Potomac Forum

The Forum of Choice for Government & Industry Training Since 1982

Implementing the President's Cybersecurity Executive Order (EO) Training Workshop

A "How To" Workshop to Implement the Requirements of the EO and its Reporting Requirements

Wednesday, July 12, 2017

On site registration will be available at the Willard. Online registration is now closed.

Keynote Speaker

Dr. Ron Ross

"The Cybersecurity Executive Order: Building the Next Generation Risk Management Framework and Controls"

NIST Fellow

Author of the NIST Risk Management Framework and numerous NIST Publications

Confirmed Guest Speakers:

Dr. Barry C. West
Senior Advisor to DHS CIO
Senior Accountable Official for Risk Management
U.S. Department of Homeland Security (DHS)

Martin Stanley
Branch Chief, Cybersecurity Assurance Branch
National Protection and Programs Directorate (NPPD)
U.S. Department of Homeland Security (DHS)

Jarvis Rodgers
Information Technology Audit Director, Office of Inspector General (OIG)
U.S. Department of Health and Human Services (HHS)

Kirit Amin
Chief Information Officer (CIO)
U.S. International Trade Commission (USITC)

Jaime Noble, CAP, CISSP
Deputy Director for IT Security & Deputy Chief Information Security Officer
U.S. Department of Justice

Additional guest speakers awaiting confirmation.

Wednesday, July 12, 2017

Meeting Location:
Willard InterContinental Hotel
1401 Pennsylvania Avenue N.W.
Washington, DC 20004
United States

Metro Center (Red, Orange, Blue Lines). Use the exit marked “12th & F Sts” to exit onto F St., then continue straight two blocks and cross 14th St.

Overview:

This workshop will focus on the President’s EO on Cybersecurity and discuss its requirements. A key requirement is the implementation of NIST’s Cybersecurity Framework (CSF). We will present an understanding of the CSF and of NIST’s Risk Management Framework (RMF), which is a key component of the CSF. The CSF and RMF are critical to the federal government’s efforts to mitigate risk within enterprise information systems. The workshop will provide detailed guidance on integrating the CSF and RMF into a holistic cybersecurity solution. In addition, the workshop will address the EO reporting requirements for the first 90-day report and the other reports identified in the EO.

Hear from industry experts and government officials tasked with implementing robust cybersecurity and risk management strategies, and learn how NIST’s CSF and RMF can be effectively implemented to reduce the risk of cyber-attacks. Listen to a government panel of CIOs and CISOs to understand the challenges they face on a day-to-day basis, how implementation of NIST’s CSF and RMF helps them identify risks, and what it takes to mitigate those risks. The insights gained from the panel and from peer interactions at the workshop should be invaluable in implementing the President’s EO and moving the needle forward in improving federal cybersecurity.

What You Will Learn: 

  • The approach used by the NIST RMF
  • The value of the integration of the NIST RMF with the NIST CSF
  • Development of agency Risk Management Strategies
  • Changes in federal information system authorization requirements and guidelines
  • Guidance into what agencies can expect from the NIST RMF and new CSF processes
  • Importance of Risk Assessments (RA), Security Control Assessments (SCA), and Security Testing & Evaluation (ST&E)
  • Security control categorization and how it is used to manage risk
  • NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans; NIST SP 800-37 Rev. 1 Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach and NIST SP 800-39 Managing Information Security Risk
  • Reporting requirements for the Executive Order
  • Best practices for responding to the Executive Order

Why You Should Attend:

  • Network with risk management, security and CIO colleagues
  • Gain a better understanding of the May 11th Presidential Executive Order on Cybersecurity
  • Review the key steps within the NIST RMF and CSF
  • Obtain practical knowledge of how NIST RMF and CSF are incorporated into information system security
  • Gain insight into conducting and implementing the NIST RMF and CSF in your organization
  • Collect information on how NIST frameworks can be leveraged to enhance the security of your organization
  • Learn how risk management and cybersecurity are essential for regulatory compliance

Who Should Attend:

