[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]


                CDM, THE FUTURE OF FEDERAL CYBERSECURITY

=======================================================================

                                HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                           CYBERSECURITY AND
                       INFRASTRUCTURE PROTECTION

                                 OF THE

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                               __________

                            JANUARY 17, 2018

                               __________

                           Serial No. 115-44

                               __________

       Printed for the use of the Committee on Homeland Security
                                     

[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]


                                     

        Available via the World Wide Web: http://www.govinfo.gov

                               __________
                               
                               
                    U.S. GOVERNMENT PUBLISHING OFFICE                    
30-190 PDF                  WASHINGTON : 2018                     
          
----------------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, 
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). 
E-mail, gpo@custhelp.com.                              
                               

                     COMMITTEE ON HOMELAND SECURITY

                   Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas                   Bennie G. Thompson, Mississippi
Peter T. King, New York              Sheila Jackson Lee, Texas
Mike Rogers, Alabama                 James R. Langevin, Rhode Island
Lou Barletta, Pennsylvania           Cedric L. Richmond, Louisiana
Scott Perry, Pennsylvania            William R. Keating, Massachusetts
John Katko, New York                 Donald M. Payne, Jr., New Jersey
Will Hurd, Texas                     Filemon Vela, Texas
Martha McSally, Arizona              Bonnie Watson Coleman, New Jersey
John Ratcliffe, Texas                Kathleen M. Rice, New York
Daniel M. Donovan, Jr., New York     J. Luis Correa, California
Mike Gallagher, Wisconsin            Val Butler Demings, Florida
Clay Higgins, Louisiana              Nanette Diaz Barragan, California
John H. Rutherford, Florida
Thomas A. Garrett, Jr., Virginia
Brian K. Fitzpatrick, Pennsylvania
Ron Estes, Kansas
Don Bacon, Nebraska
                   Brendan P. Shields, Staff Director
                 Steven S. Giaier, Deputy Chief Counsel
                    Michael S. Twinchek, Chief Clerk
                  Hope Goins, Minority Staff Director
                                 ------                                

      SUBCOMMITTEE ON CYBERSECURITY AND INFRASTRUCTURE PROTECTION

                    John Ratcliffe, Texas, Chairman
John Katko, New York                 Cedric L. Richmond, Louisiana
Daniel M. Donovan, Jr., New York     Sheila Jackson Lee, Texas
Mike Gallagher, Wisconsin            James R. Langevin, Rhode Island
Brian K. Fitzpatrick, Pennsylvania   Val Butler Demings, Florida
Don Bacon, Nebraska                  Bennie G. Thompson, Mississippi 
Michael T. McCaul, Texas (ex             (ex officio)
    officio)
             Kristen M. Duncan, Subcommittee Staff Director
                            
                            
                            C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable John Ratcliffe, a Representative in Congress From 
  the State of Texas, and Chairman, Subcommittee on Cybersecurity 
  and Infrastructure Protection:
  Oral Statement.................................................     1
  Prepared Statement.............................................     2
The Honorable Cedric L. Richmond, a Representative in Congress 
  From the State of Louisiana:
  Oral Statement.................................................     3
  Prepared Statement.............................................     4
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security:
  Oral Statement.................................................     5
  Prepared Statement.............................................     6
The Honorable Sheila Jackson Lee, a Representative in Congress 
  From the State of Texas:
  Prepared Statement.............................................     7

                               Witnesses

Mr. Frank Dimina, Area Vice President, Federal, Splunk:
  Oral Statement.................................................     8
  Prepared Statement.............................................    10
Mr. Dan Carayiannis, Public Sector Director, RSA Archer:
  Oral Statement.................................................    12
  Prepared Statement.............................................    14
Mr. Gregg T. Mossburg, Senior Vice President for Strategic 
  Operations, CGI Federal:
  Oral Statement.................................................    19
  Prepared Statement.............................................    20
Mr. A.R. ``Trey'' Hodgkins, III, Senior Vice President, Public 
  Sector, Information Technology Alliance for Public Sector:
  Oral Statement.................................................    23
  Prepared Statement.............................................    25

 
                CDM, THE FUTURE OF FEDERAL CYBERSECURITY

                              ----------                              


                      Wednesday, January 17, 2018

             U.S. House of Representatives,
                    Committee on Homeland Security,
                         Subcommittee on Cybersecurity and 
                                 Infrastructure Protection,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 2:09 p.m., in 
room HVC-210, Capitol Visitor Center, Hon. John Ratcliffe 
(Chairman of the subcommittee) presiding.
    Present: Representatives Ratcliffe, Gallagher, Bacon, 
Fitzpatrick, Katko, Richmond, Thompson, Demings, Langevin, and 
Jackson Lee.
    Also present: Representative Thompson.
    Mr. Ratcliffe. Good afternoon. The Committee on Homeland 
Security Subcommittee on Cybersecurity and Infrastructure 
Protection will come to order.
    The subcommittee is meeting today to receive testimony 
regarding the implementation and future of DHS's Continuous 
Diagnostics and Mitigation, or CDM, program. I now recognize 
myself for an opening statement.
    In providing effective cybersecurity, the ability of the 
Federal enterprise to monitor and assess the vulnerabilities 
and threats to its networks and systems in real time or as near 
real time as possible is paramount. This is what the Continuous 
Diagnostics and Mitigation, or CDM, program at DHS is all 
about, understanding what and who is on Federal networks so 
that we can achieve true visibility into the Federal 
Government's digital ecosystem.
    Phase 1 of CDM is to provide visibility into Federal 
networks and information systems by working to identify what 
was on Federal networks. It was a simple question, really. What 
hardware and software was on the systems an agency or 
department was running? This was about taking stock of those 
internet-connected assets. As DHS has moved through Phase 1, 
they found an incredible amount of devices connected to our 
networks that agencies were not previously aware of.
    How can you protect what you cannot see? How can you 
modernize your technology if you do not even know what 
technology you have? It is no secret that the Government has 
trouble buying technology. Old and outdated technology is not 
only a barrier to the Federal Government completing its mission 
to serve the American people in a digital world, but brings 
with it insecurities and raises serious cybersecurity risks for 
each and every agency and department.
    DHS began Phase 1 in 2012. While I understand that setting 
up new Government programs, buying new and advanced 
technologies, and deploying those technologies across a massive 
Federal environment is not easy, the threats to Federal 
agencies, however, continue to grow every minute. The maturity 
of the Continuous Diagnostics and Mitigation program has to 
move at the pace of new technologies and innovations, not at 
the pace of bureaucracy.
    To most effectively carry out oversight, we must educate 
ourselves. While DHS is working with 70-plus Federal agencies 
and departments from the 24 CFO Act, agencies down to dozens of 
smaller bureaus and offices, this committee must work to better 
understand the pace at which cybersecurity technologies are 
advancing and how programs like CDM are working to protect the 
dot-gov.
    Does DHS have access to the cybersecurity platforms, 
technologies, and services necessary to make effective 
continuous monitoring a reality in 5 years, not in 15 years? We 
must work with the experts leading these charges in the private 
sector to find ways for more agile adoption of the tools and 
services we need to defend our networks and our data.
    As we have seen with both the private sector and Government 
data breaches, the identities and privacies of millions of real 
Americans are at risk here. The Federal Government must work to 
protect the data of these citizens, including the employees 
that work within. That is why we are here today: To learn what 
we are doing right and to learn what we could be doing better.
    To a certain extent, what does success look like? The 
rapidly-evolving threat landscape of modern information age 
means that the Government must change its processes to ensure 
that we are not gathering more data than we can really protect. 
As we continue this conversation, I look forward to hearing 
from stakeholders throughout the Federal IT space, including 
technology companies, DHS, and the Federal agencies that they 
serve. We begin with the private-sector experts joining us 
today.
    CDM is the ambitious program that I believe if implemented 
well and over a reasonable time line provides the American 
people with the kind of Federal cybersecurity defense that they 
deserve. I want to thank the witnesses for their time and I 
look forward to their testimony today.
    [The statement of Chairman Ratcliffe follows:]
                  Statement of Chairman John Ratcliffe
                            January 17, 2018
    In providing effective cybersecurity, the ability of the Federal 
enterprise to monitor and assess the vulnerabilities and threats to its 
networks and systems, in real time or as near real time as possible, is 
paramount.
    This is what the Continuous Diagnostics and Mitigation--or CDM--
program at DHS is all about. Understanding what and who is on Federal 
networks so that we can achieve true visibility into the Federal 
Governments' digital ecosystem.
    Phase One of CDM is to provide visibility into Federal networks and 
information systems by working to identify what was on Federal 
networks.
    It was a simple question really: What hardware and software was on 
the systems an agency or department was running? This was about taking 
stock of those internet-connected assets.
    As DHS has moved through Phase One, they found incredible amounts 
of devices connected to our networks that agencies were not previously 
aware of.
    How can you protect what you can't see?
    How can you modernize your technology if you don't even know what 
technology you have?
    It is no secret that the Government has trouble buying technology.
    Old and outdated technology is not only a barrier to the Federal 
Government completing its mission to serve the American people in a 
digital world--but brings with it insecurities and raises serious 
cybersecurity risks for each and every agency and department.
    DHS began Phase One in 2012, while I understand that setting up new 
Government programs, buying new and advanced technologies, and 
deploying those technologies across a massive Federal environment is 
not easy, the threats to Federal agencies continue to grow every 
minute.
    The maturity of the Continuing Diagnostics and Mitigation Program 
has to move at the pace of new technologies and innovations, not at the 
pace of bureaucracy.
    To most effectively carryout oversight, we must educate ourselves. 
While DHS is working with 70-plus Federal agencies and departments--
from the 24 CFO Act agencies down to the dozens of smaller bureaus and 
offices--this committee must work to better understand the pace at 
which cybersecurity technologies are advancing and how programs like 
CDM are working to protect .gov.
    Does DHS have access to the cybersecurity platforms, technologies, 
and services necessary to make effective continuous monitoring a 
reality--in 5 years not 15 years?
    We must work with the experts leading these charges in the private 
sector to find ways for more agile adoption of the tools and services 
we need to defend our networks and data.
    As we have seen with both private-sector and Government data 
breaches, the identities and privacy of millions of real Americans are 
at risk. The Federal Government must work to protect the data of these 
citizens, including the employees that work within.
    That is why we are here today. To learn what we are doing right and 
what we could be doing better.
    And--to a certain extent--what success looks like.
    The rapidly-evolving threat landscape of the modern information age 
means that Government must change its processes to ensure that we 
aren't gathering more data than we can protect.
    As we continue this conversation I look forward to hearing from 
stakeholders throughout the Federal IT space, including technology 
companies, DHS and the Federal agencies that they serve.
    We begin with the private-sector experts joining us today.
    CDM is an ambitious program that I believe, if implemented well and 
over a reasonable time line, provides the American people the kind of 
Federal cybersecurity that they deserve.
    I want to thank the witnesses for their time and I look forward to 
their testimony.

    Mr. Ratcliffe. I now recognize the Ranking Minority Member, 
Mr. Richmond, for any opening statement that he might have.
    Mr. Richmond. Good afternoon, and thank you to Chairman 
Ratcliffe for today's hearing on the Department of Homeland 
Security's Continuous Diagnostics and Mitigation program, CDM.
    Today, DHS is working to protect Federal networks by 
administering two signature programs, Einstein and CDM. These 
programs work in tandem to keep out unauthorized traffic and 
provide on-going monitoring and mitigation of cybersecurity 
risk. Through CDM, the Department works with Federal agencies 
to procure cybersecurity tools and services to empower them to 
fend off cyber attacks.
    As initially envisioned, CDM will provide each agency with 
the information and tools necessary to protect its network by, 
among other things, identifying the assets on the agency's 
network that warrant protection, bolstering access controls to 
various elements of an agency's network, and improving 
situational awareness about activities on an agency's network.
    Implementation of CDM, however, has been slower than DHS 
originally anticipated. Challenges inherent to the size and 
scope of the task for accounting for all assets on the Federal 
network, confusion about whether DHS or a customer agency was 
responsible for footing the bill for CDM-related expenses, and 
technology gaps in the commercial off-the-shelf markets have 
collectively slowed the process.
    That said, today about 20 agencies have their internal 
dashboards up and running, two agencies have connected to the 
Federal dashboard, and by next month, DHS expects that all 24 
of its target agencies to be connected to the Federal 
dashboard. As more agencies connect to the Federal dashboard, 
DHS will have greater visibility across Federal networks and 
will be better positioned to identify and mitigate malicious 
activity, including complex coordinated attacks.
    As representatives of vendors who work directly with DHS on 
CDM, the witnesses here today have a unique perspective on how 
to ensure Federal agencies continue to prioritize cybersecurity 
investments, how the Federal Government can implement the 
lessons learned over the past 5 years to improve the program, 
and whether contracting personnel have the training necessary 
to deploy CDM quickly.
    I also hope the witnesses can speak to how the Department's 
failure to name a permanent under secretary for the National 
Protection and Programs Directorate, along with on-going chief 
information officer vacancies across the Federal Government, 
are affecting the implementation of CDM.
    Our adversaries have made their interest in breaching 
Federal networks crystal clear. Just last week, Trend Micro 
reported that Fancy Bear, the same Russian-backed hacking group 
that breached the Democratic National Committee in 2016, has 
been targeting the Senate's network. Although Congressional 
networks do not participate in CDM, this troubling report 
serves as a reminder that the interest in breaching U.S. 
Government networks persists and that the Federal Government 
must act more quickly to protect itself.
    On a final note, this subcommittee is also responsible for 
ensuring that Federal policies support private-sector efforts 
to secure critical infrastructure. Last summer, reports emerged 
that hackers successfully penetrated domestic energy companies 
and nuclear power plants. In light of the growing cyber threats 
across critical infrastructure, I will be interested in 
learning whether the private sector can benefit from 
implementing elements of CDM, like the dashboard, and whether 
efforts to implement CDM-like programs are already under way.
    I look forward to the insight of our panelists today and I 
thank you all for being here. With that, Mr. Chairman, I yield 
back the balance of my time.
    [The statement of Ranking Member Richmond follows:]
             Statement of Ranking Member Cedric L. Richmond
                            January 17, 2018
    Today, DHS is working to protect Federal networks by administering 
two signature programs--EINSTEIN and CDM. These programs work in tandem 
to keep out unauthorized traffic and provide on-going monitoring and 
mitigation of cybersecurity risks. Through CDM, the Department works 
with Federal agencies to procure cybersecurity tools and services to 
empower them to fend off cyber attacks.
    As initially envisioned, CDM would provide each agency with the 
information and tools necessary to protect its network by, among other 
things, identifying the assets on an agency's network that warrant 
protection, bolstering access controls to various elements of an 
agency's network, and improving situational awareness about activities 
on an agency's network.
    Implementation of CDM, however, has been slower than DHS 
anticipated. Challenges inherent to the size and scope of the task of 
accounting for all assets on the Federal network, confusion about 
whether DHS or a customer agency was responsible for footing the bill 
for CDM-related expenses, and technology gaps in the commercial-off-
the-shelf markets have collectively slowed the process.
    That said, today about 20 agencies have their internal dashboards 
up and running and two agencies have connected to the Federal 
dashboard. And by next month, DHS expects that all 24 of its target 
agencies to be connected to the Federal dashboard.
    As more agencies connect to the Federal dashboard, DHS will have 
greater visibility across Federal networks and will be better-
positioned to identify and mitigate malicious activity, including 
complex, coordinated attacks.
    As representatives of vendors who work directly with DHS on CDM, 
the witnesses here today have a unique perspective on how to ensure 
Federal agencies continue to prioritize cybersecurity investments, how 
the Federal Government can implement the lessons learned over the past 
5 years to improve the program, and whether contracting personnel have 
the training necessary to deploy CDM quickly.
    I also hope to witnesses can speak to how the Department's failure 
to name a permanent under secretary for the National Protection and 
Programs Directorate, along with on-going chief information officer 
vacancies across the Federal Government, are affecting implementation 
of CDM.
    Our adversaries have made their interest in breaching Federal 
networks clear. Just last week, Trend Micro reported that Fancy Bear, 
the same Russian-backed hacking group that breached the Democratic 
National Committee in 2016, has been targeting the Senate's network.
    Although Congressional networks do not participate in CDM, this 
troubling report serves as a reminder that the interest in breaching 
U.S. Government networks persists and that the Federal Government must 
act more quickly to protect itself.
    On a final note, this subcommittee is also responsible for ensuring 
that Federal policies support private-sector efforts to secure critical 
infrastructure. Last summer, reports emerged that hackers successfully 
penetrated domestic energy companies and nuclear power plants.
    In light of the growing cyber threats against critical 
infrastructure, I will be interested in learning whether the private 
sector can benefit from implementing elements of CDM and whether 
efforts to implement CDM-like programs are already under way.

