
...agency's IT system doing cybersecurity and also doing password restoration, kind of, and against them you had the People's Liberation Army. So it wasn't entirely a fair fight. So the idea of managed services is good, but it's easier to say than to do. So in talking to people in the government, they say, well, there's networks, there's email, there's the applications that are running. What is it you're going to be managing? What is it you're going to move to? Then there's the question of who is it that's going to manage the services? Do you go to commercial contractors the way GSA does it now? Do you have it be a central agency like DHS? I don't know if you want to talk about managed services. If this works, it and the budget will profoundly change how the federal government does cybersecurity. I'll stress at this point the word "if." So I don't know who wants to go first. I'll take a first stab. I think the answer to your question depends on the answer of who. Commercial? Is it another agency? Is it DHS? Depends on the nature of the service. Right? And, you know, I think at a minimum we need to be flexible and, you know, approach this from a pretty dynamic perspective. If I could pick one shared service, I would start with the email, I think. Wave of a magic wand. That's the vector by which bad guys get in, and people in the private sector know this as well. It's one of the most common, if not the most common, ways for bad guys to get into a system, and if you'll harden email you'll go a long way towards reducing your risk. I would just jump in and say I think part of the goal is not just managed services and shared services, and there may be situations where it makes sense to have, for example, centralized provision from one agency for other agencies.
The one closest to my heart there is the Continuous Diagnostics and Mitigation Program, or CDM, partially accelerated and enhanced by the CNAP. It's DHS's way of helping agencies secure the inside of their network, so if the Einstein Program is perimeter protection, CDM is what gets inside their network, and it's really three things. It's a new approach to acquisition, a new approach to governance, and capabilities. Capabilities first. That's easy. They need security tools. We're buying them security tools. Nothing too sophisticated about them. How we're buying them is novel, though. We've brought together the agencies and we're saying, and this is common in the private sector as well: you buy a lot of individual tools, it doesn't get you where you need to go. You have to tie those tools together. And so we're saying, we are going to buy you a suite of tools with integration to tie them all together and give you a coherent picture of the internal security. That's the acquisition approach, so we're using GSA to do an assisted acquisition on this, essentially helping us run the acquisition. We're buying a suite of tools. We've grouped agencies into buckets. Each of them is getting a different suite of tools. There were different competitors and different contractors chosen for each of the buckets of agencies. So we're getting some diversity in the tool set, but we're getting integrated outcomes. And the final win there is governance, which is where we see a coherent picture of how agencies' risk is being managed across the federal government. So they get all these capabilities, they get them cheaper, dramatically cheaper, because we buy them in bulk as a government, and we get an integrated rollup of all the data that comes out of these tools. It's a win for everybody involved. And it's a really different way of looking at a shared service for the federal government. Anybody else? Kirsten? Tom? You know, I think Andy's right on.
You know, but I want to kind of go back to the notion of signal versus noise. I think one of the areas where a managed service can be most useful is helping that poor CIO working in an agency who's getting hit kind of make sense of, you know, you always hear the numbers. We have been hit 400,000 times today. Of the 400,000 times today, which is most important? My guess is maybe only one or two, and when you begin to look at the targeted, sophisticated attacks, if you can help that CIO leverage, you know, extensible capabilities where they can say I have 400,000 but only two of those are important. You have the term of art, contextualize it. You say I know this is going on across the world, and that's the type of managed service that would help make things actionable. I think seeing the outcome of the CDM dashboard and seeing that put in place is very interesting for the idea of managed services. Great. I have more questions, but I don't know if anyone out there has a question. Go ahead, please. We have one here. Thank you. Nick Farmer. Is there any effort going on from either the federal government or the Governors Association to move to web services? Something like AWS for the government instead of doing discrete individual services for individual agencies. So, that might be a cloud question. Yeah. So I'll, you know, I'll tell you there's a few answers to that. One of them is the government put in place the FedRAMP program in the 2009-2010 time frame. The idea of the FedRAMP program was to make it easier for the government to use cloud services like AWS. And the idea there is when the government buys IT normally, the agency that's bought it does its own security assessment. So they test the IT and make a decision like, is it sufficiently secure? The problem with doing that with a cloud services company is, do we want 20 agencies testing the same company? Because it's no longer I'm buying something, you're installing it here.