  • CIOs, CISOs, and Staff
  • IT security and risk management practitioners
  • IGs and Staff
  • Program Managers responsible for risk management
  • Government Employees who want to better understand risk management
  • Industry and Contractors who support risk management for the government
  • All government and industry members who need to better understand risk management

Agenda:

7:30 AM
Registration and Continental Breakfast

8:30
Welcome
Art Chantker, President, Potomac Forum

8:45
Keynote Presentation: The Cybersecurity Executive Order: Building the Next Generation Risk Management Framework and Controls
Dr. Ron Ross, NIST Fellow, Author of the NIST Risk Management Framework and numerous NIST Publications

9:45
Refreshment Break

10:00
NIST Risk Management Framework and Cyber Threat Landscape: Integration of NIST Risk Management with Cybersecurity Framework
  • Overview of the NIST RMF and CSF Frameworks
  • Integration of risk management into cybersecurity processes
  • Understanding of compliance-based vs. risk-based governance structures
Dave Simprini, Grant Thornton

11:00
Understanding NIST Risk Management Framework
Step 1: Categorize
Step 2: Select
Step 3: Implement
  • Process for categorizing information systems and data
  • Understanding of the different types of security controls
  • Implementation strategies for security controls
Kirsten Orr, Grant Thornton

12:00 PM
Networking Luncheon

1:00
CIO/CISO/OIG Government Panel Discussion: Operational and Compliance Challenges and Best Practices for Risk Management
  • What are the differences in perspectives on Risk Management?
  • How can IGs help their agencies address Risk Management?
  • How have CISOs integrated Risk Management into their agency’s Enterprise Risk Management?
  • Agency response to the Executive Order on cybersecurity
Moderator: John Lainhart, Grant Thornton
Panelists:
  - Dr. Barry C. West, Senior Advisor to DHS CIO, Senior Accountable Official for Risk Management, U.S. Department of Homeland Security (DHS)
  - Jarvis Rodgers, Information Technology Audit Director, Office of Inspector General (OIG), U.S. Department of Health and Human Services (HHS)
  - Kirit Amin, Chief Information Officer (CIO), U.S. International Trade Commission (USITC)
  - Jaime Noble, CAP, CISSP, Deputy Director for IT Security & Deputy Chief Information Security Officer, U.S. Department of Justice
  - Martin Stanley, Branch Chief, Cybersecurity Assurance Branch, National Protection and Programs Directorate (NPPD), U.S. Department of Homeland Security (DHS)

2:15
Understanding NIST Risk Management Framework
Step 4: Assess
Step 5: Authorize
Step 6: Monitor
  • Components of an information system Authority to Operate (ATO)
  • Understanding of the differences between C&A and A&A practices
  • Incorporation of risk and security control assessments as part of continuous monitoring
Eric Pennington, Grant Thornton

3:00
Refreshment Break

3:15
Cybersecurity Overview – Latest information on Government Cybersecurity Initiatives
  • Where does cyber security fit within an agency?
  • What are some common cyber security misconceptions?
  • What are the common information system security pitfalls?
Glenn Keaveny, Grant Thornton

4:15
Open Group Discussion: Lessons Learned from the 90-day Cybersecurity Executive Order Assessment Process

4:45
Wrap-up and Q&A

5:00
Workshop Adjourns

5:00
Post Workshop Discussions with Instructors on Specific Individual Topics


Registration Information:

                                                Early Bird Registration Fee    After June 17
Government Employees                            $695                           $895
(Federal, State or Local Government Issued ID)
Special Reduced Rates in Support of Government Budget Reductions
Industry and Contractors                        $895                           $995
(Including contractors on-site and in direct support of government agencies)

Team Rate for both Government and Industry: Send a government team to learn together. Register two government employees from the same office at the same time and the third person receives $100 off the current government rate. Team rate applies to every tiered registration fee.