    Mr. Ratcliffe. Thank the gentleman. The Chair now 
recognizes the Ranking Minority Member of the full committee, 
the gentleman from Mississippi, Mr. Thompson, for an opening 
statement.
    Mr. Thompson. Thank you very much, Mr. Chairman and Ranking 
Member. I want to thank both of you for your on-going work to 
assess and improve the Department of Homeland Security's 
efforts to secure Federal networks.
    Over the past decade, hackers have breached networks across 
the Federal Government, including the State Department, the 
Department of Commerce, the Department of Justice, Department 
of Energy, and the Office of Personnel Management. These 
hackers show no sign of slowing down. Instead, their tactics 
are growing more aggressive and more sophisticated.
    Congress has charged the Department of Homeland Security 
with important responsibilities associated with taking on 
evolving threats to Federal networks. Chief among these 
responsibilities is helping Federal agencies improve visibility 
of network assets and prioritize efforts to correct 
vulnerabilities. Initiated in August 2013 and formally 
authorized in 2014, the Continuous Diagnostics and Mitigation 
program, commonly called CDM, is supposed to do just that.
    Through four phases of implementation, CDM will help 
agencies understand, No. 1; what assets are on that network; 
No. 2, who is on their network; No. 3, what is happening on 
their networks; and, No. 4, how to protect data on their 
networks. Unfortunately, despite the security benefits CDM can 
provide, implementation has been slow.
    As of last month, nearly 5 years after CDM was launched, 
only 8 Federal agencies had transitioned to operation and 
management of Phase 1. A number of reasons have been offered to 
explain why CDM implementation lagged behind expectations, 
including ambitious programmatic goals, challenges in 
reconciling diverse agency structure and architecture, and 
resource and leadership challenges, among others. The Ranking 
Member of the subcommittee just talked about the fact that top 
people are not in place to provide some of the absolute 
necessity for direction.
    There are a number of other things, Mr. Chair, that I could 
talk about, but I look forward to the testimony and ultimately 
an opportunity to ask some questions. I yield back.
    [The statement of Ranking Member Thompson follows:]
             Statement of Ranking Member Bennie G. Thompson
                            January 17, 2018
    Over the past decade, hackers have breached networks across the 
Federal Government, including the State Department, the Department of 
Commerce, the Department of Justice, the Department of Energy, and the 
Office of Personnel Management.
    These hackers show no signs of slowing down. Instead, their tactics 
are growing more aggressive and more sophisticated.
    Congress has charged the Department of Homeland Security with 
important responsibilities associated with taking on evolving threats 
to Federal networks.
    Chief among these responsibilities is helping Federal agencies 
improve visibility of networked assets and prioritize efforts to 
correct vulnerabilities. Initiated in August 2013 and formally 
authorized in the 2014, the Continuous Diagnostics and Mitigation 
Program (CDM) is supposed to do just that.
    Through four phases of implementation, CDM will help agencies 
understand: (1) What assets are on their networks; (2) Who is on their 
networks; (3) What is happening on their networks; and (4) How to 
protect data on their networks.
    Unfortunately, despite the security benefits CDM can provide, 
implementation has been slow. As of last month--nearly 5 years after 
CDM was launched--only 8 Federal agencies had transitioned to 
operations and management of Phase 1.
    A number of reasons have been offered to explain why CDM 
implementation lagged behind expectations, including ambitious 
programmatic goals, challenges in reconciling diverse agency structures 
and architectures, and resource and leadership challenges, among other 
things.
    Indeed, so many explanations for slow CDM implementation have been 
offered that it is hard to suggest a silver bullet solution. What is 
clear, however, is that the threats to our Federal networks are far 
outpacing agency implementation of CDM.
    Is critical that we understand why implementation has been so slow 
so we can give the Department the resources, support, and authority it 
needs to resolve ongoing implementation challenges.
    That is why the expertise of the panelists today is so valuable.
    I will be interested in understanding what you all view as the 
lessons learned from the implementation of Phase 1 that can be applied 
to improve future implementation of the program.

    Mr. Ratcliffe. Thank the gentleman. Other Members of the 
committee are reminded that opening statements may be submitted 
for the record.
    [The statement of Hon. Jackson Lee follows:]
               Statement of Honorable Sheila Jackson Lee
                            January 17, 2018
    Chairman John Ratcliffe and Ranking Member Cedric Richmond, thank 
you for today's hearing on ``CDM: The Future of Federal 
Cybersecurity.''
    This hearing will provide Members of the Committee on Homeland 
Security with the opportunity to learn more about the Continuous 
Diagnostics and Mitigation (CDM) program, a key component of the 
Department of Homeland Security's (DHS) overall effort to protect 
Federal network.
    The Continuous Diagnostics and Mitigation program is an active 
approach to fortifying the cybersecurity of Government networks and 
systems.
    The task of installing CDM across the Federal Government was too 
large a task for one contractor so DHS divided the work among several 
contractors and subcontractors.
    Our witnesses will provide valuable insight in the process of 
installing of CDM throughout the Federal Government:
                               witnesses
   Dan Carayiannis, Federal director, RSA;
   Gregg Mossburg, senior vice president, Federal Strategic 
        Operations Group, CGI;
   Frank Dimina, associate vice president, Federal Civilian 
        Sales, Splunk; and
   Mr. A.R. ``Trey'' Hodgkins, III, senior vice president, 
        Public Sector, Information Technology Alliance for Public 
        Sector (Democratic Witness).
    The security of Federal agency networks has been a major concern of 
mine since I chaired Subcommittee on Transportation Security, which at 
that time had jurisdiction over cybersecurity issues.
    Earlier this month, the House passed H.R. 3202, the Cyber 
Vulnerabilities Disclosure Act, which I introduced to address the need 
for effective and aggressive action to deal with the threat of Zero Day 
Events.
    H.R. 3202 requires the Secretary of Homeland Security to submit a 
report on the policies and procedures developed for coordinating cyber 
vulnerability disclosures.
    The Continuous Diagnostics and Mitigation or CDM provides Federal 
departments and agencies with the tools needed to identify 
cybersecurity risks on an on-going basis, prioritize these risks based 
upon potential impacts, and enable cybersecurity personnel to mitigate 
the most significant problems first.
    The Congress established the CDM program to provide adequate, risk-
based, and cost-effective cybersecurity and more efficiently allocate 
cybersecurity resources.
    It is true that each Federal agency is responsible for protecting 
its own information systems; however, some agencies, including DHS, 
play a larger role in Federal network security.
    Under the Federal Information Security Modernization Act, DHS is 
required to deploy technologies to continuously diagnose or mitigate 
cyber threats and vulnerabilities and make such capabilities available 
to agencies upon request.
    The law essentially codified the CDM program, which DHS is 
implementing.
    DHS entered into partnership with GSA in 2013 to meet the statutory 
obligation of the Federal Information Security Modernization Act, which 
facilitated agencies' purchase of consistent, compliant technologies 
that offered ``Information Security Continuous Monitoring Mitigation'' 
(ISCM).
    The first contract was awarded on August 12, 2013, to 17 companies, 
supported by 20 subcontractors, that received awards under a $6 
billion, 5-year companion Continuous-Monitoring-as-a-Service to deliver 
diagnostic sensors, tools, and dashboards to agencies.
    CDM is an essential part of the Department of Homeland Security's 
overall effort to protect the civilian Federal network.
    Implementation of CDM is being phased in under the process 
established by DHS using several contractors and subcontractors.
    There have been a number of challenges to the process of 
implementing a Federal-wide CDM program.
    DHS encountered a number of unexpected challenges during the 
rollout of Phase 1.
    For example, neither DHS nor the customer agencies anticipated how 
difficult it would be to identify all the hardware and software assets 
associated to a network and grossly underestimated the number of 
agency-connected devices, which delayed the purchase and installation 
of the necessary sensors.
    In May 2016, GAO reported that most of the 18 agencies covered by 
the CFO Act that had high-impact systems were in the early stages of 
CDM implementation, and many were proceeding with plans to develop 
their own continuous monitoring-strategies, independent of CDM.
    Further, only 2 of the 17 agencies reported that they had completed 
installation of agency and bureau or component-level dashboards and 
monitored attributes of authorized users operating in their agency's 
computing environment.
    Due to these unexpected challenges the early estimates of 
completing Phase 3 by 2017 were not met.
    These issues as well as the urgency of protecting Federal agency 
networks makes it imperative that we have DHS before the committee to 
provide an update on the CDM program.
    I look forward to hearing the testimony from today's witnesses.
    Mr. Chairman, I yield back.

    Mr. Ratcliffe. We are pleased to have a distinguished panel 
of witnesses before us today on this very important topic.
    Mr. Frank Dimina is the area vice president for Federal at 
Splunk. Mr. Dimina's entire 20-year career has been within the 
cybersecurity industry, including several years as a security 
operations center director and consultant, providing advisory 
services and incident response support to public sector and 
commercial organizations. Thanks for being here.
    Mr. Dan Carayiannis is the public sector director for RSA 
Archer. I noticed in your bio nearly 30 years of IT management 
and security experience, and I look forward to having the 
benefit of your insights on that today. I know the full 
committee does, as well.
    Mr. Gregg Mossburg is the senior vice president for 
strategic operations at CGI Federal. Mr. Mossburg served as a 
commissioner on the Tech America Foundation 2011 commission on 
the leadership opportunity in U.S. deployment of the cloud, or 
cloud 2.0. Migrating to more shared service is certainly an 
important aspect of the CDM program, and so we are grateful to 
have you as a witness here today.
    Finally, Mr. A.R. ``Trey'' Hodgkins is the senior vice 
president for the public sector at the Information Technology 
Alliance for Public Sector. I saw, Mr. Hodgkins, that you 
received some awards for your work in IT procurement reform. 
That experience is one that I think will be very relevant to 
today's conversation.
    I would now like to ask each of you witnesses to stand and 
raise your right hand so I can swear you in to testify.
    [Witnesses sworn.]
    Mr. Ratcliffe. Please let the record reflect that each of 
the witnesses has been sworn and answered in the affirmative. 
You may be seated.
    The witnesses' full written statements will appear in the 
record. The Chair now recognizes Mr. Dimina for 5 minutes for 
his opening statement.

