Good afternoon and welcome to the 10th annual Cyber Security Summit. My name is Tom Billington. It's an honor and privilege to convene this forum for a tenth year to address our high purpose and theme, a call to action for the cyber security community. As you look around, in the audience here and throughout the exhibit hall are some of the most innovative companies and organizations in the world, facing some of the toughest adversaries. We thank you for your dedication to the mission. My wonderful wife and I founded Billington Cyber Security ten years ago. Besides this annual summit, we host the Leadership Council, a member service, and aim for dialogue about cyber security in our nation's capital. The event is being filmed today; this conference is on the record unless specified, and unclassified. And we welcome those members of the media here today. You can follow us on Twitter at @billingtoncyber. As you'll see from the conference program in your conference materials, we have a packed day and a half ahead. It has been expanded by a half day this year. Q&A will be available for some, but not all, sessions, either by live microphone or note card. Now I'd like to thank our sponsors and exhibitors who make the event possible today. They really do. Without them, we could not host this program. So I'd like to thank them, beginning with our lead underwriter, our knowledge partner, our diamond sponsor Google Cloud, and our platinum and gold sponsors. I also want to mention that we also have three country zones this year, which we're very excited about as well. So to my left, we have the UK Cyber Zone, which is in its fifth year. To my right, we have the Israel Cyber Innovation Zone, which is in its first year this year, which we're excited about, and the Canada Zone to my right, which is in its third year. We appreciate all the partners and continuing education partners. So please, let's give them all a round of applause. One quick logistics note.
If you're an (ISC)² member, we have continuing education for the first year. Please go to the registration desk and give them your member number. They will be able to send you a digital certificate. So now it's my great honor to introduce, for the first year, a master of ceremonies for our program, known to most in this room: Captain Ed, recently retired after 34 years of service and most recently as the director.

Hello, everyone, good afternoon. Thank you very much for the very kind introduction and the opportunity. We have been friends a long time, and I'm honored to serve as your master of ceremonies here today. You and Susan have built a great company that provides a much-needed venue to discuss the most pressing cyber challenges facing corporations and our government. I'm excited about the great lineup of speakers today and the agenda ahead of us. Enough from me; let's get our day started. It's my honor to introduce our welcoming keynote speaker, the federal chief information security officer at OMB. Thank you for opening the conference, and the floor is now yours.

