Good afternoon, ladies and gentlemen. Welcome to the Director's Industry Engagement session focusing on DISA's strategic plan of action line of effort number four, harmonized cybersecurity and the user experience. I'm Kasha Simmons and I'm your moderator today. Before we begin, I'd like to review some process rules to help us make this virtual event go over without some of the common hiccups. First, please make sure your mic is muted until you are called upon to ask a question. When we do call upon you, please unmute your mic and speak loudly and clearly. So that's mute when you're not talking and unmute when you speak. If you have a camera available, please be sure to turn it on when you speak. It's nice to put a face with a voice and it will make our interactions a little more personable. Once you've asked your question, please mute your mic again. For this event, we requested questions from industry and will address a few of those questions following the presentation. Afterward, we'll open the floor to new questions from participants. If any of you have additional questions, indicate so by using the raise hand feature and I will call upon you by your company's name. Please introduce yourself and then you can ask your question. We have 60 minutes today, so please keep your intros and questions as succinct as possible. And now, please welcome the director, Defense Information Systems Agency, Lieutenant General Robert Skinner.

Well, good afternoon everyone and thanks for taking time out of your schedules. As I think some of you know, this is our fourth iteration of walking through our strategic plan. And this is on LOE number four, which is really about harmonizing cybersecurity and user experience. And I would offer there has never been a time that I've been in the department where user experience and cybersecurity have really been at the forefront of what we are doing across the department.
We've had pockets of excellence, but across the department, we're really looking at this with a fine-tooth comb to really try to understand how we can better harmonize. As we look at the POM 24 process within the department, we've had multiple studies. One study on user experience and IT performance and another study on cybersecurity, I'll say zero trust. So that just kind of shows you the level of importance that the department is placing on these two, I'll say, categories. I would offer that I think DISA is at the forefront of anything that has to do with either one of those. And I would offer that I don't think the department can do, the department and our mission partners can't have the right balance and the right harmony between cybersecurity and user experience without DISA's support. Whether it's through our internet access points, whether it's through the DoDNet that we are providing services to agencies and we continue to bring more agencies on each and every day. So that's kind of the focus of today. I would also offer that as we look at this, it's not an easy kill, I'll say, from making sure we got the right user experience and cybersecurity. Because once you turn the rheostat on one of them, then that rheostat causes a ripple with the other one and vice versa. And so as you kind of look at this, you can't look at them in a vacuum and you have to continue focusing on those. But I would offer there's a lot that goes into it, right? Just think of user experience, for example. How do you know where the issue is when you have 40, 50 different gates that, I'll say, a transaction has to go through in some instances to get from the user to the appropriate data application and then back? And so as we kind of look at this, there's a continuous monitoring aspect that we've got to focus on.
And how do we leverage technology to make it easier to understand on a real-time basis where any bottlenecks are or where any user frustration is coming from, whether it's software or whether it's hardware or a combination. And then as you continue to do that, you've got to look at, well, where's the cybersecurity, right? And I would offer it's more about cyber readiness and cyber resilience than it is about security. And that is, how do we protect? How do we secure? And how do we make accessible the right information to the right individuals at the right time? Which brings in identity management as an example that a lot of people don't really think about. And so as you look at the tools and the capabilities, what we're really looking for is how do we simplify the environment to make the user experience go up as well as cyber resiliency at the same time, right? Let's bring the water line up for each of those. We have a cast of characters here. I'll say that I am honored to be part of that cast. And actually we have Ms. McMillan who's brand new to this cast. And so we'll make sure that we have a few questions for her to start out with. But we'll go through those. We'll go through some of your questions and then open it up. But at the end of each day, our objective is how do we drive improvements so that at the point in time of our choosing, whether it's during Hurricane Ian that has gone through the southeast, specifically Florida, but now I think it's up in the Georgia, whether it's a conflict and/or whether it's day to day competition, these have to be harmonized and the rheostats have to be set well so that we can drive forward. The other piece I'll ask is in leveraging technology, we have a lot of technology today that we leverage your help from an industry standpoint to help us tune and optimize what we have before offering another solution.
It's always at the forefront of my conversations because you've already sold us a lot and so help us use what we have better. Or if you can bring a solution that we can remove a lot of tools to simplify the environment that also provides greater capability, we are all in on that also. So with that, I will ask a question to our esteemed colleagues to my left and to my right and we'll kind of walk through this and then we'll kind of go out to you in case questions have not been asked. So the first one I'll turn it over to our contracting guru, Mr. Doug Packard. Mr. Doug Packard, regarding zero trust and continuous monitoring, are there any specific exclusions or requirements directly related to current and future satellite communication modes? As a follow-up, now that the U.S. Space Force is standing up, has stood up, what will be the impact to this regarding SATCOM contracting for bandwidth, services, and end support, especially those relate to small business for large business contract awards? Dr. Liu.