STATEMENT OF FRANK DIMINA, AREA VICE PRESIDENT, FEDERAL, SPLUNK

    Mr. Dimina. Chairman Ratcliffe, Ranking Member Richmond, 
and Members of the subcommittee, thank you for the opportunity 
to appear today to discuss the Continuous Diagnostics and 
Mitigation program at the Department of Homeland Security. My 
name is Frank Dimina, and I am area vice president of Federal 
for Splunk.
    In this role I have worked with Federal agencies, including 
DHS, on multiple cybersecurity and data analytics projects. My 
entire 20-year career has been within the cybersecurity 
industry, including several years as a security operations 
center director.
    Splunk is a fast-growing software company in San Francisco 
with a similar mission: Make machine data accessible, usable, 
and valuable to everyone.
    More than 13,000 companies, Government agencies, 
universities, and other organizations are using the Splunk 
software. In the cybersecurity arena, Splunk's software 
platform often serves as the nerve center of an organization's 
security operation center.
    In my testimony today, I will provide my views on three 
main topics: The progress to date of the CDM program; 
opportunities to modernize and enhance the CDM program; and 
supporting CDM's continued success.
    The CDM program has made significant progress over the last 
several years in providing Federal agencies with capabilities 
that identify cybersecurity risks on an on-going basis, 
prioritize those risks based on potential impacts, and enable 
cybersecurity personnel to mitigate the most significant 
threats first. That progress is due to the dedication and hard 
work of the CDM team at DHS and the support that this program 
has received from Congress and DHS leadership.
    Phase 1 of CDM, which is focused on determining what is on 
the network, has helped Federal agencies to identify endpoints 
on their networks and raise awareness of the extent of their 
cyber footprint. After deploying Phase 1 tools, some Federal 
agencies found a significant number of additional endpoints 
within their enterprise. As a result, those agencies are now 
carrying out efforts to bring those endpoints into the program.
    Phase 2, which focuses on determining who is on the 
network, is just now rolling into production. DHS and the 
General Services Administration, or GSA, are in the process of 
procuring CDM phase 3 and 4, which focuses on determining what 
is happening on the network. Once fully implemented, phases 3 
and 4 will give Federal agencies the ability to move from 
legacy, time-based system accreditation to dynamic, risk-based, 
and event-driven authorization. This will vastly improve the 
overall security posture of the Federal civilian government.
    Building on the progress to date, I believe there are 
important opportunities to further modernize and enhance the 
CDM program. One key opportunity is to better leverage the 
existing data collected throughout CDM. In our view, DHS should 
transform the existing CDM integration layer into a common data 
analytics fabric that is standardized across the program. The 
data analytics fabric would serve as a platform for collecting 
security-relevant data across Federal agencies at scale, while 
enabling DHS to perform flexible search queries, build robust 
visualizations, and provide real-time reporting of the results.
    There are several key benefits to this approach. First, a 
common data analytics fabric would improve the granularity of 
data available to Federal cyber analysts. Today, CDM data 
presented in the Federal dashboard is summary data. Like a 
photograph, summary data provides a snapshot in time, but lacks 
the fidelity of a live video feed. Providing DHS analysts with 
greater detail and drill-down capability would significantly 
enhance their ability to protect the homeland.
    Second, this would provide DHS and security teams across 
Federal agencies with access to data at machine speed. Across 
Government, there is a clear need for real-time access to cyber 
data from the analyst up to the executive.
    Third, a common data analytics fabric would provide the 
foundation to correlate CDM data with security data from other 
shared service initiatives like Einstein. Allowing the analysts 
at DHS to connect information from Einstein and CDM would be a 
mission enabler and provide a level of visibility that is not 
possible today. This approach might also result in additional 
economic benefits for the Government by standardizing CDM 
components, reducing human capital expenditures, and enabling 
operational efficiencies across CDM.
    Promoting CDM's continued success over the next several 
years will require continued funding through appropriations, 
robust oversight by Congress, and sustained leadership from 
DHS. Success also requires a smart acquisition strategy that is 
flexible and encourages participation by innovative 
cybersecurity companies.
    Thoughtful design of the next phase of CDM could help DHS 
future-proof the program. CDM must allow for additions of new 
technologies that enable risk-based monitoring and protection 
for emerging information technology, such as the internet of 
things, cloud, and micro-services.
    In closing, I will reiterate that the CDM program has made 
important strides. Now is the time to look at modernizing the 
approach and enhancing the capabilities of this program.
    Thank you again for the opportunity to testify before you 
today. I look forward to answering your questions.
    [The prepared statement of Mr. Dimina follows:]
                   Prepared Statement of Frank Dimina
                            January 17, 2018
    Chairman Ratcliffe, Ranking Member Richmond, and Members of the 
subcommittee: Thank you for the opportunity to appear before the 
subcommittee to discuss the Continuous Diagnostics and Mitigation (CDM) 
program at the Department of Homeland Security (DHS).
    My name is Frank Dimina, and I serve as the area vice president, 
Federal for Splunk Inc. In this role, I oversee Splunk's Federal 
civilian government business. I originally joined Splunk as the 
director of the homeland security and law enforcement team. During my 
tenure at Splunk, I have worked with Federal agencies, including DHS, 
on multiple cybersecurity and data analytics projects. My entire 20-
year career has been within the cybersecurity industry, including 
several years as a Security Operations Center director and as a 
cybersecurity consultant providing advisory services and incident 
response support to public sector and commercial organizations.
    Splunk is a fast-growing software company based in San Francisco 
with a singular mission: Make machine data accessible, usable, and 
valuable to everyone. Machine data is produced by every digital device, 
including computers, mobile devices, networks, sensors, software 
applications, and many other sources. Machine data contains valuable 
information that is used for security, anti-fraud, IT operations, 
compliance, business analytics, internet of things (IoT), and other use 
cases. More than 13,000 companies, Government agencies, universities, 
and other organizations are using the Splunk software platform. In the 
cybersecurity area, Splunk's software platform often serves as the 
nerve center of an organization's security operation center, providing 
a single pane of glass view for security analysts across an 
organization's entire security posture. Many Federal agencies, 
including DHS, currently use Splunk.
    Before I proceed with the rest of my testimony, I would like to 
recognize this subcommittee's leadership on the issue of cybersecurity. 
Cybersecurity is a rapidly-changing landscape, with threat actors and 
technology providers evolving daily. Legislation and robust 
Congressional oversight will be critical as we all work in partnership 
to strengthen cybersecurity on a national, State, local, enterprise, 
and consumer level.
    In my testimony today, I will provide my views on three main 
topics:
   The progress to date of the CDM program;
   Opportunities to modernize and enhance the CDM program; and
   Supporting CDM's continued success over the next several 
        years.
                      progress of the cdm program
    The CDM program, which was established by Congress to provide risk-
based and cost-effective cybersecurity across the Federal Government, 
has made significant progress over the last several years. Through the 
CDM program, DHS has taken significant steps to provide Federal 
agencies with capabilities and technologies that identify cybersecurity 
risks on an on-going basis, prioritize those risks based on potential 
impacts, and enable cybersecurity personnel to mitigate the most 
significant threats first.
    This progress is due to the dedication and hard work of the CDM 
team at DHS and the support that the program has received from Congress 
and DHS leadership. CDM has raised the bar for security and provides a 
solid foundation for achieving a baseline of protection across the 
Federal IT landscape.
    Members of the Splunk team have been involved with CDM from the 
very beginning of the program. Currently, Splunk software is deployed 
as a part of the CDM program at all 24 civilian CFO Act agencies. We 
have witnessed both the early challenges and the more recent steady and 
consistent implementation of CDM across Federal agencies. Since the 
beginning, Splunk has worked with various system integrators supporting 
the CDM program. That viewpoint has given us unique insights into the 
operational challenges, successes, and needs of the program.
    A critical decision made during the genesis of the CDM program was 
the adoption of a phased approach. Phase 1 of CDM, which is focused on 
determining what is on the network, has helped Federal agencies to 
identify the endpoints on their networks and raise awareness of the 
extent of their cyber footprint. After deploying phase 1 tools, some 
Federal agencies found a significant number of additional endpoints 
within their enterprise. As a result, those agencies are now carrying 
out efforts to bring those endpoints into the program.
    Phase 2, which focuses on determining who is on the network, is 
just now rolling into production. We believe the goal of phase 2, 
building a master user record for users of Federal networks, will be 
essential to threat mitigation and risk awareness across the Federal 
Government.
    DHS and the General Services Administration (GSA) are in the 
process of procuring CDM phase 3 and phase 4, which focus on 
determining what is happening on the network, via the Dynamic and 
Evolving Federal Enterprise Network Defense (DEFEND) Task Order series. 
Once fully implemented, phases 3 and 4 will give Federal agencies the 
ability to move from legacy, time-based system accreditation to 
dynamic, risk-based, and event-driven authorization. This will vastly 
improve the security posture of the Federal cyber landscape.
                     modernizing and enhancing cdm
    Building on the progress to date, I believe that there are 
important opportunities to further modernize and enhance the CDM 
program. One key opportunity is to better leverage the existing data 
collected throughout CDM.
    In our view, DHS should enhance the existing CDM integration layer 
so it becomes a common data analytics fabric that is standardized 
across the program. The data analytics fabric would serve as a platform 
for collecting security-relevant data across Federal agencies at scale, 
which would enable DHS to perform flexible search queries, build robust 
visualizations, and provide real-time reporting of the results. There 
are several key benefits to this approach.
    First, a common data analytics fabric would improve the granularity 
of data available to Federal cyber analysts. Today, CDM data presented 
in the Federal dashboard is summary data. Like a photograph, summary 
data provides a snapshot in time, but lacks the fidelity of a live 
video feed. Providing DHS analysts with greater detail and drill-down 
capability would significantly enhance their ability to proactively 
hunt for malicious activity.
    Second, a common data analytics fabric would provide DHS and 
security teams at Federal agencies with drill-down access to granular 
data at machine speed. Across the Government, there is a clear need for 
real-time access to cyber data from the analyst up to the executive. 
Moving this access to machine speed will strengthen the effectiveness 
of the Government's response to attacks against Federal systems.
    Third, a common data analytics fabric would provide the foundation 
to integrate CDM data with security data from other shared service 
initiatives like EINSTEIN, the DHS program that provides perimeter 
defense for Federal agencies. Allowing the analysts at DHS to correlate 
EINSTEIN and CDM data would be an important step as it would provide a 
level of visibility that is not possible today.
    The approach I have described would enhance efficiencies in 
cybersecurity and information sharing within DHS and between DHS and 
agency partners. It might also result in additional economic benefits 
for the Federal Government by standardizing CDM components, reducing 
human capital expenditures, and enabling operational efficiencies 
across CDM.
     supporting cdm's continued success over the next several years
    Promoting CDM's continued success over the next several years will 
require continued funding through appropriations, robust oversight by 
Congress, and sustained leadership from DHS.
    Success also requires a smart acquisition strategy that is flexible 
and encourages participation by innovative cybersecurity companies. One 
positive step is the decision by DHS and GSA to move to the GSA Special 
Item Number (SIN), reflecting lessons learned from the procurements 
associated with the CDM Blanket Purchase Agreement (BPA). This change 
instills a flexible approach that allows for CDM technical capabilities 
to evolve through the Request For Services (RFS) model. We believe the 
continued adoption of this acquisition strategy will help to keep CDM 
agile, innovative, and competitive.
    Thoughtful design of the next phase of CDM will help DHS to better 
position the program for the future. CDM must be able to evolve quickly 
and allow for additions of new technologies that can enable risk-based 
monitoring and protection for modern practices such as cloud and micro-
services.
    The future of the CDM program has critical implications for the 
security and resilience of the Federal Government's infrastructure. CDM 
can also set a positive example for large organizations outside of the 
Government, since some of the key concepts of the CDM program have 
applicability in the private sector.
                               conclusion
    In closing, I will reiterate that the CDM program has made 
important strides. Now is the time to look at modernizing the approach 
and enhancing the capabilities of this program.
    We look forward to our continued role in the Government-industry 
partnership that will move CDM forward to the next level.
    Thank you for the opportunity to testify before you today. I look 
forward to answering any questions you might have.

    Mr. Ratcliffe. Thank you, Mr. Dimina.
    The Chair now recognizes Mr. Carayiannis for 5 minutes for 
his opening statement.

   STATEMENT OF DAN CARAYIANNIS, PUBLIC SECTOR DIRECTOR, RSA 
                             ARCHER

    Mr. Carayiannis. Chairman Ratcliffe, Ranking Member 
Richmond, Ranking Member Thompson, committee, thank you very 
much for the opportunity to testify today on the Department of 
Homeland Security's Continuous Diagnostics and Mitigation 
program. I commend the committee's initiative to better 
understand this mission-critical program.
    My name is Dan Carayiannis, and I have spent over 30 years 
in the information technology industry. Currently, I am the RSA 
Archer public sector global director for RSA security, part of 
Dell Technologies. I also lead the RSA Archer CDM dashboard 
program and Archer's initiatives in the Federal, State, local, 
and the international public sector.
    RSA has been in the cybersecurity industry and a leader in 
that industry for over 30 years, serving more than 14,000 
global customers and many sectors of the economy. RSA solutions 
help detect, investigate, and respond to advanced attacks. We 
confirm and manage identities. We ultimately reduce 
intellectual property theft, fraud, and cyber crime.
    What is Archer as it relates to CDM today? RSA Archer is 
the commercial off-the-shelf software solution chosen for the 
CDM dashboard. The platform is approximately 1,400 global 
deployments, including many Fortune 100 companies, as well as 
Government entities. Archer is a flexible, browser-based, 
scalable, easily deployed, and fully integrated within a 
comprehensive dashboard architecture meeting DHS's current and 
future dashboard requirements.
    RSA is committed to the continued success of CDM. We meet 
regularly with key stakeholders within the DHS itself, prime 
contractors to ensure our technology is well aligned with 
current and anticipated needs of the program. We have provided 
flexible licensing arrangements and have undertaken several 
leases of our products and enhancements that map directly to 
DHS requirements. We are supporting the CDM program through the 
dashboard contractor and again also through the various prime 
contractors.
    As a result of our experience and involvement with DHS and 
the CDM program, we would like to propose the following 
recommendations. First, we strongly encourage DHS to maintain 
on-going control of the dashboard. We see the DHS dashboard as 
both a strategic executive risk management visualization tool 
as well as an agency operational tool. Standardization and 
consistently across the Government is critical to programs' 
success. Having a standardized risk management approach with 
one organization, DHS, responsible for managing cybersecurity 
risk across the civilian Government is key and a reason we 
believe that the program is succeeding and will succeed. 
Centralized management and standardized risk scoring provides 
confidence and consistent measurement and representation of 
risk across all Government departments and agencies.
    Second, we encourage DHS to continue facilitating a shared 
vision approach for program success. Continued dialog among 
DHS, RSA, and dashboard end-group prime contractors allows us 
to reflect on our base software and the architecture and its 
design and plan for future software enhancements to benefit the 
program going forward.
    Third, we encourage an active, on-going training program as 
part of the DHS initiative. The contractors who have invested 
in RSA Archer training have accelerated their learning curve on 
Archer and increased their deployment successes. We also 
recommend DHS personnel participate in Archer training so they 
can better understand how they can get more benefit out of the 
RSA Archer platform as it relates to CDM.
    Fourth, we urge the subcommittee to continue its current 
and strong support of the CDM program and ensure DHS has the 
necessary authorization and funding to build upon the current 
implementation.
    Finally, we encourage CDM information be analyzed for 
Government benefits beyond the initial CDM scope. One of the 
byproduct benefits of CDM and the program that it is serving is 
the agencies can leverage data aggregated across the Government 
that are currently out of scope requirements. For example, 
agencies can enhance their assessment and authorization, or 
continuity of operations capabilities and processes, by 
leveraging existing CDM data. Both data elements can be 
leveraged by agencies to enhance their security posture, their 
capabilities, and their reactions to threats.
    In closing, we believe the CDM program is having a very 
positive impact on how Government, as well as commercial 
organizations, think about managing cyber risk. RSA believes 
the CDM program is well-positioned to help the Federal 
Government better understand and react to cyber threats. Thank 
you very much for the opportunity to testify today. I would be 
happy to answer any questions you may have.
    [The prepared statement of Mr. Carayiannis follows:]
                 Prepared Statement of Dan Carayiannis
                            January 17, 2018
                              introduction
    Chairman Ratcliffe, Ranking Member Richmond, and Members of the 
committee, thank you for the opportunity to testify today on the 
Department of Homeland Security (DHS) Continuous Diagnostics and 
Mitigation (CDM) program. I applaud the committee's efforts to improve 
cybersecurity across the Federal Government and commend the committee's 
initiative to better understand this mission-critical program.
    My name is Dan Carayiannis and I am the RSA Archer global public 
sector director for RSA Security, part of Dell Technologies. I have 
been part of the RSA Archer business unit for 10 years and I'm the RSA 
lead for the DHS CDM Dashboard. I also lead Archer's initiatives in the 
Federal, State, local, and international public sector. I have spent 
over 30 years in the information technology industry.
    RSA has been a cyber industry leader for more than 30 years. The 
more than 14,000 global customers we serve represent many sectors of 
the economy. Our business helps enable those we work with to 
effectively detect, investigate, and respond to advanced attacks; 
confirm and manage identities; and ultimately reduce intellectual 
property theft, fraud, and cyber crime.
    Today, I want to explain how RSA Archer is designed and deployed, 
how it helps DHS drive greater cybersecurity, and our CDM program 
recommendations.
                            about rsa archer
    RSA Archer is a commercial off-the-shelf technology platform that 
allows organizations to manage multiple domains of risk in a 
configurable, integrated software system. RSA Archer is the software 
solution the CDM program is using as a basis for both the agency and 
Federal dashboards. Our platform and solutions support a range of needs 
to include a flexible data architecture, integration capabilities, 
reporting and dashboards, analytical functions as well as notification 
and workflow functionality. These capabilities provide users with the 
ability to interact, gather information, and manage data beyond merely 
cataloging records. With RSA Archer, risk and compliance teams can 
better manage risks, escalate issues, streamline processes, and make 
decisions based on the improved organization of data.
    RSA Archer has been a technology solution provider in the 
Governance, Risk, and Compliance industry since 2000. The platform has 
approximately 1,400 deployments globally, including many of the Fortune 
100 companies and Government entities. RSA Archer is used in a variety 
of applications and methods, ranging from global, cross-functional 
programs such as enterprise-level risk management to single function or 
regional implementations to support defined-use cases.
    Risk and security management in today's world must be approached as 
an integrated business solution for a complex business challenge. The 
RSA Archer Suite includes multi-disciplinary risk management solutions 
and use cases that address the most critical domains of business risk. 
RSA Archer solutions incorporate industry standards to quickly 
implement the processes to achieve the visibility business and 
technology leaders need. Our use cases have adopted best-practice 
standards derived from our extensive customer base and industry 
standards including NIST 800-53, NIST 800-30, NIST CSF, FISMA, 
ISO31000, ISO27000, COSO, ISO22301, and more. RSA Archer solutions are 
also designed with a maturity-driven approach that enables 
organizations to implement risk management processes over time. Our use 
case model allows customers to target the organization's most pressing 
needs by mixing and matching use cases as the business requires.
    All RSA Archer solutions are implemented on the RSA Archer 
platform, allowing an organization to build a consolidated 
technological approach to managing security, risk, and compliance 
processes. We understand risk, security, and compliance programs 
require a flexible, sustainable approach and our technology is designed 
to be highly configurable and customizable. The RSA Archer platform 
enables organizations to modify RSA Archer use cases to meet their 
unique requirements with functionality such as configurable workflows, 
risk calculations, standard and ad hoc dashboard and reports and 
flexible technology-agnostic data ingest capabilities. Customers are 
able to tailor applications to meet their business requirements without 
the need for extensive coding or development skills all of which is of 
significant benefit to the DHS CDM program. To meet more advanced 
needs, customers can leverage RSA Archer APIs and integrate external 
products to meet unique requirements.
    RSA Archer features the following key capabilities:
   An integrated reporting engine and does not require external 
        reporting tools;
   Persona-driven reports and dashboards are built into the 
        solutions, along with the ability to create ad hoc reports and 
        dashboards to meet users' needs;
   User interface designed to satisfy both frequent users 
        (risk/compliance/security teams) and infrequent users (business 
        users/first line of defense);
   Integration capabilities that allow organizations to 
        consolidate data from external systems and range from data 
        import to scheduled data feeds to an API;
   Data ingest capabilities that allow for integrations with 
        external information sources without major code/development 
        efforts to quickly consolidate and map external data to RSA 
        Archer applications;
   Flexible risk-scoring functionality as well as robust 
        workflow and notification capabilities enable customers to 
        automate business process.
                           rsa archer and cdm
    The Federal Government is challenged with a broad range of 
continuous monitoring security maturity levels and efforts across a 
wide range of agencies. To address these challenges, CDM provides a 
framework that enables consistent and automated compliance monitoring 
and reporting, helps agencies understand risks and vulnerabilities that 
could impact the security and operation of their enterprise, and does 
so in a consolidated and accelerated time frame.
    RSA Archer provides the base software solution for CDM that is 
commercial off-the-shelf technology that's flexible, browser-based, 
scalable, easily deployed, and can be fully integrated within a 
comprehensive dashboard architecture to meet DHS's current and future 
dashboard requirements. The RSA Archer Continuous Monitoring software 
solution was built to meet the needs of Federal agencies as well as 
commercial organizations by providing mission-critical capabilities 
essential to the Continuous Monitoring program. In the case of CDM, the 
software is being configured and customized to support program 
requirements by MTV, the dashboard prime contractor under DHS's 
direction. These essentials are:
   Enabling near-real time visibility into the security posture 
        of targeted devices across the enterprise;
   Managing with a risk-based approach by prioritizing security 
        risk data and focusing on ``worst first'';
   Maintaining a common operational cyber landscape with 
        aggregation and correlation of data to stay current with latest 
        requirements;
   Having real-time alerting capabilities, and advanced 
        reporting and dashboards at multiple levels of the organization 
        in order to help protect infrastructure across network endpoint 
        such as laptops, desktops computers, and servers;
   Protecting sensitive information such as security 
        configurations and vulnerability information while providing 
        access to the proper individuals to mitigate risks;
   Tracking and reporting compliance across vulnerabilities, 
        configurations, assets, and applications; and
   Leveraging and maximizing existing and new agency 
        infrastructure CDM tools.
    The CDM project is segmented into multiple phases and functional 
areas as the DHS diagram below illustrates.


