Transcripts For CSPAN2 Key Capitol Hill Hearings 20140220 :

CSPAN2 Key Capitol Hill Hearings February 20, 2014

... continue those discussions as well.

What does your experience with the cloud sector and the smart grid sector tell you that will end up looking like?

Probably the most mature right now is the discussion on the smart grid, just because it is a little bit older than the cloud side. It was focused on the government adoption side. The smart grid, a smart grid interoperability panel, which is an actual 501(c)(3) organization, was put together because the stakeholder group felt there was not an existing organization that could facilitate that process. They established one of their own. This has provided funding for the operation of the organization. We remain working with them routinely today, where you now have a living cycle of, OK, here are the changing issues, here are the top ones, here are the ones to fix. The top panel does the triage, and in many cases now works with all of the different standards organizations that are supporting that, saying, hey, here are key areas to improve, and making sure the adoption side is worked out. Because again, that was interfacing with the regulated industries as well. I think it might look different. It probably will. This is a different sector. We are not going in with an answer. And this may take a while to put together, but it is worth continuing discussions about how we do this if it is not a one-time process, but something we do year in and year out.

Thank you for this discussion. I am unaffiliated. You spoke a little bit about how the federal agencies are going to comment on this and react, and how industry has incentive. I was wondering how you will get the state governments to adopt this and get involved. There are many things at the state level that matter, that are very important.

That is a great question. I will let you answer that. [laughter]

We have had strong interest from the states. A number of state CIOs were at the event; I was talking to them about their framework process. They end up touching this problem at a number of different levels. Many of these critical infrastructure entities are interacting heavily with the states, and in some cases are regulated or involved with the states themselves anyway. Again, this harmonization issue comes right out for them, that this is an important building block, because it is something they can use as a framework for these organizations. Think of the water utilities and others that are happening at this level. The other place that this is helpful to them is the extent to which we see widespread adoption of the framework: it means that the technology providers that are providing technology and software and security solutions to support these companies are now creating a market of some scale. They can help drive down costs and improve performance. That affects all the states that in and of themselves would not have the market scale to drive this. We encouraged state participation from the very beginning. They have been involved in the framework process from the very beginning, and you will continue to see their involvement ramp up.

The only thing is, one of the reasons we have been pushing for legislation at the federal level is the fear that you would end up with a mishmash of state legislation that doesn't allow for these types of efficient, effective markets. The framework is helpful, because it creates a baseline that is collaborative and based on the sort of standards. I think it's quite helpful.

But how do you think it is handled at the federal level? There are requirements for security at the federal government. How do you see this being rolled out?

At the rollout, we talked a little bit about this in terms of government use. The most straightforward thing that every adopting company is doing right now is to use the framework to develop profiles of your current practice. That is what is laid out in the framework. One of the first things we will be doing, at the agency level, is to use this, similar to your organization, to try to develop that identification. The security model aspect of the implementation of the framework could be extremely helpful to the federal government. It moves the debate past the notion of controls, and the notion that the only thing you can assess and measure is how many of the controls you put in place. Under the framework, that is a tier one implementation level. What this starts to point to is that you can move beyond that into a real risk management framework with a higher maturity level that has bigger advantages. It opens up the palette of addressing this as a risk management exercise within the government. And finally, the last one is, there has been a tendency to address cyber security performance issues within the government by just making the CIOs more and more muscular. The framework actually points to a different answer, which is integrating it with the program lines. This is going to the boardrooms and to the CEOs. It points to something very interesting, starting with the cabinet-level secretaries and accountability there, and looking at this from an integrated perspective. We just started that, but I think it will be quite interesting.

You have been a cabinet-level secretary.

I was privileged to have a wonderful acting deputy, Dr. Patrick Gallagher. And one of the things he has done in that capacity is to really take in hand the cyber security management at the Department of Commerce. I think you called it eating our own cookie. In terms of that, making management at the highest levels of the department responsible for cyber security, and not simply something that our CIOs deal with.

When do you see that being made publicly available, published?