Registration Includes: Presentations, Workshop Notebook, Continental Breakfast, All Day Refreshments and Hosted Luncheon

Keynote Speaker:

Ronald (Ron) Ross

Fellow

National Institute of Standards and Technology

Ron Ross is a Fellow at the National Institute of Standards and Technology. His focus areas include information security, systems security engineering, and risk management. Dr. Ross leads the Federal Information Security Modernization Act (FISMA) Implementation Project, which includes the development of security standards and guidelines for the federal government, contractors, and the United States critical infrastructure. His current publications include Federal Information Processing Standards (FIPS) 199 (security categorization), FIPS 200 (security requirements), NIST Special Publication (SP) 800-39 (enterprise risk management), SP 800-53 (security and privacy controls), SP 800-53A (security assessment), SP 800-37 (Risk Management Framework), SP 800-30 (risk assessment), SP 800-160 (systems security engineering), and SP 800-171 (security requirements for nonfederal systems and organizations). Dr. Ross also leads the Joint Task Force, an interagency partnership with the Department of Defense, the Office of the Director of National Intelligence, the U.S. Intelligence Community, and the Committee on National Security Systems, with responsibility for the development of the Unified Information Security Framework for the federal government and its contractors.

Dr. Ross previously served as the Director of the National Information Assurance Partnership, a joint activity of NIST and the National Security Agency. In addition to his responsibilities at NIST, Dr. Ross supports the U.S. State Department in the international outreach program for information security and critical infrastructure protection. He has also lectured at many universities and colleges across the country, including the Massachusetts Institute of Technology, Dartmouth College, Stanford University, the George Washington University, and the Naval Postgraduate School. A graduate of the United States Military Academy at West Point, Dr. Ross served in many leadership and technical positions during his twenty-year career in the United States Army. While assigned to the National Security Agency, Dr. Ross received the Scientific Achievement Award for his work on an inter-agency national security project and was awarded the Defense Superior Service Medal upon his departure from the agency. Dr. Ross is a four-time recipient of the Federal 100 award for his leadership and technical contributions to critical information security projects affecting the federal government and is a recipient of the Presidential Rank Award. He has also received the Department of Commerce Gold and Silver Medal Awards, has been inducted into the Information Systems Security Association Hall of Fame, and has been given its highest honor of Distinguished Fellow. In addition, Dr. Ross has been inducted into the National Cyber Security Hall of Fame.

Dr. Ross has received numerous private sector cybersecurity awards, including the Partnership for Public Service Samuel J. Heyman Service to America Medal for Homeland Security and Law Enforcement, the Applied Computer Security Associates Distinguished Practitioner Award, the Government Computer News Government Executive of the Year Award, the Vanguard Chairman’s Award, the Government Technology Research Alliance Award, InformationWeek’s Government CIO 50 Award, the Billington Cybersecurity Leadership Award, the ISACA National Capital Area Conyers Award, the ISACA Joseph J. Wasserman Award, the Symantec Cyber 7 Award, SC Magazine’s Cyber Security Luminaries, the (ISC)2 Inaugural Lynn F. McNulty Tribute Award, the 1105 Media Gov30 Award, and three-time recognition among the Top 10 Influencers in Government IT Security.

During his military career, Dr. Ross served as a White House aide and a senior technical advisor to the Department of the Army. He is a graduate of the Defense Systems Management College and holds Master’s and Ph.D. degrees in Computer Science from the U.S. Naval Postgraduate School, specializing in artificial intelligence and robotics.

Guest Speakers:

Jarvis Rodgers

Information Technology Audit Director

Office of Inspector General (OIG)

U.S. Department of Health and Human Services (HHS)

Jarvis Rodgers is the Information Technology Audit Director at the Department of Health and Human Services (HHS), Office of Inspector General (OIG). Jarvis leads a team of talented IT auditors and security analysts who conduct independent IT audits and penetration tests of HHS’s 12 operating divisions and grant recipients. A key component of IT auditing is the evaluation of internal controls and risk assessments. Jarvis has 15 years of experience conducting IT audits of large and small agencies: the Department of Agriculture, the Department of the Interior, the National Credit Union Administration and the Pension Benefit Guaranty Corporation.

