Video: CISA's Cyber Performance Goals: A Guide to Implementation and Framework Alignment | Duration: 3200s | Summary: CISA's Cyber Performance Goals: A Guide to Implementation and Framework Alignment | Chapters: CISA Cyber Performance Goals Introduction (6.96s), CISA's Role and Responsibilities (135.125s), CISA's Assistance Programs (557.41504s), CPG Implementation Practices (1252.9349s), Assessment Process Explained (1415.995s), Integrating Security Frameworks (1787.7051s), Conclusion and Advice (2321.43s), Closing Remarks and Appreciation (3013.705s)
Transcript for "CISA's Cyber Performance Goals: A Guide to Implementation and Framework Alignment": Hello, everyone. Welcome to this webinar. I am Tarek Wiley Baptiga. And, today, we're here to discuss CISA's Cyber Performance Goals. We're gonna give you a guide to implementation and framework alignment. And I'm very happy to be joined today by two experts in this field. So we have Kaye, who is the CISA cybersecurity state coordinator and adviser, as well as Tom Brennan, who is managing partner over at Proactive Risk. So we'll start with you. Chris, can you give us a quick introduction? Yeah. Sure. Well, first, I'd like to start by thanking you, Tarek, and your team at Ortega for just kind of hosting and promoting this event. Always love having these conversations. And it's an honor to be speaking with you and the audience about CISA. Also, super humbling to be on a webinar with one of my heroes, Tom Brennan, in the space. You'll hear from him a little bit later. But I'll just say this much. We should all be happy that he's actually on our side. So I'll leave it at that. That's a great intro. We can move it over to you, Tom. Well, thanks, Chris. I'll mail you your $20 for that intro, but thank you very much. I'm Tom Brennan with Proactive Risk. We provide services in the space to help organizations be better. I also spend a lot of my time with the Crest International Organization as their Americas lead. And I also help out with organizations like Manelbaum Barrett as their CIO. So I have a pretty full plate of cyber stuff, but I'm happy to be here. Perfect. Thank you, Tom. And, again, we're here to have an open discussion about CISA. And, you know, I really wanna open this up, make it as much of a discussion as possible. So, all of our audience members, you'll see in your top right, there is a chat section. Some of you have found it already.
If you have any questions throughout the webinar, please drop it into that chat. We will do our best to get to all of them that come through the chat. So, you know, please participate, and we'll try to make it as much of a discussion with you as we can. That being said, you know, why don't we dive right in? I could start talking to you all about CISA, but why do that when I have an expert on the subject here with us today? So, Chris, I'll jump into the first question and direct it your way. Great. So some of the people might be familiar with CISA and its responsibilities, but, if they're not, you know, somebody who's more of a novice, can you please give a quick overview of CISA, you know, what you guys do? Sure. Happy to. And that's not unreasonable. A lot of audiences I speak to are not entirely familiar or haven't had an opportunity to interact with CISA because we're really six years old, six and a half years old. So, but I'll start kind of with this. There may be some of you in the audience that remember a press conference with Ronald Reagan where he said, hey. The joke was, what are the nine most terrifying words in the English language? And the punchline was, I'm from the government, and I'm here to help. Right? And listen. We can all admit, hey, that might be true in some cases. But I'll tell you what from my perspective and working with CISA, it's not a punchline for us. You know? It's actually, like, almost like a credo. We're from the government. We're here to help. We understand the tremendous risk that all of you are kind of trying to combat against, you know, cyber adversaries, from all different perspectives. But just to give you some perspective on who CISA is, we're one of the operational agencies that is kind of under the umbrella of the US Department of Homeland Security.
And we serve as America's civilian cyber defense agency and national coordinator for critical infrastructure resiliency and security. CISA leads the national effort to understand, manage, and reduce both cyber and physical risk to the infrastructure that Americans rely on every hour of every day. And what I also like to say too is what CISA is not. We're not a regulator. We're not a law enforcement agency. We're not there to collect evidence and prosecute the adversaries, and we're not an intelligence organization. We're simply here to kind of partner voluntarily with organizations and offer them services and resources, which we'll talk about in a little bit, to help them reduce their risk. Great. Thank you. And, you know, given that CISA is focused on minimizing risk for critical infrastructure, can you tell us a little bit about what that looks like today? Yeah. Yeah. Absolutely. So a lot of what I do, a lot of what CISA promotes is a focus on the fundamentals, deny our adversaries, like, the low hanging fruit. And so what does that kind of mean? Apply those patches that are issued, like, at a very rapid cadence. Use phishing resistant multifactor authentication. Enable logging for your applications, access control, and security functions. Secure storage of those logs, and address end of life systems before they become unsupported. You see, the thing is you may not think that your organization would be the target of a foreign nation state. Right? Maybe you're not the Pentagon or you're not whatever. But the reality is oftentimes, organizations aren't victimized because they are the direct target. It's because their technology is targeted. There are vulnerabilities and exposures in the technology stack that are being utilized that are kind of scanned, identified by our adversaries, and then exploited.
