...the people running the forums and looks after all of our IT itself. So if there is a cybersecurity issue at The Open Group, if there's a breach, it's all Dave's fault and, of course, it's nothing to do with me. Believe that and you'll believe anything. So, Dave, come on up. Please give a big, warm Open Group welcome. Dave will introduce the panelists.

Yeah, on that last point, I was watching the four things and I thought 75% is a passing grade, right? So Allen, the VP of security, I'll be talking to you later about assessments and things like that. So anyway, you know, we heard earlier from the great presentations from Bruce and Dan and others about how governments are starting to take an interest in cybersecurity. Of course, governments have an obligation to protect their citizens. What we're going to hear about today on this panel will be three initiatives that the US government is undertaking to develop cybersecurity guidelines, particularly in the area of supply chain risk management, and their efforts focus on the integrity of hardware and software that are being incorporated, through procurement, into government systems, but also, more importantly, you've heard several times this morning about how those policies and frameworks are being extended to protect the critical infrastructure. So we're going to talk about those. I want to introduce our three panelists and invite them to come on up. So first, Don Davidson. Oh, here he is. So Don is the chief for lifecycle risk management in the Office of the Deputy CIO for Cybersecurity, and Don, in addition to having about 40-odd years of service in the DoD, is actually co-lead in the outreach efforts and the harmonization efforts of the Open Trusted Technology Forum. Second, I'd like to introduce Angela Smith, who's the senior technical advisor in GSA's Office of Government-wide Policy, and you're helping to lead the planning to strengthen those cybersecurity practices and principles in GSA.
I'm sure there's a strong, you know, procurement and regulation flavor, policy flavor there. And finally, Matt Scholl, who's the deputy division chief at NIST, which is the US National Institute of Standards and Technology, and you promote the use of cybersecurity standards, as befits a standards organization. So thank you all for participating. I'm going to just ask everybody to take, you know, three or four minutes to talk about what the efforts of your groups are, and then we'll go into some questions. I've got a few that have come out, but then we'll be, as usual, taking some from the floor. I'd remind everybody, if you have questions for our panelists, write them down on cards, and I believe my colleague Jim Hietala will again be asking the questions.

First of all, the prerequisite for being on this panel was the great smile. You can see from the four pictures they had to choose four people, three govies with big smiles, in order to do this for public-private. So not the norm for government pictures. So those that know me, I've been doing this stuff for way too long. I really enjoy the work. I think the public-private piece the government engages in is critical work, and we don't do it as well as we should, so I'm kind of passionate about it, and I think that helps. I was brought into the CIO because I had a long supply chain risk management background in DoD: how to use it to improve our supply chain processes inside DoD. And Mitch Komaroff, my boss, approached me, what is now about six years ago, and said, can you bring that supply chain experience so that we can look at the IT products that we're bringing into our enterprise, and how do I work with industry to improve the integrity of those products? And one of the lanes we've worked on is through The Open Group and through the ISO community: develop better commercial standards with commercial industry, you know, what can they do to raise the bar?
What I'm going to talk about today is primarily Don Davidson's opinion and is not officially a DoD position. In many of these situations, when we tend to write the standards and regulate from a government perspective, we often get it wrong, and we'd much rather see industry float the boat and have standards that they agree to, that are commercially acceptable global sourcing standards. So I don't write very unique standards for the government; that makes it more difficult for us to use COTS products, because we gain an advantage when I use commercial off-the-shelf products that are manufactured at a cheaper rate. Usually it can embrace innovation in a faster manner. Unfortunately, that takes me down the CIO route of getting the best IT as quickly as I can, and that does not always include the cybersecurity that we'd like to see. So how do we then blend those two together? So I have a role for the CIO and a role for the CISO that actually manages the risk in that community, and that's where I've spent the bulk of my time, I'd say in the first half of my time, the three years. Since then I've not been able to spend as much time in this space, because we've been more focused on DoD internal and US government internal, and I think you'll hear some conversations from my partners in this space for where we need to do better due diligence. We need to do better contracting and articulate our requirements better. Thank you. Angela?