Thank you, sir, and good afternoon. So regarding these zero trust and continuous monitoring, it may be best for the U.S. Space Force, as the department's executive agent for commercial satellite communications, to address that part of the question. As far as the use of large business versus small business, my commitment as far as acquisitions procurement is done within the Defense Information Technology Organization offices at DITCO Scott, that the large business, small business suites and awards will continue, as they always have, based on robust market research. We make a very conscious decision for how we'll procure them. U.S. Space Force will stand up their own contracting office. They have built some more now to begin to do that. They will go through the same process we do, remote, robust market research. They'll make comparisons to how they make the business decisions on large versus small business set-asides.
What the portfolios that they manage within the Air Force or Space Force are at large. And they will make a decision based on those factors, based on the goals of some of the department, and based on how they see the structure for commercial communications via satellite as best to be secured. Thank you, sir.

Thanks, Doug. The next question I'll turn over to Ms. Woods, because I think this is a, she and some of the colleagues can kind of walk through some of this, too, to include Steve Wallace as our emerging technologies. But this is really talking, and I think it's a combination of LOE 2, which is how do we leverage innovation to improve readiness, and LOE 4, which is harmonizing cybersecurity and user experience. The LOE number four indicates DISA's plan to leverage technology insertion through the DevSecOps agile software development framework, automation and machine learning to deliver services to our mission partners with added focus on ease of use, transparency, storefront upgrades, and data-driven decision capability. Can you provide an update on the initiatives which are in the next six-month pipeline towards these efforts? And before she answers, I'll tell you, I took a briefing from her and her team today on infrastructure as code, but also container as a service. And the work that this team is doing with industry is pretty groundbreaking in my eyes, definitely from a DOD standpoint, maybe not from an industry standpoint, but they're doing a lot of great things to improve that experience of cloud adoption, but also how we're monitoring the environment to make it better from a security and experience standpoint. So it was a great, great briefing, and I know she'll talk a little bit about it here in a second.

Great, thank you. So I would start with, you know, in general, right, there's a variety of hosting and compute platforms, and it's important to meet customers where they are. There's traditional hosting and private cloud and commercial cloud.
And within all of these environments, historically, a lot of the application building is done manually rather than in an automated process. And so there's discrepancies and disparities in a test environment, development environments, production environments. And the main thrust of a DevSecOps pipeline and the product we're developing, we call Vulcan, is taking all those manual processes, those things that have to be repeated over and over again, and turning it into a pipeline with different tooling that ingests applications, but rather than the build and the deployment being done manually, it's able to be done in an automated way. And to link this to cybersecurity, one of the key elements of a good DevSecOps pipeline is injecting cybersecurity approval points so that code is only built up to a certain place, and then you're able to look to make sure policies have been implemented correctly and then move on to the next iteration and keep going. This takes processes down from weeks and months. You start counting in hours, which is transformative. And pipelines can be deployed in any of the different hosting and compute environments. Part of what we're also doing is taking things like infrastructure as code where rather than having to manually create environments in the cloud, which everyone has to have some kind of environment for their application to land, that can be turned into pre-configured and pre-authorized baselines that immediately deploy the environment, security policies, privileged use, integration with different authorization pipelines, and so collectively a tool like that again takes something that takes weeks or maybe months down to two to four hours. When you start connecting a DevSecOps pipeline that's pushing an application through to update it and increase the cybersecurity improvements and having all those checkpoints, then you're able to push it into something like infrastructure as code where it's creating the cloud environment.
It's a process that is hyper automated. It improves cybersecurity. It improves the experience that the developers are going through that the users can expect a consistent experience and push that through the entire process.

Great. Thanks, Sharon. Next one I'd like to turn over to Mr. Wallace. And this is how effective is using the other transaction authority contracting capability working to close a gap between what the Defense Department knows and doesn't know about how quantum computing will affect its ability to secure its algorithms and cryptographic solutions.