It's I'm going to use the thing you're providing in the cloud, and it doesn't make sense for 20 agencies to all test it, and FedRAMP said we'll test it once. Each agency can look at the outcomes and make a different decision. For this agency, what you got out of the test is sufficient. For another agency they may want more, and not redoing the test 20 times. That was a very foundational way of making cloud services available to the government. Now, is it perfect? Of course not. But it's a really important foundation and we're building on that, and we do see agencies taking advantage of this. There are agencies on the DOD and the Intelligence Community side where there's a goal to build a private cloud just for them but using commercial technologies. On the civilian government side, there's increasing use of public cloud providers, and through this FedRAMP process making it more efficient to use those cloud providers. Sometimes cloud raises privacy questions. Where is the data held? Who owns it? How you control it and so forth. I think cloud is coming more and more. You know, probably the same answer Andy had: within the states, it's going to depend on the state and depend on the agency and depend on how they need to protect that information and where it can be stored. Maybe one question to ask raised by this and services is, how does the federal government compare to the private sector in how it manages cybersecurity? If there's a private sector best practice, and that could vary from big companies to little companies, how does the federal government stack up? I don't know who wants to go on that one first, but when I look at what companies are doing it seems to be different from what agencies are doing. I would say one key difference I see is in governance. Cybersecurity is increasingly centralized in large private sector companies. Even for companies that have fairly autonomous business units, the level of centralized oversight is increasingly significant and directive.
We're still fairly distributed in the government. FITARA, legislation that the Congress passed, was intended to help that by strengthening CIOs at the agency level. CNAP is intended to help that by creating a federal CISO. But comparatively speaking, we are still very distributed from a governance perspective. In terms of the technologies, I don't think we're that different from very large private sector enterprises, in the sense that private sector enterprises that are at large scale, that are not technology companies, are actually being somewhat deliberate about the move into the cloud. They do struggle with their scale. They are often ahead of us in terms of where phase one, which is coming out now in the government, is probably a few years behind where the private sector is, but in general the large enterprises that are not tech companies are not dissimilar in their approach to the government, other than that centralized governance. I think just, you know, as you find within the private sector pockets of excellence with respect to management of cybersecurity risk and also some real players, the level varies across the federal government as well. There are also budget issues we talked about earlier that come into play here. One-year budgeting. Senator Kaine mentioned that as a real challenge for the federal government that's unique to the federal government. Even the state governments don't have that, as far as budgeting. So I guess I always caution against, when comparing the federal government to the private sector, yes, there's a lot we can learn. I don't want to say it's apples and oranges. Maybe it's oranges and mandarins. Okay. Kirsten, Tom, I don't know if you want to... no? There's no way in hell I'm going to compare the private sector to the federal with Andy sitting right next to me. I'm a big guy. Let me add one thing to that. We risk falling behind if we don't sufficiently fund our efforts. The FY17 president's budget, with the CNAP, is literally the minimal amount we need to get progress.
We cannot go below that or we will absolutely fall behind. I do think that the processes, the governance we're talking about, I think we're going to come to an inflection point where the difference between what the feds do, what the private sector does, whatever organizations, I think we're moving, I think we're years away from that, but I think we will hit a point where there is more parity there. I think it's going to depend on the agency, because not every data system, not every critical piece of infrastructure has the same value, and I think that's going to really kind of weigh on how many dollars get spent to reduce risk. I have heard that the president sometimes thinks of himself as the CEO of the federal enterprise and he's a little frustrated at his ability to manage it, which explains some of the rationale for CNAP. We'll see if it works. But any other questions? We've got... goodness. I said the wrong thing. We have four questions. We'll take them. Why don't we start there and we'll work our way across the room. Can you move up here? Go ahead, please. Hong Kong Phoenix TV. I have a question on China. Last year when OPM happened, the United States was about to put sanctions on China, and then the Chinese president came, and the tension was sort of relieved. And recently we had a U.S.-China high-level experts conversation on cyber. So could you please shed some light on what happened, what is going on right now. Does the United States still face the same challenge from China as it had before? Thank you. So our relationship with China is complex. It has many, many dimensions to it. Cyber's obviously one. We were very pleased with the commitments that were made in September during President Xi's visit here. Obviously, we are watching China's adherence to those commitments very closely and with great interest. We've got, I think, a very robust dialogue with the Chinese government on cyber among many other issues. I think it's a productive dialogue and one that ought to keep happening.
