Public-Private Partnerships Back Evolving Cybersecurity Frameworks
Cyber officials boost collaboration to evolve CMMC, NIST’s Cybersecurity Framework and DC3’s Vulnerability Disclosure Program.

Federal agencies are developing joint efforts with government partners and industry to share new cybersecurity frameworks, tools and defense strategies to stay ahead of growing digital threats, cyber leaders explained at the 2025 CyberScape Summit in Bethesda, Maryland Thursday.
NIST’s CSF 2.0 Leverages Partnerships
NIST launched its Cybersecurity Framework Version 2.0 in Feb. 2024. The framework leveraged public-private partnerships to develop best practices for managing cybersecurity risks and responding to cyber incidents, expanding on the agency's version 1.0 framework by adding a "govern" function.
According to Amy Mahn, international specialist at NIST, the original five functions in the Cybersecurity Framework — identify, protect, detect, respond and recover — still exist in the current version; however, the new govern function "helps people to leverage the people, processes and procedures in their organization to help better manage cybersecurity risk."
NIST aims to continue its collaborative efforts with industry and government partners to continuously update guidance and develop new resources.
“We have great and strong relationships across the government to bring in that input and feedback for our guidance documents. And on the industry side, we enjoy having the ability to have more candid and open conversations because we are non-regulatory,” said Mahn. “People tell us about the challenges and issues they’re seeing, or if we hear that there’s been an incident, we want to learn from them and see what they went through, and bring that into our guidance documents to be able to make more helpful cybersecurity risk management tools.”
CMMC is Critical to Protecting Confidentiality of DOD’s Data
The Defense Department’s Cybersecurity Maturity Model Certification (CMMC) program is essential to maintain data confidentiality, according to DOD’s Chief Defense Industrial Base Cybersecurity and Deputy CIO for Cybersecurity Stacy Bostjanick.
Cyber risks continue to threaten DOD’s data, with adversaries targeting blueprints on the department’s weapons systems, threatening the nation’s competitive advantage. Bostjanick said this information has been stolen in as little as 10 or 15 minutes.
DOD published a new rule in Dec. 2024, providing an in-depth description of the requirements companies must meet to comply with CMMC.
“Our team is rapidly looking at all avenues and aspects to be able to comply with the current administration’s requirement,” said Bostjanick. “I do not expect the new administration to stop this. It was begun under the first Trump administration, and when you look at the statistics that we’re losing $100 million like a day in data loss in the country. This is something we have to get on top of.”
Collaboration plays a key role in the evolution of CMMC. DOD is leveraging the federal CISO council as the department continues to roll out the requirements across the government.
“One of the things that we’re trying to do in this collaboration is ensure that we come up with a standard across all the federal government,” said Bostjanick. “Because think about what a fun time it would be if DoD requires you to have a 17-character password with three different characters in it, and NASA requires you to have one that’s 15 characters, how are you going to manage that? We also talk a lot with our industry partners, we have a council capability where we meet with them to get the feedback.”
DOD’s Program Helps Find Vulnerabilities Before They Find You
DOD Cyber Crime Center's (DC3) Vulnerability Disclosure Program (VDP) serves as the ingestion point for all vulnerability reporting for Joint Force Headquarters-Department of Defense Information Network (JFHQ-DODIN) and U.S. Cyber Command. The division has processed more than 50,000 reports since its launch in 2016, according to Melissa Vice, the program's director, who spoke during the event.
“These are big, high target assets that are being attacked daily. So it is very important to get ahead of those vulnerabilities,” said Vice. “The uniqueness of our program is that we ingest those reports from crowdsource ethical researchers in 45 different countries. It comes into our group within DC3, we triage, validate those reports, and get them over to JFHQ-DODIN for timely remediation.”
Vice also highlighted the Defense Industrial Base Vulnerability Disclosure Program (DIB VDP), which launched in June 2024. The program helps defense contractors find and fix software vulnerabilities in their internet-facing systems. It aims to reduce cybersecurity risks and protect both the Defense Industrial Base and the DOD from potential threats.
“As rules are coming out as new things are coming within the DFARS, and maybe even in legislation that says you have to have now your own vulnerability disclosure policies or similar things, it’s good to know what capabilities are already out there for you to assist,” said Vice. “We have loved being a partnership with NIST over the years. We also have co-authored with CISA to create the [NIST’s] SP 800-216 on DOD’s vulnerability disclosures and management.”
Wiz Provides a New Way for Agencies to do Security
Siloed tools create gaps, limit visibility and lack insight into the root cause and immediate remediation steps. Wiz created the first cloud-native security solution built and architected for the cloud, according to Dean Scontras, vice president of Wiz's Public Sector.
"Wiz fills those technical and organizational gaps that lead to risk and simplifies that process," said Scontras. "When we plug a Wiz into an agency's cloud environment, usually that personnel can see their multi-cloud estate instantly with complete context."
Scontras explained what industry calls “democratizing security,” which provides a single platform that all stakeholders can use to see the same information and allow them to collaborate across silos.
“One of my favorite analogies for this is when Log4j vulnerability broke out, the customer plugged Wiz into their environment and security cloud, and developers could all see where those vulnerabilities were, which pose the most threat and how to mitigate it immediately,” said Scontras. “It’s not just for CMMC, it’s for FedRAMP, it’s for agencies, it’s for the entire country’s cybersecurity supply chain.”
Wiz also collaborates with government agencies — from a regulations standpoint — by sharing threat information.
"I think there's another side of Wiz that's actively participating with the government from a threat intelligence perspective. So that is cross collaboration," said Scontras. "I think also, from a tools perspective, we provide all those vulnerabilities and risk management frameworks that you can map against as a government customer, so you know if you're in compliance or out of compliance."