So it's really important too to note that you may not consider yourself a direct target, but who are the people that rely on you and your organization's goods and services? Maybe that's an organization that provides a national critical function. And so maybe to get to that or to kinda degrade that capability, they might even target you. So you have to take a holistic approach. But, again, start with the fundamentals, the basic blocking and tackling of cybersecurity. Perfect. Thank you. And so when talking about risk, who or what does CISA identify as a main risk to achieving its strategic goals? Like, what is the main threat to critical infrastructure and to others? Yeah. So great question. So what I'm gonna do now is I'm actually gonna read something from the Office of the Director of National Intelligence. Every year, they produce an annual threat assessment. And so this is from last year's. I'm hoping 2025 will be issued soon. But let me read to you about this. Now it leads with, it says China, but let's be clear here. When we're talking about China, we're talking about the government of China, not Chinese people, but the actual People's Republic of China. So it says, China remains the most active and persistent cyber threat to US government, private sector, and critical infrastructure networks. Beijing's cyber espionage pursuits and its industry's export of surveillance information and communications technologies increases the threats of aggressive cyber operations against the United States and the suppression of the free flow of information in cyberspace. Again, coming from the 2024 ODNI annual threat assessment. So what we kinda see is this: they are the most prolific threat. Now, if you were to Google CISA and the letters PRC, it will bring you to our webpage, the cisa.gov website, that will have a list of jointly authored cybersecurity advisories.
I mean, and when I say jointly, I mean not just CISA, but our partners in the FBI, the NSA, but also our international partners who are combating these threats too. And within those joint cybersecurity advisories, you'll see, you know, guidance, context, indicators of compromise, mitigation strategies, and so forth. So I would direct the audience to go and check those out. They're constantly being updated and, you know, a great resource for everybody. And then I'll kind of say this too about the threat from the PRC. You know, when it comes to, like, US strategic or military doctrine and planning, I think we go to great lengths to avoid collateral damage as much as possible. Whereas what we're seeing from the People's Republic of China is that, you know, that's actually a component of their strategy to create societal panic and chaos, to really disrupt how things function here in the homeland. So that way, we're less capable to respond to any of their geopolitical or military aspirations. Great. Thank you. I'm gonna throw it over to you, Tom. So we've been talking about kind of CISA's perspective. So, from your perspective on the provider side, what has your experience been in terms of kind of the risks that Chris has been discussing and kinda how CISA fits into alleviating some of the risks that you're seeing, maybe with your clients? Yeah. Thank you. I couldn't agree more. I think that the traditional people, process and technology has to be, you know, said over and over again, because it's, in many cases, the basics. You know, criminals have a return on investment. Right? A risk of incarceration. And businesses are trying to figure out how to spend less, get more, and have a magic button sort of to push to have things be okay. Those things are kinda opposite, if you will. Bad guys, and I get to play one, because I slept in my hobby in last night or more importantly because I do a lot of red team work.
But when we're looking at it at a target, the organization is really what's the crown jewels. Right? What's the goal? Is it a disruption of a service? Is it to knock something offline and disrupt it? Is it physically to alter the integrity of the data so it has a further downstream effect? Or, god forbid, there's a physical component with kinetic, that can cause a system to explode or someone to get hurt. So the criminal, and I use the word criminal, not hacker, because I always have been a hacker for a long, long time. But I think it's all about ethics. Right? So the criminal targets an organization and they're not looking to necessarily smash and grab a window and grab a watch. Maybe they're looking to, you know, get into the organization through a web application or through a network hole or through a physical exploit. But, you know, that's very important to understand the people side. And then, of course, we get into the process and the technology, and they have equal concerns. So back to your question. CISA, I think, does a fantastic job raising visibility for problems, both at the nation state level as well as the SMB. Because at the end of the day, you know, there's, like, 2,500,000 businesses where I am here in New York Metro with, like, 19,000,000 citizens. Right? There's a lot of attack surface. It really comes down to what are we targeting? What areas are most interesting? And critical national infrastructure, by definition, you know, is disruptive or could be disruptive to life in humans that live in this region, if not the whole country. So to me, I think CISA does a great job. Great. Thanks, Tom. And we just got a comment that I think leads well into our next question.
