DorobekINSIDER: NASA cyber-security chief Jerry Davis to join VA

Monday - 7/26/2010, 9:04am EDT

Jerry Davis, the widely respected chief information security officer at NASA, is leaving that agency to join the Department of Veterans Affairs, the DorobekINSIDER has confirmed.

The move had been widely rumored for months, but was just made official when Davis accepted the offer from the VA on Friday.

While NASA has its own share of cyber-security issues, the challenges at VA are daunting. Not only is VA the second-largest agency in government, but it is the poster child for cyber-security problems dating back to that now-infamous stolen laptop that was loaded with millions of names and personal information on vets.

Back in 2006, data on 26.5 million active-duty troops and veterans were on the laptop and external drive, which disappeared while in the custody of a Veterans Affairs data analyst.

While none of those data became public, and the loss was the result of a common house burglary rather than a cyber-attack, it has become the most discussed cyber-security event, even more than four years later. The event also cost the agency $20 million in a settlement.

Read more and hear GAO’s assessment of VA’s IT situation here… or read the GAO report here. [PDF]

Davis talking about that on Federal News Radio’s Federal Security Spotlight [July 1, 2010]… and on Federal News Radio’s Federal Drive about changing ways of measuring cyber-security [May 28, 2010]

From NextGov:

[Davis told] his staff on Tuesday to shift their focus from certifying that networks are compliant with a nearly decade-old law to monitoring systems for holes and real-time reporting of threats.
The change is a watershed moment for federal information technology managers, who since 2002 have been required to follow a law that critics say forces IT staffs to spend days filling out reports that confirm technology managers have followed certain security procedures. The law did not require specific actions to secure systems, said opponents of the Federal Information Security Management Act.

Jerry Davis, NASA’s deputy chief information officer for IT security, issued a memo to information system managers informing them they no longer need to certify every three years that their networks are compliant with FISMA, as called for by the law. Instead, they should rely on automated continuous monitoring to find holes that hackers could exploit. The process will remain in effect as long as agencies are required to submit annual status reports for networks and vulnerabilities detected during the monitoring don’t pose unacceptable risk.

Here is Davis’s most recent bio:

Jerry L. Davis is the Deputy Chief Information Officer (DCIO), IT Security for the National Aeronautics and Space Administration (NASA). Jerry’s role is to provide thought leadership and oversee all aspects of Information Security and privacy for the Agency to include the development and implementation of enterprise-wide IT security engineering and architecture, IT security governance and IT security operations capabilities. Jerry’s division also generates IT and data security solutions and services to the Agency’s Space Operations, Science, Exploration Systems and Aeronautics Research Mission Directorates programs and projects, while defending $1.8 billion in annual IT investments.

Previously, Jerry served as the DCIO for the Department of Education overseeing the day-to-day operations of the Department’s enterprise-wide IT infrastructure. During his tenure at the Department, Jerry also served as the Department’s first Chief Information Security Officer (CISO) and Director, Information Assurance (IA). In this role, Jerry’s teams proactively defended over $500 million dollars in annual IT investments, which supported the $400 billion dollar grants and loans portfolio.

Jerry was one of the principal thought leaders in the design, implementation and management of the District of Columbia’s first city-wide IT Security program and served as the Manager of Wide Area Network (WAN) Security Architecture. Jerry also held positions as a senior security consultant with several Fortune 500 consulting firms, serving clients in the Intelligence Community (IC), Department of Defense (DoD) and federal civilian agencies. Jerry held a staff position with the Central Intelligence Agency’s (CIA) Directorate of Operations (DO) for several years. Jerry is a combat veteran of the United States Marine Corps and trained as a Counterintelligence Specialist with focus on Human Intelligence (HUMINT) operations. He holds a master’s degree in network security from a National Security Agency (NSA) Center of Excellence in Information Assurance and a bachelor of science in business with a concentration in IT security. Jerry has done doctoral work in the field of information systems and holds the Certified Information Systems Security Professional (CISSP) and Project Management Professional (PMP) certifications. Mr. Davis won the People’s Choice Award at the 2009 Mid-Atlantic Region Information Security Executive of the Year and was selected as one of the 50 Most Important African Americans in Technology in 2009.