Most US federal agencies lack a formal mechanism to receive information from third parties about potential security vulnerabilities. Many agencies have no defined strategy for triaging reports about flaws reported by outside parties. Only a few agencies have clearly stated that those who disclose vulnerabilities in good faith will not be subject to legal action by the government.
These circumstances create an environment that discourages people from reporting potential information security problems to the government, which delays or prevents the discovery, prioritization, and remediation of these issues.
Representatives from the Office of the Federal CIO and the Cyber & Infrastructure Security Agency will talk about potential approaches and solicit feedback on addressing these concerns in the enterprise of enterprises that is the US Government.
Cameron Dixon is a public servant technologist at the US Cyber and Infrastructure Security Agency (CISA). He works to improve information security practices in US-based government organizations. Cameron’s service in government has focused on internet scanning and direct reporting as a policy forcing function. He was the product manager for “Cyber Hygiene”, a vulnerability scanning service that helps users detect flaws and adopt modern security protocols. He was the lead technical author of several cybersecurity directives that require that civilian executive branch agencies maintain good practices in web encryption, email authentication, and DNS security. He also managed the development of open source tools to track the directives’ progress. In 2018, Cameron served as the deputy program manager for the .gov top-level domain at the General Services Administration, where he ran day-to-day operations. Key outcomes of his work included mandatory two-factor authentication to the .gov registrar, a plain-language website for the TLD, and guiding new domain registrants to publish a security contact to WHOIS and adopt security features like HSTS preloading or strong DMARC policies.
Matthew Cornelius is a Senior Advisor for Technology and Cybersecurity at the Office of Management and Budget (OMB). He leads OMB’s Federal IT Modernization Cross Agency Priority Goal, recently published as one of the key pillars of the President’s Management Agenda. Mr. Cornelius worked with Congress to authorize and appropriate the Modernizing Government Technology Act (MGT Act), which established the Technology Modernization Fund (TMF). He established the Technology Modernization Board (chaired by the Federal CIO) that oversees the evaluation of projects for funding by the TMF and serves as executive secretary and principal executor of the TMF. Previously at OMB, he led the development of the Report to the President on Federal IT Modernization. Prior to OMB, Mr. Cornelius served as the Senior Advisor for Cybersecurity to the Administrator of the General Services Administration. He began his Federal career as a Policy Analyst at the Department of the Treasury.