Thank you for inviting me here today. I think, you know, these types of forums are so important to the work that the government does, and I'll be speaking to it, I think, a little bit later. You know, we're not in this game alone. We're here to serve the citizenry, our partners in industry, academia, so we're all in the same game, especially when it comes to cybersecurity. So I think you'll hear that theme from all three of us, that, you know, we're not here to impose things. This isn't about compliance.
This is about how do we make this work for all of us so that our security posture is a whole lot better, and at the same time we're kind of looking at those issues where, you know, we're not ramping up the cost and we're not driving down innovation, and we're still recognizing that we have to work in a global world. So a little bit about GSA. I imagine a portion of you will probably be familiar with the General Services Administration. We do support the whole of government in terms of providing those general services. You may have heard of the Public Buildings Service; we're kind of the federal landlord and own a good portion of the federal buildings. And then we have the Federal Acquisition Service, which clearly does federal acquisitions and supports all the agencies and their acquisition needs. We also have a couple of other offices: the Office of Citizen Services and Innovative Technologies, which runs USA.gov, and they also run, you may have heard of it, FedRAMP for cloud computing, often getting involved in a lot of the incubation of new solutions, trying to figure out how best to make them work across the federal government. One of those examples is Connect.gov, which is around how do we do identity credentials better and cheaper and more efficiently and consistently to serve our citizenry in terms of accessing government information and services. My organization, the Office of Government-wide Policy, clearly we don't do policy for all of government. Ours is really focused on the policy areas that are related to general services, and that covers fleet, travel, real property, acquisitions, IT, and a couple of other little things like some aviation policy, oddly enough. So without us even necessarily knowing it, we found ourselves very front and center in a lot of the conversation that's going on today around supply chain, around cyber, how to manage risk, and trying to figure out, you know, in the area, for example, of fleet.
We know that connected cars are coming. So, you know, how do we kind of look at that from a policy perspective and not do those impeding regulations for evolving areas when, you know, we're all trying to figure it out at the same time? So I think for OGP we have a significant footprint in the area of identity and access management around the Federal Bridge policy authority. We have a testing program for the approved products and services list for those ID management programs. We also run the .gov registrar for all of the .gov domains: all of US government, federal, state, local, tribal, territorial. And one of the things that I'm really personally excited about, and it's very applicable for here, is we're standing up a business due diligence information service to address some of those things we heard earlier that our insurance policy colleagues talked about: how do we identify what those risk indicators are and make better risk-informed decisions? And with that I think I segue to, definitely piggybacking off, the risk management framework that NIST is putting together.

What's NIST doing in this space?

Oh, thank you for inviting me. This is a great opportunity for us to talk about some of the work that we're doing, not just individually but jointly as agencies across the US government. I'm from the National Institute of Standards and Technology. We are an institute that is national and that focuses on standards and technology. There's a shocker, huh?
So, that being said, we are mostly technology-focused, working in standards and standards bodies as well, not necessarily policy-focused. NIST serves, especially in cybersecurity, kind of two roles when we look at these things. First and foremost, we have responsibilities through many different drivers to provide what we call our internal government corporate standards. So the standards and guidelines that government follows to secure government systems are developed in an interagency and external collaboration, but by NIST. These come out in a series of fancy government-acronym documents that we call Special Publications, or SP 800 series documents. We also write the corporate standards, US government corporate standards, for non-national security systems that come out in Federal Information Processing Standards. We have just a few of those, mostly focused in the areas of cryptography and encryption, where we are very clear and very explicit in the types and mechanisms of encryption that are acceptable for use by the US government. And then we have a test and conformance program that's external, using external commercial laboratories, so that external commercial providers can bring in their product that we require to demonstrate conformance to the government, have that exercise done, and then be available for procurement and use by the US government. That's kind of our internal-to-government role.
We also have an external role in participating in standards bodies. We work very extensively in both national and international standards bodies in a range of areas, to include cybersecurity, where the MO for the US government is to use and follow industry and have industry-led, consensus-based, open standards bodies be the default choice of industry, excuse me, of government, when government needs to pick, select, or identify a standard. And that's not just, you know, good motherhood-and-apple-pie talk. That's law, as in the National Technology Transfer and Advancement Act; NTTAA specifies that. It's also policy from the White House, in OMB A-119, policy that states this will be the way the US government looks at, seeks, and works with industry in standards and in standards bodies. This is a small agency, comparatively. So when we do our work, especially even when we do our work for our internal corporate standards for the US government, we do this in an external and collaborative process, because most of the products we will use will come from industry, and many of the smarts on how to do this right reside outside of government. So when we have this open, collaborative, transparent process that includes industry, we find that we get the best product that we can use inside the government, and something that is potentially realistic for industry to build for us that we need.

So if I could follow up. The other seat that's not on the other end of this panel would be Joe Jarzombek at DHS, because the four of us as an enterprise actually work as partners for the federal government on the supply chain risk management effort. We've been working together since the CNCI initiatives on supply chain risk management that have continued to live even though the Comprehensive National Cybersecurity Initiative.
It's now sunsetted. I know Michael Daniel, when he announced the new Information Sharing and Analysis Organizations, the ISAOs, for the critical infrastructure, emphasized that one of the areas we should do a better job of sharing information on was our supply chains. So the government and industry have to do a better job of, where we find problems or find positive information about supply chains and best practices, we should be sharing those to develop those commercial standards that we will all use. A couple of forums that we use: so in DoD there is the Department of Defense Instruction 5200.44 on trusted systems and networks, and I deal on a quarterly basis with all of the agencies and services on what are our best practices on doing supply chain risk management for DoD. We partner with NIST to lead what was a working group on supply chain risk management that is now folding under the Committee on National Security Systems, and we're actually rewriting CNSS Directive 505 on supply chain risk management right now, which is a parallel construct that the wider federal government would use on national security systems. Obviously, we partnered with GSA on the publication of their document last year on cybersecurity improvement through acquisition. That was part of the framework initiative; that's paragraph 8 echo under Executive Order 13636. So we partner with these four groups all the time, so we get a more uniform message from the federal government on supply chain risk management. And then I would be remiss, Joe would have, you know, sort of chastised me, if I didn't mention the Software and Supply Chain Assurance forums. So on a quarterly basis we get together, normally at MITRE in McLean, three days' worth of conferences on software assurance, hardware assurance, supply chain risk management, assured services kinds of activities, best practices, usually 200 or so attendees from the public-private domain on what are those best practices.
Bigger uptake in the last two years, now that we've gone more supply chain than just software, and a lot more international participation: the Canadian government's participating, the UK government's participating, some of the individual companies with more of a global footprint are participating more. Very encouraged by that dialogue.