    RSA Archer can support the functional areas as outlined by the 
scope of CDM. The following are examples of how RSA Archer is being 
used to support the phase 1 CDM functional area:
   Functional Area--Hardware Asset Manager.--RSA Archer helps 
        to manage a repository of hardware information assets as a 
        result of its integration with the chosen hardware asset 
        management tool. We are designed to help agencies determine 
        asset classification ratings and required retention periods, 
        determine asset risk, associate the assets with responsible 
        individuals, locations, organizational units, processes they 
        support, facilities where they are housed, and associated with 
        applications they support. RSA Archer can leverage its 
        notification and workflow functionality to support remediation 
        efforts associated with hardware assets and can represent this 
        information in reports, dashboards, and web forms and permit 
        access permissions down to the field level so that multiple 
        levels and views are available to the appropriate organization 
        and personnel for action. In addition, RSA Archer enables 
        agencies to perform on-line assessments to support 
        organization/agency-wide data calls to determine classification 
        ratings and required retention periods.
   Functional Area--Software Asset Manager.--RSA Archer helps 
        to manage a repository of software information assets as a 
        result of its integration with your chosen software asset 
        management tool. RSA Archer is designed to help agencies 
        determine asset classification ratings and required retention 
        periods, determine asset risk, associate the assets with 
        responsible individuals, locations, organizational units, 
        processes they support, facilities where they are housed, and 
        associated with applications they support. RSA Archer can 
        leverage its notification and workflow functionality to support 
        remediation efforts associated with software assets and can 
        represent this information in reports, dashboards, and web 
        forms and permit access permissions down to the field level so 
        that multiple levels and views are available to the appropriate 
        organization and personnel for action. In addition, RSA Archer 
        enables agencies to perform on-line assessments to support 
        organization/agency-wide data calls to determine classification 
        ratings and required retention periods.
   Functional Area--Configuration Management.--RSA Archer 
        consolidates data, helps determine asset, application and 
        system risk, and associates configurations with controls, 
        responsible individuals, locations, organizational units, 
        processes they support, and facilities where they are housed. 
        RSA Archer can leverage its notification and workflow 
        functionality to support remediation efforts associated with 
        configuration issues and can represent this information in 
        reports or dashboards. RSA Archer provides an approach for 
        documenting, identifying, managing, and reporting on 
        configuration data at every level of the organization. RSA 
        Archer allows agencies to consolidate controls across multiple 
        regulatory and business requirements into one integrated 
        framework.
   Functional Area--Vulnerability Management.--RSA Archer 
        consolidates threat data and reports on threat remediation 
        activities and enables a consistent, repeatable threat 
        management process. RSA Archer consolidates vulnerability, 
        malicious code, and patch information from security 
        intelligence providers, and captures vulnerability results from 
        scan technologies into one threat-management system. RSA Archer 
        then cross-references this information with applications, 
        assets, individuals, and organizational units. RSA Archer 
        leverages its notification and workflow functionality to 
        support remediation efforts associated with vulnerabilities and 
        can represent this information in reports, dashboards, and web 
        forms and permit access permissions down to the field level so 
        that multiple levels and views are available to the appropriate 
        organization and personnel for action.
    In summary, RSA Archer is critical in helping DHS realize its goal 
of comprehensive CDM across the .gov landscape. This includes a 
hierarchical deployment of agency-level dashboards rolling up summary 
results to the Federal dashboard. RSA Archer's role is to aggregate 
summary data collected from various technologies and data stores, 
calculate and score risk, notify users of changing data, and enable 
workflow business processes. This aligns specifically with the concepts 
of RSA Archer as a system of engagement (gathering data and enabling 
processes) and system of insight (providing aggregated data for 
decision support).
    Additionally, RSA Archer is helping DHS CDM address the many 
different personas interacting with the ``systems of engagement'' and 
``system of insight.'' A simple way to think of this is to use the 
concepts of 1st, 2nd, and 3rd Lines of Defense (``LoD''). This concept, 
referenced in operational risk management strategies, provides a 
straightforward method to stratify the risk management program and 
using Archer is being applied by DHS.
    In terms of the CDM project, RSA Archer takes the rollup of data 
from 1st LoD (sensors, endpoints, etc. via a variety of technologies) 
to inform and drive mitigation activities at the 2nd LoD at the 
individual agency-level dashboards and facilitating oversight and 
visibility to the 3rd LoD at the DHS Federal Dashboard level.
                 cdm implementation and recommendations
    RSA is committed to CDM as its commercial software manufacturer and 
technology partner. We have actively worked with the DHS CDM Project 
Management Office (``DHS'') as the ``customer,'' as well as with the 
dashboard and prime contractors. We have ensured that our leadership is 
engaged with project and progress updates, have provided flexible 
licensing arrangements, and continue to evolve our technology strategy 
to meet CDM requirements today and anticipate future needs. We meet 
regularly with key stakeholders within DHS and prime contractors to 
ensure our technology is aligned to DHS's requirements.
    To this end, we have expanded several of our development plans to 
ensure DHS benefits from the CDM program improvements. DHS, CDM, and 
Archer are pushing the boundaries on how a large enterprise should 
think about, manage, and respond to today's security threats as well as 
prepare for tomorrow's unknowns. This project not only benefits our 
Nation's security but provides significant private-sector security 
benefits as well.
    To date, we have undertaken and released several product 
enhancements aligned with DHS's requirements. For example, in the 6.3 
version of our platform, released in October 2017, several improvements 
and architectural changes were made based on feedback from DHS and its 
contractors to accelerate data ingest processes. We are also working on 
additional changes to ensure RSA Archer meets its design goal of 
flexibility and also enhanced performance for data management and 
calculations which will help DHS make risk-based decisions in near-real 
time.
    We are supporting the CDM program through the dashboard contractor 
MTV and also through the various prime contractors. This support is 
being provided through our Technical Support, Services, and Engineering 
organizations. While we are the software manufacturer, we fully 
recognize the role and functional elements of the agency level as well 
as the Federal dashboard and continue to fine-tune our base software 
solution and platform to accommodate defined and anticipated 
requirements.
    As a result of our experience and involvement with DHS in the CDM 
program, we propose the following recommendations:
    First, we strongly encourage DHS to maintain on-going control of 
the dashboard.--We see the CDM dashboard as both a strategic executive 
risk management visualization tool as well as an agency operational 
tool. Standardization and consistency across the Government is critical 
to program success and having a standardized risk management approach 
with one organization, DHS, responsible for managing cybersecurity risk 
across the civilian government marketspace is a primary reason we 
believe the program is succeeding. DHS may not be able to respond in a 
timely fashion without a centralized management approach or if it is 
being constrained by a distributed agency funding model. Once fully 
deployed, we believe this highly-controlled approach will render more 
consistent and accurate metrics across the Government, better cyber 
risk-based decisions, where necessary faster remediation and encourage 
standardization and a common consistent measurement and expression of 
risk across the Federal Government. Regardless of the deployed tools 
and data stores used, centralized management and standardized risk 
scoring methodology provides a true ``apples-to-apples'' comparison 
from agency-level dashboards to the Federal-level dashboard, giving the 
Government confidence in consistent measurement and representation of 
risk.
    Second, we encourage DHS to continue facilitating a shared vision 
approach for program success.--Continued dialog among DHS, RSA, and the 
dashboard and group prime contractors allows us to reflect on our base 
software architecture and plan for future software enhancements to 
benefit the program going forward. We also recommend DHS continue to 
allow RSA to participate in DHS and its dashboard prime contractor 
technical exchange meetings on a quarterly or semi-annual basis so we 
can stay current with anticipated requirements.
    Third, we encourage an active, on-going training program as part of 
the CDM initiative.--The contractors who have invested in RSA Archer 
training have accelerated their learning curve on Archer and increased 
their deployment success. As DHS CDM dashboards are fully deployed 
across the Federal civilian agencies, we believe its critical agency 
prime contractors have RSA Archer administrators with the skills and 
experience necessary to maximize dashboard capabilities.
    We also recommend DHS personnel participate in RSA Archer training 
to better understand the RSA Archer platform as it relates to the DHS 
CDM program and in the future. With the successful rollout of 
dashboards across all Government agencies, we recommend agency 
personnel ``user'' training to maximize the value DHS and the 
Government are getting out of its dashboard investment such as embedded 
training videos, on-line training and more.
    Fourth, we recommend careful considerations be put in place during 
the dashboard re-compete process.--We believe the follow-on dashboard 
prime contract holder should have the necessary RSA Archer skills and 
capabilities to accept dashboard responsibilities ``mid-stream'' and 
continue to manage, configure, and customize the dashboard without 
issue. Given the learning curve we have seen the dashboard contractor 
go through to configure and customize RSA Archer to support DHS CDM 
dashboard requirements, ensuring technical personnel are fully trained 
and experienced is a prudent and necessary element of continued 
success.
    Fifth, we urge the subcommittee to continue its strong support of 
the CDM program and ensure it has the necessary authorization and 
resources for full and expanded implementation.--It is essential DHS 
has the necessary funding for the on-going phases of CDM to build upon 
the current implementations and success.
    Finally, we encourage CDM information be analyzed for benefits 
beyond the immediate CDM scope.--One of the bi-product benefits of the 
DHS CDM program is that agencies can leverage CDM aggregated data to 
support other ``out of scope'' agency requirements. For example, 
agencies can enhance their assessment and authorization and continuity 
of operations processes by leveraging critical data elements CDM has 
captured. We believe this saves the Government not only time but also 
funding.
                               conclusion
    In closing, we believe the CDM program is having a very positive 
impact on how governments as well as commercial organizations think 
about managing cyber risk. In today's world, cyber threats are real, 
coming from multiple vectors, and constantly changing. RSA believes the 
CDM program is well-positioned to help the Federal Government better 
understand and react to these cyber threats.
    Thank you Chairman Ratcliffe and Ranking Member Richmond and all 
Members of the subcommittee for your dedication to addressing 
cybersecurity and to the CDM program. I thank you for the opportunity 
to be here today and I look forward to working with you and your 
colleagues in Congress as cybersecurity remains at the forefront of so 
many policy decisions we face. I'd be happy to answer any questions the 
subcommittee may have.

    Mr. Ratcliffe. Thank you, Mr. Carayiannis.
    The Chair recognizes Mr. Mossburg for 5 minutes.