It's a shorter walk than it sounds. So good afternoon. First of all, I want to thank everyone for being here today. Someone beforehand told me I'm the first speaker, so I need to bring a lot of energy and rile up the crowd. But I'm a policy guy, so I'm not sure that's in my mantra. You might want a more operational person, later on this afternoon I think. I want to thank Tom for having me here today and for the ability to talk to you a little bit about the roles and responsibilities of what we do within the Office of Management and Budget. And I think it's really well connected to the theme for this tenth annual Cyber Security Summit, the theme being a call to action to address tomorrow's top cyber challenges. This is really at the core of what we do.
We're trying to help agencies address their top future cyber challenges, as well as the cyber challenges, quite frankly, from yesterday that they haven't finalized yet. And we do that in a number of ways. If you look at the guiding document for our organization, it is the Federal Information Security Modernization Act of 2014. In that, it assigns a number of responsibilities to the OMB director around cyber security, and we carry those out on his behalf. If you look at it, there are six or seven items that boil down to really three main functions. First and foremost is developing and overseeing the implementation of government-wide cyber security policies. Number two, and I'm going to touch on each of these in a moment, number two is ensuring that agencies are protecting federal information systems and data commensurate with the potential risk of harm of a compromise. Think risk management, not all those other words I used. And third, ensuring that federal agencies are complying with government-wide cyber security standards, be those things from the National Institute of Standards and Technology, OMB guidance, laws, binding operational directives from the Department of Homeland Security, working with agencies and holding them accountable to deliver on those. And so I want to talk about a few things that we have done in the last year around each of those. Around overseeing the implementation of new cyber security policies, we have updated, we are about to update, the Trusted Internet Connection policy. This is really about the three things I listed that we do to help agencies. That's really the what they need to do. We also need to provide them tools and capabilities from a broader government standpoint for their ability to actually deliver on those requirements. And so we're putting out a new policy around Trusted Internet Connection. That's been out for public comment, so you have seen versions of it.
This is really about how do we evolve our policies to adapt to technology changes and really the movement to cloud environments, which is absolutely critical as we look to modernize federal information technology. Secondly, last year, at the very end of the Congress, the President signed into law the Federal Acquisition Supply Chain Security Act. And that created a mechanism inside the federal government by which we can have a Federal Acquisition Security Council and really look at the security of the equipment that we're bringing into the federal space. There's a lot of work ongoing with that. But this really is a tool for federal agencies to be able to have a bit of a vetting of the equipment that's coming into their enterprise, and to be able to leverage both classified and unclassified information for making determinations that they don't want to bring something into their environment. When we talk about protecting information commensurate with the risk of potential compromise, or risk management, it really is all about risk management. We can't protect everything. We have to understand what is the most critical, and in order to best understand what's most critical, we updated our high value asset policy at the beginning of this year. And in addition to updating the high value asset policy, the Department of Homeland Security updated its guidance on high value assets. So we really tried to partner with DHS to be able to provide a more tactical level of input and details for agencies to be married with, or combined with, the policy that we're putting out from an OMB standpoint. In addition to our HVA update and really understanding what's most important to protect, when it comes down to protecting our systems and our information, it's really a people challenge. And so our ability, and your ability, to have a capable workforce is absolutely critical. This year the President signed America's Cybersecurity Workforce Executive Order.
It has a number of tasks, things we're really looking forward to for the federal enterprise, around some cyber competitions that you'll hear more about in the coming months, and rotational programs for how we can rotate and move more of our cyber workforce from agency to agency to grow the skills of those individuals, but also to enhance the abilities of other agencies and bring in some outside talent. And in addition to that on the workforce side, this year we launched our Cyber Security Reskilling Academy. We have had one cohort go through. We have a second one in. This is a pilot, so altogether there are 50 or 60 people. But this is about how we can take federal employees who are looking to move into another type of skill and move into a new career, how we can leverage their dedication to the government, their understanding of what it takes to get stuff done in the federal enterprise, and teach them and train them in cyber security. And after a six- or eight-week class, they are not going to become hands-on cyber experts, but they will have enough to apply to what they are working on and start to transition into a new career path. So really, how do we leverage those individuals. And then on the third one, which is ensuring federal agencies comply with all the variety of standards that we have out there: we talk about compliance, and it's used as a dirty word. I actually think compliance is necessary, but not sufficient. We have to have certain things out there that agencies need to comply with. We need to have some checklists. We need to be sure that agencies are taking advantage of the various tools and capabilities and resources that are available to them.
So, as I mentioned, those come in the form of laws, come in the form of OMB memos, binding operational directives, or, as we move more into risk management, they will potentially come in the form of removal and exclusion orders, when we talk about equipment that can't be in the enterprise. And then obviously, a big area are the special publications and guidance that they put out. So today an update was released for public comment to 800-160. What this is about is cyber resiliency. We're never going to prevent attacks. We're never going to stop bad guys from getting into our systems. So how do we ensure that we have resiliency of mission within cyberspace. So right now, I'd like to ask Ron Ross from the National Institute of Standards and Technology to come out, and he's going to give you some of the highlights of this. And I'm going to be back for a panel here in a few minutes. So thank you.