And, you know, you mentioned OMB A-119. We're very big fans of that at The Open Group because we think it's actually a very good policy on encouraging government use of voluntary consensus standards organizations like The Open Group. And, you know, you mentioned the NIST initiative and the supply chain assurance and the security supply chain assurance workshop, which we try to bring in all of the input developed by members of The Open Group and share those, to bring them into those government processes. So Matt, since you mentioned the Special Publications 160 and 161: 161 is actually a good example here, I think, of the government using that open process that you folks have defined to bring in voluntary consensus standards from industry, and of course referencing the Open Trusted Technology Provider Standard is in there. So how do you see those playing with the Cybersecurity Framework that's come out of the President's initiative?

So that's a great question. So I'm going to try to parse this out as carefully as I can. So the Cybersecurity Framework was developed under an executive order with the intent of it to be for US critical infrastructure, external bodies, non-US-government agencies, to kind of convene them together to come and self-organize to develop the Cybersecurity Framework. And it's funny because, you know, I was listening to the earlier panel with Larry and folks, and they kept calling it the NIST Cybersecurity Framework, and we always kind of cringe when we hear that. We like to call it industry's Cybersecurity Framework.
We just, you know, we hosted the party, you know, we bought the beer, but they came and they had the party, is kind of how we like to look at it, and that's going to be our aspect going forward. It's industry's framework. It was built by industry and it's for industry. Special Publication 800-160 and 800-161, actually 161 specifically, was developed in coordination with GSA, DoD, and DHS in the working group that Don was discussing, as well as in this open process where it was put out for public comment, and it cited appropriate standards as we felt them necessary, but it's really for use internal to government. It's a Special Publication, so it's for internal government use. That being said, we often find NIST Special Publications or DoD/CNSS products or DHS reference materials to be quite useful for people outside government, and that's a good thing. So if it is used by people in the framework, that's great. When we developed the framework, we called out a couple of areas that we said are not quite ready for us to say, here are some reference standards, here are some specifics that you could use. And some of the areas we called out were in education and training; one of the other areas we called out was in supply chain assurance, and we did not at that time want to bias or throw influence in the commercial markets to one place or another by citing a specific reference to an implementation, a standard, or a best practice at that time. I think as we go forward in the framework, in the next probably year and a half, when we bring the band back together to have that party again, it's going to be a question we're going to ask industry: what are you using in your supply chains? What standards do you find effective in mitigating your risks? And then let's include them into the categories and subcategories as needed. So that's, I think, the plan going forward. Don mentioned CNSS and the collaboration there.
That's the intelligence side of the in-house policies, and the CNSS work and the NIST work, as he said, they're going to be, you know, different cover pages but the same text, is the plan going forward. And then going forward in 161, as NIST, we'd like to look at what are some of the technical things, because again we're in the technology space, that people can do in supply chain to help them understand their supply chain risks, mitigate them appropriately as they feel, and/or communicate that back and forth with their suppliers. There's lots of very interesting R&D work going on in that space, both in academia at universities as well as industry around the country.

I want to pull on that thread a little bit. You mentioned some of the technical aspects of that. We heard earlier about more of the business-oriented approach of assessing risk, you know, forming risk taxonomies, assessing risk, and then getting commercial insurance against that. Do you see that moving over from sort of the technical aspects of security into the business practices as well?
I don't know if "moving over" might be the right term. What we'd like to see, and we've seen the Cybersecurity Framework as a mechanism to allow this, is to not allow the translation to be dropped between the technical side and the business side. When we first did the framework, the first month, you know, we're NIST, and so we reverted to our comfort zone, so we wrote something geeky and very long, and business came back to us and said, you know, this is very nice, but my CEO is going to throw me out of the door and not give me anything. Make this something that can translate from management level down to technical level and allow people to understand from business risk, and how that integrates to business risk, all the way down to the technical things that I need to do. So that's a long answer for saying I'm hoping we can keep the translation from technical to management, not necessarily replaced or having to bounce back and forth.

