PCAST Meeting Trip Report March 13, 2024

I attended the March 13, 2024 PCAST meeting at FDD HQ in Washington DC to discuss the President’s Council of Advisors on Science and Technology (PCAST) Report with CISA Director Easterly and ONCD Director Coker, along with 80 other people. The meeting and the foundational PCAST report are both significant from the perspective of an implementer of cybersecurity supply chain risk assessment solutions and as a cybersecurity professional working on critical infrastructure. As an implementer, I’m optimistic that the PCAST vision and goals expressed in the PCAST report and discussed during the meeting are practical and achievable in their aspirations. The goals expressed by the PCAST report are not just “wall paper”; these are imperative to overcome the wave of disruptions to critical infrastructure and continue to operate critical infrastructure resiliently. But, most compelling of all for me, was the recognition that success of the PCAST goals is dependent upon a cross domain of stakeholders with varying roles and expertise working together as one Cyber Team; it takes a village.

The PCAST meeting was instrumental because it included stakeholders from across critical infrastructure including policy makers, software producers, Executives and Board members, device manufacturers, and, of special interest to me: Software Engineers, the “foot soldiers”/implementers of cyber supply chain risk management solutions that will turn the PCAST recommendations into working code and processes that achieve the PCAST goals and vision. Every stakeholder domain that needed to be present was present at this meeting, and that is the “magic” of the people behind the PCAST report, especially Dr. Georgianna Shea. The meeting attendee makeup shows a clear understanding that cybersecurity is a “Team Sport” that requires the commitment of people from the highest peak to the lowest trenches all working together to make this vision into reality. REA is happy to be working in the trenches, writing software solutions to achieve the PCAST goals and thanks Dr. Shea for this meeting invitation.

I encourage parties to read all 50 pages of the PCAST Report, paying specific attention to the four recommendations and overarching principles driving this initiative.

A disruption to our critical infrastructure can have a painful impact on people’s lives, as was recently witnessed when people were unable to fill prescription drugs due to a cyber-incident at Change Healthcare, a United Healthcare Group company. The PCAST report acknowledges that disruptions to critical infrastructure are inevitable and we must work as one team toward making our critical infrastructure more resilient to disruptions, regardless of the root cause of that disruption.

I had the opportunity to introduce myself to CISA Director Easterly and thanked her for funding an additional two years of the very successful ICT_SCRM Task Force operating under the direction of CISA’s National Risk Management Center (NRMC) to help small and medium businesses protect themselves from cyber-risk using realistic approaches. The ICT_SCRM Task Force has published detailed guidance to help software manufacturers pass the US Government expectations/requirements to procure and use only trustworthy products in the Software Acquisition Guide and accompanying spreadsheet which consumers send to software suppliers to indicate their adherence to Secure by Design practices. A 5-page Fact Sheet is also available.

In summary, the PCAST report is practical and achievable in its aspirational goals and vision for a more resilient critical infrastructure for the American people that is the result of hard work and collaboration across domains of expertise from the Policy Makers to the Board Room to the cybersecurity personnel watching for cyber-risk in the trenches. Everyone must do their part to achieve success for the PCAST vision. Cybersecurity is a “Team Sport”; it takes a village. The PCAST report and an audio playback of the March 13 meeting are available at this link:

https://www.fdd.org/events/2024/03/13/fortifying-cyber-physical-resilience-recommendations-from-the-presidents-council-of-advisors-on-science-and-technology/