All right. Thank you, sir. So the OTA vehicle is the perfect place, the perfect type of vehicle to get after this type of challenge. So here at DISA we've done many OTAs at this point and many other within my team within emerging technology, but we recently released the request for white papers for the quantum resistant algorithm prototype that we want to do. And so we've been watching the space for a number of years. We've been watching as the number of algorithms made their way through the NIST process. When they finally popped, I think it was this spring, this summer, the five algorithms that sort of exited, they could have a dramatic impact on the way that we provide services across the department. Quantum resistant crypto in general is very important to all of us just from the perspective of the ability to defend the network as quantum computers become more of a reality. So we do, we have that white paper out on the street now. The intent there is to test the impact of those algorithms on our existing, whether that be transport infrastructure, compute infrastructure, those types of things. And get a better understanding and appreciation so that when the time does come to move to these algorithms we'll be well positioned and ready to go. So again, and the beauty of the OTA in that is that we release our white paper with the best of our knowledge.
But during that prototype phase it will allow us to continually evolve our thinking in that space and ultimately deliver a better product. So thanks, sir.

Thanks, Steve. And I think as we continue to look through emerging technologies, we're really focused on leveraging OTAs as an opportunity to really get a better understanding before we go, I'll say, full bore towards a particular technology. The next one I'll turn over to Mr. Greenwell. How is the agency currently looking at next generation risk management framework? And is there a specific team we can speak with that is responsible for making compliance about operational readiness? This is a question straight from my heart.

All right. Thank you, sir. Good afternoon, everyone. So from an RMF perspective, the risk management executive organization is the team that actually manages that here within the agency. Ms. Jackie Snowfer is our acting director of the risk management organization. So certainly you can reach out through her and through our, you know, various offices to be able to touch base with us in regards to any questions you might have. Some of the activities that we're trying to focus on is again driving automation through the RMF and moving away from a stack of paperwork, if you will, to actually leveraging data as the source of compliance information around the various controls. You know, some people believe, well, let's move away from controls in total and really just look at the vulnerabilities that may exist on a system itself. And we can't do that. And we can't just go to the operational readiness aspects to look at just, you know, things like cyber defense. It's how do we actually get that integrated view? And again, really informed by data and informed by the actual capabilities that are on the network. So we take advantage of things like blue team testing, red team testing. Those do give us that perspective of the operational sense.
But then, you know, again, with the control aspects of making sure that the system itself is designed securely that those functions and features within an application as an example, are actually doing what they're supposed to do and protecting the data. So I would, you know, tell you that we are making some strides in this area. We're working very closely between our risk management organization and our chief data office in terms of how do we get at better leveraging the cyber security data and having that actually start to inform our risk management decision making.

And Mr. Greenwell has certainly talked this many times, right? I think sometimes we as a department get into the notion of a risk averse framework versus a risk managed framework. And so there's an education piece with our authorizing officials to truly understand what risk that they are accepting in any particular system and/or program. And then how do we leverage technology to continuously monitor and continuously assess what that risk profile is? I think that at the end of the day is where we're really trying to go from a secure cyber readiness and security standpoint. So with that, I'd like to turn it to Dr. Herman and then Mr. Packard to discuss this next one. How does DISA envision small businesses supporting Thunderdome after the prototype is complete? And how does DISA intend to utilize other transaction authorities contracts like this in the future? Dr. Herman, we'll start with you and then Mr. Packard.

So I'll take the specific questions about Thunderdome. Thunderdome is one of the main things that we're trying to accomplish in the name of Zero Trust. We've prototyped some capabilities in the lab. We're now putting those capabilities in production. We're particularly excited about the way the OTA has allowed us to have pivot points should some of the technologies not prove out.
But at the end of January right now, we will make a decision about whether or not the technologies that have been evaluated in a very rigorous fashion makes sense for us to award a production contract as a follow-on to the prototype OTA. As part of that, whenever we're awarding OTAs, we're looking primarily for nontraditional partners that have specific skills that they bring to us. When we award the production contracts, if that's the decision that's made, that's also part of the negotiation to allow us to continue to take advantage of the particular capabilities that those vendors bring to the table.

Right, and so to add that, as far as the small business participation, so right now Thunderdome is in a prototype. Within that prototype, Booz Allen has selected their core team of nontraditional defense contractors for the prototype. So if the decision is made to go to a production OTA or Thunderdome solution, at that point negotiation with a Booz Allen Hamilton is successful. At that point, we do negotiate in good faith to include those nontraditional business partners. It may or may not be the same small business team. It may or may not be different large businesses in the spectrum that would provide the services. Keep in mind, going from a very small prototype to the department as an enterprise is a math problem and then it's a complex equation, right? So it depends on how Booz Allen, if it's successful, how they choose to array that team and how they would go into production to provide a solution across the department. And it's just a very complex problem to negotiate from good faith to support the small business community, as we always have with our small business first policies. But it becomes a very complex equation going from a small prototype that Dr. Herman's champion to his next champion to be an enterprise level effort. It's just a much different environment. We do push it, but we just can't make any commitments or promises of what that will entail in the end.
Thank you.