So I can just follow up a little bit on the technical aspect. So I think that's a strong point for the OTTPS, the Open Trusted Technology Provider Standard: the fact that I don't know that we're mature enough to test product to know that all the vulnerabilities are pulled out of that product. Okay, so we're not there yet. But we can identify the best practices and say, is a given company, or a line of business in that company, using those best practices? And we can actually have good dialogue with those portions of the organization to say, these are the practices we're following, and I gain trust and confidence in those practices, and those practices make sense to me, so that I can gain trust and confidence in the development of that product. I don't know that we're mature enough to know how to test that product yet in many cases. We do test in some arenas.
That's good. We need to have product testing, but I know that the idea of having a process accreditation of some kind, a process designation, is of value to us.

This should be complementary, right?

Yes, you know, good processes will produce good products. You would think so. Yeah. But that is trust but verify, right? Yes.

So you mentioned OTTPS. So, appreciate that. There are others. We started on a global theme. We always try to think not only just of, even though we're in Baltimore, we always try to think beyond the US standards. Are there international standards or international activities that you'd highlight as providing impact in supply chain security?

Yeah, well, so we often lean to the ISO community in that arena. The Open Group is engaged there as well, as you know. So the development of the 27000 series, 27001, 27002, are looking promising to us as they're maturing and are being updated. Those that have participated, the industry players, participated in the development of 27036 on ICT supplier relationships. That's a free standard, at least part one is out there.
I think that's a good sort of strategic standard that talks about how to talk about the supply chain. It's not something you're accredited against or test against. I think that when we can have those commercial standards that we reference is where we're able to raise the bar on those commercial off-the-shelf type products that then allow industry to produce products that are used globally. We may not be able to get the high-assurance kind of world, like a crypto world. We may not be able to agree on those at the global level. We may end up seeing national standards in some of those individual niche areas, and we have to, you know, develop our risk management to work in those arenas. But as much as possible we prefer to use commercial standards; that's back to the OMB A-119, where we can.

Yeah, well, I should probably mention here that there is an activity inside The Open Group to talk about higher-level risk assurance, or higher levels of assurance, working, you know, with ISO and, right, Common Criteria. So we try to cover the whole spectrum there. So those are the guidelines we're hearing. I wanted to ask Angela: there has been a lot of focus on these guidelines for determining who's a legitimate or trustable reseller or OEM for the federal government to procure from. Why is it, what are the obstacles, why is this hard for the federal government to go and say, put that kind of evaluation into a procurement? Because obviously procurement is going to really drive what a vendor will invest in.

Right. So I think I'll just share kind of what Don said. So these are my opinions. They largely reflect, you know, a lot of the work I'm doing with my colleagues in government, but they are my opinions.
So I think it's a fair statement to say that certainly the government recognizes that purchasing from trusted suppliers and purchasing products that we can rely on, have a high degree of confidence in, is certainly an objective. There are challenges. You know, sometimes we wish we had a little magic wand and could make these challenges go away, but the reality is we do have a balancing act with a number of different special interests, and, you know, whether it's ensuring that there's robust competition, the need to ensure that, you know, we have not impeded innovation; the government has a definite interest in helping to promote small business. We have specific goals we need to achieve. And just from experience, kind of the magic wand approach, where everybody must comply with X, often creates some political tensions on the Hill, where, you know, certain politicians get phone calls, and that creates some other challenges. So, all said, let me back up a little bit and say, back to the executive order that we all worked on quite closely, it was clearly identified as one of those core recommendations that we made back to the White House as a consensus group working on this for whole-of-government efforts, that that is absolutely the direction we need to be going in. We need to have a way to identify what those trusted sellers are, and those resellers and those products, and we're working on that. It is a commitment. There are active working groups going on right now. So, you know, it's not an easy answer. There's regulations involved and other things like that. So I think just stay tuned. We definitely want to hear the input from industry on that, continue to have a robust conversation about that.

If I could follow up, only if you don't mind. I jump in a lot. I think it's better to have dialogue.
So, if you don't mind, so the OEM issue is huge for us. So aerospace and defense uses products much longer than most other enterprises. So if you look, a lot of the airframes that are out there are used for 50, 60, 70 years, and they're modularly upgraded over time; same for our weapons systems. Our information systems tend to turn a little faster, but still we face a challenge that many of the parts that we use are no longer in production. So I can't go buy them from the original manufacturer. So how do I develop the best practices to identify some sort of authorized distributor list in some way, shape, or form? So in those niche areas where I can look at a given source of supply where I know it's going to be out, we actually look at lifetime buys. Our Diminishing Manufacturing Sources program in DoD looks at that and says, where can we do lifetime buys for those products? You can't normally do that for software, but you can, you know, gain some supportability contracts in that arena. So we try to do that next in life, but there are often times that we find ourselves with a challenge of the original manufacturer no longer being in business. So how do I then establish some trust and confidence for some supply chain that was not originally established by the OEM? There are some whitelisting efforts, and we think that for narrow bands and narrow niches of enterprises we actually can do whitelists for that arena. We're very reluctant to whitelist for broader communities because that narrows where you can source from. We definitely are not in the practice of blacklisting. We often have to caution a lot of the dialogue in this area that comes back to, why don't you just buy American?
And I often come back and say, I don't know what that means anymore, because even if I bought something that was made here in the US, most of the supply chain that supports that manufacturing or assembly is parts that come from around the globe. So it really is about sourcing smartly in the global economy. We are less concerned about something being produced internationally than being touched by a foreign government unduly, so we care about foreign ownership, control, and influence. So where we think a government actually touches the supply chain does cause us concern. So it's not about a company being hosted or based in a foreign country; is there maybe some sort of relationship with a government entity?

