CISO Exchange falls apart

The controversial Chief Information Security Officers Exchange effectively collapsed today, with both of its co-chairs, Rep. Tom Davis (R-Va.), and the federal CIO Council, withdrawing their support.

"Neither Davis nor the [House Government Reform] Committee will have any role in the exchange," David Marin, deputy staff director for the committee, said today.

While Davis "certainly supports the goal" of the exchange, "there is nothing on the table" as to what future form it might take, should it be reestablished, Marin said. "We're always looking for ideas," he said.

Earlier, the CIO Council also withdrew from the group, Karen Evans, director of the council and Office of Management and Budget administrator for e-government and IT, said in a statement.

Instead, the Council will ask its Best Practices Committee to develop ways to improve cybersecurity scores governmentwide, Evans said.

"While we firmly support the CISO Exchange's objective of improving the federal government's security posture and improving the cybersecurity scorecard grades, we believe the most appropriate context for doing so is through the CIO Council's Best Practices Committee," Evans said in a statement.

The CISO Exchange was announced in February by Davis, who was to co-chair the group along with the CIO Council. The new organization attracted controversy when an advisory board was named April 6. The exchange set a $75,000 fee to become an industry member of the advisory board. Lower levels of participation carried fees of $25,000 and $5,000.

The fees and the structure of the exchange raised concern that it appeared to be a vehicle for gaining exclusive access to Davis, chairman of the House Government Reform Committee.

Under the original plan, the CISO Exchange was to have two co-chairs representing Davis' committee and the CIO Council, respectively. In addition to the exchange co-chairs, the group's advisory board would consist of 12 members, six from government and six from industry. The group also planned to publish an annual report on cybersecurity.

The Industry Advisory Council, a nonprofit group in Fairfax, Va., is considering taking over the exchange.

"The CIO Council looks forward to establishing a Chief Information Security Officers Exchange that is open and accessible to all members of the IT community in both the government and private sector," said Dan Matthews, vice chairman of the council.

Stephen O'Keeffe, the Alexandria, Va. public relations executive who helped create and who was to manage the CISO Exchange, has staunchly defended the group's fees and structure. Despite the withdrawal of Davis and the CIO Council, he said he was "proud of the role of the CISO Exchange in its success in elevating the requirement for federal information security."

However, O'Keeffe also said "there needs to be a bright line on what is, and what is not, acceptable in public-private interactions, and for the private sector funding such initiatives. ... For the issue of access, this needs to be resolved. If it is ambiguous, there is a potential for misinterpretation."