So our comment says that this person recently went through the CPGs with their CISA adviser and would love to hear more depth of perspective on the categories of goals and examples of how to apply them, especially the perspective of how to more broadly apply them, not just to critical infrastructure. So, Chris, with that in mind as we go into these next questions, you know, can you say, you know, on the, we've been talking a lot about what CISA wants to accomplish. But can you talk about your approach? How are you helping? And then, you know, anything that, you know, goes in-depth on your perspective of the goals and applying them would be great. Sure. Hey. Thanks for the comment, TC Meggs. And I'm glad to hear that you're engaged with your local cybersecurity adviser. So I think, well, I think I was gonna talk about the CPGs a little later on, but, heck, you brought it up. Let's talk a little bit about it now. The CPGs, the full title of them are the Cross-Sector Cybersecurity Performance Goals. So, what I'd like to kinda do is highlight, so let me step back a little bit. Like, assessing your environment through the eyes of an adversary is just a very fundamental way to understand, hey, what potential exposure you might have. You know, I started off in my career earlier with the New Jersey State Police, and for a long time, I was assigned to our governor's security detail. And one of the first things they teach us is how do you, like, stand back, stand in the shoes of someone who wants to do harm, wants to do bad things, and what does the environment look like to you? Where are kind of the easiest places for you to go to accomplish your objectives? And so from CISA's perspective, self assessment is one of the first places to go. Right? Yep. That's me right there. Just in the chat. Self assessment is one of the first places to start if you're not doing any type of assessment whatsoever.
Now the cybersecurity performance goal is one of 60 different assessments contained in something called a CSET tool. Now, you can Google right now CISA, CSET, Charlie Sierra Echo Tango, and GitHub. Because CISA has a GitHub repository like a lot of folks. Right? And you could pull down the CSET tool. It's 1.5 gigabytes. It downloads locally, and then you can just install on your desktop, laptop, what have you. It's not, unless you're running Mac. Right now, it's just Windows based. But when you download this, one of the assessments, one of the 60 assessments in there is the cybersecurity performance goals. Now the cybersecurity performance goals is simply based on the NIST cybersecurity framework. Identify, protect, detect, respond, and recover. Now we all know that there was a recent update to a 2.0 version, and the control area of govern is actually being added to CPGs. That should be out probably early summertime from what I hear from the team. And so, if you had never conducted an assessment before, this is a great place to start. Like TC Meggs mentioned, hey. You know, maybe you have an appetite for, like, more meat on the bone. We got you there. But if you haven't done an assessment, do this one. It's gonna ask some very basic questions. And unless you have those questions answered or are addressing those questions, you know what? Sometimes it doesn't make sense to go on to a full pen test. Right? If you don't even have an inventory of your assets. Right? If you're not conducting training, if you, you know, don't have an incident response plan. So it kinda covers those basics. Now to get to TC's next questions, there are other assessments within that CSET tool. Like I said, there are 60, that will take all the way from, like, a 38-question CPG assessment, what we just talked about, over to, like, a 369-question cyber resilience review that covers 10 different domains.
And I just recently did one for the first time out in Long Island, and it took the better part of the day. But that assessment gets much more into the weeds about people, process, and technology. And so if you have an appetite for that and you kinda check the CPG box, look into the CSET tool for the cyber resilience review assessment. So that's kind of one of the things that we kind of ask folks to do is make sure that they understand their organization from an external perspective. Another thing is we provide assistance to organizations for incident response planning. Sometimes organizations we find do have incident response plans, but they haven't been reviewed. They haven't been updated. And so if you don't even have one, there are templates that CISA provides for you to at least get started with identifying the people that need to be contacted, the events that need to happen in certain orders. And then plans are great. Right? But honestly, unless you exercise those plans, it's really difficult to know what you don't know when you actually start to get people to talk and you have to make decisions. And so CISA also offers a tabletop exercise program that has well over 100 scenarios already built. And I think if you Google CISA and CTEP, Charlie, Tango, Echo, Papa, you'll see on there that these are just Word documents. Now of the hundred, over a hundred, not all of them are cyber. Some are physical. Some are cyber, and some are converged cyber and physical. But listen, if you wanna conduct an exercise, you haven't done one before, you don't have the budget to have a big third party come in and run this for you, visit that site. It's a Word document. You pull it down. You can add your logo. You can modify it, but it has scenarios lined up. Hey, on this day, help desk gets this. On this day, users report this. On this day, this is, and then discussion questions. Injects.
There are usually two modules for each of the exercises, but it helps to kind of just get people talking. Oh, what if? I don't know. We never thought about that. And you really want to exercise these things on blue sky days before it gets pretty stressful. So that's one. And the last thing I'll mention as far as how CISA is trying to help organizations reduce their risk has to do with our Cyber Hygiene vulnerability scanning service. Right? And it consists of two things. Vulnerability scanning for, you know, web connected, you know, devices, appliances, so forth. We use Tenable's Nessus. You provide us kind of your IP address space, and then we provide scans, if everything looks good, every week. But depending on the level of criticality, if there's something that's exposed, unpatched, older operating system we know is getting exploited, you know, and we deem to be critical, we're gonna kind of remind you about that scan every twelve hours until, you know, you tell us no. It's not connected to anything or we're not worried about it. We accept it. Whatever it is, but we'll kind of, you know, increase the cadence if we see something that looks potentially problematic. The other component of CISA's Cyber Hygiene services is web application scanning. So any web connected applications that you might be running. You know, we use Qualys to check for some misconfigurations and things of that nature. And, basically, those are things that I would recommend everybody take advantage of. Great. Thank you. Sounds like CISA does a lot. Sounds like you offer a lot. All that being said, you know, what's the rub? How much does it all cost? Oh, yeah. Right. Exactly. Yeah. What's as big on this? Right? Well, what I'll say, you know, I would, some people say, hey. You get what you pay for. Right?