And if I could just add on a little bit, I was going to be remiss in not saying, back to the business due diligence information service that we're working to stand up. So recognizing that maybe regulation isn't always the right answer, or a law isn't always right, I said, how do we move forward on meeting those objectives, on finding confidence across the board in our products and services? And so to that extent it is about what kind of information can we look at better from a risk management perspective and make better-informed decisions. To the extent, and I think this is where you're going to see the government headed right now, our level of awareness over the products and services we buy is pretty rudimentary in terms of an assurance level. You know, we kind of look at finance, we look at a few financial things, you know, does the company have the capability to actually do what they're saying they're going to do? We look at, you know, did they do something for Joe over here and he didn't like it, in the past performance? And then there are a few little things like the Trade Agreements Act. Beyond that, there's really not a whole heck of a lot.
So we clearly recognize the need to look at the supply chain, the people, the processes, the types of adoption of standards and good practices, all those indicators. And to the extent we make a risk-informed decision, certain things may be weighted differently, perhaps, and so that may be one way we achieve our objective.

Yeah, I think one of the things that, you know, gets highlighted when we have this discussion is, you know, we use the term supply chain a lot, but it means a lot of different things depending on, you know, we just talked about two very different threat models in supply chain, as well as what we're talking about: we're talking about people, we're talking about business relationships, we're talking about product, or product realization and product development, and all of them have supply chain contexts to them depending on your mission and your threat model that you're trying to mitigate against. You know, coming back to the OEM or authorized reseller issue, it's a wonderful way to help with, for example, counterfeit, but not necessarily business relationships, potentially long-term. That being said, the government, in my opinion, but maybe larger than my opinion, needs to do a lot better job in managing its procurement to OEMs and authorized resellers. And on the flip side, we need to get off our unsupported legacy base. So a lot of the supply chain issues we have in the government are self-imposed, because potentially we're still sitting on either XP or, God help me, the old DEC VAX in the basement running COBOL because it's been running for 20 years and no one wants to turn it off. So a lot of it is our own modernization fears and getting us off of unsupported legacy technology into space that would help us reduce the supply chain issue.

I have to pick up on one thing you mentioned, the type of whitelisting. This is something where, typically, when The Open Group would do a standard, we provide a mechanism by which a vendor can self-identify themselves as being compliant with the standard, and use that as a way of at least input to how vendors create their approved vendor lists, or their whitelist, if you want to call it that. Do you see a role for that?

