There are two main takeaways from the three-day 7th Annual IT Security Automation Conference. The first lesson learned was that continuous monitoring (CM/ISCM) should and will replace many aspects of the current A-130-based security reauthorization process. The transition to ISCM in lieu of much of the reauthorization process is driven by the twin needs for cost control and a swifter, more tailored approach to measuring system security.
The second point that became apparent at the conference is the leadership role of federal scientists, technical experts and managers in information systems security. Presentations by federal officials made clear not only their subject matter expertise but also their commitment to protecting national security.
A forthcoming Administrative Law Review article discusses the importance of agencies “fostering growth of social entrepreneurs, i.e., individuals who develop a concept, market it and make it grow; an action similar to starting a for-profit firm in the private sector but in this case the payoff is in terms of improving the functioning of the government – not a hundred foot yacht.” The conference demonstrated that at least some agencies have succeeded. The yacht owners, and all Americans, should be grateful.