   STATEMENT OF GREGG T. MOSSBURG, SENIOR VICE PRESIDENT FOR 
               STRATEGIC OPERATIONS, CGI FEDERAL

    Mr. Mossburg. Good afternoon, Chairman Ratcliffe, Ranking 
Member Richmond, and other distinguished Members of the 
subcommittee. My name is Gregg Mossburg. I am the senior vice 
president for strategic operations at CGI Federal.
    On behalf of CGI Federal's 6,000-plus dedicated employees 
providing services to over 100 Federal departments and 
agencies, I appreciate the opportunity to testify on the 
progress being made to better secure the Federal Government's 
systems through Continuous Diagnostics and Mitigation.
    CGI Federal plays an important role in the CDM initiative, 
in providing credential management to users at all 23 CFO Act 
agencies and three others to enable greater visibility. 
Providing security to any single network is a challenge. 
Recognizing the enormity of scaling across the entire Federal 
environment, DHS is using an incremental approach to identify 
and deploy capabilities to participating agencies.
    The first phase of the CDM program began in January 2013. 
CDM Phase 1 examined what was on the network. Through discovery 
tools, a Federal agency can identify all of its hardware and 
software. Using policies and rules, a determination can be made 
about whether an asset should be on the network. Next, CDM 
tools can be used to install patches, continuously scan for 
vulnerabilities, and ensure software is configured properly and 
securely.
    Studies have shown that cyber hygiene--including asset 
management, scanning, patching, and proper configuration 
controls--can stop up to 85 percent of cyber attacks. At the 
completion of Phase 1, every device in the Federal Government 
will have a Master Device Record, allowing increased visibility 
and management.
    In June 2016, DHS began rolling out CDM Phase 2, focusing 
on who is on the network. This phase applies the same concept 
of cyber hygiene to users, collecting and aggregating 
information about users from multiple systems into a central 
location from which agencies are able to monitor different 
aspects about their network users. This data is important 
because research continues to show that many security breaches 
are linked to improper use of credentials, including access 
through accounts that should have been terminated. Further, 
this information will permit Federal agencies to verify that 
only authorized users with the proper credentials are accessing 
their networks.
    Soon, DHS will be rolling out Phases 3 and 4, which focuses 
on what is happening on the network and how the data itself is 
protected. Data from all CDM phases is channeled to agency-
level dashboards for display and action. Information from these 
agency dashboards is aggregated into a Federal-level dashboard 
to provide a Government-wide view of how agencies are 
performing and identify the greatest areas of risk.
    I am especially pleased that the subcommittee has both 
tools and systems integration represented at the table today. 
CDM often is discussed in the context of tool acquisition, and 
yet the integration and consulting services provided are key to 
Federal agency success, given the shortage of cybersecurity 
professionals, the vast number of security products available, 
and competing IT priorities. CDM provides not only cyber 
expertise, but also training, testing, and governance support.
    In structuring the CDM acquisitions, DHS has had the 
difficult task of balancing the customized solutions for each 
agency with leveraging economies of scale and solution 
repeatability. DHS also needed to balance the benefits of using 
a single integrator with deep solution expertise versus 
multiple integrators with agency-specific knowledge. As a 
result, DHS and their contracting partner at GSA, a group known 
as Fedsim, carefully evaluated and addressed these trade-offs 
in the new series of CDM acquisitions called Defend. The new 
Defend strategy provides a variety of benefits that I would be 
glad to discuss during the Q&A period.
    As noted earlier, CGI Federal currently is delivering the 
credential management solution to 26 agencies under a 2-year 
task order. To date, this complicated IT implementation effort 
has enjoyed remarkable collaboration among CGI Federal, the 
agencies, and DHS, supported by GSA Fedsim. In fact, early 
deployments already have provided agencies with insight into 
potential issues that can now be addressed.
    While everyone feels the urgency brought on by continuous 
cyber attacks, it is important to not lose sight of the fact 
that providing security to networks as large and complex as 
those of the U.S. Government is an enormous undertaking that 
requires a solid foundation on which to build advanced 
capabilities. CDM is one of the first efforts of its type, and 
we should recognize the impact that it is having.
    Let me close first by thanking the folks at DHS and GSA's 
Fedsim office for their partnership and urgency in supporting 
the CDM implementation. All are focused on schedules, budgets, 
and a relentless drive to get the best from industry. I also 
want to thank the subcommittee for making CDM a priority. Mr. 
Chairman, I look forward to answering any questions that you or 
the subcommittee may have. Thank you.
    [The prepared statement of Mr. Mossburg follows:]
                Prepared Statement of Gregg T. Mossburg
                            January 17, 2018
    Good afternoon, Chairman Ratcliffe, Ranking Member Richmond, and 
other distinguished Members of the Subcommittee on Cybersecurity and 
Infrastructure Protection. My name is Gregg Mossburg. I am the senior 
vice president for Strategic Operations for CGI Federal Inc. (``CGI 
Federal'').
    CGI Federal, a wholly-owned U.S. operating subsidiary of CGI Group 
Inc., is dedicated to partnering with Federal agencies to provide 
solutions for defense, civilian, health care, and intelligence 
missions. Founded in 1976, CGI Group Inc. is the fifth-largest 
independent information technology and business process services firm 
in the world. CGI Group Inc.'s approximately 71,000 professionals serve 
thousands of global clients from offices and delivery centers around 
the world, leveraging a comprehensive portfolio of services including 
high-end business and IT consulting, systems integration, application 
development and maintenance, and infrastructure management, as well as 
150 intellectual property-based services and solutions.
    On behalf of CGI Federal's 6,000-plus dedicated employees providing 
services to over 100 departments and agencies across the Federal 
Government, I appreciate the opportunity to testify before the 
subcommittee on the progress being made to better secure the Federal 
Government's systems through Continuous Diagnostics and Mitigation--
otherwise known as CDM.
    CGI Federal plays an important role in the CDM initiative, 
providing credential management (``CREDMGMT'') to users at all 23 Chief 
Financial Officer (``CFO'') Act agencies and 3 other agencies to enable 
greater network visibility. In the next few minutes, I would like to 
elaborate on the CDM program in general and some of the key factors 
that have led to very positive collaboration and progress among CGI 
Federal and its various Federal agency clients.
   cdm: risk-based, cost-effective cybersecurity across the federal 
                               government
    As you know, cyber threats are growing and evolving continuously. 
While it is not possible to eliminate or even block all cyber threats, 
it is critical that the Federal Government and its contractors focus on 
identifying security risks, allowing leaders to allocate resources 
where they will have the greatest impact. To this end, Congress 
established the CDM program to provide risk-based, cost-effective 
cybersecurity across the Federal Government.
    The U.S. Government operates some of the largest and most critical 
networks in the country. As a result, providing security to any one 
network is a challenge and scaling across the entire Federal 
environment is even more daunting. Consequently, DHS is using an 
incremental CDM approach to identify and deploy capabilities to 
participating Federal agencies.
                         the four-phase rollout
    The first phase of the CDM program began in January 2013. CDM Phase 
1 examined what is on the network. Through discovery tools, a Federal 
agency can identify all of its hardware and software. Using policies 
and rules, a determination can be made about whether an asset should be 
on the network. If it shouldn't be on the network, then it can be 
removed. If it should be on the network, then CDM tools can be used to 
install patches, continuously scan for vulnerabilities, and ensure that 
software is configured properly and securely.
    While it may not sound as glamorous as penetration testing and 
cyber threat hunting, studies have shown that cyber hygiene, which 
consists of four essential activities--i.e., effective asset 
management, scanning, patching, and proper configuration controls--can 
stop up to 85 percent of cyber attacks. At the completion of Phase 1, 
every device in the Federal Government will have a Master Device 
Record, allowing increased visibility into these activities.
    In June 2016, DHS began rolling out CDM Phase 2. Phase 2 focuses on 
who is on the network. This phase applies the same concept of ``cyber 
hygiene'' to users and helps measure how well agencies comply with 
existing Federal mandates such as the Federal Information System 
Management Act (``FISMA'') and the Homeland Security Presidential 
Directive (``HSPD'') 12. The Phase 2 solutions collect and aggregate 
information about users from multiple systems into a central location 
from which agencies are able to monitor different aspects about the 
users on their respective networks. The centralized Master User Record 
(``MUR'') provides information about individual users to include the 
degree of vetting, training completed, and credentials issued. This 
data is important because research continues to show that many security 
breaches are linked to improper use of credentials (including access 
through accounts that should have been terminated). Not only will the 
information collected through the CREDMGMT system allow agencies to 
understand who is on their network, but it will permit Federal agencies 
to verify that only authorized users with the proper credentials are 
accessing their networks.
    Soon, DHS will be rolling out Phase 3 of the CDM program. Phase 3 
is focused on what is happening on the network and looks to protect the 
network by monitoring traffic across the boundary and performing 
software code inspection, application weakness detection, development, 
and supply chain risk management. Phase 3 also seeks to help agencies 
manage security events by preparing for and responding to security 
incidents using a new automated risk assessment process to replace the 
current manual, time-intensive process.
    The requirements for CDM Phase 4 are still evolving, but DHS has 
indicated that it will focus on how data is protected through 
technologies such as micro-segmentation, digital rights management, and 
other advanced data protections.
    Data from all phases of the CDM program is channeled to agency-
level dashboards for display and action. Information from these agency 
dashboards is aggregated into a Federal-level dashboard to provide a 
Government-wide view of how agencies are performing and identify the 
greatest areas of risk for corrective action. This data also can be 
analyzed and presented in meaningful ways to various consumers and 
decision makers such as senior leaders interested in trend analysis and 
technical experts looking to take a deep dive into the detailed 
technical information.
                       deployment across agencies
    Not only is DHS incrementally rolling out cyber capabilities, it 
has taken a staggered approach to deploying those capabilities to all 
Federal agencies. In Phase 1, agencies were divided into buying groups 
of 5-7 agencies (Groups A, B, C, D, E, and F) with a single integrator 
responsible for deploying a solution to agencies in each group, 
typically over a 3-year period. For Phase 2, DHS issued 2 task orders 
each with a 2-year duration. The first task order addresses privileged 
users (i.e., users with extra power or control over the computer system 
who have the ability to do the most harm) at 65 Federal agencies. This 
task order effort is commonly referred to as the privilege management 
(or ``PRIVMGMT'') task order. The second task order--which CGI Federal 
currently is delivering--is CREDMGMT, which has a 2-year duration and 
covers all users at 23 CFO Act and 3 other agencies.
    The CDM program often is discussed in the context of tool 
acquisition. Yet, the integration and consulting services provided are 
key to Federal agency success. Given the shortage of cybersecurity 
professionals, the vast number of security products available, and 
competing IT priorities, Federal agencies often are in need of 
cybersecurity experts and skilled IT resources. The CDM program 
recognizes these needs and provides not only cyber expertise, but also 
services for training, testing, and governance to help agencies develop 
processes and policies.
                     a new cdm acquisition strategy
    As with all programs of this size, there are trade-offs to be 
considered. For example:
   the economies of scale and repeatability of using a 
        consistent solution across the Federal Government versus 
        tailoring to a specific agency's existing infrastructure and 
        processes;
   using a single integrator with deep expertise in a solution 
        across a large number of agencies may speed overall deployment, 
        but delay agency-specific process changes; and
   a single integrator supporting an agency for a long period 
        of time will have a deep understanding of the agency's 
        environment, but may not have the required expertise in all 
        cyber products.
    As a result, DHS and GSA-FEDSIM carefully evaluated these trade-
offs with the lessons learned on the original CDM contract and 
addressed them in the new series of CDM acquisitions, called Dynamic 
and Evolving Federal Enterprise Network Defense (or ``DEFEND'').
    Some of the benefits of the new DEFEND strategy include:
   Providing a longer period of performance to encourage a 
        strategic partnership between the integrator, agency, and DHS 
        while helping to address the challenge of processing background 
        investigations for multiple integrators;
   Creating a separate acquisition process for tools and 
        implementing a CDM Approved Products List (``APL'') to remove 
        the tool vendors' dependency on integrators;
   Providing flexible funding scenarios, such as incremental 
        funding, allowing agencies to jointly fund efforts with DHS, 
        and surge options; and
   Providing agencies at different levels of maturity with the 
        flexibility to address their most pressing needs.
                      a collaborative partnership
    As noted earlier, CGI Federal currently is delivering the CREDMGMT 
solution to 26 agencies under a 2-year task order. To date, this 
complicated IT implementation effort has enjoyed remarkable 
collaboration among CGI Federal, the agencies, and DHS (supported by 
GSA-FEDSIM), allowing the team to make great progress. In fact, early 
deployments already have provided agencies with insight into potential 
issues that now can be addressed.
                       an impressive undertaking
    While everyone feels the urgency brought on by continuous cyber 
attacks, it is important to not lose sight of the fact that providing 
security to networks as large and complex as those of the U.S. 
Government is an enormous undertaking. This is one of the first efforts 
of its type; therefore, it is critical to lay a solid foundation on 
these programs before building more advanced capabilities.
    CGI Federal is proud to support the CDM program and help its 
Federal agency clients protect our country's networks, assets, and 
information. CGI Federal relishes this rare opportunity to work across 
the entire Federal Government to identify trends and connect agencies 
to share best practices and lessons learned.
    Let me close first by thanking the folks at DHS, and particularly 
the National Protection and Programs Directorate, for their partnership 
and urgency in supporting the CDM implementation. It would be an 
understatement to say that DHS is responsible for overcoming numerous 
critical challenges in the protection of our country every day. CGI 
Federal respects DHS's focus on schedules, budgets, and its relentless 
drive to get the best from industry. I also want to thank this 
subcommittee for its continued oversight to ensure the continued 
success of the CDM program. Mr. Chairman, I look forward to answering 
any questions that you or the subcommittee may have.

    Mr. Ratcliffe. Thank you, Mr. Mossburg. Chair now 
recognizes Mr. Hodgkins for his opening statement.