What's interesting, I'm both in DoD and in the critical infrastructure stuff, so I know that it's frustrating sometimes when you help develop a standard, and I do get queries: so why don't you just call it out in a contract, make it a government-wide standard, and enforce it in all your contracting? Well, we generally don't make those unilateral decisions. We leave it up to the risk management aspects of that individual enterprise to call out that standard. However, we do recognize the fact that we need to have better contracting mechanisms that give credit where someone's making the additional efforts to improve cybersecurity. I know that my leadership in the CIO has challenged us in that space. My job's changed a little bit, to be broader than supply chain risk management, in the fact that we're looking at, for those that know DoD, that sort of what we call the mother of all charts that shows all the acquisition processes across DoD. How do we better include cybersecurity decision-making in all of those acquisition decisions? How do we partner better with the procurement acquisition community to influence those? And part of the challenge for us in this space is, how do I give credit where someone is improving the cybersecurity aspects of their products? So we want to get away from that lowest-price technically acceptable solution to give extra credit in the source selection where someone is doing something more. So how do I do that? And I would say that if you've got a given standard, you know, it provides me more trust and confidence.
I gain a certain level of trust and confidence if someone self-certifies against it I gain another level of confidence if it's a third-party look at that kind of world So how do I give that that credit to those companies? They're doing that additional due diligence and so we're investing in how to do that better Yes So about five years ago, I used to get a call once a week from a company that said I have a proposal or I have a contract And it says I have to do the FISMA, you know, what does that mean? Okay, take a deep breath this is gonna be a long stand and you know We usually turn them back to the contract and say ask them exactly what their requirements are That conversation is dying away, which is a good sign in my opinion. I think communication between government It starts with the system owners to their contracting shop and then from the contracting shop back out to the vendors I think that flow is going much better just on the reduction of those questions that I'm getting The when we looked at the again that the cyber security framework goes about integrating Cybersecurity risk with all the other business risks with economic risk with customer risk with supply risk So when we look at this in an acquisition aspect It would be nice if cybersecurity was a factor that was looked at along with price along with past performance along with You know all the other things that are looked at in a contractual review or bid review So it should be something that's integrated with that. 
So now I'm going to go to another point about self-certification So the government does allow for vendor self attestation and there are standards on how to do vendor self attestation That you conform to a standard and the government has a range of programs that allow this the Products that meets IPv6 government profile implementation The government just says here's our IPv6 profile you go you test Send us your test results and with your product and you self attest That's good enough for our risk tolerances and using products that we believe meet IPv6 And then we have a range of test programs from vendor can self test vendor needs to get an independent test Vendor has to have a third-party test Pre-market all the way through post-market surveillance and it has to do with where your risk tolerances are pacemakers We like to have pre-market third-party independent testing and then post-market surveillance and how they're doing in the products High impact issue when they fail IPv6 Lower risk, okay, but here's our requirements vendor you self attest to us when you come back Nothing stops industry from voluntarily self attesting to a standard as part of their communication back to the government as far as How we manage and control our risk to you Yeah, one one other piece. I'm glad you mentioned FISMA because as we talked about cyber security I'm sorry I mentioned FISMA. I know I'm glad It's kind of been my own little personal pet peeve for a long time. I've had the opportunity to have to sign off on Accreditations and authorizations for systems and It's it's about how do we raise the conversation up and out of the CIO organization To actually the the business and mission leaders talk about government And it gets back to moving to a risk management-based type of an organization Not a control compliance checklist, but really how do we understand that in the context of our mission and our responsibility You know delivering that mission, you know, what is it? 
We're trying to do and what's that impact if we do it poorly if there's the cyber threats or you know Or cyber issues that we experience there and and within that context Looking at what those products and services need to be and how much vetting needs to occur And what level of assurance we need to have over that this product just like you were saying with the testing programs So I think I think we're very pleased. We're seeing that shift occur You know certainly from some of us not happening as rapidly as we'd like, but it needs to happen thoughtfully and steadily and I and I do feel positive That we're moving in the right direction now It's a couple more questions. I want to get in I want to make sure we leave some time for audience questions here And but I'm gonna this one start with We've talked a little a lot about how government does procurement and of course that's that's a big lever But the the cybersecurity framework also talks about critical infrastructure, which are largely or almost universally in the US managed by commercial commercial companies so how do you see these kinds of policies and processes and metrics moving from The federal procurement world out to these commercial companies in the infrastructure space. 
I'll turn the DHS So as we were talking earlier the framework Which is one piece of the larger executive order for which, you know, we all participated in Department of Homeland Security is running a voluntary program to help commercial Critical infrastructure owners and operators implement cybersecurity programs enhance an existing program Communicate their needs to suppliers or requirements But from a market perspective We've also seen the cybersecurity framework being used as a standardized mechanism to express their security requirements so Critical infrastructure owner operator a small you miss them, you know local electric co-op or a water muni They're focused on delivery of their core service mission That's what they're very good at and they'll outsource a lot of their other things They'll outsource their HR they outsource their payroll they outsource their IT and along with outsourcing their IT They'll also outsource their cybersecurity with their IT So their outsource provider will just come back to them and say this is what we do and they say well I guess that looks good But they didn't necessarily have a standardized way to compare one provider to another or to Clearly articulate what they think their requirements are to their services or their suppliers So as a communication mechanism, we're seeing markets starting to form around This is what I need from you service provider and reflectively service providers saying this is what I can give you You know critical infrastructure owner operator So that's at a service level. We're also starting to see product Mapping capabilities that they're offering as well Don was talking about, you know slow turns and some DOD products Critical that some of the large critical infrastructure things are, you know, very long-term infrastructures Yeah, you know, you'll keep a bulk power generator Forever because they're very expensive. 
