IT Risk Management and Cybersecurity Summit

Transcription

1 IT Risk Management and Cybersecurity Summit Dr. Bill Curtis Executive Director John Weiler Vice Chair 1

2 Seminar Objectives Latest developments in measurement standards: Software security IT software risk (reliability, performance, maintainability) Latest developments in software-related policies: Requirements on addressing risk in acquisition lifecycle Federal IT Acquisition Reform Act (FITARA) NDAA Section 804 Use of measures in policy compliance: Best practices Acquisition language Return on investment and related benefits 2

3 Morning Agenda 9:00 9:15 Welcome from CISQ 9:15 10:15 Lessons from Cyber Security Assessments in DOD Dr. Michael Gilmore Director, OT&E, DOD 10:15 10:30 Refreshment Break 10:30 11:00 Using CISQ Metrics to Automate Software Measurement Dr. Bill Curtis, Executive Director, CISQ 11:00 12:00 Panel: Ag., Dept., & Leg. Policies Impacting Software Risk Joe Jarzombek, Director, Software & Supply Chain Assurance, DHS Bob Dix, VP Policy for Juniper, Former Staff Dir., House Oversight Richard Beutel, Counsel for Acquisition Policy, House Oversight Com Julie Chua, Lead Information Security Specialist, DHHS, ONC 12:00 1:00 Lunch 3

4 Afternoon Agenda 4 1:00 2:00 IT Risk Management John Hickey, CIO and Risk Management Executive, DISA 2:00 2:45 Latest Advances in Cybersecurity & CISQ Security Standard Robert Martin, Director, CWE Repository, MITRE Corp. Carol Woody, Senior Technical Staff, SEI, CMU 2:45 3:00 Break 3:00 3:45 Business Case & ROI John Keane, IT Specialist, PEO DHMS 3:45 4:30 IT-AAC Leadership Panel: Acquisition Language and Metrics Don Johnson, Assoc Dir, Cyber Acquisition, Off. Sec. Defense Don Davidson, ICT-SCRM Specialist for GTF, Off. Sec. Defense; Hon. John G. Grimes, DOD Chief Information Officer Dr. Pres Winter, Former CTO, NSA Greg Capella, Deputy Executive Director, DHS 4:30 5:30 Cocktail Reception

5 Body of Evidence (cont) Failure to fix IT Acquisition is a National Security Threat Federal IT Challenges call for new approaches for mitigating risk AF Science Advisory Board 2000: PMs need greater access to real world lesson learned and innovations of the market to mitigate risk and cost overruns. PMs frequently enter high risk areas due to limited access to lessons learned from those who have already forged ahead. CMU SEI Study 2004: The DoDAF alone is not effective for IT architectures, lacks business view, performance metrics or means of avoiding over specification. DoDAF (C4ISR) was developed by Mitre and IDA in 1986 to provide DoD with a systems engineering documentation tool for existing system implementations NDAA Sec 803 : Government needs a high integrity knowledge exchange by which innovations of the market can be objectively assessed. DSB 2009: Weapons Systems Style Solution Architecture and Acquisition Processes take too long, cost too much, recommend establishing a separate IT Acquisition market that is tuned for the fast paced market. IT-AAC 2009: Major IT Programs lack senior leadership support, and have few vested in the success. All participants, including oversight, must be incentivized in meeting program goals and outcomes. BENS RPT on ACQUISITION 2009: DoD needs independent architecture development that is not compromised by those with a vested interest in the outcome. FAR OCI rules must be better enforced. NDAA Sec : DoD will establish a modular IT Acquisition process that is responsive to the fast paced IT market. "Weapons systems depend on stable requirements, but with IT, technology changes faster than the requirements process can keep up," he said. "It changes faster than the budget process and it changes faster than the acquisition milestone process. For all these reasons, the normal acquisition process does not work for information technology. DepSec Bill Lynn statement at the 2009 Defense IT Acquisition Summit hosted by IT-AAC