Thanks, Doug. And from a contractual standpoint, he always keeps us out of trouble. So we definitely appreciate that. For number nine, I'd like to turn this over to Ms. McMillan and then we'll see if Mr. Greenwell would like to add anything. There's a general concept that is summed up by don't let perfection be the enemy of good enough. Cybersecurity and usability don't often, if ever, run in tandem, but usually are trade-offs. Is there any way that you can delineate where cybersecurity is good enough to allow greater usability? This also ties into the innovation LOE, because innovation will naturally test current standards which are perceived as trending towards the side of perfection.

Thank you, sir. So I think about this question a lot as we're trying to integrate and do the 4ENO activities and bring all the DAFAs into the Fourth Estate and identifying where the organizations have from a classification perspective and also to identifying their data is something that we have to be cognizant of as we're ingesting and taking new tools into the space. You mentioned and hit on this earlier when we're talking about DoDNet expanding and Fourth Estate. Having that single pane of glass, you have to think about the classification of that data that's coming into your environment and then also to from a risk perspective. But I'll turn it to Roger to kind of highlight from a CIO on how you envision and support over.

Sure. Thanks, Tanisha. So again, from, you know, it is about risk management and not risk avoidance, you know, as the director said. And so we have to, you know, understand the environment under which, you know, data and systems actually operate. So as we look at, you know, some of our systems, you know, is the system internet facing. Okay, if it's internet facing, there's probably an additional layer of protections.
What is the actual value of that data, both from a mission perspective, from a cost perspective, from a liability perspective, understanding, you know, the availability requirements of the data. We don't want to spend an exorbitant amount of money to, you know, be able to COOP a system that effectively, you know, doesn't have high availability requirements. And certainly we want to be able to back it up and restore that capability, but it may not require a hot failover capability. So, you know, that's where candidly we have to be able to create that balance and understand that, you know, all systems are not equal. And again, you know, that don't let perfection be the enemy of good enough. We have to take a look at every single system, every single network, what we're building out with the Fourth Estate Network Optimization effort and understand what our partners out there need. And making sure that, again, we're enabling those right capabilities in a balanced way and in an affordable way for the department. All right. Thank you.

Thank you. Thanks, Roger. The next one I'll turn over to Mr. Wallace, who is our Chief Technology Officer and the emerging technologies expert. How does DISA plan to implement the Zero Trust model to enable safe and secure use of smartphones and tablets in the DoD? And does your answer change in a potential BYOAD environment?

Sure, thanks. Thanks, sir. So, if you look at the Zero Trust architecture, there's the seven pillars, right? The user, the endpoint, and then on down the line all the way back to data and automation. The reality is that a mobile device is simply an endpoint in that equation. So it certainly has a play. We're looking at different ways that we can actually extract the state of that device and use that in a decision to allow access to a system. So it is certainly part of that overall Zero Trust equation.
I'd say on the BYOAD side, it's a very similar approach except rather than the entirety of the device and taking the entirety of the device, you're taking the entirety of the container that may be sitting on that device or if it's a virtual machine, the state of that virtual machine, I think it's all still relative, but you're definitely, whether it's BYOAD or whether it's a traditional government furnished device, it plays into the equation the same way.

Thanks, Steve. Appreciate it. And this one I'll turn over to Ms. Woods as our cloud expert. Since DOD is quickly moving to the cloud, what is DISA's role in providing cybersecurity services?

So there's a few elements to this and I would like to hand it over to Dr. Herman as well to answer pieces of this question. But one of it is just being, you know, DISA is a CSSP and so we have to do that data collection and data analysis in order to understand what our threat posture is and be able to protect ultimately workloads that are in the cloud. Another part of it is the Joint Warfighting Cloud Capability contract. It's not just a contract, those services will go through the ATO process like any other technology or enterprise commodity that DISA is delivering so that there's a level of, you know, validity that the services are in fact secure. The other part of this too is DISA providing enterprise cloud accelerators. So things like I mentioned before, DevSecOps or infrastructure as code where the consistency in user experience, the automation, putting in security checkpoints, all of that are capabilities that DISA is delivering that enhances the cybersecurity posture of applications that are in the cloud. Another one of those are things like enterprise identity and Thunderdome but for that I'll turn it over to Dr. Herman.
So for applications that are in the cloud we're going to be providing application security stacks that will allow those applications to be protected using both information about the identity of the user that's trying to access it but also information about the endpoint to Steve Wallace's discussion about mobile devices before any device is going to provide that information. Together we're going to be able to make those kinds of fine-grain access control decisions that will allow us to eliminate the ability to promulgate threats across the environment horizontally.

