Identifying on the agency networks and allow us to better prioritize. Thanks. So one of the other points I want to cover today was last week the GAO came out with a fairly critical report. One that would appear to be most troubling said only 7 of the 24 csf agencies have programs with any functions considered effective per the NIST standards for cybersecurity control. That doesn't sound very good. I want to give you the opportunity to, as we talk about the cybersecurity posture of the .gov, reconcile that with the report. Sir, I think that we have, we've learned a lot over the years about agency capacity to manage cybersecurity risks and the resources they have to do so. I can say they've prioritized across the highest level of government. What we've learned through engagement in partnership and measuring agencies is there remains significant gaps, and we have built over the last couple of years and are continuing to build technical assistance capabilities. Things like design and engineering. Helping agencies get much more in-depth insight into those networks and providing them with a greater level of assistance both engineering and on the government side to help them address the often complicated networks with the resources we have. But we see a lot of potential for CDM in the ability to deliver tools at lower cost across agencies, and this is the first time many agencies have had access to this level of automated data to understand what is on their network, and so we see a lot of potential for this. But for many agencies there's a lot of capability that has to be built and we're continuing to take advantage of things like shared service. More capability of DHS to deploy to agencies. So your comment about shared services and resources, I want to follow up because I think it's important to look where we are and where we're going.
So looking forward, how do you see DHS's federal network protection tools evolving past, say, a signature-based threat detection tools, and particularly where my conversations with the administration and cybersecurity advisors really putting an emphasis on cloud computing and shared IT services and resources. So I guess in a sense, what is EINSTEIN future generations, 10.0, look like? Well, I'm not exactly sure what EINSTEIN 10.0 will look like yet, but I can tell you where we're looking to evolve. The president's key initiative around modernizing our IT. There are large challenges with legacy technology. But we need to modernize the way we govern and procure. We're working very closely to modernize our security processes. We ensure that we are modernizing our security approach but not losing the insight that we have into traffic, either traversing internal or in and out of agency networks. Importantly, we have learned on CDM some key lessons from the first phases of good deployment. We have a new contract vehicle in place that will enable cloud and mobile technologies in addition to the on-premise capability we have right now. We are building on what industry is learning from behavioral-based detection method, and we have had successful pilots and look forward to continuing to build that capability. My time has expired. The chair now recognizes Mr. Chair for his questions. You all know I authored legislation to dpraul a department-wide cybersecurity strategy within DHS. That strategy and report was due in March. We still don't have it. So what's the status of it, and if you're running into problems getting it done, what are those problems? Sir, thank you for the question. The office of policy has the pen, so to speak. It rolls in components across the department between Secret Service, ICE, Homeland Security Investigations, U.S. Coast Guard, as well as NPPD. So while we don't necessarily lead the investment of that strategy, we are a significant player.
My understanding of where it sits is influenced by the president's executive order, 13800, released earlier in the spring. That report puts DHS at the front or in the lead for almost all of the reports, particularly in the first two and fourth work stream. Federal networks, critical infrastructure and private workforce. They are anticipated to have severe impacts on some of the priorities of the department including NPPD. So I believe the decision on finalizing the strategy has been, let's get through the cybersecurity assessments as well as the administration's anticipated national security strategy that are expected in the next several months, and when we have a broader understanding of where the department is going, that will fwiet. That said, it is still a priority to finalize that report. Frrts that said, as a department, we are moving forward with a number of our priorities. I do want to touch on a couple things you did early. As the senior official performing the duties, while we do not have a permanent nem tep saesh reitary to move out and execute authorization by Secretary Duke. While we do not have a permanent undersecretary now, I believe I have every authority I believe I need to execute the mission within NPPD. In terms of strategy, and we talk about report, let me take that aside. Do we have a department-wide strategy how we deal with cybersecurity and our needs and challenges we continue to face in the near future? Sir, my understanding, there is a department-wide cybersecurity strategy in draft form, yes, sir. Again, I don't want to get into the weeds. Are you operating on a comprehensive strategy on a day-to-day basis? We're in the lead for ensuring the nation's physical infrastructure of cybersecurity and threats. Our top goal is securing federal networks and facilities. For me and with the Assistant Secretary Manfra, that is at the very top of our minds every single day.
