CyberSecurity: Guarding the Digital Gates
Unify. Collaborate. Succeed.
May 25-26, 2010, Washington D.C. USA

Presentations

Tuesday - May 25, 2010

Introduction and Logistics
 
Download Audio
Welcome
Dr. Richard Soley, Chairman and CEO, Object Management Group
 
Download Audio
Keynote Presentation: The CyberSecurity Challenge: Its Affect and Effect
General Michael V. Hayden (Ret.), Former Director of the National Security Agency (NSA) and the Central Intelligence Agency (CIA)
 
Download Slides
Download Audio
OMG Standards for Securing Cyber Space
Djenana Campara, CEO, KDM Analytics

Most current assessments focus primarily on evaluating the development process and a product's documentation rather than formal artifacts, resulting in subjective "confidence" that the system is meeting its security objectives. New technology developments in the area of system assurance enable more cost-effective and comprehensive assessments with objective results.
 

Download Slides
Download Audio
Cyber Security Risks: Addressing a Multi-Level Challenge
Col. Gregory J. Rattray (Ret.), Ph.D., Principal with Delta Risk, LLC
 
The presentation addresses the evolution of cyber risks from three perspectives – global, national and enterprise. It analyzes the challenge of defending enterprise assets against a growing range of threats in an Internet ecosystem that was not designed for security and that has no central point of control. The presentation then addresses the concepts of cyber resiliency and agility as effective strategies for managing emerging threats and risks.
  
Download Slides
Download Audio
Rethinking Cybersecurity Engineering and Innovation within the Fleet and Naval Enterprise: An SSC Atlantic Perspective
Michael T. Kutch, Jr., Business Portfolio Manager for Information Dominance and Cyber Warfare, Space and Naval Warfare Systems Center Atlantic

 
Download Slides
Download Audio
Managing Risk in an Environment of Advanced Persistent Cyber Threats: Next Generation Security Standards and Guidelines
Ron Ross, Senior Computer Scientist & Information Security Researcher, NIST

Protecting core enterprise missions and the information systems supporting those missions in an environment of increasingly sophisticated cyber threats must be a top priority for senior leaders today. Establishing a strong and robust information security program and employing a flexible and dynamic risk management framework and associated security standards and guidelines can help corporate leaders protect organizational operations and assets from the potential adverse impacts resulting from both routine and advanced persistent cyber threats.
 

Download Audio
Panel Discussion: How to Measure Success; Is Cyber Security a Cross National and Public Effort
Moderator - Victor Harrison, Director, NPS Distinguished Engineer Group, CSC
Panelists:
  • Djenana Campara, CEO, KDM Analytics
  • Gary S. Elliott, Chief Information Assurance Officer
  • Marlena Erdos, Independent Consultant
  • Karen Evans, Director, US Cyber Challenge
  • Ron Ross, Senior Computer Scientist & Information Security Researcher, NIST

Risk, Regret, and Cost are inextricably linked and, together, form the basis for measuring cyber security success:

  • Risk - the probability of an attack
  • Regret - the measurable impact and resultant consequence of an attack
  • Cost - how much money should be spent to mitigate the risk, avoid the impact, and buffer the consequence

This panel will not only explore these attributes of success and what represents effective measures for each, but also the larger questions of inter-enterprise, cross-agency, and even cross-national success measures.

Wednesday - May 26, 2010

Introduction and Day's Logistics
 
Download Audio
Keynote Presentation: The Trajectory of Cyber Security
Samuel S. Visner, Cyber Lead & Vice President, Strategy and Business Development
North American Public Sector - Enforcement, Security and Intelligence, CSC

The visibility of cybersecurity has been heightened significantly by the alarm raised worldwide, in the commercial and public sectors alike, over the threat to information systems posed by nation-states, cybercriminals, terrorists, and cyber-vandals. The reaction to this threat is also significant: the President of the United States has put forward a Comprehensive National Cybersecurity Initiative (CNCI) and has appointed a National Cyber Coordinator. A US Cyber Command has been established; the Department of Defense has put in place a Defense Industrial Base (DIB) Pilot Program and Framework Agreements to improve the cybersecurity of aerospace and defense companies. Work is underway to understand the cyber challenge and improve the cybersecurity of the information systems on which our critical infrastructure depends. Around the world, companies with global supply chains are trying to understand what they have at risk in cyberspace and how to mitigate that risk. Some companies are going further, seeking to enhance their reputation as information service providers by emphasizing the importance they place on cybersecurity.
 

Download Slides
Download Audio
Standards and Guidance for Engineering Secure Systems
Paul Croll, Chair of the IEEE Software and Systems Engineering Standards Committee & Vice Chair of the US Technical Advisory Group for ISO/IEC JTC1/SC7

Those who acquire, build, and manage large-scale systems and Systems of Systems recognize the complex supply chain they represent: proprietary and open-source software, legacy systems, hardware, and firmware, from multiple suppliers who employ people from around the world. As a result, the threat to today's systems is present across the full system life cycle. Dealing with that threat in the acquisition, development, operation, and maintenance of systems is largely a question of understanding and accepting residual risk, that is, the risk that still remains after all mitigation efforts have been employed. In this context, system assurance can be viewed as the level of confidence that the system functions as intended and is free of exploitable vulnerabilities, whether intentionally or unintentionally designed or inserted as part of the system. Engineering practices that support such confidence in all phases of the life cycle are key to marketplace acceptance, to managing corporate risk exposure, and to national security.

