NIST Partners with SANS for the 8th Annual IT Security Automation Conference

National Cyber Security Month kicked off in October with the eighth annual IT Security Automation Conference (ITSAC), a conference devoted to automating cyber security. It is one thing to talk about public/private partnerships in cyber security, and quite another to pull off a successful three-day conference where federal security experts share the stage with a wide range of commercial practitioners.

  • Debora Plunkett, Information Assurance Director at the National Security Agency, gave the keynote, with a particular emphasis on mobile devices.
  • Alan Paller, from the world-renowned SANS Institute, told stories about Stuxnet and gave an overview of training for information security professionals.
  • Richard Spires, the CIO of the Department of Homeland Security, drilled down into FedRAMP, an area where federal information technology professionals have many concerns.

Debora detailed the challenges of managing mobile devices. She underlined the relevance of cell phones by noting that fifty million people in the world today have mobile phones but no electricity at home. Each of these devices can originate or relay malicious code. From a federal perspective, a mobile security strategy must protect data, include a robust device management system, and ensure secure communication.

Alan Paller is the Director of Research at the SANS Institute in Bethesda, Maryland. During his presentation he discussed Stuxnet, the sophisticated computer worm. He told the audience that individuals with malicious intent were re-engineering Stuxnet to aim it at the United States. His point was that defenders need a deeper understanding of offensive as well as defensive security practices.


Alan Paller, SANS Institute

A main focus of the conference was identifying routine security tasks that can be automated in order to save time and free up humans for analytical and strategic work.

Many information technology professionals complain that universities are not preparing workers for the tactical side of this work. In other words, college graduates are good at taking tests but have no practical experience with servers or mobile devices. Paller described a new initiative from Cisco and Northrop Grumman, which partner with community colleges to develop programs that teach security basics. Students would spend nine hours in front of a computer for each hour in the classroom, combined with internships that let them put theoretical knowledge to productive use.

A good example of automating security practices for the federal government is the Office of Management and Budget’s FedRAMP initiative. Instead of each agency “reinventing the wheel” with duplicative security testing, FedRAMP provides joint authorizations and continuous monitoring for cloud computing systems, so an authorization granted once can be reused by other agencies. Independent assessors, colloquially referred to as 3PAOs (Third Party Assessment Organizations), test whether a cloud service complies with the FedRAMP security requirements. The concept shifts assessment costs to the private sector, which reduces the federal monetary burden while maintaining a high level of quality assurance.

A large contingent from the Social Security Administration and the Department of Justice attended the FedRAMP presentation by Richard Spires, CIO of the Department of Homeland Security. He indicated that the effort was starting to gain momentum. Currently, the GSA has fifty-two applications for FedRAMP compliance and hopes to add three more by the end of the year. Richard also said that the federal government is currently running twelve cloud-based services, which allow subscription-based models that scale easily and comply with the required security controls.

Today, data is growing forty times as fast as the world’s population. Much of that data is generated by smart phones, which should hit the magic number of one billion by the end of 2012. A key success factor for government and commercial enterprises trying to control security in this dynamic environment is an automated approach. The eighth annual conference will be remembered as a step in the right direction for balancing insight from both sides of the security world.

ARMATURE is a leading provider of web-based products and services for accreditation, governance, risk, compliance, and quality solutions. For more information regarding regulatory compliance, read about updating conformity assessment policy with Gordon Gillerman and Matt Scholl from the National Institute of Standards and Technology (NIST).


ARMATURE’s John Gilroy hosts a weekly radio show on Federal News Radio, appears regularly as “The Computer Guy” on The Kojo Nnamdi Show, and is an experienced platform speaker. Read thought-provoking comments on the technology industry at John’s blog and follow John on Twitter @RayGilray.