They take, you know, X many years to build usually their custom builds And as long as it's working, you're going to keep turning those those turbines So much longer turn and some of those infrastructure products as well so we're seeing the framework being used to express either capabilities or requirements between suppliers products and infrastructure owners and operators Any thoughts? I Just one other piece that I Think that the government is now doing a better job and there's much more outreach occurring There is I know if DHS were here They would talk about some of that that in the past There really haven't been those formalized structures where we and the government might know something bad is happening Or there's an issue or a concern or something with a product or whatever the case may be And we didn't have those mechanisms in place to actually share and have a conversation about that in a form that was safe and and Informative and kind of could figure out together how we needed to proceed That's happening now. I think that's going to continue So, you know, it's it is a challenging space I mean you've got everything from like you said outsourcing it to you've got got embedded, you know Firmware type issue is it's very complicated. I will say that I think for just GSA we're kind of looking at that space and figuring out like hey, you know We haven't really thought about operational technology and GSA has a lot of that That we're going to need to start considering. I mean, you know, I mentioned the fleet We have the buildings and smart metering and so there there's definitely applicability to us We also have a kind of government continuity a government role as well So we play in the space. I couldn't say where we have a large footprint, but there's It's definitely Important. Thank you. So I'm so Don you mentioned the The global nature of supply chains. 
You don't know what you don't know what made in the USA means I'm going to ask me what is the last and perhaps the toughest question I can ask to a government panel and that is that You know supply chains are global and it's it's good that Governments, you know help protect their citizens by raising the bar on security But from a vendor perspective, there's a lot of concern about how do we navigate What are potentially lots of conflicting or overlapping? the supply chain security or general cybersecurity Policies and regulations because all of those things you take time and cost money to put into the products So how do you see how do you see these? us moving from these Initiatives of specific governments up to use of more global standards So we started pursuing the 27036 initiative in the ISO corp world When we said we need a standard to start looking at supply chain We had a couple of blank stares and say well, what do you mean? We have we have standards out there to supply chain already and we started talking about What's the demand signal? So how do you group the demand signal in such a way that the commercial entity can answer that demand signal? Because if you all parse it differently as a nation's all the nations parse it differently Then you can't accommodate that from a from a COTS product perspective So where can we gain some common expectation? Maybe there's some common expectation in critical infrastructure and there's certain levels of assurance you expect in certain practices for those types of products If we could agree those kinds of areas where we have Common demand signal, then it'll be easier for industry to answer that. I tell you one of the tough ones I see today is cryptography. 
I think I think it's gonna be really tough to have you know global sourcing standards on cryptography You may have a low bar, but it's Fairly realistic some of the national standards of cryptography may be very unique and that makes some sense to us at this point in time there are other places where we can agree a demand signal That'll help us answer. I think the term we use often is a fit-for-use determination So I see a COTS product. How do I make the fit-for-use determination? That COTS product answers my demand signal I think that's something we have to do as users but the but if I can group better with a Common user community and send that demand signal to the industry They can then reduce costs and answer that and a bit more efficient standard and that's the way I'd like to go The standards create targets exactly now would comment on one last comment for me one of the first initiatives I worked on with Joe Jarzombek with Jon Boyens a meal was not on the team yet at that point in time in 2009 and 2010 We were invited to the White House to start working commercial standards on cyber security and we wrote a white paper That was very well received Nothing happened with that one paper last fall NIST was tasked to Re-investigate that initiative and we're right now at an inter-agency working group level re-investigating the government's role in cyber security standards And so that is evolving very quick and I would not be surprised that in the not too near to near future Maybe August September you'll see something published in that arena for public comment before that Angela So I think you know, I think the area of standards is so critical when you are talking global And and I think you know to the extent that I think all of us in this room understand it You know standards can be extensible they can be Tailored so that when you need to get to the next level of granularity of specificity, you know that that can happen For specific, you know needs but by and large. 
Yeah, we cannot separate anymore that we We are all you know part of the earth if you will and I'll have to work together and our products are you know are sold and we have You know economic interest and and being good partners trade partners, so I Think I'm glad like John said that There is now a reinvigoration of the Recognition that we need to look at our standards and how we're adopting them and how we're applying them and where they're applicable I Can tell you from just kind of this one is my personal opinion. It's been a challenge I am a huge proponent of Standards and tried working in that space It's difficult having that conversation at a business level with our executive management is because it is such a long-term effort There isn't that immediate political win and like okay, you know, what is this going to get for me tomorrow? It's really a long conversation, so I know I think We're challenged and we you know, how do we communicate that? How do we make that emphasis? In the context of the the business value, I think we all be well-served from that perspective So, you know at at NIST this is a almost a daily conversation So some of the realities are the US government is not the big procurement gorilla that we used to be Or maybe we are but other big gorillas are entering the game as well Which is appropriate? So long term we have to think very hard and careful strategically about choices We force on industry and where we may make them make a choice that might be non-tenable to the US government So we have to be very careful strategically about our requests and requirements on requirements to commercial industry for commercial products That being said International standards are the best place to hammer these things out where industry participates in an even footing with government and Being a non-regulatory agency under the Department of Commerce. 