So I never like to say that these services are for free because those of us that get a paycheck every two weeks, if you look on that line that says federal taxes, that's where it's paid for. But there's no charge to any organization so long as they're US based. You know, we provide these to public sector and private sector organizations. So there is no charge for the services. You can go to our cisa.gov website. Tons and tons of research. Almost like too much. Right? Which is good to, like, TC Meggs kinda, like, talked about having a relationship with their local cybersecurity adviser. It's always great to have, you know, the Chris K wherever you are in the country, like, on speed dial or connected to them, and they can help you to navigate these services and resources, and also keep you up to date when new things come out. Great. Thank you. And now, throw it back to you for a second, Tom. Can you tell us what you're seeing in terms of CPG awareness and implementation in the market, or among your clients? How you made it, Tom? Sorry about that. I don't wanna have the dogs barking in the background. I would say that, like I said earlier, the ability to have a trusted third party best practice is always important to measure against. Any organization regardless of what industry they're in or sector that they represent, there's a value there. Right? The value could be business intellectual property. It could be data. It could be credit cards. It could be information about their own employees. But at the end of the day, the reference of measuring against a third party is super helpful because, you know, we're looking again back to the people, process and technology conversation. I can't say how many times that an organization that we work with, we look at their controls. They're trying to measure against something and get a score or get a validation or get a report on compliance.
But, you know, there's different stages. Right? There's sort of an initial phase. There's something that's, like, repeatable. Then you can have it well defined or even managed or co-managed and then optimized. So the maturity scale of the different controls are pretty different levels. Again, example, if you do security awareness education, which everybody should do something, right, for their staff, at what level is that maturity? Is it something that you're doing once a year? Is it simply a five minute overview? You only do it when you hire people? Do you expect them to learn on their own? Are you measuring it weekly? Like, there's different ways to measure awareness training. The same way there's different ways of measuring such as patch management or security reviews or code analysis if you're doing web application security as Chris mentioned. And commercial tools are very helpful in the space to find known problems and known systems. But at the same time, like, web application is interesting because it talks about context. Right? You have to have a human understanding of what the application flow is to be looking at business logic flaws. Conducting a point and click scan of something will give you low hanging fruit, and everybody should be looking at minimizing their attack surface. So, again, best practices are useful. Organizations are leveraging these across other frameworks. Then sometimes also cross mapping them to other frameworks as well, to sort of get the best of the different regimes of compliance, if that means anything. Great. Thank you, Tom. Chris, you mentioned the assessments before, I think. Can you talk us through the assessment process, and, you know, if there are any other resources that you recommend? But, what does that process look like? Yeah. So when it comes to the cybersecurity performance goals assessment, which is, again, kinda like the appetizer on our menu. Right?
You can do it in one of two ways. Like, I think TC mentioned Eddie Harmon. I know Eddie. He's aces. Right? You can kinda get in touch with your local cybersecurity adviser, and together, you can kinda walk through. Now the actual assessment is super user friendly. And it's almost, if you've done TurboTax or something like that, it kinda walks you through. There are actually icons for, like, you could upload documents. Right? So you can make the cybersecurity performance goal kind of a persistent or perpetual reassessment process every six months, because it will produce a report at the end that you can kind of compare, bring to leadership, justify budgeting, or what have you. But there are goals you're gonna upload documents. There are also reference goals. So if you want more information on what is this question referring to, it will lead you to the ISO 27001 or NIST 800-53 special pub or whatever it is. It will actually kind of give you the actual frameworks to go back to and kind of research a little bit more. So the cybersecurity performance goals, I think I mentioned it earlier, 38 questions. Right? And, again, covering down identify, protect, detect, respond, and recover. And with the right kind of folks in the room, again, 35, 40, 45 minutes tops, and it gets you an idea of where you should stand. If you're gonna download that CSET tool, the cybersecurity self evaluation tool from GitHub, another exceptional resource in there is the ransomware readiness assessment. That's just 48 questions. And if you wanna understand your potential exposure or preparedness for that specific risk, take the 48-question ransomware readiness, and this is again, it's in there. And I'll say this too. This tool does not somehow covertly beam information back to the mother ship CISA in Northern Virginia. The data resides locally, and it stays locally.