You know, there is no obvious exemption. There may be security issues in aspects of them. Let me go back to the point that the framework is not about the controls. In any organization, you're going to have a dynamic set of controls. They are drowning in piles of controls that they have been looking at, and, by the way, other mandates outside the security space. What is unique about the framework from the government's perspective is the management approach, to really integrate it into how you run the department, and to make those decisions, not just technology decisions, but skill sets and hiring and cost allocation, and all of the other things that are just as much a part of cyber security as controls. In some ways, this is a very fresh perspective on the government approach. And I think the management approach could be very public. That is probably more important. That is where the real accountability lies.

We have two questions. You can take them both, and then we will have two questions to finish. We will take both questions and then we will answer them.

I wanted to come back on your comment about controls. If I understand correctly, the controls are the first step of four. Does that mean that the controls are within the government today?

Let me be a little careful about what the implementation is pointing to. There are controls at every level, and controls are an important part of how you control a particular risk. I'm not saying there are only controls at tier one and then you can get away from the controls. What the implementation here is pointing to is, in some ways, you are maturing in managing this risk. I think of tier one as being a rule-following culture. In other words, you create it and the success is: I got through the list and I can do all of this reliably and repeatedly. That is quite different from an adaptive or proactive type of culture, where, in addition to having the rules and controls, you are actively identifying new changes preemptively. It is going from a set of static controls to an immune system. Controls are everywhere. But you asked an interesting question: where will the federal government end up as we start doing profiles? I don't know. My suspicion is that since we have been mesmerized by control publications, we should not be surprised to find ourselves near an implementation level that is focused on that, which would be ground one. But we will see. It will be quite interesting as we do that.

Final question. One of the things the panel talked about was the alignment of the business interests with the national interests. Let me give you a scenario and see how that would really change in the corporate world. I'm talking about a target named Neiman Marcus. I recently read a study where the U.S. credit cards are eons behind the European credit cards, with a magnetic strip and everything. Visa, MasterCard, American... Now, a target like Neiman Marcus could be losing 7 billion a year. To replace all of the credit cards, it will cost us more like 11 billion, right? Normally, cyber security they don't really do. In this case, they are doing that. How do you make sure that some financial interest does not overtake what you would call the national interest?

Underneath your question is one of the profound issues Congress will face. If these are not aligned, then I think that is because ultimately we are talking about something that, if it fails under a cyber attack, has great harm to the country. That is just going to get fixed somehow. But I think, backing up a little bit, I'm not sure that I would say the financial risk assessment that they were looking at was correct. In the following sense, you know, you are correct that one of the issues the U.S. has seen in the sector is we were early adopters of card technology, but it was very expensive to deploy. It has been compared to mature, much younger technology for card readers and so forth. And with that legacy comes vulnerability. The question will really be, yes, that is why the risk management is so important. To what extent does the refresh of this technology help and mitigate and control those risks? I would assume that is what a good organization would be going after. But this is not just the direct financial loss of those customers who lost their information. And that is certainly not what I'm hearing from the CEOs. This is a profound reputational loss. This is potentially going right at their market share. What I'm hearing from CEOs is a very acute sensitivity that this is a big deal, and that is why it is rising to the very top of the boardrooms as the discussion. I would be surprised if they were reaching that kind of simple apples-to-oranges comparison, because that does not track with what I'm hearing from CEOs today.

I think that is right. The cost-benefit analysis is, in today's environment, wrong. I think it reflects what has historically been the challenge in dealing with cyber security. The compliance, they were worrying about it, but it is a cost issue. It is difficult to get attention. I think because of reputational concerns, because of the impact if you are a company that has a significant failure, I think that is changing, as reflected in the level of concern that was talked about. And I think we are seeing that reflected in some of the demand in the corporate sector to change, for example, card technology, despite the economics that you talked about. I work in a highly disruptive sector where companies don't ..., largely based on new innovation. The key to the success of those companies is trust and integrity. To the extent that we don't take cyber security seriously, we are undermining that trust and integrity. And that is a principal reason why it is one of the issues that I hear, perhaps, most often from our most senior executives in the companies that I represent. It is truly one of their top priorities. In a pure analytical or quantitative sense, it might not show up. But the reputational and the brand damage is so significant that it is conscious of those issues.