Thanks, Sharon. Because I think we're running into the open question time. I'd like to turn this over to Mr. Packard because I know inflation is on the minds of everyone and I think if we don't cover it here, I knew it would be covered in the session right after this. Does DISA have a plan to address unordinary rising inflation under their agency multiple award vehicles, SETI and Encore, that have fixed labor category cost? Is there intent to establish new multiple award agency vehicles in advance of the 10-year expirations or establish an on-ramp that allows additional companies to bid on this effort and existing prime contractors to establish inflation-adjusted rates?

It's probably generally for me to comment at this point on how our large IDIQs that the Encore SETIs would play out. I would offer you this. In May of this year, the department issued policy regarding inflation. With the general context of it, if it is a cost-reimbursable contract, the government bears the burden, generally bears the burden of the risk of performance and that could be through payment of higher labor rates. On a fixed price contract, generally, but more specifically, the government bears the risk of performance with those labor rates. We were cautioned by the department back in May that contracting officers should not consider, approve, requests for equitable adjustment that looked to increase those labor rates.
There was some recent, there was another email, a bigger part. There was a separate memorandum that came out in September that addressed an acute need by a small business or by a particular supplier to look at having rates or commodity prices in the contract changed. So in 30-plus years, I have seen 85-804, which is a special exemption to work around those policies of the department. I have seen that used zero times. I think there's been times through indemnification, I think with anthrax work, with some Superfund cleanup sites, there was some 85-804 extraordinary exceptions to policy. That public law means, after anything else in the federal regulation or federal law, two parties can agree to make a change that is not allowed by any of the law on the books. There's a very extraordinary relief. I've never personally seen it done, but I've heard of it done maybe in very, very specific times. On broader IDIQ contracts a bit early in the process, there's, believe it, no instructional guidance from the department on those broader reading vehicles. Maybe, I'm hoping maybe by the Forecast to Industry, there'll be a little bit more direct guidance on what we may or may not be able to do under those contracts. But generally, if you have a fixed price contract across the department, the guidance from the department is that we don't do equitable adjustments and that we do not raise prices on fixed price contract labor rates.

I appreciate that because I know that's on everyone's mind as inflation continues to be at a high level. With that, I'll turn it back to our moderator and see if there's any questions for us.

All right. At this time, we will open up the questions to the floor. Please, if you have any questions, please raise your hand and we will take those questions in order of your hand raised. All right. CyberArk, Mr. Kopko.
Good afternoon panel, ladies and gentlemen, good to see you all again, Tom Kopko from CyberArk as you know, privileged access management and identity solutions. My question is about the Enterprise ICAM goal that's in LOE 4. It's a goal for DISA. While the Navy has already established its Enterprise ICAM solution, PEO Digital has the Naval Identity Service program. It's a best-of-breed ICAM solution that has dynamic integrations between components, solid compliance with zero trust. Great solution. My question is, what has DISA learned so far from Navy's Enterprise ICAM solution?

Thanks for the question. So one thing I can tell you is that we use almost exactly the same fundamental pieces of technology in the Enterprise solution that we put in place here at DISA. So the Navy has done, I think in large part, kind of done the same thing that we already had in place. There's a reason for that. So the department is moving towards a federated approach. In some cases, tactical requirements require that services have something in place for their folks that wouldn't be available or connected to the Enterprise. So I think we have the same capabilities in place and that's going to lead us to a pretty straightforward federation of those capabilities to make sure that we're all operating off the single identity that will enable us to achieve the zero trust results that we're trying to try. One thing that I have learned from not just the Navy but also the other services is that in general, they have better access to attributes about their users in order to make those fine-grain access control decisions. Imagine if you had a role-based attribute that said that an individual was a commander and because of that status, they have access to certain applications or certain data. That is not an enterprise-level piece of data that's available across the department universally in the same way.
So as we move forward, we're trying to have as much of that information available at the Enterprise, sometimes taking that from the services to stitch together that larger picture. But sometimes they have better ability to make those fine-grain access control decisions simply because they're all on the same HR system or what have you. But I think attributes is probably the biggest thing I would take away. But we're finding that from really all the services. And then I think if you look across the services, the Army, the Air Force as well, you see very similar if not exactly the same technologies being used over.

Thanks, Dr. Herman. And I would just add, you know, identity, ICAM, I'll say identity management, access control is at the heart of zero trust. And it's a foundational. And what we've learned is we don't necessarily want to be a monolith, right? We want to be agile and we want to make sure that the agility is all the way down. I'll say the structural stack, not necessarily the technology stack. And that's why we're really focused on how do we leverage those attributes that are necessary from an Enterprise standpoint and let's provide those as an Enterprise, but also allow the flexibility for our mission partners to, in a federated environment, to provide the agility that they need, either at the tactical level and/or at a program and/or application level to really focus on what that program application, tactical level needs. And so I think there's, we have a good way forward from a framework standpoint that allows agility, but also there's some consistency and interoperability.

