Transcripts For CSPAN3 Federal Cybersecurity Policy Prioriti

CSPAN3 Federal Cybersecurity Policy Priorities Forum - PART 1 July 13, 2024

Around, both in the audience here and throughout the exhibit hall, are some of the most innovative cybersecurity companies and organizations in the world, facing some of the toughest adversaries. We thank you for your dedication to this mission. My wonderful wife, Susan, founded Billington Cybersecurity nearly ten years ago. Besides this annual summit we host the Leadership Council, a membership council. We aim to be top experts in the serious and deep dialogue about cybersecurity in our nation's capital. I deeply thank the superb speakers who will share their insights. Please, let's give them a round of applause. [ applause ] For the media, including C-SPAN, that's filming the event today, this conference is on the record unless specified, and unclassified. And we welcome those members of the media today. You can follow us on Twitter at Billington Cyber, and use billingtonsum. We have a packed day and a half ahead. It has been expanded by a half day this year. Q&A will be available for some, but not all, sessions, either by live mic or nobilitec. I'd like to thank our partners and exhibitors who make the event possible today. And they really do. Without them, we could not host this program. I'd like to thank them, beginning with our lead underwriter, Northrop Grumman; Allen Hamilton; our diamond sponsors, Google Cloud, AWS, Cisco, HP Federal. At platinum, McAfee, Bit Site and BLT. And at bronze, Attivo Networks. I also want to mention that we also have three country zones this year, which we're very excited about as well. To my left we have the UK's Cyber Innovation Zone, which is in its fifth year. To my right, we have the Israel Innovation Zone, and the Canada Zone to my right, which is in its third year. With that said, we again appreciate all our exhibitors and partners, including our continuing education partners. Please, let's give them all a round of applause. [ applause ] One quick logistics note.
If you're an ISC² member, we do have continuing education for the first year. So please do go to the registration desk and give them your member number, and they'll be able to send you a digital certificate. So now it's my great honor to introduce, for the first year, a master of ceremonies for our program. Known to most in this room, Captain Ed Diviny recently retired after 34 years of service, most recently as the director for Corporate Partnerships and Technology Outreach at U.S. Cyber Command. Thanks to each of you for being here; have a great one and a half days. I'll be popping back on stage from time to time throughout the day and a half. But you're in extremely capable hands with Captain Ed Diviny, my great friend, whom I'm very honored to introduce to you now as our master of ceremonies. [ applause ]

Hello, everyone, and good afternoon. Thank you very much for the very kind introduction and for the opportunity. We've been friends a long time and I'm honored to serve as your master of ceremonies here today. You and Susan have built a great company that provides a much needed venue to discuss the most pressing cyber challenges facing both corporations and our government. I'm excited about the great lineup of speakers today and the robust agenda ahead of us. Enough from me, let's get our day started. It's my honor to introduce our welcoming keynote speaker, Grant Schneider. Thank you, Grant, for opening the conference, and the floor is now yours.