I will say one positive sign is Eugene Kaspersky complained that after the agreement it looked like Russia was getting more attention from China than the U.S. That's probably a good thing. We had another question right here in the front. We'll go across the room. Hi. My name is John Gudgel. I'm a Ph.D. student at George Mason University School of Policy. We know that cyber information has value. Obviously FireEye has a business model for managing cybersecurity. I'm wondering, what is the business incentive for a private industry company to want to share with the government? I think it's part of what I'm doing my dissertation on. Sure. So what I'll tell you is, first of all, you need to separate the companies that do have a business model of selling indicators or selling cyber threat information from the companies that are just defending their networks. Right now there's a lot of value, shared value, locked up in companies who are just defending their own networks but not taking information they gained from that and sharing it onward. And our goal is first of all to unlock some of that value. If you're the Acme Corporation, you're not in the cybersecurity business, you're just defending yourself, you're still learning valuable things every day, and if you share that through the automated indicator sharing system, we can help other companies protect themselves. Now switch your lens to look at the cybersecurity industry companies, and obviously Thomas is going to have an opinion on this as well. But when I talk to those companies, increasingly what I hear from them is they realize that indicators themselves are going to be commoditized. And if you think about an indicator, an indicator is something like the IP address of a malicious computer or the email address that a phishing email is coming from. These things are becoming pretty widely known. I think the business value is not as much on the indicators themselves.
It's going on the contextual information that surrounds those indicators. I think there's still going to be a huge market and a huge need for cybersecurity companies to help provide the context around indicators, even as we more broadly disseminate and rapidly disseminate the indicators themselves. I think the business models are shifting in that sector, and that's really how we're reaching this goal of broadly sharing indicators. I would say not all indicators are going to be commoditized. Certainly there's already commoditized ones. A company like FireEye brings, and I'm not here to pitch for FireEye, but a company like ours, we're in 20 or 30 different countries. We've got tens of thousands of endpoints. We're on many, many, many systems. We gather intelligence and information. And frankly, if indicators... first off, we hold our clientele's privacy as paramount. We don't share information about particular clients unless it's already on the news, unless they've already, you know, agreed to do that. So when the indicator is pushed out there, it loses its value. The bad guys are going to change their... you can still stop them and track them down. There is a value for a company, for the whole private sector, to be involved in this. My notion earlier of a DIB for cybersecurity, a defense industrial base where there's a balance between what the feds do, what the private sector does, what higher ed does and NGOs, we all have an intrinsic value. I think cybersecurity is different from a kinetic response. For example, if there were a substation that was under attack by an armed, you know, an armed group, Big Green is going to be there. The Army's going to be there. Someone's going to show up. And there are a lot of instances right now where those private substations or universities are under attack by nation states. Sometimes it's organized criminals. And it's not always going to be DHS able to respond, or the FBI able to respond, or whoever.
You need companies like FireEye and others, because we fill a very, very important need. And what DHS does and what the feds do, they provide some great services, but it's not going to be ubiquitous and it's not going to be esoteric for every single need that every single state has. We had one. Please. Rick Weber at Inside Cybersecurity. I guess this is for Andy Ozment. You mentioned when we were talking about information sharing and CISA implementation. Have any of the participants in the nk invoked the liability waivers under the new law, and in addition to that, DHS has said you'll be revising and reissuing the guidance on sharing between non-federal entities. If you can talk about that also. Just by sharing you receive the liability protection. You don't have to sort of formally invoke it. The act of sharing is protected under CISA and the Cybersecurity Act. In terms of revising the guidance, as we were talking about earlier, I'm proud of the fact that DHS has hit all the deadlines. They were very aggressive deadlines. We had a lot of people working very late hours. But the next deadline for us... one of the more recent deadlines was first to publish initial drafts of guidance documents in mid-February and then final drafts in mid-June. And so we are on track to meet those deadlines. Either there is out now, or will very shortly be out, a Federal Register notice that we're going to have a workshop on June 9th to go over where we are on those guidelines and sort of show people final drafts and elicit their feedback. And then I do expect us to meet that mid-June deadline of finalizing the documents. By the way, we got really positive feedback on that first set of documents we published in February. I think we were pretty close on the mark even in those draft documents. What I've heard from industry is they were very clear and they were very helpful.
