Potential threats from russia as the war continues. Thank all of you who have been working so hard to the front lines and to protect the Critical Infrastructure that america relies on every hour of every day. The sub partnerships are the heart of everything that we do and are vital to ensure the security in particular of chemicals the facilities that store them. Foundational to our nations most important supply chain. Just like everything that we do, this is not a Medicine Mission that the government can do alone, this is something we have to collaborate with and work on as a nation. We know that the threat is only getting more complex, more dynamic and dangerous. Whether it is nation state threats, or terrorists, threats from cyber criminals, we are dealing with a very difficult threat environment. I think the good news is, we have incredible people working across industry across the state and local level, developing defensive strategies that are going to help us ensure that we can protect this nation, particularly from chemical terrorism. We know how seriously the risks are to our system from both cyber and physical threats and the importance of programs like which really emphasize a very holistic approach that encompasses both cyber and security measures. I was going to the risk based performance standard last night in preparations for this talk. In 2009, the standards were laid out in physical security, but also cybersecurity. It was before cyber was really a thing, this committee understood the importance of a collective approach to protecting both the industry and the facility that house our chemicals. We celebrate a milestone, a decade and a half of successful collaboration with the 15th anniversary of our program. As we think about celebrating the maturity of the program, i want to emphasize the reauthorization is a very high priority for us. We cannot lose momentum in those efforts to prevent chemical terrorism. We know that the threat is real. My team and i are very focused on that. I would be remiss if i did not take the opportunity to think security inspectors. I know that there are some in the room here and watching from our regions. They work day in and day out to ensure our facilities. I am really proud of everything that they are doing. I am proud to all of the things that we do to offer voluntary services, whether there is riskbased assessment. I know theres a lot of information youre going to hear or have heard in the summit. Really important to take advantage if you are not already of some of the services we provide. We are going to talk about our cyber Incident Reporting today. Also to be able to report incidents when they incur to help inform the security of the overall sector, as well as the security of the other sectors giving the interdependence that we know what this sector. We use that information to ensure we can raise the bar on our collective defense. I know were going to get started here with kelly. I wanted to take a few are permitted opportunities to tell you how pleased i am to be here and excited i am for the ongoing collaboration that we have with this community. Thanks very much. [applause] thank you. After the fireside chat, kelly murray, she joined in 2008 and has held a variety of roles and has held a variety of roles with regulatory program. And overseeing site security plans and approval, miss murray became the head of the office of chemical security in the spring of 2021. In her role as associate director, she focuses on a wide range of chemical security initiatives, including the maturation of the program, the newly launched program, and the proposed Ammonium Nitrate security program. We are so glad that both of you could join us this morning and the floor is yours. Thank you. Thank you for your opening remarks. We are so happy to have you this year in person. Yesterday everyone got in excited nature because i am glad to be back in person. We do have a handful of questions. In your opening remarks, you touched on threats facing our Critical Infrastructure. Can you start with a snapshot of the current physical and cyber Threat Landscape and what we are doing as a nation to address that . I am excited to be here with you. Thank you for putting the summit together. It is important to walk about talk about the Threat Landscape in holistic way. We play two roles. We play a role with the american Cyber Defense agency. We are the National Coordinator for Critical Infrastructure security and resilience. We are really focused on the full range of threats that can affect all of Critical Infrastructure as we all Work Together to protect and defend it and ensure its resilience. From a cyber perspective we know it is a complex and dynamic and increasingly dangerous landscape. We have seen state actors like russia, china, iran, north korea that are increasingly well resourced in this area and sophisticated. And then, a full range of cyber criminals that have become more sophisticated and more effective given the proliferation of cyber tools. We do not have the luxury just to worry about Cyber Threats. We need to look at the full range of threats. This is something that i know ryan mentioned. Before i came to cisa i was the head of a Firm Resilience at morgan stanley. I was asked to set up our Cyber DefenseFusion Center to ensure we could understand, detents, detect and responded to all , Cyber Threats to the firm. Two years in, we were asked to expand it to a Resilience Center in the understanding that it is not just Cyber Threats, but physical threats. Terrorism, manmade threats, natural threats, hurricanes, diseases, pandemic. We really have to look at the full landscape. That is why i was so