Even if I were to say, you know, right seat, left seat with you, I would simply be advising you on clarifications for the questions as you're typing information in your machine. You keep the reports and so forth. So that's something that, you know, I, again, advise if you haven't conducted any type of self assessments. And, again, the tabletop exercise packages. That's what I was kinda mentioning, the prewritten exercises. Download the Word document. Take a look at it, read it through. Great exercise to do with your team internally. And then I'll say this much too. CISA also has a national exercise team. So if you say to me, Chris, you know what? We're good on denial of service. We're good on ransomware. We're good on, you know, some of the main things. But, you know, we provide, you know, water to this community or to a hospital or something. We'd actually like to integrate an exercise that incorporates external stakeholders. Maybe it's the FBI, maybe it's CISA, maybe it's the water company, maybe it's the hospital. Well, if you're at that point, we can make a request for you to get on the docket for CISA's National Cyber Exercise Team, who will then, you know, now I'll caveat this. The lead up time for something like that is usually six to eight months. There'll be monthly planning meetings to make sure that the team understands what policies and processes you're looking to exercise, reviews those, make sure your goals are clear to them, and they construct an exercise that, you know, to your satisfaction, that meets your expectations, who you wanna invite and where is it gonna be, all of that stuff. But they'll help to deliver that from the national level if, you know, kind of if you're at that spot.
So, you know, we could go from, like, very basic exercise planning all the way up to incorporating numerous external agencies that you would wanna work with before you actually have to do something in real life, if you know what I mean. Yeah. Absolutely. So, Tom, I'm gonna take a question here from the audience as I think it kind of leads into what we're gonna be discussing next. So Tom Cole says, as I go through all the security frameworks such as NIST, I feel the information is too vague. It's too difficult to pick out the actual actions required to comply to the goals. So not really a question, but can you kinda speak to what Tom's talking about where, you know, there's a lot of different frameworks? You know, each of those has a lot of requirements, a lot of controls. You know, can you talk to his feeling of it being too vague and difficult? Yeah. No. I would share that with him. Meaning over the years, I think with some gray hair and some experience, we start to know what good looks like. But the difficult process is not having reference architectures. Right? If you're doing transactions online and you're completely a SaaS based platform selling widgets, well, that's a reference architecture about how to secure the web application, how to conduct that business. If you're a hospital and you're providing certain services and you have exposures both physical as well as electronic to the outside and the inside of people accessing systems and data, different reference architecture. And that's where a lot of these compliance areas or frameworks come from. Right? We start talking about things like the CCPA with California for protecting resident data or the GDPR or we're talking about the New York City DFS 500. You know, they have different areas of focus, whether it be a financial services company, health care, etcetera.
And then there's lots of compliance related items like PCI, to protect credit card data. So Visa and Mastercard can put, you have faith in their brands. Right? At the end of the day, there's good cross mapping, I think, between best practice because a lot of things are what's the intent, what's the purpose. If CPGs in purpose and CISA's purpose is to help critical national infrastructure, you know, water, gas, electric, the 16 core, the guidance is usually very focused in that particular area to do. You have to do at least this as a minimum standard because the government doesn't run these organizations. Right? They may be here to help and support, but as Chris said, the government is not operating those commercial businesses. Right? This is America. So at the end of the day, we're trying to say, hey. You probably should do at least this as a minimum standard. You start looking at other frameworks that are involved. And I like to take the CPG personally and map it with, like, the Center for Internet Security Version 8 controls, which is a little prescriptive, and start mapping it to best practice based on references and based on experienced architectural reviews and understand, okay, well, are you doing various controls along the way to help insurances? And again, the attacker mindset, as Chris pointed out before, I couldn't agree with more. It's let's build it and let's look at the whiteboard and say, if I was a bad guy, how would I break it? Right? And you start determining what enclave separations, choke points are within the environment to make it easier to detect when somebody's within the wire, as they say, or within the environment. Because you have to assume compromise. You have to assume systems will be broken into. And how do you keep the business running with not allowing the entire place to fall down, you know, when somebody breaches, you know, ring one or ring two within the organization.
That answer the question a little bit? I think so. Yeah. I think, in fact, we get into what we're talking about next. So, yeah, thank you for that. You did start touching on this a bit, about how CISA or CPGs can kinda integrate with some of these other frameworks or, you know, align with some of the frameworks that other people are using at their organizations. So can you talk a little bit more about that, about how they fit into an organization's security strategy and how CISA CPGs align with other frameworks. Sure. So let me give an example, and it might be abstract for some people on the call, but walk with me here. If you're an organization that provides, let's say, water, simple water or wastewater, and I use the state of New Jersey, you have an annual requirement to look at what's called the WQAA, Water Quality Accountability Act for New Jersey, and report that information back. Right? Because you wanna have some assurances that there's good water quality, both wastewater and water processing. But let's assume that municipality that runs that or the private sector business that runs those environments, they also take payments, probably from people in the municipality. Right? Or maybe from businesses that buy water services, waste or direct. And maybe they take payments like credit cards. Okay. So now you have a water requirement. Now you have a PCI requirement. Oh, yeah. Then you're gonna go ahead and you wanna do some sort of SOC 2 assessment of your business so that when people buy services from you, they have some assurances that you have a decent infrastructure. Now you're up to three. So you keep going on what is the requirements of the business to demonstrate commercially reasonable security. So when and if there's a risk or a problem, they can be defensible and you start having these multiple things you have to do.
