2024 Annual FISMA and Risk Management Framework Panel Discussion

Opening Remarks

Panel Discussion: 2024 Annual FISMA and Risk Management Framework

Moderator:

• Sarah Mirzakhani
  Partner, Sikich LLP

Panelists:

• Steven Hernandez
  Chief Information Security Officer, and Director of Information Assurance Services @ U.S. Department of Education

• Jennifer Franks
  Director, Center for Enhanced Cybersecurity @ US Government Accountability Office (GAO)

• Victoria Yan Pillitteri
  Federal Information Security Modernization Act (FISMA) Implementation Project Lead @ National Institute of Standards and Technology (NIST)

Closing Remarks

Sarah_Mirzakhani
Partner @ Sikich LLP
CISA

Sarah Mirzakhani, CISA, is a partner with over 20 years of experience in information technology audit/information assurance and information security solutions. Sarah serves federal agencies with varying, complex IT systems and environments. Her experience includes leading information technology internal control reviews and security audits, such as the Federal Information Security Modernization Act (FISMA) and overseeing vulnerability assessments and penetration testing.

Sarah is also skilled in conducting and leading system and organization controls/SSAE18 audits and readiness assessments, regulatory compliance reviews, and system implementation reviews for not-for-profit, commercial, and governmental entities. She has extensive knowledge of the National Institute of Standards and Technology (NIST), Federal Information Processing Standards (FIPS), and Office of Management and Budget (OMB).

She provides services in areas, such as IT and Cybersecurity Audits, FISMA Audit Services, and Performance Audits.

Sarah holds a Bachelor of Science in Business Administration, Management Information Systems, West Virginia University, and is a Certified Information Systems Auditor (CISA). She is affiliated with the Information Systems Audit and Control Association (ISACA) and the Association of Government Accountants (AGA).

Steven Hernandez
Chief Information Security Officer, and Director of Information Assurance Services @ U.S. Department of Education
MBA, CISSP, CISA, CNSS, CSSLP, CDPSE, SSCP, CGGC, ITIL

Steven Hernandez is an information assurance executive serving the past twenty years in a variety of contexts and missions. His rich background includes law enforcement, financial, education, healthcare, credentialing, heavy manufacturing, non-profits, and governments at the federal, state, and local levels. Steven’s experience ranges from the board room to leading tactical, day-to-day security operations as well as leading broad security initiatives such as the US government’s Zero Trust Architecture approach across large and complex organizations.

Presently he is the Chief Information Security Officer and Director of Information Assurance Services at the U.S. Department of Education. Steven also serves as the co-chair of the US Government Federal CISO Council and Government Chair of the ACT-IAC Cybersecurity Community of Interest. Prior to his position at Education, he held a variety of roles at the Office of Inspector General, US Department of Health and Human Services including CTO, CIO, CISO, Senior Official for Privacy and Chief Services Engineering Officer. He is an inaugural member of the United States Scholarship for Service Hall of Fame and an ardent supporter of the next generation of cybersecurity professionals through his teaching work as an Honorary Professor, Affiliate Faculty, and guest lecturer at over a dozen Institutions of higher education.

Jennifer Franks
Director, Center for Enhanced Cybersecurity @ US Government Accountability Office (GAO)

Jennifer Franks directs the Center for Enhanced Cybersecurity within GAO’s Information Technology and Cybersecurity team. She oversees reviews that primarily focus on emerging cybersecurity issues and assessing an agency’s ability to protect the confidentiality, integrity, and availability of its sensitive data and computing infrastructure. Her multi-disciplinary teams actively review agencies’ computer security vulnerabilities across their enterprise-wide computing environment by assessing program management compliance and technical controls recommended for the agencies to follow in accordance with federal guidance and leading practices. In addition, she leads reviews in the areas of IT management and operations, financial management, healthcare and public health IT, data protection, and privacy.

Jennifer joined GAO in 2006. She is a Diversity Champion who leads efforts to increase inclusiveness at GAO. Since 2012, she has facilitated numerous agency Diversity, Equity, Inclusion, and Accessibility (DEIA) courses, and holds facilitator certifications in “Engaging in Bold, Inclusive Conversations” and “Green Dot Bystander Intervention” training.

Jennifer earned a master’s degree in information security policy and management from Carnegie Mellon University and earned a bachelor’s degree in computer information systems from Hampton University.

Victoria Yan Pillitteri
Federal Information Security Modernization Act (FISMA) Implementation Project Lead @ NIST
CISSP

Victoria Yan Pillitteri is a supervisory computer scientist in the Computer Security Division at the National Institute of Standards and Technology (NIST). Ms. Pillitteri is the Acting Manager of the Security Engineering and Risk Management Group and also leads the Federal Information Security Modernization Act (FISMA) Implementation Project, supervising a team of technical and administrative staff that are responsible for conducting the research and development of the suite of risk management guidance used for managing cybersecurity risk in the federal government, and associated stakeholder outreach and public-private coordination/collaboration efforts. She serves as the lead of the Joint Task Force working group, a partnership with Department of Defense, the Intelligence Community and Civilian Agencies to develop a unified security framework to protect USG from cyberattacks and is co-chair of the Federal Cybersecurity and Privacy Professionals Forum hosted NIST.

She previously worked on development of the Cybersecurity Framework and Privacy Framework, led the NIST Smart Grid and Cyber Physical Systems Cybersecurity Research Programs, served on the board of directors of the Smart Grid Interoperability Panel, and completed a detail in the office of the NIST Director as an IT policy advisor. She has co-authored a number of NIST Special Publications (SPs) and Interagency Reports (IRs) on information security, including SP 800-12, 800-37, 800-53, 800-82, 800-171, 800-171A, 800-171B, 800-137A, 1108 and IR 7628.

Victoria holds a B.S. in Electrical Engineering from the University of Maryland, a M.S in Computer Science, with a concentration in Information Assurance, from the George Washington University, completed the Key Executive Leadership Program at American University, and is a Certified Information Systems Security Professional (CISSP). She has completed a Senior Executive Service Candidate Development Program (SES CDP) and is SES certified.