The second piece is identifying and mitigating systemic risks across the nation's infrastructure. When I think about that, I'm thinking about the section 9 critical infrastructure greatest risks and also putting election infrastructure in there. As I mentioned in my opening comment, that, for me, this is number one priority for NPPD. We cannot fail there. And third and finally, incentivizing better practices across the community to include state, local, medium-sized businesses. Miss Hoffman, there's been a great deal of concern among national security experts Russia's goal of disrupting Ukraine's power supplies in 2015 and 2016 was to test its capabilities for a larger attack on the United States. Last month we learned Russia may have been responsible for Dragonfly 2.0, which exploited and targeted some of our increasing sector. How is the energy sector surviving and what is the capability widespread with that at your back? Thank you, congressman. The Ukraine attack was very much an eye-opening event for the energy sector. Specifically, the electronic sector got very organized recognizing we had to step up our continuous monitoring capabilities, ability to detect behavior on the system, and also building inherent protections as we develop new technologies, recognizing the core of anything is protecting against spear phishing and passwords and credentials and starting to go after where we need to be to prevent an attack on the system. We've been working very actively on the sector to build tools and capabilities for protections of their system. The chair now recognizes the gentleman from New York, Mr. Donovan, for five minutes. Thank you. I'd like to ask a question of all of you. In 2015, Congress passed the cybersecurity act and in 2017 we passed the cyberinfrastructure security act, and the president also issued an executive order back in May to strengthen our abilities. What do you guys need? What can Congress do to help you protect our nation?
Our federal agency, our private entities, as Mr. Richmond said, our energy industries? What do you guys need from us to help you protect our nation better than we're able to do now? Sir, thank you for the question. The very first thing I would start with, as you mentioned, the Cybersecurity and Infrastructure Security Agency Act of 2017, passing out of the full committee was a significant step forward. What we need, as I mentioned in my opening comments, quick action by the full House and Senate. Let me give you a little anecdote why that's important. That bill will give us three things. One, it will allow us to introduce some operational efficiencies, looking at common infrastructure across the organization, push them together so we are more streamlined how we engage and deliver services from customer service orientation. Second, it will help with our branding and clarify roles and responsibilities not just within NPPD but more importantly with our federal, state and local partners and private sector. I will come back to that in a second. Finally, what that will do is give us the ability to attract talent. We talked a little bit about workforce and hiring and partnership. On that clarity of roles and responsibilities, let me talk about that for just a second. I've been down to Puerto Rico twice in the last week. I was there last Monday with Administrator Long and the president's Homeland Security advisor, Tom Bossert, and I was there last Friday with Acting Secretary Duke. On Friday, meeting with Acting Secretary Duke, the governor and his key staff, we were discussing a number of the critical infrastructure challenges in Puerto Rico. When it came around to me, I talked about the communications infrastructure. You know the National Communication center resides within the Manfra's organization.
And we talked about whether we're assisting AT&T, Sprint, T-Mobile, help them get back in to prioritize capabilities, cell on wheels, cell on light truck, things like that to help temporarily pop up the communications service and help get communications in for cell towers. As I briefed out where we were helping those companies get introduced back in, I introduced myself as the official performing the duties of the undersecretary National Program Directorate. Try repeating that back out, it's not easy. Someone who has never heard that before immediately went onto a press interview alongside the TSA administrator, vice commandant of Coast Guard, Department of Homeland Security, said we have 93, TSA, Coast Guard and the comms guy. She doesn't know how to describe me. When I'm out engaging my stakeholders, they don't understand the mission I deliver. I need help clarifying that and providing very up front clear what I do and what my team delivers. That is a significant advancement. Any help I can get there, please help me out. More broadly, in terms of additional authorities and clarification of authorities, we are in the process of running that kind of stock taking of where the department sits in cybersecurity. Department of Energy in the FAST Act got significant authorities that could come to bear in the event of a grid incident. DHS has authorities in terms of incident response, information sharing. Thank you for those authorities. Going forward, we're not quite sure just yet what we need. I will tell you this, the cybersecurity threat is not going away, our adversaries are getting faster, more agile. We need to be resourced and staffed and positioned to respond to that. I know one more thing, we will not use less technology going forward. As you indicated earlier, we are going to the cloud, to shared services and relying upon these crosscutting technology capabilities in the information technology sector.