Jarvis holds a bachelor’s degree in Computer Information Systems and a master’s degree in Business Administration. He is also a Certified Information Systems Auditor and a Certified Information Systems Security Professional.

Kirit Amin, PMP

Chief Information Officer

U.S. International Trade Commission

Kirit Amin was named U.S. International Trade Commission (USITC) Chief Information Officer (CIO) in December 2014. He works directly for the Board of Commissioners and has already mapped out the Data Center, Cloud and shared services strategy, as well as the road map for the modernization of the Commission’s IT infrastructure and mission critical systems.

Kirit was the U.S. Department of Commerce Deputy Chief Information Officer and Chief Technology Officer (CTO) from November 2012 until his move to USITC in December 2014. He provided leadership and strategic technology implementation, fulfilling the CIO’s and the Department’s IT operational mission while expanding the use of Department-wide shared services, cloud implementation and emerging technologies.

Prior to joining the Department of Commerce, Mr. Amin served as the Chief Technology and Innovation Officer at HUD, where he provided leadership and vision to help define its 5-year IT Transformation initiatives; the acquisition strategy for HUDNET, HUD’s next generation Enterprise Infrastructure, including WAN, Data Center and end user functions; shared services strategy and implementation; and cloud strategy and implementation.

Prior to HUD, Amin was the Chief Information Officer for the Bureau of Consular Affairs (CA) for nearly five years, where his leadership was instrumental in transforming the U.S. State Department Office of Consular Systems and Technology (CST) IT operations, consisting of a multitude of overlapping legacy systems, into a cutting-edge IT operation recognized as one of the most innovative and successful IT shops in the Federal Government. He served as a senior advisor and participant for various interagency/international groups.

He also had a long and successful career in the Federal IT private sector at organizations such as Nortel/PEC, Infotec and CSC, serving Federal Departments such as DOA, DHS, DOI, DOT, VA, DOJ, the USAF and DIA, among others.

Jaime Noble, CAP, CISSP

Deputy Director for IT Security & Deputy Chief Information Security Officer

Office of Justice Programs

U.S. Department of Justice

Jaime Lynn Noble became the Deputy Chief Information Security Officer for the Department of Justice’s (DOJ) Office of Justice Programs (OJP) in January 2017, where she provides leadership and direction for improving the effectiveness and consistency of OJP information systems. In her current role, she is responsible for Technical Security Operations, Security Engineering, initial and ongoing Security Assessments, and Security Status Reporting supporting Ongoing Authorization, as she continues to improve OJP’s information security risk management program and ensure information systems are in compliance with federal information security requirements.

Prior to her role within the Department of Justice (DOJ), Jaime served as the Deputy Chief Information Security Officer & Risk Management Program Manager at the U.S. Census Bureau for 5 years. She began her federal career at Census in 2001 as a programmer supporting demographic surveys and censuses. In 2008, she moved to the Office of Information Security (OIS) and led the Bureau’s transition from the Certification & Accreditation process to the Risk Management Framework. In 2014, Jaime and her team received the Department of Commerce Gold Medal Honor Award for developing an innovative security program that allows executives to better understand risks and determine the most cost-effective actions to manage them while minimizing the impact on the mission.

Jaime is a Certified Authorization Professional (CAP) and a Certified Information Systems Security Professional (CISSP), and has a Bachelor’s Degree in Management Science & Information Systems from the Pennsylvania State University and a Master’s Certificate in IT Project Management from the George Washington University.

Dr. Barry C. West

Deputy CIO and Senior Advisor to the CIO

Department of Homeland Security (DHS)

Dr. West is a career technologist with 30 years in the information technology field.

He was recently appointed as the Senior Advisor and Senior Accountable Official for Risk Management for the U.S. Department of Homeland Security. Prior to his current position, he was the President of the Mason Harriman Group, a management consulting company based out of Washington, D.C.

