SANS Institute in 2012 called defense-in-depth unsustainable, saying it provides no assurance that an enemy can be removed from the network permanently once they are inside.
SANS says this concept of defense-in-depth came from the kinetic world, where having multiple fire alarms, extinguishers and evacuation plans in case of a fire is a good example.
But in the cyber world this concept didn’t transfer over like many thought it would.
So the big question is how do we fix that?
Over the last seven years, the Office of Management and Budget has been pushing agencies toward continuous monitoring and risk management.
This is the idea of understanding your networks and data, and then recognizing the risks associated with losing that data or control of those networks, and then making informed decisions on how best to protect your assets.
The recent update to Circular A-130 addresses this idea head on, calling for agencies to implement an agencywide risk management process that frames, assesses, responds to, and monitors information security and privacy risk on an ongoing basis across three tiers—organization, mission and the information system level.
The other key piece of this continuous monitoring and risk-based approach is automation.
That is where the Homeland Security Department’s Continuous Diagnostics and Mitigation (CDM) program comes in. Experts say CDM tools will help agencies know where their vulnerabilities are more quickly and automatically address the problem and let the chief information security officer know what’s going on.
Agencies are making progress toward this continuous monitoring and risk-based approach, but it is taking time, and hackers are exploiting gaps in the system.
Moderator
Jason Miller, Federal News Radio
Jason Miller is an executive editor and reporter with Federal News Radio. As executive editor, Jason helps direct the news coverage of the station and works with reporters to ensure a broad range of coverage of federal technology, procurement, finance and human resource news. As a reporter, Jason focuses mainly on technology and procurement issues, including cybersecurity, e-government and acquisition policies and programs.
Panelists
Gregory Garcia, Chief Information Officer, Army Corps of Engineers
Gregory Garcia was selected for the Senior Executive Service in 2005. He assumed the position of the Chief Information Officer/G-6 at the U.S. Army Corps of Engineers on Feb. 21. In this role, he serves as the principal advisor to the Corps Commanding General on information technology issues. He is responsible for all aspects of information resource management and information technology for the Corps.
Dr. Ray Letteer, Chief of the Cybersecurity Division C4 Department at Headquarters, U.S. Marine Corps
Dr. Letteer is responsible for and oversees all cybersecurity tasks, standards, and conditions within the Marine Corps, which includes Computer Network Defense, Defensive Cyber Operations, Public Key Infrastructure, Electronic Key Management Systems, and Certification & Accreditation. He also serves as the appointed Approving Official for the Marine Corps Enterprise Network, which includes all networks and networked systems, whether in garrison or tactically deployed. He is also the Functional Area Manager for Marine Corps EKMS/KMI/PKI issues.
Paul Morris, Deputy CISO/Deputy Director, Information Assurance & Cyber Security Division, TSA
Paul Morris leads the Information Assurance & Cybersecurity Division of approximately 50 federal employees and 120 contractors. He leads a multi-faceted workforce responsible for: Federal Information Security Management Act (FISMA) Compliance and Policy; Cyber Security Awareness and Operational Support; Critical Infrastructure Protection; Secure Infrastructure and Vulnerability Management; Forensic Operations and a 24×7 Cyber Security Operations Center.
Matt Alderman, Vice President of Strategy, Tenable Network Security
As VP of Strategy, Matt is responsible for developing Tenable’s long-term vision and strategies for partner alliances, new solutions, and product development to meet the emerging needs of Tenable’s customers across the globe. An information security and compliance veteran with 20+ years of experience designing and implementing solutions, Matt came to Tenable from RSA, where he led product strategy and messaging for Archer. Before RSA, he was responsible for enhancements to the SaaS platform and Policy Compliance solution at Qualys, where he also co-authored and published Policy Compliance for Dummies. Matt was the founder and CTO at ControlPath, where he and co-inventor Sean Molloy were issued United States Patent 7,788,150: Method for assessing risk in a business.
Jason Miller is executive editor of Federal News Network and directs news coverage on the people, policy and programs of the federal government.