We need to ensure from a digital defense perspective we have what we need. We welcome that conversation. You can believe that you'll see me again and we will be talking about that. I have two seconds left. Would you contribute, please? Yes, sir. Very briefly, just to complement what Chris talks about, we're working within the federal government to understand what is the full breadth of our authorities, how to lean into the authorities we have to deploy more capability within the critical infrastructures. We're working to understand, now that we've identified these most critical assets at greatest risk, are there legal and operational and policy hurdles we need to address in order to assure we have appropriate prevention and response and recovery capabilities in place, and we look forward to working with you. Please don't wait until another hearing. Let us know how we can help. Absolutely. I yield back the time I have left. The chair recognizes the gentleman from Mississippi. Mr. Thompson. Thank you, Mr. Thompson. The last two speakers have talked about being resourced and staffed from an agency standpoint. Last March, we held a hearing talking about staffing at the department. Can you give us the number of unfilled positions in the cyber division right now? Sir, we are currently staffed at 76% of our fully funded billets. So we are 24% under. Can you tell us why we are understaffed at this point? Yes, sir. There are a variety of reasons. The first, largely thanks to the work of this committee and our appropriations staff in Congress in building the billets that are allocated to my organization, we have grown significantly. We have worked very hard to build according to that growth in billets. We have had some challenges. We've worked with our management colleagues and human capital colleagues to identify areas we can reduce the time to hire.
I can say, looking at the statistics from fiscal year 16 hire to fiscal year 17 hire, we've been able to reduce the time to hire by 10%. Many of these requirements have to do with security clearances. It does take a long time to process people through that security clearance process. We've made significant progress. We're continuing to work through our security office to continue to shorten that. We're diversifying our recruitment paths, looking at Scholarship for Service CyberCorps program has been a great pipeline after the government-funded scholarships, bringing these individuals in as interns and hiring them full time, they're already fully qualified for our direct hire authority, and looking at other programs such as Pathways, presidential fellows and other programs. We're looking at partnerships with industry. Yes, sir. I don't mean to cut you off. Is the problem we have too many programs to attach people to, or, I'm just trying to find out why, when we've given you the authority to hire, why we've not been able to come closer to whatever that authority is. Is there something we need to do to get you to that point? Sir, separate the authority that we were given by Congress to build an excepted service program. What I was referring to was I did not believe a couple years ago we were fully leveraging the authorities we already had and the programs we already had to bring people in and tightening the timeline that it takes to bring people on. The excepted service program is led by our chief human capital officer. I know this is a high priority for her. We did not probably appropriately expedite the development of that program four years ago. We have now done so. My understanding that we will now be able to hire against that program beginning in fiscal year 19, but there's a regulatory process we do have to undergo as a part of that.
Just for the sake of the committee, can you provide us with a timeline between when somebody who's considered for employment and when that is completed? Is it, not just get back to us. Yes, sir. Three months, six months, a year? I think that would be instructive for us, so we can kind of see if there's something involved? Yes, sir. The reason I say that, Mr. Chairman, I think all of us are constantly bombarded by people looking for employment opportunities. If we have potential opportunities here, is it something we are not doing? Are we not going out recruiting in a broader view or just what? We just need to kind of figure something out. Right. If I could, sir, just clarify, the 76% is just indicating people that are on board right now. If you include the people in the full pipeline, that brings us to 85%. For virginia we are at about 224 days to hire. That sounds long but that is to include a top secret SCI clearance process. Actually, for the benchmark of the rest of the government, we're actually doing quite well. We want to continue to work with you, sir, we will come back with you. Please get back with us. Mr. Krebs, we have a congressional task force on election security and we made requests of the department to provide us a classified briefing around this issue, and we've been told that it has to be bipartisan, that you can't just brief Democrats. Are you aware of that? I'm not aware of any existing policy. Let me say this. I share your concern on election infrastructure. I made that clear today, wanted to say directly to you as well, it is my top priority at the department. If we can't do this right and dedicate every single asset we have to assisting our state and local partners, frankly I'm not sure what we're doing day-to-day. In terms of what we