     STATEMENT OF A.R. ``TREY'' HODGKINS, III, SENIOR VICE 
 PRESIDENT, PUBLIC SECTOR, INFORMATION TECHNOLOGY ALLIANCE FOR 
                         PUBLIC SECTOR

    Mr. Hodgkins. Thank you, Mr. Chairman, Ranking Member 
Richmond, and Members of the committee. On behalf of the 
members of the IT Alliance for Public Sector, or ITAPS, thank 
you for the opportunity to share our perspectives today on the 
Department of Homeland Security Continuous Diagnostics and 
Mitigation program.
    ITAPS represents almost 90 of the most innovative companies 
offering IT goods and services in the Federal public sector. We 
applaud the committee's efforts to understand and explore the 
CDM program, the state of CDM tool acquisition, and what 
barriers and policy or practice exists for rolling out CDM 
across the Federal Government.
    Last year, ITAPS provided the administration with numerous 
recommendations to modernize Federal cybersecurity practices, 
including how to protect Federal networks through accelerated 
adoption of EINSTEIN and the CDM program. These recommendations 
include requiring regular automated vulnerability scanning of 
Federal networks, updating procurement guidance to reflect the 
fleet of cyber threats, expanding existing programs to recruit 
and retain a strong cybersecurity work force, and leveraging 
new technology and integrating security tools into IT 
deployments.
    DHS is implementing recommendations included in the 
President's IT modernization report. These range from securing 
Government systems and commercial clouds, something not 
included in the original CDM plan, to completing the 
acquisition strategy for new long-term task orders that offer 
CDM life cycle support to agencies. ITAPS suggests that 
Congress focus on the following.
    No. 1, accelerate procurement cycles to keep pace with 
cyber threats. The committee should work to ensure that there 
are sufficient numbers of adequately trained contracting 
personnel to deploy CDM tools in a timely fashion to keep up 
with the evolving threat landscape.
    No. 2, accelerate adoption of CDM through oversight. The 
committee should exercise oversight to ensure that agencies are 
prioritizing funding for CDM solutions, because agencies are 
reluctant to contribute to funding their own security. Many do 
not put a line item in their budget requests and seek to solely 
rely upon DHS funding for CDM deployment. Unpredictable Federal 
appropriations substantially contribute to this condition, as 
agencies are not able to effectively plan, identify, acquire, 
and deploy cyber tools in truncated budget cycles.
    No. 3, experienced personnel with appropriate skill sets 
and vendors with proven success at an enterprise scale are 
critical to the success of CDM. The committee should work with 
DHS to ensure that the acquisition plan for Phase 3 
contemplates the skills necessary for effective implementation, 
the budget to attract and retain individuals with such skills 
and vendor qualifications based on experienced success.
    No. 4, protect data, protect Federal data. It has been 
almost 3 years since the OPM data breach, and DHS has yet to 
implement Phase 4 of CDM, to provide data-level protection 
capabilities, such as digital rights, management, micro-
segmentation, and data masking.
    No. 5, enhance accountability for agency adoption and 
deployment of CDM through robust use of the CDM dashboard. The 
Federal dashboard compiles summary feeds from all the agencies 
regarding their adoption and deployment of CDM. This tool will 
eventually provide a broad view of the Government's cyber 
posture to help DHS and OMB determine where resources are 
needed to strengthen agency systems. The CDM dashboard is also 
one specific means for Congress to hold agencies accountable 
for their progress.
    No. 6, the CDM program office should educate State, local, 
and Tribal governments about the CDM tools and capabilities 
available. States, localities, and Tribal governments are 
facing similar cyber challenges and threats, and governments 
have made cybersecurity a top priority, but many need help with 
protecting their data and networks. The committee should work 
with DHS to create an outreach program to ensure that these 
other government jurisdictions are aware of CDM, the tools and 
capabilities that are available, and how they can acquire CDM 
capabilities for their own use through Schedule 70 at GSA.
    No. 7, ensure adequate means to attract and retain a cyber 
skilled work force. Congress should create innovative means to 
attract cyber skilled applicants and retain them once hired. It 
should also look to rapidly draw down the security clearance 
backlog. Imagine what the Government cyber work force would 
look like and could do if just 10 percent of the over 700,000 
employees and contractors awaiting investigations could get 
cleared.
    To close, Mr. Chairman, the technology sector supports the 
CDM program and its various phases as an important and 
effective means to secure the Federal Government networks and 
systems. More improvements can be made, though, and I hope that 
our recommendations can help the committee focus on making CDM 
better. We look forward to the opportunity to work with 
Congress and the Department on this important issue, and I am 
happy to answer your questions at the appropriate time.
    Thank you.
    [The prepared statement of Mr. Hodgkins follows:]
           Prepared Statement of A.R. ``Trey'' Hodgkins, III
                            January 17, 2018
                              introduction
    On behalf of the members of the IT Alliance for Public Sector 
(ITAPS), we appreciate the opportunity to share our perspectives on the 
Department of Homeland Security (DHS) Continuous Diagnostics and 
Mitigation (CDM) program. We applaud the committee's efforts to 
understand and explore industry perspectives on the CDM program, the 
state of CDM tool acquisition, and what barriers there are, in policy 
or practice, to rolling out CDM across the Federal Government to 
improve cybersecurity across the Federal Government as cyber threats 
evolve.
    Last year, ITAPS, with its members, undertook an effort to provide 
the Trump administration with numerous recommendations to modernize 
Federal cybersecurity practices, including how to protect Federal 
networks through accelerated adoption of EINSTEIN and the CDM program. 
With the interconnected and global nature of today's digital 
environment, strong cybersecurity must be a fundamental underpinning of 
any effort to transform Federal IT systems and is essential to 
realizing the expected economic and efficiency benefits of IT 
modernization.
    The diversity of recommendations contained in our final report 
reflects the reality that enhancing cybersecurity requires a 
comprehensive strategy that leverages people, processes, and 
technological innovations to actively prevent cyber attacks, and 
holistically reduce enterprise cybersecurity risks. These 
recommendations outline actions that can be taken now to enhance the 
Federal Government's cybersecurity posture, such as requiring regular, 
automated, vulnerability scanning of all Federal network environments, 
updating procurement guidance to reflect the speed of cyber threats and 
the rapid evolution of security technologies, and expanding existing 
programs to recruit and retain a strong cybersecurity workforce.
    Importantly, our report also offers key themes and recommendations 
focused on taking advantage of new evolutions in technology and 
natively integrating strong security tools into IT deployments. To 
succeed in new shared service and cloud-based environments, it is 
critical for Government to prioritize implementing security 
technologies that can work together in an automated, holistic way to 
actively prevent, not just detect, cyber attacks across the entire 
Federal Government's network infrastructure. To keep up with the pace 
of modern cyber attacks and reduce risk on an enterprise-wide basis, 
security tools must be capable of automatic reprogramming based on new 
threat data to deliver consistent security across the entirety of the 
network, including all cloud and endpoint environments.
    Adopting IT systems with agile security technology that can protect 
digital infrastructure at scale is vital, because the Federal 
Government simply cannot continue to divert people and resources toward 
manually maintaining antiquated systems or manually correlating 
cybersecurity incidents. Indeed, new, and emerging technology trends--
including the increased adoption of cloud, shared services, and 
virtualized networks--also present critical opportunities to 
fundamentally simplify and automate how the Government consumes and 
delivers cybersecurity tools to reduce enterprise risks. The emergence 
of shared, cloud-based marketplaces where security capabilities can be 
seamlessly tested and deployed as application-based software--an 
alternative to time-intensive hardware procurement, evaluation, 
installation, and system integration cycles--represents the agility the 
Government must evolve to.
    Similarly, there must be a focus on making information sharing as 
automated and actionable as possible. This means collapsing the amount 
of time between when an organization receives a technical indicator and 
the implementation of a preventive control to enforce security based on 
that threat information. Further, Government and industry must mature 
information-sharing processes to focus on sharing more than isolated 
indicators of compromise and incentivize the sharing of correlated 
threat indicators that link together multiple steps of the adversary's 
playbook, aligned to each phase of the attack life cycle--including 
reconnaissance, weaponization, delivery, exploitation, and command-and-
control.
    Finally, our recommendations offer opportunities for continued 
public-private partnership. An integrated approach between Government 
and industry can enhance everyone's collective cybersecurity by 
fostering a shared understanding of the cyber threat landscape, 
facilitating a more robust and systemic public-private threat 
information-sharing environment, jointly developing effective policies, 
and partnering to raise education, awareness, and overall levels of 
cybersecurity skills. Private-sector innovation will be critical in 
replacing legacy Federal IT systems with next-generation solutions that 
both spur greater efficiencies and strengthen the security of the 
Nation's digital infrastructure.
    For this testimony, we will focus on our CDM recommendations from 
the report and concerns raised by our members regarding Phase 3 and 4. 
As you know, the 4-year-old CDM program is delivering capabilities to 
agencies in four phases: Phase 1 (What is on the Network?), Phase 2 
(Who is on the Network?), BOUND (Protecting the boundaries), Phase 3 
(What is happening on the Network?) and Phase 4 (Protecting the data on 
the Network). On May 15, 2017, DHS reported at an industry briefing 
that 24 major and almost 40 small agencies were engaged in implementing 
CDM Phases 1 and 2 requirements. DHS is planning for these agencies to 
transition to operational status by the end of fiscal 2018. The 
Department is also implementing recommendations included in the 
President's IT modernization report. These changes range from 
addressing securing Government systems in commercial clouds--something 
not included in the original CDM plan--and completing the acquisition 
strategy for new, long-term task orders to offer CDM life-cycle support 
to agencies. Finally, they are now providing solution development and 
implementation for Phases 3 and 4, in addition to future work. DHS and 
GSA have also added supply chain risk management into the program, 
requiring vendors to complete a questionnaire to provide DHS 
information on how their product was manufactured and to help the 
agency understand the supply chain of the products vendors are offering 
to be included on the CDM approved products list. We would recommend 
that Congress focus on the following:
    Cybersecurity threats to the U.S. Government are outpacing the 
Federal acquisition process, creating vulnerabilities. ITAPS has 
recommended to both the administration and the Congress that the path 
to increased cybersecurity protections for Government networks is 
through IT modernization, and that acquisition reform is essential to 
the ability to modernize IT in the Government and attain greater cyber 
assurance. In other words, we cannot have cybersecurity without IT 
modernization, and we cannot acquire the goods and services we need for 
either of these goals without changing the way we acquire IT. To make 
progress on this goal, ITAPS makes the following recommendations:
1. Encourage Full Utilization of and Update Government Procurement 
        Rules to Enable Agencies to Compete with Hackers
    Current procurement rules in place at various Federal Government 
agencies preclude them from effectively countering the hacker threat in 
a timely manner. It is critical that DHS and other Federal agencies 
have access to the same tools. This can only be achieved by encouraging 
full use of current procurement rules, and by looking for opportunities 
to update those rules where necessary. Currently, there are numerous 
ways Federal agencies can acquire products and services rapidly 
including:
   Through the Federal Acquisition Streamlining Act of 1994 
        (FASA), Congress mandated, to the maximum extent practicable, 
        the use of simplified acquisition procedures (SAPs) for 
        products and services not exceeding the simplified acquisition 
        threshold.
   The Competition in Contracting Act of 1984 (CICA) allows 
        Federal agencies to accelerate the acquisition process where 
        there is an urgent need, or where requiring full and open 
        competition could compromise National security.
   The U.S. General Services Administration (GSA) maintains a 
        supply schedule for information technology (Schedule 70), where 
        pre-vetted vendors with pre-negotiated terms offer 
        cybersecurity products.
   Congress authorized the Continuous Diagnostics and 
        Mitigation (CDM) program at DHS, which allows Federal agencies 
        to expand their CDM capabilities through the acquisition of 
        commercial off-the-shelf tools, with robust terms for technical 
        modernization as threats change.
   Congress has granted 11 agencies (including DHS) the ability 
        to enter into ``other transaction agreements,'' which generally 
        do not follow a standard format or include terms and conditions 
        normally found in contracts or grants, in order to meet project 
        requirements and mission needs.
    In addition to encouraging Federal agencies to fully use these 
procedures, procurement policy, and acquisition procedures must evolve 
more rapidly to match the pace of information technology development 
and adoption by hackers, criminals, and other bad actors. Currently, 
little guidance exists in the Federal Acquisition Regulations (FAR) 
regarding the procurement of cybersecurity technology; rather, the FAR 
leaves cybersecurity implementation to each individual Federal agency. 
Agency officials and contractors must consult a myriad of different 
agency regulations to ascertain if and how other agencies have 
implemented their acquisition regulations regarding cybersecurity. This 
