Department of Homeland Security - National Cyber Security Division (NCSD) US-CERT (2003-2007)
Original team member of the startup of DHS NCSD in 2003.
• Participated in the ground floor effort to develop a set of cyber security controls similar to NIST 800-53 but specific to Supervisory Control and Data Acquisition Systems (SCADA) that could affect the national security of the United States. This effort resulted in the NIST 800-82 "Guide to Industrial Control Systems" (ICS). Worked directly with the Idaho National Laboratory (INL) to develop national level policy for SCADA control systems.
• Development of the National Critical Infrastructure Protection plan guidance documents (Agriculture, Food, Energy, Water, Public Health, Emergency Services, Defense Industrial Base, Information and Telco, Transportation, Banking and Finance, Chemical/Hazardous Materials, Postal & Shipping, National Monuments and Icons and Nuclear Power Plants).
• NCSD cyber review of the thirteen Critical National Infrastructure Sector Security Plans for Transportation Security Administration (TSA), Information Technology & Nuclear national sectors.
• Internal review process of the National Infrastructure Protection Plan (NIPP).
• Framework for development of national asset database of Critical Infrastructure Key Resources (CIKR)
• Developed CNDSP Risk Assessment questionnaire and automated tool.
• Conducted Computer Network Defense Service Provider (CNDSP) risk assessments of cyber security emergency response centers (CSIRC) at Dept of Education, Internal Revenue Service and FAA
• Analyzed cyber security in RAMCAP and VISAT DHS physical security vulnerability tools
• Real ID Act 2005 Standards - The Real ID Act sets more stringent national standards for obtaining state driver's licenses. Performed cyber security research to determine the most appropriate Identification & Authentication technology, cyber security policies and procedures and alternative uses and how technology could be integrated into the existing infrastructure (e.g. State Driver's License Bureaus). Evaluated smart card architecture, USB certificate tokens, interconnecting systems security (social security, birth records, residence verification).
• Developed SCADA Control System Risk Assessment Questionnaire for Chemical Industry Sector
• Researched and prepared internal report on existing national, state, and international cyber laws & regulations: Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, Real ID, FISMA, HSPD 12, HSPD 7
• Research Project White Paper: "Potential Risks resulting from the increasing U.S. dependence on global cyber infrastructure".
• Development of the IT Sector Specific Security Plan
• Prepared a cross reference matrix comparing the most commonly used cyber security standards, guidelines, methodologies, checklists and management systems: BS 7799, CISSP, COBIT, GAISP, ISO 17799, ITIL, NIST 800 Series Special Publications, SAS 70
• Completed Cyber Security Risk Assessment of Special Events occurring prior to and including the 2004 Presidential inauguration. These events include the Republican National Convention, the Democratic National Convention, the G8 Summit, the World War II Memorial dedication, Olympics and the Presidential election.
• Developed NIST SP 800 series based DHS Risk Management Checklist with integrated Risk Assessment tool.