Press Release

SignaCert CEO Wyatt Starnes testifies before the House Subcommittee on Technology and Innovation

October 23, 2009

Oral statement of W. Wyatt Starnes
Founder, President and CEO SignaCert, Inc.
Before the House Sub-committee on Technology and Innovation under the House Committee on Science and Technology

Good afternoon Mr. Chairman and respected members of the Committee. I appreciate the opportunity to present before this committee today. My name is Wyatt Starnes, and I am the Founder of Tripwire, Inc. and SignaCert, Inc., and I currently serve as the CEO and President of SignaCert.

As you are aware Mr. Chairman, I have been working very closely with both the commercial and government sectors in the areas of information assurance and cyber security for several years. For the purposes of this testimony, and for reasons more fully described in my written testimony, I will generally refer to the Information Assurance and Cybersecurity issues collectively as the "Cyber Assurance" challenge. My written testimony covers these broader issues in more detail.

For the purposes of my testimony here I will focus primarily on the questions posed by the committee, specifically:

  • What could National Institute of Science and Technology (NIST) do to address the recommendations of the 60-day review?
  • What are my thoughts and comments on the Reorganization of the Information Technology Laboratory (ITL)?
  • Given the current emphasis on Info Assurance and Cybersecurity, what are my recommendations on how ITL might improve its effectiveness or expand its scope, activities and impact?

Before commenting, I would like to commend this sub-committee, led by Congressman Wu and his staff, in continuing to direct focus on our Cyber Assurance challenges, and the important contributions that NIST has made, and continues to make, in support of this crucial National Security mission.

NIST and the 60-Day Review

Relative to NIST and the 60-day review, my personal experience tells me that NIST is already ahead of the curve with regards to contributing in key areas presented in the report to the President. However, one of the important observations I have about the good work done in the report is that it lacks substantive "out of the box" thinking around the technical challenges we face.

Before I address this specifically, I would like to briefly comment on the role of NIST, and its mission and legislative and budgeted charter. A simple way to state NIST's mission is to reduce the friction of commerce by advancing measurement science, standards and technology.

NIST's role against the 60-day review is clearly in relation to IT measurement standards and technology to enable better and more standardized methods for optimizing the efficacy of cyber assurance methods.

Due to the short time period allowed me in this oral statement, I do not have time to elaborate in detail on NIST's ITL work to support its part of the mission, but I did want to point to a few of the significant contributions that NIST has steadfastly advanced:

  • The 800-series body of work. This work has contributed significantly to the state-of-the art for both Federal and Commercial IT software and systems management.
  • The multilateral (public and private) effort to establish and enhance the Security, Content and Automation Protocol (or S-CAP) method. I specifically would like to emphasize the convergence of the many years of work on the 800-series standards, methods, and best practices with the active effort to improve operational compliance of Federal systems under FISMA. In my opinion, the S-CAP method, and the increased emphasis on continuous monitoring is far and away the most important advance to Federal IT systems management that I have seen in my entire career.

Reorganization of ITL

On this point I can be quite brief. While I am not privy to the precise catalyst of, and motivations for, the contemplated and/or actual organizational event, it seems like the benefit of any doubt surrounding this reorganization should be yielded to the Acting Director and staff at NIST.

I would expect that the intent of these changes is to align expertise with the changing mission requirements. I would hypothesize that NIST has realized that its CYBER ASSURANCE methods and best practices are increasingly a horizontal, cross-agency issue, and its core competencies should not remain in a silo within NIST.

While I support NIST for adjusting to changing needs, my only advice would be more advance marketing and communication to NIST constituencies around decisions that may impact those parties.

Recommendations on how ITL might improve its effectiveness or expand its scope/activities and impact in Information Assurance and Cyber Security

I have worked in and around NIST for nearly a decade and have a very deep respect for the work of NIST. While much has been accomplished, I encourage NIST to continue, with even a greater sense of urgency, with its core standards mission as applied to Cyber Assurance. Specifically:

  • We traditionally have addressed cyber security from a NEGATIVE AND DEFENSIVE model where we are trying to keep the "Bad and risky things" out of our computing environment, and we have created a rich language to articulate this including:
    • The NIST-driven Common Vulnerability Scoring System (CVSS) and National Vulnerability Database (NVD) are important examples. We need to continue to emphasize these as OPERATIONAL METHODS as opposed to limiting them to Certification and Accreditation (C&A) and compliance methods.
  • We now must supplement this with the POSITIVE OFFENSIVE posture where the prescribed "good state" is modeled, attested and continuously enforced.
  • Examples of these methods can be seen in the National Software Reference Library (NSRL) supporting the Help America Vote Act (HAVA). Many of the same "positive validation" and "trust attestation" controls required in HAVA can and should be applied to operational cyber assurance best practices. I have spent the better part of my career working on reference-base attestation systems, and have seen first-hand the significant security and configuration advantages they bring to any IT environment.
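The contrast drawn above between the negative model (flag what is known to be bad) and the positive model (measure the prescribed good state and flag any deviation from it) is easiest to see side by side. The following is an added illustration written for this page; it is not SignaCert's, Tripwire's or NIST's code, and the file tree, the reference set and the blocklist it uses are all constructed inline. It measures a small directory into a reference set of SHA-256 digests, tampers with the tree, and then shows that the reference-set check reports the modified, unknown and missing files, while a blocklist check over the same tree passes everything because none of the changes match a known-bad signature.

```python
"""Reference-set (allow-list) attestation versus a blocklist check.

Added example, not code from the testimony or from any vendor. All inputs are constructed.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Set


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return its hex digest (the 'measurement')."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_reference(root: Path) -> Dict[str, str]:
    """Measure every regular file under root into a relative-path -> digest map.

    This map is the modeled 'good state' that the positive model enforces against.
    """
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def attest(root: Path, reference: Dict[str, str]) -> Dict[str, str]:
    """Positive model: classify every file relative to the reference set.

    Returns relative path -> 'known_good' | 'modified' | 'unknown' | 'missing'.
    Anything not in the reference is surfaced, not silently accepted.
    """
    result: Dict[str, str] = {}
    seen: Set[str] = set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in reference:
            result[rel] = "unknown"
        elif reference[rel] != sha256_file(p):
            result[rel] = "modified"
        else:
            result[rel] = "known_good"
    for rel in reference:
        if rel not in seen:
            result[rel] = "missing"
    return result


def blocklist_scan(root: Path, known_bad: Set[str]) -> Dict[str, str]:
    """Negative model: flag only files whose digest is on the bad list.

    Returns relative path -> 'flagged' | 'passed'. A file that is merely
    unexpected, or a config that drifted, passes because no signature matches it.
    """
    return {
        p.relative_to(root).as_posix(): ("flagged" if sha256_file(p) in known_bad else "passed")
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def demo() -> Dict[str, Dict[str, str]]:
    """Constructed scenario: snapshot a small tree, tamper with it, run both models."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "svc").write_bytes(b"#!/bin/sh\necho service\n")
        (root / "etc" / "svc.conf").write_bytes(b"port=8443\n")

        reference = build_reference(root)          # the attested good state
        known_bad = {"0" * 64}                     # constructed blocklist; matches nothing below

        # Tamper: drift a config, drop in an unreferenced file, remove a referenced binary.
        (root / "etc" / "svc.conf").write_bytes(b"port=8443\ndebug=true\n")
        (root / "bin" / "extra").write_bytes(b"constructed unreferenced payload")
        (root / "bin" / "svc").unlink()

        return {
            "positive": attest(root, reference),
            "negative": blocklist_scan(root, known_bad),
        }


if __name__ == "__main__":
    for model, findings in demo().items():
        print(model)
        for rel, status in sorted(findings.items()):
            print(f"  {rel}: {status}")
```

In a real deployment the reference set would come from a trusted, vendor-independent source (the testimony points to NSRL-style reference libraries) rather than from a snapshot of the host itself, and the check would run continuously rather than once; the classification logic, however, is the same.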

Much of the above is collectively captured and supported under the rapidly emerging Security, Content and Automation (S-CAP) framework I mentioned earlier in this testimony.

I urge NIST to continue to work multilaterally with their peers in government and industry and to distill these "best of the best" ideas into NIST standards and methods on a timeline that fully recognizes that we are behind and heavily exposed.

Thank you and I welcome any questions from the committee.

About SignaCert

SignaCert is the leading provider of end-to-end and partner-based IT compliance solutions based on known-provenance whitelist technology. These methods allow SignaCert's direct customers to rapidly achieve and prove continuous compliance for the systems that deliver critical business services. The SignaCert architecture is designed to seamlessly integrate with existing change processes and continuously monitor critical business services without disruption.

Additionally, SignaCert's OEM and ISV Partners can supply to, or license content from, the SignaCert Global Trust Repository (GTR), adding new and important capabilities to their product offerings. All use cases are supported by a rich repository of vendor-independent software measurements. These "white" or "allow" list methods enable SignaCert's patented technology to be quickly deployed and provide immediate visibility into the actual state of IT infrastructure.

Founded in 2004 by 34-year IT security and compliance industry veteran Wyatt Starnes, SignaCert has assembled a world class team of industry leaders with hands-on IT experience for its executive team, board of directors, and advisory board.

SignaCert's end-customers span a wide variety of industries, including financial services, government, and healthcare.