One penultimate question, before we end up looking at what this is like. And that is the question of privacy. It was explicit when the president gave his executive order that he needed to respect privacy. And throughout the process, there was concern from what you might call the privacy lobby to ensure that was the case. And you have produced a response to that. Could you tell us the story, so that we have a better understanding of how you have altered the framework to reply to some of those concerns?

I think the short version of that story is the one you laid out, that privacy was the explicit requirement for us to consider as we developed the framework from the very beginning. It was actually part of every discussion and every workshop we had, including the kickoff workshop. I remember having a discussion about the incorporation of privacy at that point. What seemed to happen, and we could come back and have a discussion about what the psychology was, but it was intended to be an issue where, first of all, the maturity of how you implement the building blocks, those were less mature than what was true in a lot of the cyber security areas. And partly based on that, it was relegated; even though we brought it up at every workshop, it is one that we kept going back to, saying that we need to work on this. And one of the consequences of this is that midway through the process, the privacy principles were basically in a standalone section as an appendix. I think maybe that is what caught everyone's attention. When that construct was finally there, then I think the stakeholder group that was working on the framework, all 3,000 of them, jumped in. It was an interesting perspective of how the framework works. The whole industry stood up and said, this does not make sense, to have this be a full-on attachment. This is based on the same kind of data protection principles that are integrated. They made a counterproposal to integrate those into the main framework. Now it is actually integrated and not bolted on. That is where we stand today. I think where it ended up is the right place.

Security is an essential ingredient of privacy. It is part of the privacy principles, part of the White House Consumer Privacy Bill of Rights. It is not a standalone issue. There are privacy implications of some of the cyber security practices, particularly when you get into sharing information with third parties, or in particular the government. It is important to incorporate into the framework the privacy practices, as has been done. It really is part and parcel of security. We were one of the stakeholders who were concerned with the bolted-on approach. But we think it ended up in the right place. I do note that it is one of the nine areas, so we intend to engage and make sure it progresses forward.

Which brings me to my last question, which is, as we go forward, what do we think success is going to look like? And an important part of the framework, I hope I am correct, is to assess where there may be a requirement for legislation or others to engage. A question for each of the panelists is, how will we know whether a direction is required, but more importantly, what does success look like, and can we be confident that this is delivering what we think it should deliver? We will come down this way.

I think a big part of it is adoption. The extent to which most businesses are looking at the framework and integrating it into their operations, much in the way we talk about CEOs making it a part of their boardroom discussion. The second part of it is that it, in fact, does not become a stale document that sits on the shelf, but does become a living, breathing, iterative process, as opposed to one whereby we are still working on it 10 years from now. Gaps with Congress, I think we have spoken to those. And the most pressing that can be dealt with on its own is around information sharing.

How much confidence do you have that those can happen?

A high degree of confidence. The question is when. [laughter] I'm confident; I'm sitting in a discussion with Congressman Rogers and Ruppersberger on Monday. I hate to say anything that would give away my position. It is highly unlikely, but I think it is possible.

Or a version 2.0, point some significant number. Because I think that would be a sign that there is active engagement, active adoption, and is leading to the iterative process. Any indication that the model is working?

I always like to get asked this question. The acid test of all of this is our nation's critical infrastructure: is it better protected? And it is also hard to measure. That is going to be very challenging. So I think of the success story as having sort of two elements. One is the near term. I think that is the adoption, and the way I have characterized that is, is that inevitable? And we are struggling with those kinds of nuts-and-bolts issues. They may be tough, but they are the kinds of things that can only come up with those trying to use this. That is a big success, because that means this is actually being put into practice, and you have a framework to improve. And then I think there is an intermediate set of metrics that I think are potentially very powerful, and it kind of goes to the safety comparison. So while the final outcome could be something we are only retrospectively looking back at, I hope that we start seeing some very meaningful improvements in what I call security behavior. That could be the capacity within organizations to be able to identify risks, that could be the capacity of staff, it could be skill level, and it could also be behaviors like self-awareness, the idea that we know what is happening on our systems more, or that the speed improves. I think it is quite measurable. It would point to a healthier organization in managing these risks, and my hope is we will be working with industry, sort of a NIST thing to do, looking for meaningful measurements along those lines.

Thank you. We will be looking forward to the cyber security framework 2.0 or 3.0 and perhaps have comment on it, and I would like to thank all of you for j