So first it comes with a little bit of experience, I think, to know how to build things the right way or the best way possible at the time. You map them back to the framework areas or the compliance requirements that the business has. You start mapping to what do we do in these areas of controls. Again, what are my controls for people, my controls for process, my controls for technology. And that might be mapped to 18 or 26 or 35 control areas, but you start to sort of understand what the measurement is of the maturity. Are you super mature? Have you been around for a while? Do you have the right people? Do you have tons of budget? And have you been pretty innovative in the space? Well, you probably do fairly well. But not everybody has enough budget or enough people or has had the time to do the work that quite frankly is boring for many people. Right? Pen testing and hacking and stuff sounds like fun, takes a long time. Right? So then being the defender who could build those systems that are resilient from attack, you have to have, I think, some of that experience to know how to break in order to build a better mousetrap. So back to the question, I really strictly believe that as we start mapping the different items that are available, it's really important to sort of walk and understand what the business needs to be resilient. So again, back to our water company. They had to now comply with several requirements or mandates. They measure themselves against what they're currently doing. People are, you know, upset that they don't have enough people or budget or systems that can actually provide the data that's needed, and they have a gap. And then what do they do with the gap? Right? That's the risk. They can insure against it, they can outsource it, they can accept it, but at least now they know about it and they can apply the appropriate controls around it to help mitigate the problem.
So that's, I think, a statement or a summary that this is an ongoing effort with organizations to be better. And as I said before, with, you know, two and a half million businesses in the New York City Metro Area, there's plenty of work to do. It's really a matter of trying to help people to say, hey, some minimum requirements might be a good idea to protect a small business, a medium business, or a large one. Great. Thank you, Tom. And I know you work with a lot of clients on, you know, creating their cybersecurity programs and cross mapping frameworks. So can you share some best practices for creating a cybersecurity program that cross maps CISA CPGs with other frameworks that people are using? Sure. Sure. I will certainly thank Aptia for the opportunity to be on the webinar. And they have a tool that's helpful. You know, their tool is helpful to get rid of multiple spreadsheets and lots of manual mapping. So they do have a very good engine that allows us to map things between different frameworks. I highly encourage people to take a look at the tool. But again, tools are tools. And the joke I have with my wife is I can walk in the Home Depot, look at all the hammers and screwdrivers on the wall, but guess what? Nothing in my house gets fixed. I write checks. I don't fix things. I don't build or paint walls. It's not me. Not what I do. But in the cyber space, you know, the tools are important. I think we have to have platforms and tools that are not only stable and resilient and been used and tested, but they can make the job easier. Because, again, we don't have enough people to make some of these things move fast. So where we start is kinda what I mentioned before. You have to really take one step back and look at the organization through the real view. And the real view is what's the risk.
If you're a business owner, you wanna run fast, you wanna deliver a great service at a reasonable price. Right? You wanna make a margin, you wanna have a healthy business, and you wanna make sure the people that work for you can put food on their table and know that they're gonna be there for a while. But at the end of the day, that business owner may not be focused on that security piece, because that may not be something he or she is from or the world they come from. But it's a risk. They're concerned about what they hear about every day in the news. They're concerned about what is being announced pretty much weekly about the next company that was, you know, hacked or breached. But more importantly, what's the position? If you say it won't happen to you, well, okay. Well, good luck, Fred. It's like going to Vegas and hoping you're gonna hit roulette. But if it does become a problem within the business, what is your resilience? You know, what are you able to do? And quite frankly, when you turn around to your insurance company, if you have insurance, and ask them to assist with any sort of coverage, they're gonna say, oh, yeah. Did you do the things you were supposed to do? The things you agreed to? Oh, yeah. We didn't get around to that. And then they're gonna say, well, we're not gonna cover you. Right? So insurance is one way to mitigate risk. The other way is to actually try to bolster or make the environment harder for the attacker, because you wanna go back to the risk of incarceration. Right? The bad guy wants the data or wants to use you as a jumping point. You need to make it harder for that person in order to be part of the ecosystem to build a resilient business. Perfect. Thank you. I've got a couple questions left before we start to wrap up. So audience, you know, if you've got any other questions that you want answered, please manage your time.