Thank you. Up next is Intel Federal. Ms. Tovar, please introduce yourself and ask your question.

Good afternoon, everyone. Our question, my name is Nicole Tovar and I am the Account Executive here at the Intel Corporation. Our question is really around communication between containers.
So is DISA interested in enclave to enclave key management and attestation up and down the stack with the device ID being part of that attestation? That is definitely not one that I will answer, so I will turn that over to the experts. So hi, this is Steve Wallace, so I'll take that one. I'd say the answer is a simple yes, right? So especially everyone loves to throw out these topics of zero trust and the concepts of zero trust. I mean that fits into that fairly nicely, right? That ability to identify and strongly, strongly bind communication between stacks and that sort of thing. So yes, I think it would be useful for us to have a conversation about that. Excellent. Next question is from Broadcom Software. Ken Wright, Account Director for Broadcom. My question is focused on end user experience. This is a common theme across multiple LOEs in the strategic plan. Synthetic user monitoring is mentioned specifically in LOE number two. We are not aware of any specific RFI, OTA, or other engagement with industry focused on end user experience. We assume these efforts are taking place embedded within disparate programs. Would DISA consider a focused industry day to expose stakeholders to industry innovation in this technology space? We're familiar with the technical exchange meetings. We've had mixed results getting engagement through that process. So just trying to think outside the box of other opportunities. Thank you. So this is Steve again. So we have not looked at that holistic or using one of those vehicles rather to go after something like that. In terms of an industry day, I mean the challenge of the end user experience is pretty broad, right? 
You could define many different things in that user experience spectrum, whether it's walking in the door and being functional by the end of the day with your PC and accounts and all that sort of thing to, hey, why does this application take so long to respond and basically inhibit me from doing my job after I've been here for six months? So it really runs the gamut and we are trying to look at every aspect of that. You're right, we do talk about the synthetic user monitoring. We're just sort of wading into that one frankly. I don't think that we've necessarily considered an industry day around that. I don't think it's necessarily a bad idea, but at the same time I think we would need to narrow the scope so that we're not talking about so many different things that we all don't get anything out of it. So I think that's worthwhile for us to take back and consider and I appreciate the feedback there because I think it would be useful. Just to add to that, Steve, again I think the synthetic user monitoring piece gets into the holistic monitoring and what capabilities we have, whether it's information that's coming from a cloud service, software as a service, being able to marry up information that comes from the various cloud providers with the data that we get from the synthetic user monitoring and understand where potential impacts are leveraging things like synthetic monitoring. So I think Steve kind of summed that up well in terms of the industry day perspective. Yeah, and I would offer maybe there's a way that, and we'll take it back to look at, maybe there's a way that we can, maybe not an industry day but maybe as part of our forecast industry have a session or two that delves into kind of the user experience and then as Mr. Wallace and Ms. 
Greenwell said, if there's a way that we can kind of focus it, so it's not too large and maybe we have a few sessions that are focused on user experience in relation to this aspect of the user experience may help, but we will take that back and look at it. So thanks for the thought. Excellent. Next question for Mr. Reddix from the Reddix Group. Okay everyone, thanks a lot for taking my question and director, thanks a lot for asking my submitted question related to quantum computing. As a follow on to that, we're looking at special ops tier one, tier two, tier three utilization of tactical edge type of technology, especially wearables and things like that. Where do you see DISA and DOD as a whole strategically looking at the tactical edge type of data gathering and the utilization of tactical edge devices going forward? Thank you. Yes sir, so Steve Wallace again. So the tactical edge thing has always been an interesting space for us, right? We've dabbled in it but typically it's with a mission partner, so say with one of the services something like that since they're typically the ones providing the services all the way at the edge. You mentioned wearables. I'd be curious of the context where you're talking about wearables. We did look at wearables with respect to a program called Assured Identity a few years ago which was meant to bind a number of things that were discovered on the wearable and predict whether the user was who they claimed that they were. But then I actually also had a conversation just last week with Space Command and they're looking at how they can use wearables in terms of physical fitness requirements and that type of thing. So maybe we can take this offline because we'd probably dive fairly deep in it if you want to reach out to me. I'd be happy to have a deeper conversation but in summary I'd say that our work tactically tends to be more bound with the services and their unique needs. Excellent. Thank you. 