impressed with the comprehensive nature of the riskbased portfolio standards, both from looking at physical security, as well as cybersecurity. I think this is uniquely one of those sectors and industries that from the beginning really looked at the holistic Threat Landscape and that is why i am so excited about our work here at cisa and your leadership. One of the reasons we are so successful at implementing at the beginning and standardizing that process was our partnership. We as a regulator in cisa center around partnership. Could you describe cisas approach to those partnerships . Partnerships are at the core of everything we do in cisa. We do have cfats regulatory authority, but most of what we do is not regulated. Its voluntary. I spend the vast majority of my career in hardcore National Security. I was in the army, deployed many times. I was in the intelligence community. In the National Security world, you can say that the federal government arguably has monopoly power. In Homeland Security and chemical security and cybersecurity, the federal government is just a partner. Its just a coequal partner with industry, and in many cases, state and local partners that, some of whom, on public utilities. So, that ability to create trust in relationships is absolutely fundamental to everything we do. Cfats is a critical piece of this. The program you started is also equally important to get a wider range of capability to help protect the entities that are not necessarily part of cfats. A lot of that work is about partnerships. I always say that the foundation of any great partnership, whether a marriage or a business deal, is trust. Building that trust is a fundamental to our success. With trust, you have to approach it with humility and transparency. And gratitude. Gratitude for people coming to the table bringing expertise, bringing ideas, bringing problemsolving and bringing a fundamental belief we have to Work Together for the collective defense of the nation. We were talking about it earlier this morning. How part since the participative this community is in building the collective defense. It is terrific to be part of this today. I know from our perspective, cfats has had a little bit of a rough start at the beginning. Building performance regulation was new and different. It turns out it was definitely the right thing to do. We have always found these partners in this room were never shy of sharing their opinion. They were never shy of collaborating and providing input. While it started off as a little bit of a rocky partnership, because we needed that humility, and to learn how to develop the program, it really turned into, and created, the trust that to this day, this group is just very open, very collaborative, very willing to express their opinions. I think this has created that trust in even a regulator. So much so that we are now all touting performancebased regulation and how that is the future of Critical Infrastructure regulation, in my mind really. I think our Industry Partners would agree. They are often the ones on the hill talking with our Congressional Committee about the benefits of cfats and need for longterm reauthorization. I think that shows a True Partnership model even in a regulatory space. Totally. You have been in this program a while, almost from the beginning. Kudos to you. This is an incredible evolution we have seen in leadership. The program has made incredible strides. It is a model, you know . As i mentioned, we are largely a voluntary agency. When you think about regulation and regulatory authority, i mentioned in my mark the cyber in my remarks the cyber and civic reporting. We will go through a rulemaking process from that. Having come from a highly regulated industry in finance, there is a place for regulation. But, regulation has to be smart. It has to not be overly burdensome. It has to ensure we are putting the right measures in place to collectively protect the sector. Ensuring we are not leading to compliance box checking. It is about optimized risk Operational Risk management. These performance standards are emblematic of a type of regulation that is really effective in this space. An effective model to think interesting model to think about is we evolve in the space, protection, Critical Infrastructure. Moving into the risk area, one of the focuses i know that has been on a lot of your minds and a lot of folks minds is a key to discussing the effort expanding convergence of cyber and physical systems. As a cisa director, what do you see as the most pressing security challenges today and in the future . This is such a important question. One of my big Strategic Priorities for the coming year is to develop a more holistic approach, given the recognition that our systems are all converging between physical and cyber. There was a call with the president s panel on Security Telecommunications yesterday that a great report on i. T. ot convergence. There is a lot of work being done in the sector on that. Certainly, there protection from both physical, but in particular Cyber Threats to Operational Technology systems. In the olden days we thought of i. T. And ot as two separate worlds. There are different systems, but given the impact that you have from Cyber Threats and i. T. Through to ot, this community realizes, given much of the processing controls, the data controls, the industrial control system, that has helped to power the chemical industry, we needed to be very mindful of all the threats that can exist to physical threats, Cyber Threats come into our Operational Technology. That is one of the things i am most focused on. As we know, these can have realworld impacts when you