It's a shorter walk than it is for the sound. Good afternoon. First of all, I want to thank everyone for being here today. Someone beforehand told me that I'm the first speaker, so I need to bring a lot of energy and rile up the crowd. But I'm a policy guy, so I'm not sure that's sort of in my mantra. You might want a more operational person, and I think they're later on this afternoon. I want to thank Tom for having me here today.
And the ability to talk to you a little bit about the roles and responsibilities of what we do within the Office of Management and Budget. And I think it's really well connected to the theme for this tenth annual cybersecurity summit, the theme being a call to action to address tomorrow's top cyber challenges. This is at the core of what we do within OMB. We're trying to help agencies address their top future challenges, and their challenges from yesterday that they haven't finalized yet. We do that in a number of ways. If you go and look at the guiding document for our organization, it is the Federal Information Security Modernization Act of 2014. In that, it assigned a number of responsibilities to the OMB director around cybersecurity, and we carry those out on his behalf. And if you look at it, there are six or seven items that were assigned to three main functions. First and foremost is developing and overseeing the implementation of government-wide cybersecurity policies. Number two is ensuring that agencies are protecting federal information systems and data, commensurate with the potential risk of harm of a compromise. Think risk management, not all those other words I used. Third is assuring that federal agencies are complying with government-wide cybersecurity standards, be those things from the National Institute of Standards and Technology, OMB guidance, laws, binding operational directives from the Department of Homeland Security. We're working with agencies and holding them accountable to be able to deliver on those. I want to talk about a few things we've done in the last year around each of those. Around developing and overseeing the implementation of new cybersecurity policies, we have updated, excuse me, we're about to update our Trusted Internet Connection policy. This is about, while those three things I listed that we do to help agencies, that's the what they need to do.
We also need to provide them tools and capabilities from a broader government standpoint for their ability to actually deliver on those requirements. And so we're putting out a new policy, hopefully in a couple weeks, around Trusted Internet Connection. That has been out for public comment, so you've seen versions of it. But this is about how we evolve our policies to adapt to technology changes and really the movement to cloud environments, which is absolutely critical as we look to modernize federal information technology. Secondly, last year, at the very end of the last Congress, the President signed into law the Federal Acquisition Security Act. We can have a Federal Acquisition Security Council and really look at the security of the equipment that we're bringing into the federal space. There's a lot of work ongoing with that. But this really is a tool for federal agencies to be able to have a bit of a vetting of the equipment that's coming into their enterprise, and be able to leverage both classified and unclassified information for making determinations that they don't want to bring something into their environment. When we talk about protecting information commensurate with the risk of potential compromise, or risk management, it's all about risk management. We can't protect everything. We have to understand what is most critical. We updated our policy at the beginning of this year. In addition, the Department of Homeland Security updated guidance on high value assets. We've tried to partner with DHS to be able to provide a more tactical level of input and details for agencies to be married with, or combined with, the policy that we're putting out from an OMB standpoint. In addition to our HVA update, and really understanding what's most important to protect, when it comes down to protecting our systems and our information, it's really a people challenge.
And so our ability to have, and your ability to have, the right workforce, a capable cybersecurity workforce, is absolutely critical. The President signed an executive order which has a number of tasks, things we're really looking forward to for the federal enterprise around some cyber competitions. You'll hear more about that, hopefully, in the coming months. Also rotational programs: how can we rotate more and move our cyber workforce from agency to agency, to grow the skills of those individuals but also to enhance the abilities of other agencies and bring in outside talent. And then in addition to that, this year we launched our Cybersecurity Reskilling Academy. We've had one cohort go through. We've got a second one going. This is a pilot. The two cohorts are 50 or 60 people. This is about how we can take federal employees who are looking to move into another type of, learn a new skill, learn cybersecurity and move into a new career, how can we leverage their dedication to the government, their understanding of what it takes to get stuff done in the federal enterprise, and then teach them and train them in cybersecurity. They're going to have enough they can apply on what they're working on and start to transition into a new career path. How do we leverage those individuals. On the third one, which is ensuring federal agencies comply with the variety of standards we have out there, we talk about compliance, it's used as a dirty word. I actually think, though, compliance is necessary but not sufficient. We have to have certain things out there that agencies need to comply with. We need to have some checklists. We need to be sure that agencies are taking advantage of the various tools and capabilities and resources that are available to them. And so, you know, as I mentioned, those come in the form of laws, memos, binding operational directives.
As we move more into supply chain risk management, they'll come potentially in the form of removal and exclusion orders when we talk about equipment that can't be in the enterprise. Obviously, a big year from the National Institute of Standards and Technology, special pubs and guidance we have and that they put out. And so today NIST has released an update, and what this is about is cyber resiliency. We're never going to prevent attacks; we're never going to stop bad guys from getting into our systems. How do we ensure that we have resiliency of mission within cyberspace? I'd like to ask Ron Ross to come out, and he's going to give you some of the highlights of this 800-160 Rev. 2, and I'm going to be back for a panel here in a few minutes, so thank you.