The other thing that I would add is every time we focus and we look at the enterprise the tactical edge is in mind because at the end of the day the tactical edge has to get to the tactical edge somewhere else and if you don't have the foundational aspects of from an enterprise standpoint then it's not going to work or it won't work as effectively. And when you think about what we're really driving towards from a potential conflict in the future against a peer adversary then that makes it that much more important that you have the capabilities at the strategic operational and tactical levels. I think that's on all of our programs and systems we are actually taking into account and we have great relationships with Special Operations Command as an example and the things that they're doing at the tactical edge as well as the different services. There's always a uniqueness when it comes to the different services and our mission partners but at the end of the day even all that uniqueness has to come into an enterprise that transports and ensures that the information necessary gets to the right foxhole and or the right ship and or the right air base. Thank you. Thank you. Denae Sores. Miss Staten please introduce yourself and share your question. Hi. Yes. Thank you for taking my question. Can DISA provide their plan to support small business contractors with prime contracting opportunities when recent actions to establish large single awarded IDIQs will greatly decrease the number of the small business contractor pool. Specifically I guess my question is what actions is DISA taking to meet the small disadvantaged goals when the number of 8(a) contracting opportunities in DISA has significantly decreased. So I'm not sure if the number of 8(a) kind of have decreased. We do look at all of 8(a)s very diligently if they're above a 4.5 million dollar threshold to ensure they're competed in that sole source. 
We are about at a 13 percent I believe to a 40 percent goal for this FY for small disadvantaged business. So we do have a very responsible track record. I do know at the forecast industry Ms. Capinas will discuss in detail a five part process about how she with the Kent offices and with the mission partners determine what the best fit is. There are small business set asides and there are then sub what I'll call sub level set asides women and small business HUBZone an 8(a) set aside that can be used. There's about five different factors that she and the chaos the mission partners use to make that final determination. It is a full spectrum of if you're an 8(a) and have an 8(a) award the HUBZone small business is not it's not happy with that set aside. So it's a series of dynamics. She goes through very deliberately for every procurement every procurement is small business until we prove that it cannot be but it doesn't necessarily get into what's what smaller social economic group is targeted by the agency. So I'd encourage you forecast industry will be virtual and in person. I encourage you listen in to her to her brief. I did see the slides yesterday and I think they'll be very informative and have a very favorite answer for you. If there's following questions Ms. Capinas her team will be at the forecast and they can get through ma'am those type of questions for you in detail. Great. Thank you. All right. Next up is BMC Software Mr. Morris. Yeah. Ken Morris BMC Software and my question is so first of all thank you for hosting these events and really appreciate the time that you invest with industry. So thinking back about Thunderdome and kind of leaning forward in terms of enterprise production. What is the plan to onboard new customers and leverage big data platform to automate data consumed from those edge and application based security stacks and then from those secure solutions. 
How are they able to communicate with one another to get traffic across the network. So we're actually piloting that as part of our OTA and our operational assessment that's being undertaken right now. There is a, I would call it, an initial set of capabilities associated with the analytics piece. Primarily using tools that are part of the technologies that we brought forth and bringing them together in a sort of a non vendor specific way to simulate something like a single pane of glass. But the intent is after we go to production we will actually incorporate that set of data collection data analytics and automation into the larger processes that we have for defensive cyber operations the same tools and also the same support for things like cybersecurity service provider that we also provide for our other capabilities. So we're working primarily on the DISN backbone and the connections to the customer edge networks around the department. So we feel and we're proving it out. We feel confident that we have the connectivity necessary for that data to flow and we should have good results here in the next couple of months. Thank you. All right. Next up is Tritus Corporation. Miss Carter. Hi. Thank you for having me. It's great to see this event and I really appreciate all the information. My question is, is DISA worried about customer costs with these initiatives and looking at current successful cybersecurity solutions in the community that utilizes existing hardware and devices to minimize cost and time. Thank you. Hi. Great question. So I'm Jason Martin a couple of different roles here but one that the boss has given me as of recently is to identify potentially new ways to optimize our expenditures and then in turn how we are maximizing our services at the lowest possible cost. 
So I would say we absolutely are open to a number of suggestions in various areas of technology how we leverage existing technology integrate new technology and or go with full blown you know COTS type solutions. But I will say it's an ongoing effort and it's interesting when I think about this is either cost reimbursement or to wick of models how we are doing the cost reimbursement with the customers the PEO's across the department are as well. So we're consulting with them in terms of OK here's how we built rates in the past. Here's how we've taken cost into consideration. Here's some things we've done internally to optimize that rate back to them and they're starting to adopt some of those practices as well. From a cyber perspective I think as everybody knows and we've talked about on here today it's a fast evolving environment and it's something that we literally discuss on a daily basis. Are we doing what's right. Are we doing what's right for the end point. Are we doing what's best for the network. Are we working with JFHU to make sure they have what they need at the most optimal or effective price points. But I would say that is something we do talk about daily and it is something absolutely when we go to these technology talks with Steve Wallace. It's hey what do we have in the architecture today. Is it working laws or not. Can we leverage it. Can we not and go from there. So I suspect there's some other folks that have input as well. Yeah I was just going to hop in. So I know recently as I've been engaging with the DAFAs on Fourth Estate moving into for you know effort there's been a lot of consideration for sustainment costs and then also to as an agency when we talk about the efficiencies right and bringing these organizations into this single pane and DOD net effort. How do we ensure that there's efficiencies long term from a cost perspective. So I know it's certainly something that I'm asking my team to lay down how we are costing out measures today. 
