This week, it was impossible to ignore the flood of news emanating from the 16th Annual Billington Cybersecurity Summit in Washington, D.C. Cybersecurity leaders from across industry and the federal government gathered at the event, generating plenty of headlines in the process. You can find details on many of those stories and more below in my weekly roundup:
The Buzz From Billington
Speakers at the Billington conference seemingly covered all of the major cybersecurity issues relevant to the federal government and beyond, including cyber warfare, cyber resilience, post-quantum cryptography and zero trust. Here’s what caught the media’s attention:
- Sessions kicked off with the first public remarks by National Cyber Director Sean Cairncross since his Senate confirmation in which he called for investments in the cybersecurity workforce and for rapidly modernizing federal cyber defenses, reported by Justin Doubleday for Federal News Network. Tim Starks of CyberScoop quoted Cairncross’ statement that the U.S. needs a new, coordinated strategy to counter its cyber adversaries and “shift the burden of risk in cyberspace from Americans to them.” In Nextgov/FCW, David DiMolfetta noted that Cairncross said he plans to explore increased involvement with the private sector to deter foreign adversaries that target and infiltrate U.S. networks. In MeriTalk, Grace Dille wrote that Cairncross said the effort would require “increased involvement with the private sector is necessary for our success.”
- Michael Duffy, the acting federal CISO, shared news at the Billington event that the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) will bring together all of the federal chief information security officers within the next month for a tabletop exercise focused on operational resilience, according to a piece by Dille. Duffy also participated in a “fireside chat” where he outlined his priorities for federal cyber officials over the next year, emphasizing the need for collaboration across the government, as reported by Madison Alder in FedScoop.
- DiMolfetta also reported from the conference on comments from Alexei Bulazel, the National Security Council’s senior cybersecurity director, that he expects the U.S. to push the envelope on offensive hacking but said those endeavors shouldn’t detract from efforts to establish more robust defensive cybersecurity measures. David Jones of industry publication Cybersecurity Dive quoted Bulazel, “We are unapologetically unafraid to do offensive cyber.” Covering the same session, Starks noted that Bulazel said he was dismayed by the lag in security technology embedded in critical infrastructure, saying it pales in comparison to the tech in modern smartphones.
- Speakers from the National Institute of Standards and Technology (NIST) and OMB gave an update on their efforts to transition the government to a quantum-safe future by identifying systems using vulnerable cryptography and specifying new algorithms for post-quantum cryptography adoption, according to a MeriTalk article by Weslan Hansen.
- Randy Resnick, who leads the Pentagon’s zero trust efforts, told attendees that the Pentagon is 24 months away from its deadline to hit its zero trust baseline target to secure the Defense Department’s data, applications, assets, and services, Lauren C. Williams reported in Defense One. Also reporting from the conference for MeriTalk, Lisbeth Perez covered Resnick’s comments on how the government’s updated zero trust strategy will incorporate lessons learned over the past three years and expand its focus to include operational technology – a crucial but often overlooked component of military infrastructure.
- Williams also covered remarks by Vice Adm. Frank Whitworth, head of the National Geospatial-Intelligence Agency, in which he underscored the need to give CISOs tools they need to use AI to defend against AI-generated threats.
- Nick Andersen, CISA’s executive assistant director for cybersecurity, spoke at Billington about how the agency is charting a new path forward for the Common Vulnerabilities and Exposures (CVE) program, with the top cybersecurity official looking to bring more “quality” to the CVE catalog, according to coverage by Doubleday for Federal News Network. DiMolfetta reported that CISA is exploring more diversified funding mechanisms to help cover the cost of the bedrock vulnerability cataloging program that’s been relied upon by the cyber community for years. In her article for MeriTalk, Hansen noted that the new focus on CVE comes after it narrowly avoided a lapse in its funding earlier this year.
CMMC, Finally
Although not officially announced at the Billington event, attendees there were no doubt aware of this week’s long-awaited announcement regarding publication of the Defense Department’s Cybersecurity Maturity Model Certification (CMMC) final rule on mandatory cybersecurity requirements for defense contractors. Here’s a roundup of some that coverage:
- Chris Riotta wrote in GovInfoSecurity that the CMMC final rule means contractors face the certainty of new cybersecurity requirements with the official publication of a controls framework that will become mandatory over the course of the next three years.
- The rule officially takes effect Nov. 10, marking the near end of a years-long effort to enforce new cybersecurity standards for defense contractors, Mikayla Easley reported in DefenseScoop.
- MeriTalk’s Perez noted that the final rule marks “a shift from policy to enforceable requirements across the defense industrial base.”
- Doubleday’s coverage for Federal News Network led with the rule’s focus on training and small business relief.
- The first step to implementation involves getting new cyber and supply chain security standards into solicitations, according to an analysis by Ross Wilkers in Washington Technology.
- Sara Friedman provided the industry perspective in Inside Cybersecurity, noting that stakeholders are highlighting the importance of preparing for procurement requirements as the program goes into effect.
Upcoming Industry Events
If you’re feeling left out because you didn’t get to the Billington conference, here are some other upcoming opportunities for you to rub elbows with your peers and catch up on what’s happening:
- September 16: FedForward: Empowering Government Missions, MeriTalk/Cisco, The City Club of Washington, Washington, D.C.
- September 16: POLITICO’s 2025 AI & Tech Summit, POLITICO, Union Station – East Hall, Washington, D.C.
- September 17: Cyber Defenders Workshop, GovExec, The Hamilton Live, Washington, D.C.
- September 17: Axios AI + DC Summit, Axios, Mellon Auditorium, Washington, D.C.
- September 18-19: Intelligence and National Security Summit, AFCEA, Gaylord National Resort & Convention Center, National Harbor, Maryland
- September 18: Tech Tonic September 2025, MeriTalk, Morton’s The Steakhouse, Washington, D.C.
- September 18: GAIN 2025, GovExec, Carahsoft Collaboration & Conference Center, Reston, Virginia
- September 18: FedTalks, FedScoop, Waldorf Astoria, Washington, D.C.
If you’re planning to attend the GAIN 2025 conference, please stop by the W2 Communications table and say hello. My colleagues and I look forward to seeing you there and giving you a complimentary bottle of zesty W2 Communications hot sauce!
That’s it for now but certainly there will be more to come next week. Subscribe to this newsletter on LinkedIn or via the form below to stay up to date.
This Week in Government Tech Media – In Your Inbox!
Fill out the form below to receive the blog via email each week.