Enter those into the chat, and we'll try to get to those before the end of this call. But, until then, jumping back to you, Chris. Can you talk about how someone can reach out to you or another rep to learn more about CISA or get help with the CPG assessment process? Yeah. Sure. Absolutely. So, although the majority of kind of the employees are, you know, in the Northern Virginia area, you know, we have a regional approach, because we understand that, as a federal entity, we, you know, we can't make connections from, like, DC. So there are Chris K's throughout the country, represented in all of the states and territories. And in order to find kind of your version of me, maybe, hopefully, a better version of me, all you simply need to do is just Google CISA and regions. CISA and region. You'll see a map come up. You'll see, are you a part of Region 12, 7, 9, whatever? Click on that, and then there'll be, like, email your regional office. And it's as simple as that. Just saying, hey, I would like to speak with a cybersecurity adviser about CISA resources, question mark. Thank you, and that's it. That's all it takes. At that point, it'll kind of be, you know, farmed out to whoever's area of responsibility that is, and they'll kind of walk you through things. Again, my job here, I'm not one of the cooks in the kitchen. I'm kind of the waiter that kinda finds your appetite, right, and takes your order and then makes sure the food gets delivered fast and hot. Right? So that's kind of really where I fit in. That's my little cog in the machine. So, again, CISA regions, Google that. It's gonna identify your region. Email the regional office. They're just gonna kinda push it down. They know who is responsible for your area, and we'll put you in touch with them. Great. Thank you so much, Chris.
And, Tom, do you have any final advice for an organization that's going through the CISA CPG process? And, you know, as a provider, what's the advantage of working with a provider to do this kind of work? Sure. So I think working with a provider should be a hand-holding experience, to help guide somebody through the journey, particularly around areas that may be far into the organization. Again, people. Right? Lack of experience. Something as simple as a tabletop exercise, surprisingly, doesn't happen a lot with organizations. So the number one piece of advice I would have in advance of going through the CPG review is to sit down with your team, you know, buy the lunch, make it sort of lighthearted, and say, alright, guys. You work here. Let's imagine for a moment that three of you decided to go bad, go rogue, and cause disruption. What department would you go after and why? If you went around the room and you asked the people that are part of your IT team or part of your operations team or part of your business, if you ask these questions, you're gonna get some smiles, but you'll get some actual reality, which is, you know, I've always been concerned about not having cameras in the building. I've always been concerned about these locks that don't lock. I've always been concerned about the security of being able to install any application on the computer without any restrictions. Like, you're gonna start hearing those things, and those tabletop exercises can turn into scenarios where, okay, well, what would we do when this happens? If the social media account of the business became compromised and then there was some really raunchy stuff posted about the business, would anyone care? Would it really affect our brand and our image? If so, well, what will we do about it?
What's our process when that happens on a Friday night at 03:00 in the afternoon, and how does that bleed over when people aren't concerned or they're not, you know, they're not working on a Friday night into a Saturday? Like, there's always those timelines. My point is go back to the framework, go back to measuring the business, having the tabletop exercise stuff with your team, and you start really looking at what the maturity of the business really is. And then the outcomes. The outcomes are really important, because you need to be honest with yourself and say, wow, you know what? We say we do change control. We say we have a log of what's changed in the business over the last six months. But if somebody came in and audited us or said, can you prove that you disabled a bunch of accounts, or can you prove that everybody was using multifactor authentication? Can you prove certain things? You may not have those records. And that's really what's important these days, making sure you can demonstrate some commercially reasonable security in a business so that you can not only be better for your customers, but you could, in the event of a problem, go back to that. Now I've written a bunch of books and helped out with co-authoring a bunch of stuff. Again, nobody likes to read the material, but there's a lot of great material out there: templates, best practices, guides, reference architectures. Organizations need to get behind their technologist teams and let them do the thing that they do best, which is build secure systems, and spend the time to make the business more resilient. Because, again, it's really about safety. Thank you, Tom. Another question from the audience. Kareem asked, are there any plans to at least consider including an assessment for measuring maturity and AI risks in the CSET tool? Yeah. I saw that in the chat, Karim. Mister Bennett, thank you so much for posting that.
You know, so CISA has taken a very progressive position on AI. You know, it's not all evil. We recognize that it is a tool, and kinda like Tom mentioned earlier in the webinar, you know, it's about the ethics behind, you know, who uses it and how they're gonna use it. The actual tool itself doesn't necessarily have any ethics to it. But we see, hey, the potential for it kind of scaling, the speed and scale, that it could increase attackers' ability to, you know, victimize people. But we also recognize that, you know, it certainly has potential on the network defender side, the blue side of things, to, you know, automate tasks and process, alerting, and so forth. I'm gonna, again, direct you to CISA's website for the most current guidance on AI kind of assessments. There's nothing, though, that I can tell you that I'm aware of about incorporating an AI kinda maturity assessment into the CSET tool. But when I talk to those folks, I'll ask them. I'll ask them, hey, you know, that's something that it seems like there's an appetite for. Do you have plans for that and so forth? But right now, I'm not aware of any module or assessment that's gonna be added that addresses that particular risk. So I'll jump in on that one as well. And, again, this is the whole conversation of how things evolve. CISA does have an ICT task force, which I'm a part of, which also has a focus not only on supply chain management, but also AI. And there are some items in the works that are gonna drive some of those best practices and top tens. I do wanna point out, though, that that usually takes a little bit longer, because it's a much bigger environment where people are collaborating to produce an end result. But I would go, another reference point in chat, to the Open Web Application Security Project.