Thank you very much, Grant. Thanks to Tom Billington for giving us this opportunity to announce a very important document. We've just finished this document about a week ago. It's been in development for about 18 months. And it really addresses some of the very difficult and challenging problems that we're all having today with regard to cybersecurity. If you recall, the past several decades our strategy for protecting our critical assets has been a one-dimensional strategy: stopping the bad guys at the front door before they get in and do damage. We know after many decades of empirical evidence of the cyberattacks and things we've experienced, even when we do everything right, sometimes those high-end adversaries find a way to get into the systems and compromise our critical assets. This addresses something called cyber resiliency. How can they take that punch and keep on operating, even if it's in a debilitated status. It's our first attempt to extend that one-dimensional cybersecurity protection to three dimensions, where the second dimension is called damage limitation. How do we limit the damage the adversaries can do once they've breached our systems?
We assume that the adversaries are either in your system now or are getting in there at some point. The third dimension is going to be how do we make those systems cyber resilient? Where they can continue to operate and are survivable. This document has a lot of practical guidance for all of our customers out there who want to take not only new development systems, systems that are going through that life cycle, but also the 95 percent of your systems that are legacy. How do you apply the techniques and approaches for cyber resiliency to increase the level of protection for your critical assets and systems. This is a national imperative. We've seen over the last couple years, the adversaries are very capable, they're targeting our critical resources and doing great damage. For critical federal systems, voting systems to weapons systems to power plants, cyber resiliency is the wave of the future. We're trying to make these finite machines operate more like the human body with an immune system, where you can get a cold or virus and then your immune system kicks in and it doesn't take you down completely. For the next 45 days, this final public draft will be on our website. We encourage you to take a look at our guidance. We have great use cases that deal with microgrids, enterprise information technology systems, and there's a host of other things. We even have a couple of real-world rotations on the cyberattack of 2015 and 2016, where we show how applying these constructs to your systems could stop some of these high-end attacks by adversaries. Thank you to Tom Billington for letting us have the time this morning. Thanks to Grant and all the folks at OMB who have been very supportive. One last shoutout to all my team members who worked on this document nonstop, and also to the Office of the Vice President, who have been very, very supportive in helping move this guidance forward. We have a lot of critical defense systems.
Thank you very much and have a great conference, folks. Appreciate it.

Thank you very much, Grant and Ron, for the remarks. One programming note. For those of you who have been to our events in the past, we have an exhibition hall with a lot of vendors in a separate area. To be more inclusive and to allow a greater flow of communication, we chose to do everything all in one venue. Because of that, if you would, please keep the conversations on the side down to a minimum to allow the speakers and those in the audience here to hear. So now, please let me, it's my honor to welcome the former deputy undersecretary for cybersecurity and communications at the Department of Homeland Security. She'll be leading a fireside chat with the only two people who have held the position of federal CISO, Grant Schneider and the retired General Hill. Thank you very much.

Good afternoon. And thank you all for being here, spending time with us on these important topics. I want to definitely thank the Billington conference and the sponsors, of course. I have 30 minutes to bring out, it's almost unfair, only 30 minutes with the first federal chief security officer and our current federal chief information security officer, doing great work. General, I'll start with you. It was a pleasure to work with you then. What were the highest impact areas you were working on?

We take a look at the cybersecurity in the federal government, it's a learning continuum. We try to get better and build upon the lessons learned from the past. We certainly tried doing that when I was in office. Some of the more impactful things that we did, and I think Grant is continuing with, is first changing the narrative and looking at cybersecurity as a risk management issue. Previously, not only in the public sector but the private sector, we saw emphasis solely on just compliance, not necessarily taking a look at cybersecurity as a holistic risk management issue that involves people, process and technology.
So that's the first thing we've talked to, Paige, for me. That was the narrative that we were trying to move forward on. I'm pleased to see that continuing. Secondly, we were trying to make sure that we were in fact trying to implement best practices, and identify them and share that. Information sharing was critically important. The way we were doing that was through public-private partnerships and getting two-way communication between industry and the federal government. A lot of work needs to be done on that. I think we really had an impact watching those programs and trying to get those best practices in place. I believe that compliance doesn't always bring you best practices, but best practices will always bring you compliance. The third thing I think was impactful was taking a look and making sure that we were best aligning technology with the mission needs. We launched the Continuous Diagnostics Program to try to raise the bar across the federal government. We had a lot of agencies that were large and well-funded, then we had smaller agencies that weren't as well-funded and weren't as large, but they still had the same mission tasking to protect sensitive information. Having the Continuous Diagnostics and Mitigation Program launched to help answer the questions of what's on my network, who is on my network and what's going on on my network across the federal government was a critical factor and success during our tenure. Further, making sure that that CDM program was available to state and local governments as well as to the dot domain was something I thought was a job well done by our team.

Thank you. If we look at the recent statistics, the work done by both of you shows the CDM, that program actually has improved the security of many of the federal agencies. So Grant, you're now in the driver's seat. In t
