Slide 1: Leveraging Purchase Power and Standards to Improve Security in the IT Supply Chain
John M. Gilligan
Gilligan Group, Inc.
May 5, 2009
Protecting the Resiliency of the Supply Chain
Slide 2: Topics
• Background
• The “Good Old Days”—Status Quo
• The “Aha” Moment
• Standard Desktop becomes Federal Desktop
• Next steps
  – Cyber Security Commission Recommendation
  – Evolving Standards
• Summary
Slide 3: Relevant Background
• Air Force
  – 700,000 unclassified desktops
  – 60,000 classified desktops
  – IT spending $7B; security spending of $700M
• Federal Government
  – Approximately 4 million desktops
  – IT spending $60B; security spending of $5B
• The National Institute of Standards and Technology (NIST) provides IT security standards and guidance
Slide 4: Air Force CIO Observations Regarding Software Security
• Spending more to “patch and fix” software systems than to purchase them
• SW vendor contract terms—no warranties, no standards, and no legal precedents for remedy
• AF IT purchasing is ad hoc (and expensive)
• Air Force is the largest enterprise buyer for many vendors
COTS software business model is fundamentally broken!
Slide 5: [Figure from a National Institute of Standards and Technology briefing: http://nvd.nist.gov/scap.cfm]
NIST provides a lot of guidance in security—is it addressing the right problem?
Slide 6: The CIO’s Cyber Security Dilemma
• There are only so many resources available to be allocated against all IT priorities
• There is no such thing as perfect cyber security
• Finding flaws in cyber security implementation is a “target rich” environment
How much security is enough, and where should investments be applied?
Slide 7: How to Assess Effective Security
Candidate measures:
• GAO reports?
• Congressional FISMA grades?
• Percentage of systems certified?
• Number of systems with contingency plans?
• Agency auditor reports?
The threat is increasing! Are we focusing on the right things?
Headlines: “Pentagon Shuts Down Systems After Cyber-Attack”; malicious scans of DoD increase 300%!
Slide 8: An “Aha” Moment!
• Scene: 2002 briefing by NSA regarding the latest penetration assessment of DoD systems
• Objective: Embarrass DoD CIOs for failure to provide adequate security.
• Subplot: If CIOs patch/fix current avenues of penetration, NSA would likely find others
• Realization: Let’s use NSA’s offensive capabilities to guide security investments
Let “Offense Inform Defense”!
Slide 9: AF Standard Desktop Concept
• NSA “Offensive Team” briefings to Air Force on attack patterns and vulnerabilities exploited
• ~80% of vulnerabilities tied to incorrectly configured COTS software
• Joint effort by NSA, NIST, DISA, DHS, CIS, and Microsoft to create a Standard Desktop Configuration (SDC) for Microsoft Windows/Office/IE
Address the source of the biggest problem—and do it in the supply chain!
Slide 10: Secure Desktop Configuration
• Defined ~600 security configuration settings for Windows XP and Vista (out of 4477)
  – Leveraged prior work by MS, NIST, CIS, NSA, DISA
• Protocols and software tools to validate implementation – CVE/OVAL
• Phased implementation (2005-2007)
  – Senior-level governance process
Software delivered from hardware vendors in “locked down” configuration
Slide 11: AF Standard Desktop Configuration Results
• Improved security
  – Drop in security events
  – Reduced patching time from 57 days to 72 hours
• Reduced costs of operation and ownership
  – Hundreds of millions saved to date*
• Improved system performance
• Common platform for COTS/GOTS applications leads to more rapid development and testing
* SDC linked with Enterprise License Agreement and commodity purchasing efforts
Slide 12: Security As Part of IT Commodity Life Cycle Management
Incremental improvements in end point and server capability and security:
1. Enterprise client PC hardware: USAF Quarterly Enterprise Buy (QEB) standards – 700K purchased since Aug 2003; $200M+ avoidance
2. Enterprise licensing and services: USAF Enterprise License Agreements – implemented Jul–Sep 2004; $100M+ savings by 2010
3. Enterprise client, server, and Active Directory configurations: USAF Standard Desktop Configuration – AF-wide implementation in 2006; servers 2008
4. Enterprise configuration and patch management: USAF Enterprise Configuration Management processes – implementation 2006-2008
5. Comply and Connect enforcement: USAF Comply, Connect and Remediate policy and processes – incremental improvements 2006-2009
Slide 13: AF Standard Desktop Configuration → FDCC
• Adopt AF-validated standard desktop concept
• OMB mandate for Federal Desktop Core Configuration (FDCC)—March 2007
• Security Content Automation Protocol (SCAP)
  – Validate configuration
  – Check/remediate patching
  – Asset management
  – Standard vulnerability list
Expanded across the Federal government and extended automation support
Slide 14: Continued Evolution of “Aha” Realization: The Consensus Audit Guidelines (CAG)
• Ensure that investments are focused to counter the highest threats — pick a subset
• Leverage offense to inform defense – focus on high payoff areas
• Maximize use of automation to enforce security controls — negate human errors
• Use a consensus process to ensure the best ideas
Focus investments by letting cyber offense inform defense!
Slide 15: Next Steps--Cyber Security Commission Recommendation
• Mandate “locked-down” configurations for all software delivered to the government
• Build on existing efforts (e.g., NIST, BITS, FERC, NIAP, CIS)
  – Public-private partnership to develop guidelines
• Self-certification by software vendors
  – Satisfy security guidelines
  – Do not “unlock” security of other software
Expand FDCC concept to all software products
Slide 16: Security Content Automation Protocol (SCAP)
• What is it: A set of open standards that allows for the monitoring, positive control, and reporting of security and management properties of every device in a network.
• How is it implemented: Commercial products implement SCAP protocols to exchange and enforce configuration, security policy, and vulnerability information. (Enables tool interoperability.)
• Where is it going: Extensions in development to address software design weaknesses, attack patterns, and malware attributes.
SCAP Enables Automated Tools To Implement And Enforce Secure Operations
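The checks that slides 10, 13, 15 and 16 describe (validate a locked-down configuration with automated tools, and confirm that installing other software does not "unlock" it) reduce to evaluating a baseline of expected settings against a host snapshot. The Python below is an added illustration written for this page; it is not code from the briefing, from NIST, or from any SCAP tool. Real SCAP content is XCCDF/OVAL XML evaluated by a validated scanner; the rule format, the operator names, the rule ids (SDC-001 and so on), the setting names and the host snapshots here are all constructed stand-ins.

```python
"""Baseline-compliance checker in the spirit of SCAP/OVAL content evaluation.

Added illustration, not code from the briefing or from NIST. The rule format,
rule ids (SDC-00x), setting names and host snapshots are constructed.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional

# Comparison operators a rule may use: a tiny subset of what OVAL offers.
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "equals": lambda actual, expected: actual == expected,
    "at_least": lambda actual, expected: actual >= expected,
    "in_range": lambda actual, expected: expected[0] <= actual <= expected[1],
}


@dataclass(frozen=True)
class Rule:
    rule_id: str   # constructed id, not a real FDCC/SDC identifier
    setting: str   # name of the host setting under test
    operator: str  # key into OPERATORS
    expected: Any  # value (or (low, high) range) the setting must satisfy
    severity: str  # "high", "medium" or "low"


@dataclass(frozen=True)
class Result:
    rule_id: str
    setting: str
    passed: bool
    actual: Optional[Any]
    expected: Any
    severity: str


def evaluate(baseline: List[Rule], host: Dict[str, Any]) -> List[Result]:
    """Test each rule against a host snapshot (setting name -> observed value).

    A setting that is missing or has an unexpected type fails: "unknown" is
    never reported as "compliant", which is what a real scanner must also do.
    """
    results: List[Result] = []
    for rule in baseline:
        actual = host.get(rule.setting)
        try:
            passed = actual is not None and OPERATORS[rule.operator](actual, rule.expected)
        except TypeError:  # e.g. a string where an integer was expected
            passed = False
        results.append(Result(rule.rule_id, rule.setting, bool(passed), actual, rule.expected, rule.severity))
    return results


def compliance_score(results: List[Result]) -> float:
    """Fraction of rules passed: the number a governance process tracks over time."""
    return sum(r.passed for r in results) / len(results) if results else 0.0


def failures_by_severity(results: List[Result]) -> Dict[str, List[str]]:
    """Failed rule ids grouped by severity, so remediation is worked highest first."""
    grouped: Dict[str, List[str]] = {"high": [], "medium": [], "low": []}
    for r in results:
        if not r.passed:
            grouped[r.severity].append(r.rule_id)
    return grouped


def unlocked_settings(baseline: List[Rule], before: Dict[str, Any], after: Dict[str, Any]) -> List[str]:
    """Settings compliant before a software install and non-compliant after it.

    This is the "do not unlock the security of other software" test from the
    Commission recommendation: an installer that loosens a locked-down
    setting shows up here even if the host was fully compliant beforehand.
    """
    before_ok = {r.setting: r.passed for r in evaluate(baseline, before)}
    return [r.setting for r in evaluate(baseline, after) if before_ok[r.setting] and not r.passed]


# Constructed baseline: five settings of the kind a standard desktop configuration fixes.
BASELINE: List[Rule] = [
    Rule("SDC-001", "min_password_length", "at_least", 12, "high"),
    Rule("SDC-002", "account_lockout_threshold", "in_range", (1, 5), "medium"),
    Rule("SDC-003", "autorun_disabled", "equals", True, "high"),
    Rule("SDC-004", "guest_account_enabled", "equals", False, "medium"),
    Rule("SDC-005", "firewall_enabled", "equals", True, "high"),
]

# Constructed host snapshots (setting name -> observed value).
HOST_COMPLIANT: Dict[str, Any] = {
    "min_password_length": 14,
    "account_lockout_threshold": 3,
    "autorun_disabled": True,
    "guest_account_enabled": False,
    "firewall_enabled": True,
}
# The same host after an application install re-enabled autorun and switched the firewall off.
HOST_AFTER_INSTALL: Dict[str, Any] = dict(HOST_COMPLIANT, autorun_disabled=False, firewall_enabled=False)
# An unmanaged host: a string where a number is expected, missing settings, guest account on.
HOST_UNMANAGED: Dict[str, Any] = {"min_password_length": "8", "guest_account_enabled": True}


if __name__ == "__main__":
    for name, host in [("compliant", HOST_COMPLIANT), ("after install", HOST_AFTER_INSTALL), ("unmanaged", HOST_UNMANAGED)]:
        results = evaluate(BASELINE, host)
        print(f"{name}: {compliance_score(results):.0%} compliant, failures {failures_by_severity(results)}")
    print("unlocked by install:", unlocked_settings(BASELINE, HOST_COMPLIANT, HOST_AFTER_INSTALL))
```

Two design points carry over to real scanners: a setting the scanner cannot read, or reads with the wrong type, is a failure rather than a pass, and the before/after comparison is what turns a one-time certification into the continuous check the briefing asks vendors to satisfy.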
Slide 17: Security Standards Efforts: Security Content Automation Protocol (SCAP)
Slide 18: Security Standards Efforts: Next Steps*
* Making Security Measurable – The MITRE Corporation
Slide 19: Summary
• Need to fundamentally change the business model for buying COTS software
  – Vendors deliver “secure” configuration of products
  – Use automated tools to validate security
• Integrate security with improved commodity supply chain management (planning, purchase, operations, disposal)
• Advancement of standards and related tools holds great promise for dramatic improvements to the IT supply chain
Slide 20: Contact Information
John Gilligan
jgilligan@gilligangroupinc.com
703-503-3232
www.gilligangroupinc.com
Making Security Measurable: Bob Martin—MITRE Corporation, rmartin@mitre.org
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 

Recently uploaded (20)

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 

Leveraging Standards to Improve IT Supply Chain Security

  • 1. Leveraging Purchase Power and Standards to Improve Security in the IT Supply Chain
    John M. Gilligan, Gilligan Group, Inc., May 5, 2009
    Protecting the Resiliency of the Supply Chain
  • 2. Topics
    • Background
    • The “Good Old Days”—Status Quo
    • The “Aha” Moment
    • Standard Desktop becomes Federal Desktop
    • Next steps
      – Cyber Security Commission Recommendation
      – Evolving Standards
    • Summary
  • 3. Relevant Background
    • Air Force
      – 700,000 Unclassified Desktops
      – 60,000 Classified Desktops
      – IT Spending $7B; Security Spending of $700 M
    • Federal Government
      – Approximately 4 million desktops
      – IT Spending $60B; Security spending of $5B
    • National Institutes of Standards and Technology (NIST) Provides IT Security Standards/Guidance
  • 4. Air Force CIO Observations Regarding Software Security
    • Spending more to “patch and fix” software systems than to purchase them
    • SW vendor contract terms—no warranties, no standards, and no legal precedents for remedy
    • AF IT purchasing is ad hoc (and expensive)
    • Air Force is largest enterprise buyer for many vendors
    COTS software business model is fundamentally broken!
  • 5. (Figure) From National Institute of Standards and Technology briefing: http://nvd.nist.gov/scap.cfm
    NIST provides a lot of guidance in security—is it addressing the right problem?
  • 6. The CIO’s Cyber Security Dilemma
    • There are only so many resources available to be allocated against all IT priorities
    • There is no such thing as perfect cyber security
    • Finding flaws in cyber security implementation is a “target rich” environment
    How much security is enough, and where should investments be applied?
  • 7. How to Assess Effective Security
    • GAO Reports?
    • Congressional FISMA Grades?
    • Percentage of Systems Certified?
    • Number of Systems with Contingency Plans?
    • Agency Auditor reports?
    The threat is increasing! Are we focusing on the right things?
    "Pentagon Shuts Down Systems After Cyber-Attack"
    Malicious scans of DoD increase 300%!
  • 8. An “Aha” Moment!
    • Scene: 2002 briefing by NSA regarding latest penetration assessment of DoD systems
    • Objective: Embarrass DoD CIOs for failure to provide adequate security.
    • Subplot: If CIOs patch/fix current avenues of penetration, NSA would likely find others
    • Realization: Let’s use NSA’s offensive capabilities to guide security investments
    Let “Offense Inform Defense”!
  • 9. AF Standard Desktop Concept
    • NSA “Offensive Team” briefings to Air Force on attack patterns and vulnerabilities exploited
    • ~80% of vulnerabilities tied to incorrectly configured COTS software
    • Joint effort by NSA, NIST, DISA, DHS, CIS, Microsoft to create Standard Desktop Configuration (SDC) for Microsoft Windows/Office/IE
    Address the source of the biggest problem—and do it in the supply chain!
  • 10. Secure Desktop Configuration
    • Defined ~600 security configuration settings for Windows XP and VISTA (out of 4477)
      – Leveraged prior work by MS, NIST, CIS, NSA, DISA
    • Protocols and software tools to validate implementation
      – CVE/OVAL
    • Phased Implementation (2005-2007)
      – Senior-level governance process
    Software delivered from hardware vendors in “locked down” configuration
  • 11. AF Standard Desktop Configuration Results
    • Improved Security
      – Drop in security events
      – Reduced Patching time 57 days to 72 hours
    • Reduced Costs of Operation and Ownership
      – Hundreds of millions saved to date*
    • Improved System Performance
    • Common platform for COTS/GOTS applications leads to more rapid development and testing
    * SDC Linked with Enterprise License Agreement and Commodity Purchasing Efforts
  • 12. Security As Part of IT Commodity Life Cycle Management (figure: Incremental Improvements in End Point and Server Capability and Security)
    • Step 1 (Enterprise Client PC Hardware): USAF Quarterly Enterprise Buy (QEB) Standards
      – 700K purchased since Aug 2003; $200M+ avoidance
    • Step 2 (Enterprise Licensing and Services): USAF Enterprise License Agreements
      – Implemented in Jul – Sep 2004; $100M+ savings by 2010
    • Step 3 (Enterprise Client, Server, and Active Directory Configurations): USAF Standard Desktop Configuration
      – AF wide implementation in 2006; Servers 2008
    • Step 4 (Enterprise Configuration and Patch Management): USAF Enterprise Configuration Management processes
      – Implementation 2006-2008
    • Step 5 (Comply and Connect Enforcement): USAF Comply, Connect and Remediate policy and processes
      – Incremental improvements 2006-2009
  • 13. AF Standard Desktop Configuration → FDCC
    • Adopt AF-validated standard desktop concept
    • OMB mandate for Federal Desktop Core Configuration (FDCC)—March 2007
    • Security Content Automation Protocol (SCAP)
      – Validate configuration
      – Check/remediate patching
      – Asset management
      – Standard vulnerability list
    Expanded across Federal government and extended automation support
  • 14. Continued Evolution of “Aha” Realization: The Consensus Audit Guidelines (CAG)
    • Ensure that investments are focused to counter highest threats — pick a subset
    • Leverage offense to inform defense – focus on high payoff areas
    • Maximize use of automation to enforce security controls — negate human errors
    • Use consensus process to ensure best ideas
    Focus investments by letting cyber offense inform defense!
  • 15. Next Steps--Cyber Security Commission Recommendation
    • Mandate “Locked-down” configurations for all software delivered to the government
    • Build on existing efforts (e.g., NIST, BITS, FERC, NIAP, CIS)
      – Public-private partnership to develop guidelines
    • Self-certification by software vendors
      – Satisfy security guidelines
      – Do not “unlock” security of other software
    Expand FDCC Concept to all Software Products
  • 16. Security Content Automation Protocol (SCAP)
    • What is it: A set of open standards that allows for the monitoring, positive control, and reporting of security and management properties of every device in a network.
    • How is it implemented: Commercial products implement SCAP protocols to exchange and enforce configuration, security policy, and vulnerability information. (Enables tool interoperability)
    • Where is it going: Extensions in development to address software design weaknesses, attack patterns, and malware attributes.
    SCAP Enables Automated Tools To Implement And Enforce Secure Operations
  • 17. Security Standards Efforts: Security Content Automation Protocol (SCAP) (figure)
  • 18. Security Standards Efforts: Next Steps* (figure)
    * Making Security Measurable – The MITRE Corporation
  • 19. Summary
    • Need to fundamentally change business model for buying COTS software
      – Vendors deliver “secure” configuration of products
      – Use automated tools to validate security
    • Integrate security with improved commodity supply chain management (planning, purchase, operations, disposal)
    • Advancement of standards and related tools holds great promise for dramatic improvements to the IT Supply Chain
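The validation loop that slides 10, 13 and 15 describe (check a host against a locked-down baseline with automated tools, and make sure later software does not "unlock" settings the baseline closed) in Python, as an added example. This is not code from the presentation, from NIST, or from any SCAP/OVAL tool; every setting name, baseline value and host snapshot in it is a constructed placeholder and not actual SDC or FDCC content. The one behaviour worth noting is that a setting the host fails to report is treated as a failed check rather than skipped, since absence of evidence is not compliance.

```python
"""Baseline-compliance checking in the spirit of SDC/FDCC validation.

Added example, not the presentation's or any SCAP tool's code. Setting
names and values are hypothetical placeholders, not real FDCC content.
"""
from dataclasses import dataclass
from typing import Any, Dict, List


@dataclass(frozen=True)
class Rule:
    """One baseline rule: a setting, the value it must satisfy, how to
    compare ('eq', 'ge', 'le'), and how serious a miss is."""
    setting: str
    expected: Any
    op: str
    severity: str


@dataclass(frozen=True)
class Finding:
    """A non-compliant (or unreported) setting on a host."""
    setting: str
    expected: Any
    actual: Any
    severity: str
    reason: str


# Constructed baseline. These are hypothetical settings chosen to show the
# three comparison kinds; they are not taken from the SDC or FDCC.
BASELINE: List[Rule] = [
    Rule("firewall.enabled", True, "eq", "high"),
    Rule("password.min_length", 12, "ge", "high"),
    Rule("screen.lock_timeout_min", 15, "le", "medium"),
    Rule("autorun.enabled", False, "eq", "medium"),
    Rule("guest_account.enabled", False, "eq", "high"),
]


def _satisfies(op: str, actual: Any, expected: Any) -> bool:
    """Compare an observed value with the baseline value."""
    if op == "eq":
        return actual == expected
    if op == "ge":
        return actual >= expected
    if op == "le":
        return actual <= expected
    raise ValueError(f"unknown comparison operator {op!r}")


def evaluate(observed: Dict[str, Any], baseline: List[Rule] = BASELINE) -> List[Finding]:
    """Return one Finding per baseline rule the host does not satisfy.

    A setting the host did not report counts as a failure: the tool cannot
    claim compliance for a control it could not observe.
    """
    findings: List[Finding] = []
    for rule in baseline:
        if rule.setting not in observed:
            findings.append(Finding(rule.setting, rule.expected, None,
                                    rule.severity, "setting not reported by host"))
            continue
        actual = observed[rule.setting]
        try:
            ok = _satisfies(rule.op, actual, rule.expected)
        except TypeError:
            ok = False  # value of the wrong type is non-compliant, not an error
        if not ok:
            findings.append(Finding(rule.setting, rule.expected, actual,
                                    rule.severity, f"'{rule.op}' check against baseline failed"))
    return findings


def compliance_ratio(observed: Dict[str, Any], baseline: List[Rule] = BASELINE) -> float:
    """Fraction of baseline rules the host satisfies (1.0 = fully compliant)."""
    if not baseline:
        return 1.0
    return (len(baseline) - len(evaluate(observed, baseline))) / len(baseline)


def regressions(before: Dict[str, Any], after: Dict[str, Any],
                baseline: List[Rule] = BASELINE) -> List[str]:
    """Settings that were compliant in `before` but fail in `after`, e.g. a
    product install that 'unlocked' a setting the baseline had closed."""
    failed_before = {f.setting for f in evaluate(before, baseline)}
    failed_after = {f.setting for f in evaluate(after, baseline)}
    return sorted(failed_after - failed_before)


# Constructed host snapshots (placeholders, not real inventory data).
HOST_DRIFTED: Dict[str, Any] = {
    "firewall.enabled": True,
    "password.min_length": 8,        # below the required minimum
    "screen.lock_timeout_min": 15,
    "autorun.enabled": True,         # baseline requires False
    # "guest_account.enabled" deliberately missing: unreported setting
}
HOST_COMPLIANT: Dict[str, Any] = {
    "firewall.enabled": True,
    "password.min_length": 14,
    "screen.lock_timeout_min": 10,
    "autorun.enabled": False,
    "guest_account.enabled": False,
}
HOST_AFTER_INSTALL: Dict[str, Any] = dict(HOST_COMPLIANT, **{"autorun.enabled": True})

if __name__ == "__main__":
    for f in evaluate(HOST_DRIFTED):
        print(f"[{f.severity}] {f.setting}: expected {f.expected!r}, got {f.actual!r} ({f.reason})")
    print("compliance:", compliance_ratio(HOST_DRIFTED))
    print("regressions after install:", regressions(HOST_COMPLIANT, HOST_AFTER_INSTALL))
```

The `regressions` check is the piece a procurement-driven program would run after each vendor package is installed on a baseline image: the baseline stays the single source of truth, and a product that flips a closed setting shows up as a named regression rather than as a silently lower score.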