diversity in agency cybersecurity regulations undermines security 
requirements and policies governing Federal procurements. Harmonizing 
cybersecurity acquisition requirements would allow agencies to: (1) 
Target security to highest-priority data and threats; (2) obtain 
greater value through reduced compliance obligations and increased 
contractor focus on high-value cybersecurity investments; and (3) 
enhance agency cybersecurity through the adoption of best practices, 
tempered through public review and comment.
   The Director of the Office of Management and Budget (OMB), 
        in consultation with the administrator of the Office of Federal 
        Procurement Policy (OFPP), as key National priorities should: 
        (1) Provide clear direction to security and acquisition 
        officials across Government that cybersecurity solutions should 
        be acquired and implemented rapidly; (2) advise and train 
        security and acquisition officials on existing authorities 
        available for the rapid acquisition and implementation of 
        cybersecurity solutions; (3) expeditiously identify impediments 
        to the rapid acquisition and implementation of cybersecurity 
        solutions that need to be addressed by Congress and report 
        those impediments to the relevant committees of jurisdiction 
        for redress; and, (4) provide reciprocity of security 
        clearances for cybersecurity professionals to deploy CDM from 
        agency to agency .
   The administration should assess disparate cybersecurity 
        acquisition requirements across agencies and make 
        recommendations to harmonize requirements to the greatest 
        extent possible.
2. Protect Federal Networks through Accelerated Adoption of Einstein 
        and Continuous Diagnostics and Mitigation (CDM)
    A significant number of recent Federal breaches resulted from 
compromised identities, including those of privileged users. The 
EINSTEIN and Continuous Diagnostics and Mitigation (CDM) programs, when 
fully deployed,\1\ will help Government agencies acquire vital security 
capabilities and tools to better secure Government networks and 
systems. The EINSTEIN program is designed to detect and block cyber 
attacks from compromising Federal agencies, and to use threat 
information detected in one agency to help other Government agencies 
and the private sector to protect themselves. The CDM program provides 
Federal departments and agencies with capabilities and tools that 
identify cybersecurity risks on an on-going basis, prioritize these 
risks based upon potential impacts, and enable cybersecurity personnel 
to mitigate the most significant problems first.
---------------------------------------------------------------------------
    \1\ As evidenced by GAO-16-294, DHS Needs to Enhance Capabilities, 
Improve Planning, and Support Greater Adoption of Its National 
Cybersecurity Protection System, thoughtful deployment has to consider 
compatibility with newer/modern technology adoption so agencies can 
reflect a holistic security risk posture while aligning with the 
administration's IT modernization goals.
---------------------------------------------------------------------------
    Our primary recommendations in this space are the need for 
deployment, procurement flexibility, and improvements in the workforce 
development process. Currently, Federal agencies recognize the value in 
deploying CDM solutions. They also recognize, however, that these 
deployments could be paid for by DHS in the following appropriations 
cycle. Agility and speed are very important in this context. 
Ultimately, a plan and a strategy are inconsequential without 
deployment. There is a distinct risk of a moral hazard where agencies 
will fail to prioritize cyber funding in the short term, thinking that 
the associated costs will be borne by DHS, as the cybersecurity 
executive agency, leaving them susceptible to risk of a significant 
breach in the interim. Further, DHS partners with GSA on the 
development of contract vehicles for these programs, and there is a 
need for more trained contracting personnel to accelerate deployment of 
these new contract vehicles.
    Most departments and agencies have already deployed a variety of 
authentication and authorization solutions as part of both their 
internal and citizen-facing applications. ITAPS recommends that any 
Government-wide solution add value and not create disruption and 
unintended expense by replacing the existing work that has been done. 
The applications that have been built and secured with these existing 
Federal Identity, Credential, and Access Management (FICAM) solutions 
are servicing millions of people today. Agencies should be encouraged 
and funded to do what is best for meeting their business requirements: 
Leveraging APIs to further extend their baseline solutions and adding 
additional safeguards, like privileged account and shared account 
management. Any new policies coming out of this program should consider 
and augment the investments and the services already being provided, 
not direct them to new platforms and distract them from the ancillary 
opportunities.
    In the wake of the OPM breach, Government officials worked 
tirelessly to improve systems. These are committed individuals, and the 
sense of urgency following the breach resulted in quick and decisive 
action to resolve significant challenges that became immediately 
apparent. Long-term success in implementing those decisions, however, 
may be hamstrung by backlogs in the procurement process. Reacting to 
specific events to shore up defenses is different than proactive 
planning. As we look forward, we believe there is opportunity for DHS 
and its partner agencies to leverage the lessons learned in the cyber 
sprint and apply them proactively to enhance overall cyber posture 
across the Federal Government.
3. CDM Capability Deployment: Recommendations based on earlier CDM 
        Phases.
    DEFEND/Phase 3 has yet to be delivered as only one Task Order 
Request (TOR) has been awarded and work has yet to begin. DEFEND is a 
significant departure from prior iterations having incorporated 
feedback received from agencies during earlier phases to offer greater 
choice and increased flexibility.
    Due to the heterogeneity of large enterprise environments the 
technologies to secure, monitor, and maintain an agency's enterprise 
systems vary widely. Similarly, the ability of many vendor solutions to 
properly scale to support complex environments and integrate with 
existing toolsets may be unproven. Issues with the deployment of 
technologies to address CDM requirements not only impacts the project 
schedule, but consumes limited agency resources and hinders the overall 
success of CDM within a given agency.
    We recommend that the CDM program should endeavor where possible to 
recommend solutions that can demonstrate past performance of successful 
implementations at enterprise scale. Additionally, due to the size and 
complexity of any given agency, the CDM program should recommend vendor 
subject-matter experts be incorporated into the procurement of any new 
CDM tool deployment initiative over a certain size. The inclusion of 
experienced, trained, and vetted resources will greatly increase the 
likelihood of a timely, successful implementation with minimal user 
impact.
    The CDM program should also drive real change in cybersecurity. We 
need a different approach where technology--enabled by strong 
collaboration--can be deployed rapidly to security platforms so they 
can communicate with each other over open communication protocols. 
Organizations in both the public and private sector need security tools 
that are interoperable and interchangeable to protect against existing 
and prospective threats. As cybersecurity solutions become 
interoperable, they become more efficient and cost-effective. They also 
become easier to maintain than an IT environment of disparate systems. 
Over time, more interoperable cybersecurity systems will also 
contribute to closing the skills gap, as these systems become more 
widely deployed, require less manual intervention and rely upon more 
consistent skill sets.
    Customers deserve the ability to deploy best-of-breed security 
solutions, but if they need to install a complete infrastructure just 
to do so, then agencies lose. By having interoperable standards for 
interface and exchange formats, the industry could move to a more plug-
and-play capability for security products. This has been successful in 
the past with efforts such as the Security Content Automation Protocol 
(SCAP), currently in use in the Host-Based Security System (HBSS) and 
CDM programs. SCAP provides a wide variety of vendors the ability to 
exchange compliance and patch validation content.
    We encourage the Government to work with the private sector to make 
the vision of a truly open and interoperable cybersecurity ecosystem 
become a reality. Such an ecosystem promotes a great deal of 
competition and innovation. At the same time, it also promotes 
collaboration--making sure that systems work together. The real benefit 
is an environment that promotes enough competition to deliver 
innovative solutions, coupled with collaboration to ensure that these 
new and innovative solutions can work together. Much like the railroad 
industry that agreed on basic rules of the road--e.g., size and gauge 
of the tracks and right of ways--the security industry needs rules of 
the road to allow cooperation, so that firms can compete on 
implementations to allow for as much innovation as possible.
4. DHS must develop a strategy to evolve and extend CDM protections 
        beyond the network to include protecting Federal data and 
        assets.
    In the wake of the OPM data breach in June 2015, OMB and DHS 
reviewed the state of cybersecurity across Government and developed the 
Cybersecurity Strategy and Implementation Plan (CSIP), the 
Cybersecurity National Action Plan (CNAP), the revised OMB Circular A-
130 and a host of other Federal policies such as the Cybersecurity Act 
of 2015 aimed at improving our cyber posture. One of the key findings 
and requirements included in these Federal cyber policies and the 
fiscal year 2017/fiscal year 2018 DHS Continuous Diagnostics & 
Mitigation (CDM) budget requests was to evolve the CDM program beyond 
network security to include data-level protection capabilities (digital 
rights management, micro-segmentation, data masking, etc.) for 70+ 
agencies.
   The recent DHS CDM program update (attached) and the fiscal 
        year and fiscal year DHS CDM Congressional budget 
        justifications (attached) states its intention to move to a new 
        Phase 4 of ``data level protection capabilities'' to ``include 
        additional tools and services to protect sensitive and high 
        value assets data'' for Federal Government agencies.
   The 2018 White House Federal IT Modernization Report to the 
        President also stresses the importance for Federal agencies 
        with high-value assets and sensitive information to deploy 
        ``data-level protection capabilities and shared services within 
        180 days.''
    It's been almost 3 years since the OPM data breach and, 
unfortunately, the Department has yet to provide any data-level 
protection capabilities via Phase 4 or any other phase of CDM. In light 
of the numerous data breaches experienced by the Federal Government in 
recent years, it is critical for DHS to begin implementing CDM Phase 4 
as soon as possible, in order to ensure sensitive and high-value 
information is protected. We are aware that the Department is focusing 
on full implementation of CDM Phase 2 & 3, but we believe it should be 
deploying CDM Phase 4 simultaneously, in order to improve our 
Government's cybersecurity capabilities and protect high-value assets 
at the data level. We encourage DHS to focus on building awareness with 
agency CDM leaders on how to get funding and support for rolling out 
data protection/Phase 4 capabilities.
    Considering the current state of the acquisition capabilities of 
the CDM program and the cyber threat landscape that Federal ``.gov'' 
agencies face, we recommend posing the following questions to DHS, GSA, 
and any other agencies that have identified high-value assets:
   What is your acquisition time line to roll out Phase 4 or 
        ``data-level protection'' capabilities in fiscal year 2018?
   Have DHS and GSA considered accelerating the adoption of 
        Phase 4 capabilities for all Government agencies? What is 
        delaying the release of Phase 4 task force orders?
   What CDM training is taking place to ensure Federal agency 
        Chief Information Officers (CIOs) and Chief Information 
        Security Officers (CISOs) are prepared to deploy Phase 4 CDM 
        protections?
   How are CIOs and CISOs planning and budgeting to adopt such 
        ``data-level protection'' capabilities?
   Can agencies that are ahead of the curve utilize CDM program 
        funding to deploy data-level protection capabilities right now?
5. Encourage DHS to continue progress with the CDM Federal dashboard 
        and educate Federal agencies on the use and benefits.
    We recommend that DHS continue and expand the use of the CDM 
Dashboard to help agencies with their vulnerability management. 
Developing the Dashboard features and values, highlighting those 
benefits, and providing the values through the Dashboard across the 
variety of Federal infrastructures is one challenge. The other obvious 
challenge is to normalize any score or ``grade'' that the agency 
receives fair and relevant. Because of the: (1) Variation in network 
infrastructure, (2) the variety of measurement tools, and (3) the 
qualitative nature of the scoring, DHS will be challenged to develop a 
methodology that appears ``fair'' and delivers actual value to the 
agencies as well as the entire Federal infrastructure. Historically, 
FISMA and FITARA scores were honed through time. We expect CDM scoring 
to take a similar path.
    The Federal dashboard will compile summary feeds from all the 
agency dashboards, which will give the administration a broad view of 
the Government's cyber posture. Eventually, the Federal dashboard will 
help DHS and OMB decide where best to direct their resources to 
strengthen agency systems. The CDM dashboard is one specific area where 
transparency and public disclosure of agency performance can drive 
accountability for their progress.
6. DHS and GSA should work with State/local and Tribal governments to 
        educate them on their access to the CDM tools for network 
        monitoring and security through GSA's Schedule 70.
    State/local and Tribal governments are facing similar cyber 
challenges and threats. The Governors have made cybersecurity a top 
priority, but they need help with protecting their data and networks. 
Purchasing has not been high by State/local and Tribal governments, so 
DHS and GSA should conduct an outreach campaign to assist State/local 
and Tribal governments with using the CDM catalog.
    Thank you again for the opportunity to share these thoughts. If you 
have any questions, please feel free to let me know. We look forward to 
working with the committee and your colleagues in Congress to improve 
the cyber posture for Federal networks and the private sector.