The OWASP Top 10 for large language model applications is something that many of us that are software guys have participated in and are involved in. And if you don't know what OWASP is, they're a group that's really focused on the individual open source software and focuses on application security. So, to answer your direct question, if you're looking to measure against large language models and maturity and security, or let's say you wanna figure out how to make your environment better, two good resources to start checking out are those. And then, of course, there's a lot of organizations out there that have the right experience. You know, I would say, you know, reach out to them and figure out who's the right fit for you. Thank you, Tom. We have a question from Mark who says, last I checked, the CPGs were still aligned with NIST CSF 1.1. Are they now aligned with CSF 2.0, which has major changes and more aligns with NIST ZTA 800-207? If not, when is that expected, for everyone to be able to use this in an audit and exams? So I believe the last I heard from the CSET kind of program folks is that the CPG is being updated and should be out, added to the CSET tool, to include the 2.0 cybersecurity framework update in the early summertime. So keep an eye out for that. Great. Thank you, Chris. And then let's see. Alexander asks, what are the most common pitfalls you've observed that impede successful implementation of framework alignment in businesses? Cultural, technological, any others? So if you don't mind, I'll take the one that I've seen the most resistance from. Typically it's not being high enough in the organization to have effect. A lot of the technical resources that latch onto a framework or best practice, using it as a measurement, good place to start. However, they may be falling short with getting executive buy-in and support.
Before the business can really get behind an initiative, particularly around a framework, to allocate budget, time, and effort, it's really critically important to have executive support, because without that focus to help the business be in a much better position, there's gonna be a lot of effort that is like spinning your wheels. You're measuring, you're assessing, you're coming up with a score, and then, of course, there's no further action. So if that's your challenge, it's more around trying to incorporate what I said earlier, the tabletop exercise in the beginning, to help sort of invoke that: we have some issues. You guys are the right people to help us fix it. And then with sponsorship, you then have an easier path in mapping to the maturity models and the outcomes that you're probably looking for. And that's regardless of which framework or compliance regime you need to meet. It's, again, building the people pieces that is quite difficult. Almost an art form these days in cyber is getting the rest of the business to realize that the IT guys aren't just fixing people's iPhones and printers. Right? They're there to help. They're part of the business. They need to roll up to the board to make sure that the business stays out of trouble. And if I can just add a footnote to that, a great answer, Tom, is, like, get your senior leadership involved in your exercises. Let them, like, process and get a taste of what it feels like to, like, confront the scenario that maybe could have been avoided, you know, if proper attention was given to the request made by the information security team. Great. Thank you, Chris. Thank you, Tom. If there are no final questions for Chris or Tom, you know, we'll go ahead and wrap up now. I will say if you're a security provider on the call, please take three minutes and complete our compliance survey. I just posted it in the chat.
And I also posted about another upcoming webinar that Aptig is hosting on CUI compliance. You know, please feel free to click on that link if you'd like some more educational webinars from Aptiga. As I mentioned, we are at time, so I just wanna thank Tom and Chris. I really appreciate both of you jumping on, you know, sharing your insights. I think this was very informative. Like, a lot of people really care about this, so, you know, I appreciate you taking the time to share your experience. Also wanna thank the audience. Thank you very much for your engagement. We hope you found this valuable. And we will send a recording of the webinar afterwards, so please be on the lookout for that and for any of our future events. And, you know, be on the lookout for more content. And, yeah, we'll be sure to do another webinar pretty soon with Tom and Proactive Risk. And, Chris, we hope that we can get you involved again as well. So, thank you both. Any final words before we sign off? The only final word I'll say is get involved in the community. Take the CPG, read it over, get familiar with it, take the training, go out and help an underserved nonprofit. Go out and help an organization that needs help. As a practitioner, if you have a job and you're focused on that, fantastic. But in your spare time, go mentor somebody. Go help the next generation and use the CPG as a benchmark. There's organizations out there that are doing it today, like (ISC)² in New Jersey and others, and it's a great opportunity to not only go out there but actually be part of the change you wanna see in the world. Yeah. Good stuff. And I would just say too that, listen, I know from my perspective, I talked a lot about a lot of things. I threw a lot of acronyms at you, CTEPs, CPGs, CSET, blah blah blah blah blah. Right? It's the government. Of course, we're gonna have that. Get in touch with your local cybersecurity adviser.
They're more than happy to kind of, like, take a little bit more time, answer your questions specific to your organization, get to know them. They're a great resource. Listen. Even if you're not ready or you say, hey, not at the moment, we're gonna pass on this, they're always a great resource to have a phone number and an email address of who you can contact. So I would just really emphasize connecting with your local cybersecurity adviser from CISA. Alright. Great. Well, thanks again to our audience. Thank you, Chris and Tom. Really appreciate everyone's time, and, you know, we'll see everybody on the next one. Thank you for joining.