This presentation addresses the definition of the problem, results from several joint Industry/Government forums addressing issues in system assurance, standardization efforts in support of system assurance, and practical engineering guidance for system acquirers, developers, operators, and maintainers.
 

Download Slides
Download Audio
Keynote Presentation: Software Security Assurance: Software Supply Chain Risk Management
Joe Jarzombek, PMP, CSSLP, Director for Software Assurance, National Cyber Security Division, U.S. Department of Homeland Security

With today's global IT software supply chain, project management and software/systems engineering processes must explicitly address security risks posed by exploitable software. Traditionally, these disciplines have not clearly and directly focused on software security risks that can be passed from projects to the organization. Software security assurance processes and practices span development and acquisition and can be used to enhance project management and quality assurance activities. Mr. Jarzombek explains the critical need for adherence to the practices, guidelines, rules, and principles used to build security into every phase of software development.
 

Download Slides
Download Audio
Establishing a Standards' Approach for the Cyber Arena
Terry Roberts, Executive Director, ASP/Interagency & Cyber, Carnegie Mellon, SEI 

For the past ten years, Industry and Government have played a primarily insular, reactive, tactical game. There has been no overall US Interagency (as confirmed by the President's Cyberspace Policy Document) and therefore no Strategic Framework for Industry to plug into - so we have all (by necessity) looked inwardly, to take care of what is within our realm of influence:

  • Government Departments and Agencies have looked at their respective portions of the Internet, NIPRNET, SIPRNET, TS Networks.
  • Savvy, responsible and moneyed Companies and Corporations have done the same.

All the time realizing that none of us singularly own, control, nor operate our Networks - and so alone we will always be outnumbered by the ever incoming threats, our numerous vulnerability vectors and our good but extremely limited and often tactically focused defenses - putting us all way behind the "Cyber Power Curve."

Therefore the only way to get ahead of the current Cyber Assurance negative spiral is to put in place an executable strategic framework that includes (but is certainly not limited to) the following:

  • Raise the level of the Debate - Educate our Nation and our World (exactly what OMG is doing today)
  • Organize for Success (government cannot accomplish the task alone) - Prioritize some initial areas that a Private-Public Partnership must focus on:
    - Shared 24 by 7 Situational Awareness, Online Collaboration, Threat Mitigation and Development of Indications and Warning - Leading to Vulnerability Identification and Potential Minimum Standards Requirements
    - Prioritize and Enable R&D Collaboration across Industry, Government and Academia - focused on key Technology Gaps
    - Establishment of Implementable and Effective Minimum Standards That Are Foundational to Cyber Assurance - How Could OMG Drive and Lead this?
 
Download Slides
 
Mark Cohn, Vice President of Enterprise Security, Unisys
 
Download Audio
Panel Discussion: Issues with Effective Collaboration
Moderator - Carlos Solari, Former CIO Executive Office of the President, The White House

Panelists:

  • Mark Cohn, Vice President of Enterprise Security, Unisys
  • Paul Croll, Chair of the IEEE Software and Systems Engineering Standards Committee & Vice Chair of the US Technical Advisory Group for ISO/IEC JTC1/SC7
  • Joe Jarzombek, Director Software Assurance, Department of Homeland Security, National Cyber Security Division
  • Terry Roberts, Executive Director, ASP/Interagency & Cyber, Carnegie Mellon, SEI 

One of this conference's major themes is how to "... encourage the broad use of cyber security standards developed through the joint efforts of vendors, end-users and government agencies ..." The imperative for this "encouragement" might best be expressed by the old adage "we sink or swim together." This is especially true given today's environment, which threatens us all individually and collectively. This panel will therefore discuss opportunities for and barriers to effective collaboration, with the end objective of making us all more secure.
 

  Forming the CyberSecurity Community of Practice (CoP)
 


Join us to shape the discussion and get in gear toward unified cyber security standards!

Platinum Sponsor: CSC
Gold Sponsor: SAIC
Hosted by: OMG
Media Sponsors: SearchSOA, SearchSecurity

Co-sponsorships Available


About the Object Management Group
OMG is an international, open membership, not-for-profit computer industry consortium. OMG Task Forces develop enterprise integration standards for a wide range of technologies, including: Real-time, Embedded and Specialized Systems, Analysis & Design, Architecture-Driven Modernization and Middleware and an even wider range of industries, including: Business Modeling and Integration, C4I, Finance, Government, Healthcare, Legal Compliance, Life Sciences Research, Manufacturing Technology, Robotics, Software-Based Communications and Space.

OMG's modeling standards, including the Unified Modeling Language™ (UML®) and Model Driven Architecture® (MDA®), enable powerful visual design, execution and maintenance of software and other processes, including IT Systems Modeling and Business Process Management. OMG's middleware standards and profiles are based on the Common Object Request Broker Architecture (CORBA®) and support a wide variety of industries.

More information about OMG can be found at www.omg.org. OMG is headquartered in Needham, MA, USA.

Last updated on June 17, 2010 by Mike