The biggest feedback we've gotten is actually they want the documents to cover a topic which we just hadn't intended them to cover, which we weren't expected to cover, which is the liability protections that companies receive for sharing with each other. That was really, we thought, outside the scope of that first set of documents, but we are going to address it because we have heard a hunger to get more information on that. We are going back and forth right now. The final will be mid-June. But we have shared these documents. We're eliciting comments. I mean, we published these documents in mid-February. We're eliciting comments, talking with sector coordinating councils. We're going to have this in mid-June and then issue the final in mid-June. I have one final question. Do we have one more question over there? One in front. Good morning, everyone. My name is Elias Akora, with the Global Governance Institute. Thanks very much for that really interesting presentation. I have a question about this issue, and I'm wondering if you can put it in a global perspective and really hone in on the question of alliances. Senator Kaine talked about NATO as a natural ally partner to build cyber defense frameworks to be mutually beneficial. I'm wondering how much progress has been made or how much work has been done toward this effort on the administration side. And of course I'm wondering if Congress has looked at it. Kirsten, do you want to go first? Sure. In the Cybersecurity Act there are some interesting provisions about international cooperation with indicator sharing and things like that. So we were definitely, I would say, thinking about this and about the importance of that global conversation on these sorts of ideas as we negotiated the Cybersecurity Act. Let's close out the session by asking the question that no one has asked so far but we really need to hear about. I'm going to pick on Kirsten first. Which is, what do you think Congress ought to do? What's on the congressional agenda?
You've done a fair amount. What's next? Let's get the views from the others. What would you like Congress to do? That's going to put some of them on the spot. Kirsten, why don't we start with you? Sure. What we are continuing to do is oversight. Obviously, we've talked a couple times about the deadlines that are sort of ahead of us for the implementation of the Cybersecurity Act. June 15th, I think there are a handful of additional documents due, final guidelines, privacy and policies and things like that. So we'll continue our oversight. We are considering two potential hearings to look at this implementation. Sort of an industry perspective, and then having folks from DHS come in and talk to us about the implementation. The committee is also very engaged in sort of outside the Cybersecurity Act: Internet of Things, cybersecurity insurance, the security versus security debate that Senator Kaine spoke about. Obviously Chairman McCaul is one of the leaders, with Senator Warner. Yeah. That obviously is, as the senator said, looking at all digital security technologies. So that will continue to be at the forefront for us as well, outside of our normal oversight duties. Pass the president's budget request, please. I would just say two things in terms of what I think Congress should do. I think they should continue to look at the mission, the whole-of-nation approach. When you look at what the role of DOD is, what the role of DHS is, what the role of states and locals are, and to continue to look at a way to build out a mission that is truly national, that really is not just fed-centered, because I just don't think that's going to work in the way we want it to in terms of getting security. I think the other thing they should do is look at how they are really supporting states and locals with respect to dollars being pushed out to support their own esoteric needs. Great. I'll have two as well.
NPPD has made a proposal for authorizing legislation to the Congress in terms of our own organizational structure. I think that's a very important bill to move on. And I'll be frank. Just from a managerial perspective we have to come to resolution on that issue. It creates enormous uncertainty for us. We really need closure there. The second thing I would say is really to foot stomp Andy Grotto's message. The FY17 budget is a make or break budget. The Department of Defense has, I think, gotten from my civilian perspective pretty steady and good funding for what they're trying to do in Cyber Command. We have, relatively speaking, not put as much funding into civilian government and cybersecurity. And if we're going to be serious about this, we have to put the dollars there. It's not going to magically happen without the resources to support it. And I think the '17 budget is truly a make or break budget for them. We're doing a report at CSIS looking at the progress made in the last decade, which has been substantial, both from the Congress and from the Bush and Obama administrations. But we're also looking at the next things that need to be done. So I think a lot of the issues you've heard, building up DHS, thinking about governance, moving to managed services, some of the things we didn't talk about, authentication, figuring out DOD's role, these are all going to be big problems. Let's see how far CNAP gets in moving the ball forward. It's a great last effort. We'll see if it works. Thank you very much for coming. Please join me in thanking everyone. Thank you. [ applause ]