Thank you very much. And thanks to Tom Billington for giving us this opportunity to announce a very important document. We finished this about a week ago. It's been in development for about 18 months. And it really addresses some of the very difficult and challenging problems that we're all having today with regard to cyber security. If you recall, for the past several decades our strategy for protecting our critical systems and our critical assets has been really a one-dimensional strategy. It's relied on penetration resistance: stopping the bad guys at the front door before they get in and do damage. We know, after many decades of evidence of the cyber attacks and things we have experienced, that even when we do everything right, sometimes those high-end adversaries find a way to get into the systems and compromise our critical assets. So this addresses something called cyber resiliency. How can we make our systems less brittle, to take that punch and still keep on operating, even if it's in a degraded or debilitated state.
So it's our first attempt to extend that one-dimensional cyber security protection to three dimensions. The second dimension is damage limitation: how do we limit the damage they can do once they've breached our systems. We assume the adversaries are either in your system now or getting in there at some point. And then the third dimension is going to be how do we make the systems cyber resilient, where they can continue to operate and are survivable. This document has got a lot of very practical guidance in it for all of our customers out there who want to make not only systems that are going through the life cycle, but also the 95% of your systems that are legacy, the installed base. How do you apply some of the techniques and approaches for cyber resiliency to increase that level of protection for your critical assets and systems. This is really a national imperative now, because we have seen over the last couple of years that the adversaries are very capable, they are targeting our critical resources, and in many cases they are doing great damage. So for things like critical infrastructure, for critical federal systems, things from voting systems to weapons systems to power plants, cyber resiliency is the wave of the future. In some sense, we're trying to make these finite computing machines operate more like the human body with an immune system, where you can get a cold or virus and then your immune system kicks in and doesn't take you down completely. So for the next 45 days this draft will be on the website. We encourage all of you to take a look at the guidance. We have some great use cases now to deal with microgrids, enterprise information technology systems, and there's a host of other things. There's some things on the cyber attack where we show how applying these principles of cyber resiliency to your systems could stop some of these high-end attacks by adversaries. So thank you to Tom Billington for letting us have the time this morning.
Thanks to Grant Schneider and the folks at OMB, who have been very supportive. And one last shout-out to my team members, who worked on this document nonstop for the last 18 months. And also to Glen from the Office of the Vice President, who has been very supportive in helping move this guidance forward, because we have a lot of critical space and defense systems that can take advantage of this. So thank you very much and have a great conference, folks. Appreciate it.

Thank you very much for the remarks. One programming note. For those who have been to our events in the past, we had an exhibition hall with a lot of the vendors in a separate area. To be more inclusive and allow a greater flow of communication, we chose to do everything all in one venue. Because of that, please keep the conversations on the side down to a minimum to allow the speakers and those in the audience here to hear them. So now it's my honor to welcome the former deputy undersecretary for cyber security and communications at the Department of Homeland Security. She will be leading a fireside chat with the only two people who have held the position of federal chief information security officer: the current one, whom you just heard from, and retired General Greg, the first U.S. federal CISO. Thank you.

Good afternoon, and thank you all for being here and spending time with us on these important topics. I want to thank the Billington conference and our sponsors. I have 30 minutes to bring out, this is almost unfair, only 30 minutes with the first federal chief information security officer and our current federal chief information security officer, who is doing great work. So Greg, I'll start with you. It was a pleasure to work with you then. What are some of the highest impact areas you generated? Some of the shifts you were working on?

I think as we take a look at cyber security in the federal government, it's really a learning continuum. We try to get better and build upon the lessons learned from the past.
And we certainly tried doing that when I was in office. Some of the more impactful things that we did, and I think Grant is continuing with, is first, changing the narrative and looking at cyber security as a risk management issue. Previously, not only in the public sector but also in the private sector, we saw a lot of emphasis solely on just compliance, and not necessarily taking a look at cyber security as a holistic risk management issue that involves people, process and technology. So that's the first thing that leaps off the page for me: that was the narrative we were trying to move forward on, and I'm pleased to see that continuing. Secondly, we were trying to make sure that we were implementing best practices and sharing that. So information sharing was critically important. Ways we were doing that were through public-private partnerships and getting two-way communications between industry and the federal gove