He has 27 years of government service, including serving as Chief Information Officer at five different government organizations: the Federal Deposit Insurance Corporation (FDIC), the Pension Benefit Guaranty Corporation (PBGC), the Department of Commerce (DOC), the Federal Emergency Management Agency (FEMA) during Hurricane Katrina, and the National Weather Service (NWS).

His government service also included time in the U.S. Air Force, where he was selected as the top individual in his career field by winning the Weather Observer of the Year Award from among 2,000+ competitors.

Dr. West also held private sector executive positions at S.E. Solutions Inc. and Tab Books Inc.

He is the past President of two of the largest IT associations in the United States: the American Council for Technology (ACT) and the Association for Federal Information Resources Management (AFFIRM).

He has represented the United States Government Information Technology community at four different world-wide gatherings of NATO countries.

Dr. West completed his Executive Doctorate in Business from Georgia State University with a focus on Cloud Computing. He was recently appointed by Georgia State University to be their Executive-In-Residence. He has published in the IEEE Computer Society’s IT Professional journal and in the European Journal of Information Systems (EJIS), where his research focusing on cloud computing was selected for publication.

Dr. West received an honorary degree in Business from his alma mater, Northern Michigan University (NMU), in May 2015, where he also delivered the Commencement Speech for the Spring 2015 graduates.

Dr. West was selected as the Executive-In-Residence at Northern Michigan University for the Fall of 2015. He is also an Emeritus member of the Government Business Executive Forum (GBEF).

Martin Stanley

Chief, Cybersecurity Assurance Branch

National Protection and Programs Directorate (NPPD)

U.S. Department of Homeland Security (DHS)

Martin Stanley is the Branch Chief of the Cybersecurity Assurance Branch at the Department of Homeland Security. In this role Martin leads the assessment and reporting of civilian federal agency cybersecurity programs and performance under FISMA. While at DHS, Martin has led the development of the High Value Asset (HVA) Assessment methodology, which is applied to the Federal Civilian Agencies’ most critical systems. Martin previously led the Information Security Program at the Food and Drug Administration, where he oversaw world-wide enterprise information security for 300+ applications and 2 modern data centers serving 17,000+ employees and contractors. Prior to his federal service Martin held executive leadership positions at Vonage and UUNET Technologies.

Instructors:

David Simprini

Principal
Grant Thornton LLP

Mr. Simprini has experience auditing NIST-governed IT controls, Federal Information System Controls Audit Manual (FISCAM) controls, A-123 controls, Sarbanes-Oxley compliance controls, segregation of duties, data migration, Enterprise Resource Planning (ERP) implementations, performance audits, and internal audit functions for clients from a broad spectrum of industries including Aerospace and Defense, Financial Services, Entertainment and Media, and Technology. He also has experience in planning integrated Federal financial audits and executing all phases of field work. As the lead IT Manager on the first independent external financial statement audit of any kind for the USMC, Mr. Simprini assisted with the planning and development of the overall audit approach, the scoping assessment, and the modified FISCAM IT test program. Throughout the testing phase, he led teams in field work at USMC financial centers and their associated financial and reporting IT systems.

John Lainhart

Director, Global Public Sector

Grant Thornton

John is a Director in the Public Sector Practice of Grant Thornton’s Alexandria office. He is a member of the Information Assurance and Cybersecurity group.

John has 45+ years of U.S. federal government experience in IT Governance, Security, Privacy, IT Risk Management, IT Value, and Cybersecurity. He has 30+ years of experience as an IT auditor and culminated his public sector career serving as the first Inspector General and Officer of the U.S. House of Representatives. He joined PwC Consulting as the Partner responsible for providing Security and IT Management services to the U.S. Public Sector and, after IBM acquired PwC’s consulting business, served as the Partner, Cybersecurity & Privacy Services Leader for the U.S. Public Sector until retiring in June 2016.

John serves on the Board of Directors of George Washington University’s Center for Cyber and Homeland Security. John is active in the ISACA community and currently serves as Advisor to the ISACA Board of Directors. He previously served as Co-chair of the COBIT 5 Task Force, served on the AICPA’s Assurance Services Executive Committee, and was instrumental in the development of the AICPA’s Trust Services and SSAE No. 16.