How are we ensuring that the metrics that we're seeing today from across all of the different organizations are aligning with efficiencies that the department is trying to go towards from a mission perspective. It's Roger Greenwell just so just add to that a little bit. You know the fact is that we've had you know we've got multiple capabilities in place today as the director talked about we have to really optimize what it is that we actually have within our stocks today and make sure that we're using that efficiently and effectively. You know as we've evolved some of our architecture we've seen cases of where you know we have multiple sensors effectively collecting the same data for different purposes. So again bringing that efficiency to mind is something we absolutely are focused on you know how do we again make that data accessible then whether it's from a cyber defense perspective whether it's from a performance management perspective. All of that again ties back to the end user experience and the end user experience is often driven by cost too, you know it's exactly what Tanisha is focused on from the business perspective of the end user and we have to be concerned about it from the technology perspective as well. I would just add to that that in providing capabilities we have a strong preference to adopting commercial solutions that are available to us so that we don't end up in a situation where we're paying to develop capabilities that already exist today. It's an industry and it's one of the ways that we try to drive costs down because development of capabilities really isn't where we want to be. And I would add to and this is an area where I think industry can help is to consider hybrid technologies. So some customers they're not in a position for instance to take everything to the cloud. 
They still have a presence in data centers and that is you know traditional equipment and hardware and they're not in a position to just lift and shift it all into a cloud environment. But they could have some applications in the cloud and so where industry I think can help is how do you enable traditional data center or private cloud communication to applications that are also in commercial cloud. We've looked at containerization and we have a container solution that's on prem in the data centers and when a customer has containerization in the cloud it can enable them to have those applications in that data flow in a more interoperable seamless way. But then you get into things like ingress costs and egress costs and so I think those are areas where industry can help us become more efficient from a cost standpoint as well as the technologies being able to communicate with each other across the entire spectrum of hosting and compute. Thanks team and I know we're running a little bit out of time so let me kind of wrap it up a little bit and I would just ask if you had questions that didn't get answered. Our team you know how to reach out to our team and we will get you an answer on those things. And I thought that was a great last question. Right because total cost of ownership is part of every equation that we have when we are producing and are providing services and are working with industry. And that goes all the way from the research to the adoption to the sunsetting. And I think you have seen from an agency standpoint we are not afraid to sunset capabilities that are no longer best value. And so I would continually ask industry to give us your insights and give us your thoughts on what you think is not best value and why and where there are opportunities for us to also decrease the total cost of ownership so that we can kind of drive to the future faster. 
And so if you've got ideas, Ryan Jenkins, Frank Gonzalez and the MPO and the corporate connections team are more than happy to talk with you and discuss and figure out where within the agency that we can work together to identify those opportunities so we can jump to the future faster which is really what we are trying to do. I would offer just first off thanks again for the members of the team. As I said earlier, I'm honored to be part of their team. They're doing some amazing things despite some of the bureaucracy that we have to work through just like any organization does. They're doing some great things and I would also offer the partnership that we have with industry is amazing. And that partnership with the industry and our personnel is really what puts us ahead of other countries, other nations across the board. And so we just want to thank you for your time, for your thoughtful and insightful questions as we continue to drive the department forward and we hope that the partnership continues because that's the only way that we are going to be successful in the future. So thanks again for your time and I look forward to the next session as we talk about workforce and then we will kind of roll back through from an LOE standpoint in the future. So thank you. To echo General Skinner, thank you all for attending today. This engagement will be posted online for public viewing. To request a follow on meeting with DISA, please submit a meeting request to the corporate connections mailbox. A link will be posted on the closing slide. Stay safe and enjoy the weekend. This concludes our virtual engagement.