are inspecting things like an electric grid, a data system, a chemical processing facility. We are already putting a lot of effort into our focused. We just expanded what we called our joint Cyber Defense collaborative, but last year to bring together federal government partners, international partners, and Industry Partners for collective defense to identify activity, to create a threat picture, to drive down risk. We recently expanded that to i. T. Centers. We were asked last year by the white house to focus on protection of industrial control systems. I think the chemical sector is next in line that we will kick off the 100 day plan, probably later this year. The other thing im excited about is cybersecurity goals that reflect both i. T. And ot and we will be kicking off with some work on chemical sector goals. We will be tapping into the community. There is a lot going on in this space. I know next week we will roll out our systems. We have our newest agency in the federal government. I am excited to really get that started in terms of how we build the agency that america deserves. A lot of that will be focused on how we are reducing risk in the nation, but also how we are building success. We came off the back of another that was pieced together and now we are building one Holistic Agency to focus on the cyber threat and physical threats to the Critical Infrastructure americans rely on every hour of every day. There is a lot of work in that space. We have a very dynamic threat environment. Its not lost on anybody in this room that its ukrainian independence day. It has been six months since the unprovoked invasion by russia. Certainly, we have been concerned about potential threats from russia or statesponsored or criminally aligned groups on our Critical Infrastructure. That is why we have been talking about shields up. The important new all Critical Infrastructure owners and operators. Frankly, this is really the new normal that we need to focus on. It threats across the board. Really important work. You spoke about all of the important work coming up and building the agency and building capability to do all that work. I know we have been focusing a great deal on internally building the workforce, particularly, our Cyber Workforce. We know that Industry Partners have concerns about building their Cyber Workforce as well. Can you talk about diversity and women in the workforce initiatives and priorities and how those will help us transform the agency to provide the programs . This has been something i have been passionate about my whole life. I started as one of the first classes of women at west point when many did not want women there, did not believe women should be there. That was an early lesson in fortitude and resilience. I have always been a big believer in gender diversity. But it is much broader than that. I am interested in your views on this when you think about. When you think about diversity, neurodiversity, diversity of sexual preference, diversity of race, of national origin, skills, background, gender identity. This is about diversity of thought. This is what makes us better at our jobs, solving our most challenging technical problems. Our security problems. That is why we are focused on building an environment that not just welcomes diversity, but truly celebrates it so everybody has a true sense of belonging. That is the culture we are building at cisa. I have been here 13 months now and i have spent a significant amount of time directly engaging with our workforce to cocreate a cultural framework of values and principles that help define what we expect from each other and what we aspire to be as an organization. It is about inclusion, innovation, collaboration, teamwork, ownership, empowerment, trust, and transparency. I think for anybody looking to attract great cyber talent you have to first make sure you have a culture that will appeal to that talent. Todays cyber talent has a lot of opportunities out there and its very competitive. So, a sense of belonging. A culture of psychological safety, flexibility. We provide thousands of divisions that are remote work and telework. And a culture that really prizes people first. That is a big part of what i have been doing over the past year. Frankly what i will be doing over the next however long i am here. I am interested on your views. I can say that similarly not quite as dramatically, i was also kind of a woman in a maledominated field. I started here 15 years ago. It was a maledominated field. Before that i was at the department. Before that i was a math major. A pretty other maledominated field. While i was very used to that in coming into what is now cisa, i was lucky our program started out with a small group of folks and some amazing female leaders that i aspire to and mail leaders that diversity of thought. We were all in this group together. That is the culture that i came into cisa with p or that is what i inspired the team to continue. Hearing all of the opinions, whether it is the industry opinions, staff level opinions, hearing all of those and bringing them in so that we are as transparent as possible. That is a performance standards need to be is innovative. That is what is working with our Critical Infrastructure partners were our technologies are changing quicker than security can keep up. That is the culture that i work to instill on the team. It is what we try to bring on board. We brought a team member on not too long ago. When speaking with her, she said to me she had a lot of opportunities, when i interviewed with this team i felt like i was home. That resonated with me. I strive to create a family culture, the good kind of family c