Education

M.A., Management and Supervision, Central Michigan University, 1976

B.A., Business Administration, Davis & Elkins College, 1969

Wharton Information Systems Program, Wharton School of Finance, 1974

Professional qualifications and memberships

  • Certified Information Systems Auditor (CISA)
  • Certified Information Security Manager (CISM)
  • Certified in Risk and Information Systems Control (CRISC)
  • Certified in the Governance of Information Technology (CGEIT)
  • Certified Information Privacy Professional/Government (CIPP/G)
  • Certified Information Privacy Professional/U.S. (CIPP/US)


Eric Pennington

Director, Public Sector Practice

Grant Thornton

Eric is a Director in the Public Sector Practice of Grant Thornton’s Alexandria office. He is a member of the Information Assurance and Cybersecurity group.

Eric has over 15 years of experience providing IT audit and advisory services to both public and private entities. His areas of expertise include IT controls testing using the Federal Information System Controls Audit Manual (FISCAM), IT risk assessments, Enterprise Resource Planning (ERP) security assessments, Sarbanes-Oxley compliance and SSAE No. 18 reporting. He also has experience leading all phases of IT general controls and business process application controls testing in support of financial statement audits for several large entities within the Department of Defense (DoD).

Education

B.S., Management Science and Information Technology, Virginia Tech

Professional qualifications and memberships

  • Certified Information Systems Auditor (CISA), ISACA
  • Project Management Professional (PMP), PMI

Glenn Keaveny

Director, Cybersecurity

Grant Thornton

Glenn Keaveny recently joined Grant Thornton’s US Public Sector practice, serving as Director, Cybersecurity. Glenn is a CISSP and CEH with over 15 years of experience in Cybersecurity Operations, Vulnerability/Penetration Testing and Cybersecurity Management. His application background and operations management experience in challenging environments such as defense and healthcare provide a unique basis for his cyber expertise. Prior to joining Grant Thornton he led and managed Security Operations and Monitoring services for Deloitte. Prior to that he was the Security Officer for the Defense Information Systems Agency (DISA) Field Security Office (FSO). He was responsible for security operations of the FSO field activity as well as for a team of over 30 cyber security professionals who conducted security operations and monitoring as well as Cyber Command Readiness Inspections (CCRI), similar to civilian vulnerability assessments. He also managed a team of full-time attack and penetration testers who operated year round on sites and systems around the globe.

Kirsten Orr, CISA, CPA

Manager, Global Public Sector

Grant Thornton

Kirsten is a Manager in the Public Sector Practice of Grant Thornton’s Alexandria office. She is a member of the Information Assurance and Cybersecurity group.

Kirsten has more than five years of experience conducting information assurance assessments in support of OMB Circular No. A-123 Reviews, financial statement audits, Federal Information Security Management Act of 2002 (FISMA) Reviews, and Statement on Standards for Attestation Engagements (SSAE) No. 18 Reviews for various government agencies as well as public and private companies. Throughout her career, Kirsten has evaluated Information Technology (IT) controls on a variety of technology platforms, including mid-range systems and mainframes governed by the National Institute of Standards and Technology (NIST).

Kirsten is an active member of the National Capital Region Chapter of ISACA and of the American Institute of Certified Public Accountants (AICPA).

Kirsten received her Bachelor of Science in Computer Information Systems and Accounting from James Madison University in 2012.

Cancellation Policy:

Confirmed registrants who cancel within 3 business days of the program will be subject to a $250 cancellation fee. Registrations cancelled after the program starts are subject to the full registration fee. Substitutions can be made at any time. In the event a particular training workshop is cancelled, the liability of Potomac Forum, Ltd is limited to a refund of any prepaid registration fee.

  • © 2017 Potomac Forum Ltd. All Rights Reserved
    Copyright also covers all workshop agendas and descriptions
  • 2800 Eisenhower Avenue, Suite 210, Alexandria, VA 22304