It's usually Infrequent when another country pops up with a country-wide specific and unique requirement That multiple folks from industry do not kick our door open and say are you guys aware of what country X is trying to do right now? So industry is both our best ears on the ground as to what's happening in the individual countries as well as the best advocate for interoperable understandable industry Participative processes in those standards. That's actually one of the things we would we tend to focus on here as well So it's good to hear that here. Listen. What's that? They're born with two two ears and one tongue so So I want to wind up the this question phase, but I'm sure we've got some from the audience Jim Do we have some questions for the panel? We have something like 15 questions. So apologies in advance because I'm sure we're not getting to all of them before lunch So first question. Where do you see IT supply chain threats and risks in the broader context of all? Cybersecurity threats and risks are they increasing in importance or as a concern? So we wrestle with this one all the time So all of us are in this world of wrestling with cyber breaches on a daily basis So we spend more and more of our time responding to activities. We see ongoing today and yesterday I have to go back from a leader awareness perspective all the time and say we have to do these things We have to respond But if you ever want to get in front of that response curve, you're gonna have to buy products smarter than you buy them today Because we actually don't do it well and we should do it a lot better. 
We're very enamored with costs and schedule I want it cheap and I want it now And I often trade off the long-term costs and security Requirements to get it cheap and now and that means I have to spend more time doing the response stuff So I spent a lot of time on the awareness side to make leaders aware of that that you have to spend some time investing You know to buy from trusted sources upfront Doesn't mean you're not gonna have to do response activities, but hopefully you'll do less up Yeah, and let me add on a little bit. So one I absolutely think there's a broad awareness This is you know, not going away. It's evolving and and you know, we got to get done So I've got to get ahead of it and I'll just be completely reactive and responsive But when we talk, you know, we don't we don't build by and large our own things and you know any more than we did years and years ago so We procure so how do we do that? But it's not just okay. We know we have to do it smarter It's not us just coming up and saying oh, this is what you need to look at it's it's broad It's it's about changing the behemoth government So we've got acquisition professionals who have to get certification and go through little check boxes So how do we introduce them and to their responsibilities and gain their you know raise their awareness? 
the requiring officials this is across the entire spectrum of How we how we manage Kind of our back-end processes if you will and be you know Like I said before getting out of just the CIO organization and making it more of a holistic look Yeah, so so yes, I think it's good that we're looking at supply chain now I think it shows a higher level of sophistication of how we're trying to manage risk I think it's also an element of us pushing threats around And pushing into places where they can have lower cost for them and higher return So we're kind of pushing them into these these spaces as well But long-term I go back to you know Another one of those supply chain means lots of many different things If we just build these things better, which is a supply chain issue Then we'd have a lot of those downstream immediate issues taken care of So next question the OTTPS has been submitted to ISO for consideration as a PAS standard The final ballot ends in the next couple of weeks. What impact would you expect the adoption of that? By ISO to have in the US I'll tell you a standards joke nice thing about standards is there's so many to choose from so It's not necessarily Where it is, but the usage So that's that's the that will be the key issue if industry finds this useful and industry starts implementing it and Reflecting it back to its customers government being one of those customers. That's where I think then impact will occur Was actually one of the first comments made when we started this new interagency working group on the standards effort Was we're starting to develop a list of all the standards available to us and one of the criteria We says well having the list is of real value, but what part of industry is actually using that standard and how are they using it? We need to have a better, you know, capture of that information. 
That's really important the usage adoption And I'll just kind of you know hit the nail on the head there You know as mentioned our business diligence information service that we're working on standing up one of the things we've been doing very Consciously is having conversations with as many people and organizations entities as we possibly can and getting that feedback back So, you know We're trying to move away from a thou shalt to a how do we all do this together and do it in the most, you know Intelligent way, so we're looking at you know industry has their own supply chains. What are what is industry doing? How do we make sure what government's doing is going to align with what what your practices and needs are? You know the insurance industry is Remarkable parallel to some of the things we're having to look at So there is a conscious effort on looking at this holistically and aligning as much as we possibly can So you sneak one more in It's a hot potato question, so probably a good one to end A few questions on the OPM breach and you know one is what did not work? Well another one was you know what what role do your organizations have in helping? Agencies to get their security right, so I'll just throw that out So I'm so I'm not an official spokesperson on any of the OPM breach information. I I Would say that I think that there is There was a comment I think on the Dan Reddy and Larry Clinton panel about this is not a tech issue And I know that when we started a new initiative under Terry Halvorsen the CIO on what was called cyber This is I'm not dodging the question. I'm trying to answer it in a politically correct way We have good technologies to do lots of things we have good policies We don't always follow them And so we have an initiative getting ready to roll out of DOD on cyber hygiene or cyber discipline that looks a lot like the four Things that where these are best practices? How are we doing those and how well are we doing them? 
And if we grade our own enterprises that we're actually following the the the policies we've established We'll clean up lots of the problems of the breaches We're seeing today because because a lot of them are due to the fact that we have involved our own process Yeah, I'd agree with that so We don't have a response Or forensic responsibility that's with with DHS and FBI But as I said earlier, we write the corporate policies for how to implement a cyber security program Whether or not they're followed is a different issue But Yeah, I got my I got my letter Got my letter to him I think twice I Share Don so much. Yeah, I think we've gone over a little bit. So I'm Standing between people and their lunch so I want to thank my panelists Don Angela Matt. Thank you very much for some great information