8. Building Effective Security into Acquisitions

Assured Visibility, Control, Compliance for Effective Security

The evolution of the cyber attacker’s techniques, skills and tools has far exceeded the pace of the cyber defender’s. Throughout the public and private sector, from federal agencies to health insurance providers, emerging threats continue to wreak havoc on enterprise networks, applications and data. Incident response teams must move faster, but the tools they’ve been given to do the job aren’t fast enough in detecting,...

0 votes
Public Input

2. Business Initiated Vulnerabilities

Adopting Flexible, Fast, Scalable Solutions

The evolution of the cyber attacker’s techniques, skills and tools has far exceeded the pace of the cyber defender’s. Throughout the public and private sector, from federal agencies to health insurance providers, emerging threats continue to wreak havoc on enterprise networks, applications and data. Incident response teams must move faster, but the tools they’ve been given to do the job aren’t fast enough in detecting,...

0 votes
Public Input

1. Addressing Cyber Fundamentals

Improving Detection, Remediation, and Investigation Capabilities

The evolution of the cyber attacker’s techniques, skills and tools has far exceeded the pace of the cyber defender’s. Throughout the public and private sector, from federal agencies to health insurance providers, emerging threats continue to wreak havoc on enterprise networks, applications and data. Incident response teams must move faster, but the tools they’ve been given to do the job aren’t fast enough in detecting,...

0 votes
Public Input

7. Executive Leadership-led Risk Management

Improved Visibility, Cost Savings Can Boost Exec Risk Management

The evolution of the cyber attacker’s techniques, skills and tools has far exceeded the pace of the cyber defender’s. Throughout the public and private sector, from federal agencies to health insurance providers, emerging threats continue to wreak havoc on enterprise networks, applications and data. Incident response teams must move faster, but the tools they’ve been given to do the job aren’t fast enough in detecting,...

0 votes
Public Input

4. Adopting a Threat-Aware Proactive Defense

Think Like The Adversary

By nature, defensive safeguards place the adversary in control; he need only breach one point of weakness to reach success. In contrast, the defender must attempt to cover all possible weaknesses. Shoring up these weaknesses becomes a costly enterprise and the economies of scale help ensure the attacker maintains the advantage.

Current security tools independently address weaknesses; suites of tools offer more complete...

1 vote
Public Input

7. Executive Leadership-led Risk Management

Money Doesn't Grow On Trees - Focus Your Spend

Federal executives continue to grapple with how best to allocate funds in addressing prevalent and emerging cyber threats. Federal agencies can empower executives in the fight against cyber crime by taking three calculated actions:

1. Size – Measure overall risk exposure across the organization's value chain
2. Monetize – Adopt a defensible framework for quantifying the benefits of cybersecurity investments
3. Operationalize...

15 votes
Public Input

1. Addressing Cyber Fundamentals

Human-centered Approach

We could take a human-centered or human factors approach to answering the question, “Why don’t we do what we’re supposed to do, and what can we do differently to get a better outcome?”

We'd have to drive conversation to the point where the rubber meets the road, by which I mean an action or behavior, performed by a person, which creates a particular harm. Assuming we could categorize the harms in a way useful for analysis...

1 vote
Public Input

5. Sharing of Threat Intelligence

ACT-IAC Membership Meeting Ideas

1. Find a way to establish a trusted repository where cyber first-responder insight can be shared without tipping off others about threats or vulnerabilities.
2. Standardize cybersecurity processes across government (reference different physical security procedures in place across civilian agencies).
3. Incentivize citizens and the private sector to support a strong cybersecurity posture. Build on the Cybersecurity...

1 vote
Public Input

1. Addressing Cyber Fundamentals

Cyber-Castle Doctrine to Deter and Counter Cyber-Attacks on U.S.

Situation:
• Cyber-attackers have no fear of retaliation, risk or viable legal proceedings.
• There is no U.S. Government legal doctrine to counter cyber-attacks on U.S. industries, governments and citizens.
• The U.S. Government does not have the cyber capacity to protect U.S. industries.

Proposal:

The U.S. Congress should create newly crafted Cyber-Castle Doctrine legislation as a legal framework for U.S. industries...

2 votes
Public Input

1. Addressing Cyber Fundamentals

Hold agencies accountable to NIST Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) did a great job describing what is needed to have a good cyber security posture, but it leaves you hanging on how do you do it; what are good practices; how do you measure it? To help assess the operational cyber defense posture of Department of Defense (DoD) systems, Office of Secretary of Defense (OSD), Director Operational Test and Evaluation (DOT&E) developed metrics using the...

2 votes
Public Input