    Mr. Ratcliffe. Thank you, Mr. Hodgkins. The Chair now 
recognizes the gentleman from Wisconsin, Mr. Gallagher, for 5 
minutes for questions.
    Mr. Gallagher. Thank you, Mr. Chairman. Thank you to all 
the witnesses for taking the time to be with us on this 
important topic.
    It sounds like everyone shares a relatively optimistic 
assessment of CDM so far. So I would just--to put it in plain 
terms, given that in Phase 1 we have basically learned how many 
devices were on Federal networks that Federal agencies did not 
know about to the sort-of shadow IT phenomenon, which presents 
a huge problem for all of us, I just--for whoever wants to take 
the question, do you feel confident that we have a total 
picture of what is on Federal networks at this point? If not, 
how long will it take to have total visibility into what 
devices are connected and connecting to our networks? Do not 
all jump at once. We can just go--we can go from here that way, 
yes.
    Mr. Hodgkins. I can go first, Gregg. Just share that we do 
not believe the Government has total visibility into the assets 
it possesses on its networks and systems. It has done 
inventories for specific purposes, for example, risk 
mitigation, but it does not understand everything it owns.
    One of the things that we have identified in the 
procurement process that can help change that is, No. 1, the 
Government should create the inventory, but, No. 2, it should 
begin to keep track of the things it is buying and deploying as 
it buys them. Currently, the systems that are used to acquire 
these tools, for example, in CDM and any other capability the 
Government acquires do not inventory those goods and services 
as they are acquired.
    So there is no running track, no running inventory, no 
automated means of keeping track of what we are buying and what 
perhaps we are retiring. So we think that would be an area that 
could be improved, yes.
    Mr. Gallagher. Sir?
    Mr. Mossburg. Go down the line in order?
    Mr. Gallagher. Yes.
    Mr. Mossburg. So I would echo, I do not think that we have 
got the complete picture yet of all of the IT assets, but the 
point is, as--or the goal is, as Phase 1 is completed, that you 
would get to a point where you had a complete inventory. I 
think what Trey said is very important. It does not end, right? 
We are going to keep buying and keep adding to the inventory, 
and so the process has got to be kept in place and it is got to 
be an on-going vigilance to achieve that.
    The other element I would add is, the scope is--as 
addressed in Defend, which is the next phase of CDM, has got to 
expand between on-prem, or on-premises, inventory out into the 
cloud and mobile devices to make sure that we are really 
drawing the circle around the right goal, if you will.
    Mr. Gallagher. Sure, sure.
    Mr. Carayiannis. I think that was one of the challenges 
that the beginning of the program people encountered was a lot 
of the agencies--there was more there than they thought. I 
think people had to kind-of step back, understand that, 
document all that, before they can progress and move forward.
    Certainly, if you have all that data of all those assets, 
all that information and collecting all that, there is a lot of 
interesting things you could do about that and report on it and 
track it. Tracking not just an individual asset, but 
potentially even someday component parts that make up that 
asset, which will also be important from a cybersecurity threat 
perspective.
    Mr. Gallagher. Thank you.
    Mr. Dimina. I agree with everything said so far. I will 
just add that continuous monitoring should be looked as a 
journey, not a destination. There has been great success so 
far, and that visibility is not complete, but there is a solid 
foundation for cybersecurity program here. That data can 
provide immense value both from a risk-scoring perspective and 
for the ability for agencies and DHS to respond to incidents 
and perform threat analytics.
    So I agree with the comments that there is more progress to 
come, but I think there is a success story here and the 
foundation has been built.
    Mr. Gallagher. Sure. Then obviously as that Phase 1 journey 
continues and evolves, we want to make sure we are making 
progress on the other phases. Mr. Hodgkins, I think you 
mentioned something about Phase 4, and I just wonder, could you 
tell me, how would a delay in implementation of Phase 3 and 4 
impact our ability to protect the Federal.gov domain? Besides 
adequate funding levels, what does the CDM program need to make 
sure that we are reaching our goals in those subsequent phases?
    Mr. Hodgkins. Well, I touched on a number of elements that 
Congress could perhaps focus on to improve. One is that 
agencies now are--they seem to be relying on the pool of money 
that Congress gives to DHS for this activity as a means of 
funding all of the CDM activities even within the agencies. The 
inconsistent budget process has also contributed, because 
agencies cannot begin to spend dollars until they are 
appropriated. If their planning, their execution, their 
identification of contractors, identification of which tools 
they need happens and we end up with a fiscal year where only 5 
months are actually appropriated, it is too short of a time 
frame to effectively complete that, deploy the activity, and 
get the dollars obligated for a contractor.
    So it creates tremendous challenges. Those are some areas 
that delay the implementation of a lot of programs, including 
CDM. Delaying CDM in the way that you are talking about Phase 3 
and 4 do not get us to the end point that we have all discussed 
or raised in some form or fashion as fast as we need to get 
there. The threats are happening now, and we need to move 
forward. I mentioned accelerating acquisition cycles. There is 
a variety of ways that we can do that to try and improve that.
    Mr. Gallagher. Well, I have run out of time, but thank you 
for raising the budgetary picture. I know we are grappling with 
that this week, and we tend to talk about it only in the 
context of hard defense, but it impacts everything the Federal 
Government does. So, thank you. Thank you, Mr. Chairman.
    Mr. Ratcliffe. Thank the gentleman. The Chair now 
recognizes the Ranking Member, Mr. Richmond, for his questions.
    Mr. Richmond. Thank you. I will start with all the 
witnesses. There is a work force component to CDM, in that 
agencies need to organize their cybersecurity and other 
personnel to implement the use of CDM. How is the shortage of 
skilled cyber professionals throughout the Federal Government 
impacting CDM performance? In any order?
    Mr. Hodgkins. It is actually having a tremendous impact, 
Mr. Richmond. I noted, for example, that it is a challenge for 
both the Federal Government and contracting employees to be 
deployed when they can not get their clearances through that 
process in an efficient and timely fashion. There are over 
700,000 sitting there. Truly, imagine what we could do if we 
could get just 10 percent of that through and deploy those 
people for work for the cyber work force.
    We also have challenges in that, you know, people come into 
the Federal Government, they learn skills, and then they move 
into the private sector. People from the private sector is also 
a challenge getting them to come back in. There are a number of 
exercises underway now to try and identify incentives for 
companies to lend, if you will, their best and brightest to 
come and work on some of these problems in the Federal 
Government.
    The center of excellence exercise that is going on now 
through the White House to deploy the IT modernization plan is 
an example of trying to implement that, where they are seeking 
to bring in subject-matter expertise from outside to help 
address and define requirements to solve problems like 
cybersecurity and then they can execute internally with their 
own employees and they can also bring in additional contract 
personnel.
    Mr. Mossburg. Thank you. Thanks for the question, 
Congressman. As I noted in my opening remarks, I was very 
appreciative that this committee had both tool vendors and 
systems integration at the table. I think that is an important 
part to consider in addressing the skills gap that you raised.
    There is no question that there is a skills challenge in 
the Federal Government and also in the private sector, and it 
really is going to take continued collaboration between them 
both to make sure we have got the necessary skills to implement 
successfully the CDM program.
    Mr. Richmond. Well, but you also mentioned in your 
testimony about the learning curve. I guess my next question 
would be: Is there a need for more training on how to use CDM 
capabilities like the dashboard and then, No. 2, do agencies 
need help developing or updating their internal governance to 
make sure it is compatible with CDM?
    Mr. Mossburg. Yes, I think the answer to both questions is 
yes. The scope of both training and governance is included in 
the CDM program so that as these technologies are implemented 
and processes are put in place, that training and governance is 
part of the individual task orders and agency implementations.
    Mr. Richmond. OK.
    Mr. Carayiannis. Congressman Richmond, as it relates to the 
dashboard specifically, absolutely there is a need for training 
to ensure that once it is fully operationalized at the agency 
level and even at the Federal level that personnel are trained 
to get the maximum value out of what it is presenting, the risk 
scores, calculations that are occurring, understanding what 
threats might be out there. Having to have trained personnel to 
be able to understand and act on that is critically important. 
So an on-going training element just around the dashboard 
itself I would highly recommend, and that was in my opening 
remarks.
    Mr. Dimina. So I would add to that that--the private sector 
is dealing with the same problem. The cyber skills shortage is 
real and across the board, and it is impacting Government, it 
is impacting private sector. I do think there are opportunities 
to look at how can we--and that problem would not be solved in 
the short term. That is going to take a while to solve across 
the board between industry and Government, and that continued 
partnership.
    I do think there are some things the industry can do from a 
technology perspective to help offset some of those challenges. 
There is work on-going in part of the cybersecurity industry in 
a space called orchestration automation. Those tools are 
maturing. While that would not solve the problem completely, 
those can help add efficiencies to the program.
    Additionally, what the core of our testimony from Splunk 
and my testimony today is about is leveraging what has already 
been invested and leveraging the data that is already present 
in the CDM system to gain greater efficiencies and to enhance 
the mission at DHS. Speaking from personal experience in my 
time working in cyber operations, the data being collected 
today is being used for risk profiling and for risk 
prioritization and for visibility, and that is great. That is a 
core requirement of the security program. But there is an 
opportunity to also use that data from an operational 
perspective and to assist in the mission for threat hunting and 
understanding the tactics and techniques of APTs out there.
    So I do believe that is a problem, and I do believe 
technology can help. It would not completely solve it, but 
there are ways to improve the productivity of the investments 
made today.
    Mr. Richmond. Thank you, and I yield back.
    Mr. Ratcliffe. Thank the gentleman. Chair now recognizes 
myself for questions.
    So following up on your comment earlier, Mr. Dimina, about 
CDM being a journey, not a destination, and some of the 
testimony that we have already heard, I mean, I think at Phase 
1 not having full visibility, that is understandable. 
Obviously, we all want it to be rolled out to all four phases 
more quickly, and I know there is challenges with respect to 
that. But I guess as we approach sort-of the halftime or 
intermission of this program, if you will, I guess I want to 
hear on the record from all of you that once we get to Phase 4, 
as fully implemented, do we still foresee CDM as a program that 
will be effective and agile and nimble enough to deal with the 
cyber threats that we are facing at that point in time? I will 
just go across the board.
    Mr. Dimina. So there is a lot to that question. I think--
and thank you for the question, sir. I think regarding 
specifically Phase 4, you know, the requires are not still 
defined there, so I think there is some work that still needs 
to be done to figure out what is going to be accomplished, how 
it is going to be accomplished to offer data protection.
    I think the challenge and an issue that needs to be 
addressed there, is there are major disruptions occurring in 
the private sector to the way IT is delivered and handled. 
Traditional IT is being replaced by server-less models, the 
rise of micro-services and containers and software-defined 
networking. So as DHS and team and CDM leadership figure out 
their approach for Phase 4, I think that is an issue and 
question that will need to be addressed, because where does 
data reside in a server-less architecture? That is a challenge 
ahead.
    Beyond that, I think looking at continuous monitoring as a 
program and to answer your question about where does it go, you 
know, today we have a foundation. You cannot secure what you 
cannot see. But the vision would be something that is near real 
time. To Congressman Richmond's point in his opening remarks, 
providing situational awareness. You could envision a State 
where we have the equivalent of a cyber weather map, whereas 
meteorologists today look at atmospheric data to predict 
weather threats and weather patterns across the country, once 
we reached that State and we have successful real-time 
monitoring and being able to access data at a granular level, 
we could predict from activity occurring in one part of the 
Government or see warning signs that would happen at other 
parts.
    You know, in a perfect world, and if we take that one step 
further, you know, we could have the equivalent of a tornado 
warning, where attacks against one part of the Government are 
being seen and reacted to in real-time, and then the cyber 
defenders in our Government can take proactive actions to 
defend in advance of those attacks.
    Mr. Carayiannis. Congressman, I guess a couple thoughts 
around that. First, I think once we get to Phase 4 and 
potentially beyond, an opportunity that I think CDM provides is 
the tuning of it and extracting more value out of it over the 
course of time, kind-of from moving from more of a cyber 
hygiene program to more of a highly-tuned response program 
where I could quickly interact with anything and everything 
that I have from an information source perspective, be able to 
leverage that information to react, rather than days and weeks 
to hours to minutes.
    I think one of the challenges that CDM has identified--and 
you have heard some of the comments about that today--and one 
of the opportunities that CDM presents is to really orchestrate 
a highly-defined environment that could accelerate people's 
time to action and in time to action dealing with a threat that 
is out there. The threat will continue. It will continue to 
progress and become more nimble, and so we need to able to do 
the same thing. I think CDM is a great start to do that. It is 
tuning that environment and making it more productive over the 
course of time for all.
    Mr. Mossburg. Thank you, Congressman, for the question. I 
will just put a small fine point on this. I think that it truly 
is a journey, not a destination. I do not think this is 
something that we need to think about as getting to done. I 
think this is something that we need to continually improve and 
remain vigilant on.
    I think we ought to strive for a vision that is not even 
real-time or predictive, but really gets--or, excuse me, not 
even real-time, but predictive in nature and begins to look at 
behavioral analytics and some of the activities that can be 
correlated across the domain or the enterprise to begin to 
predict where we may run into problems, both internal to an 
agency and external to an agency. I think that is the vision 
that we ought to strive for.
    Mr. Hodgkins. I would just add, to echo the comments, that 
CDM will survive if it can evolve. It has got to keep pace with 
the threats. It has also got to keep pace with the evolution of 
technology, the innovation of technologies, you know, as was 
noted, new forms of computing capabilities as they come down 
the pike.
    Then it has also got to--this is not an operation occurring 
in isolation. The Federal Government is undertaking significant 
strides to modernize specific networks and systems, and those 
will begin to incorporate new cybersecurity capabilities that 
can then be connected with CDM or can share information with 
CDM in new ways that we cannot do today.
    Mr. Ratcliffe. My time is expired, but I have a question I 
want to ask, and if you can answer it quickly and if not 
incorporate some answers into some of the other Members' 
questions, but, you know, to this theme of CDM being a journey, 
my question I guess is for all of the folks up here: What is 
the low-hanging fruit for us as legislators? Where can we work 
to make effective changes to make the CDM journey faster and 
better and more effective, whether that is programmatic 
authorities or the parameters or acquisitions or appropriations 
with respect to CDM?
    I know, Mr. Carayiannis, you intimated almost a Phase 5, 
looking at something to that effect. So I would appreciate your 
thoughts on that.
    Mr. Carayiannis. Well, maybe thinking beyond CDM itself, 
what it is today and the four phases, one of the concepts we 
have kicked around and thought about is: How do you extend what 
the Government is doing around CDM to the community around the 
Government that is supporting the Government on an on-going 
basis? If you think about the Government doing more outsourcing 
on an on-going basis, you are now more dependent on those 
resources.
    So consequently, I think one thought that the CDM and the 
committee here should think about is how do we extend some of 
those principles and guidelines, guidance that you are giving 
and directives you are giving agencies today around CDM to some 
of the community that is closest to the Government and helping 
the Government perform its mission?
    Mr. Ratcliffe. Anyone want in?
    Mr. Dimina. I will agree. I will add to that. I think there 
is--going back to my testimony today, there is untapped value 
in CDM today. The data--the intent of the data being collected 
today is for risk scoring and for asset visibility, and that is 
great and that is important. That same data could be incredibly 
valuable for analysts working at DHS, the teams working with 
EINSTEIN in their mission.
    One area where I would suggest additional policy review or 
oversight is working with DHS to ensure the appropriate rules 
are in place to access that data for that purpose.
    Mr. Mossburg. A quick comment on the pace and the speech 
with which we can continue the journey with CDM. My colleague, 
Mr. Hodgkins, has mentioned the security clearance issue writ 
large a couple of times. I think in particular to CDM, when it 
comes to the contractor community working with DHS to implement 
for agencies, looking at the reciprocity of security clearances 
between DHS and the individual agencies, would go a long way to 
speeding time of delivery on the projects.
    Mr. Hodgkins. Mr. Chairman, I also noted several things in 
my opening statements. The committee can exercise oversight of 
the appropriations that the agencies take and ensure that they 
are putting in that line item to fund their CDM activities, 
where today we do not see that consistently. The committee can 
look to ensure that appropriate acquisition work force skills 
are both created and then deployed and that there are 
sufficient numbers, and then the committee can work both on 
this program and more broadly across Congress to think about 
how the Government can acquire commercial capabilities in a 
more rapid fashion.
    We have created a substantial number of Government-unique 
requirements that have slowed that process down, and those 
reviews are under way as we speak through various means, but 
that is a way that we can also look to improve the process the 
committee can participate in and looking to accelerate.
    The cyber work force also we have identified that there is 
a shortage of those skills, and that is a long-term solution. 
Then, finally, just oversight of the program, making sure that 
the different phases are advancing in the way that they are 
intended and they are advancing in the time frames that are 
intended.
    Mr. Ratcliffe. I thank you all and I appreciate the panel's 
indulgence. The Chair now recognizes the gentlelady from 
Florida, Ms. Demings.
    Mrs. Demings. Thank you so much, Mr. Chairman, and also to 
our Ranking Member and to our witnesses today. Thank you so 
much for being here.
    As we learned from the OPM hack in 2015, agencies need a 
strong secure system for managing who is authorized to access 
sensitive data. To address this, CDM Phase 2 calls for the 
creation of a centralized master user record, among other 
things, to help agencies manage credentials and privileged 
access.
    This question is for any or all of you. How effective do 
you think the master user record will be? Are there areas in 
Phase 2 where it is currently--and how it is currently designed 
where it falls short?
    Mr. Mossburg. I will take the first. I do think that the 
Phase 2, the credential management and the privilege management 
aspects of Phase 2 are very effective, have the potential to be 
very effective, not only in the creation of the master user 
record, but in the policy enforcement of having both the 
credentials that you and I are used to and a user ID and login, 
something that we know to access a system, but also a physical 
asset that we have and a PIV card, or a little ID card. The 
combination of both will go a long way to preventing the 
situations like we had with OPM or things that you are familiar 
with in the private sector, like the Target breach last year.
    Mrs. Demings. Others?
    Mr. Dimina. I agree with Mr. Mossburg. The only footnote I 
will add to that is, it is my understanding that the identity 
data is key and having information on user behavior is 
important. I think the challenge there is bringing it all 
together.
    My understanding is the identity data is not currently 
feeding into dashboard or being correlated with the existing 
CDM data, and the real power of this program is the ability to 
do analytics on this data. If that data is not brought together 
and analytics has not happened, it is a missed opportunity.
    Mr. Carayiannis. If I could add, data is key to everything 
here, so that master user record, the concept of being able to 
obtain data from not only one agency, but all agencies, being 
able to access that, bring all that together and associate that 
to an individual, it is key. So the concept of, you know, if I 
have very little data, then we are going to have a challenge 
being able to relate all that to a record, so that is critical 
in terms of the aggregation of that information to be able to 
leverage it.
    Mrs. Demings. Anyone else want to speak on it? OK, thank 
you. Also, for any or all of you, from your perspective, what 
examples do you believe already exist that you feel best 
demonstrates the value of CDM?
    Mr. Carayiannis. I will take that one first. So, thank you, 
Congresswoman. There was a recent example during the last 
WannaCry event that occurred where some of the agencies who 
have been making good progress leveraging and accessing, 
bringing data together, as a part of CDM was able to leverage 
that data quickly, do a report on all the information that they 
had of what systems would potentially be impacted by it and be 
able to quickly put an action plan in place to address that, 
and therefore, you know, not have to deal with a very painful 
experience.
    So it was--the good news is, in a very immediate way, while 
everything is not deployed immediately across the board--we 
have not gone through all the phases, where are we seeing some 
agencies get benefit from this by DHS directive, and I think 
there will be a lot more of that to come as the program 
continues to build and roll out.
    Mrs. Demings. That is great.
    Mr. Dimina. I will add to that. As I mentioned in my 
testimony, during Phase 1 deployments, there are several 
agencies that discovered they had additional end-points than 
they were aware of. So in one perspective, that can be looked 
at as a challenge. I see it as a positive. I see it as a 
success story.
    The first part of an effective cyber strategy is 
understanding your footprint and understanding your security 
posture. That information and that intelligence is a success 
story and step forward for those agencies in being able to 
appropriately defend their assets.
    Mrs. Demings. That is great. Others? Mr. Mossburg.
    Mr. Mossburg. I agree wholeheartedly with those two. I will 
take it from a slightly different angle. I think one of the 
biggest successes that the CDM program has demonstrated is an 
incorporation of lessons learned. After going through Phase 1 
and Phase 2, DHS and their partners at GSA and Fedsim changed 
the approach of the program to--in what is now called Defend to 
accommodate a couple of things.
    One very important one was an expanded access to the latest 
and greatest from industry, in particular with software 
products, by changing the way those software products could be 
procured by the agency through the integrator. So it enables 
greater access to that.
    The second was an expansion of the period of performance 
with the individual projects that will be executed in Phase 3 
and Phase 4. What is important about that is, as you have a 
longer relationship between integrator and agency to deploy the 
solution, you have greater re-use of the staff from a security 
clearance standpoint than you had previously. So it gets past 
some of those obstacles from a pace standpoint around the 
security clearance.
    Mrs. Demings. Thank you. Mr. Hodgkins.
    Mr. Hodgkins. I would just add that the program--one of the 
things that we would see as success is that it is something 
that can be applied in a relatively uniform fashion across the 
Government. It is not common to find consistent uniformity for 
Government requirements in contracting or in plans and 
protection programs of this nature, so it is a success that 
this is being rolled out in a consistent, uniform fashion. We 
have a repeatable activity and a repeatable successes, and 
measurable, repeatable conclusions that we can draw across 
agencies.
    Mrs. Demings. Thank you. Mr. Chairman, I yield back.
    Mr. Ratcliffe. Thank the gentlelady. The Chair now 
recognizes the gentleman from Nebraska, Mr. Bacon.
    Mr. Bacon. Thank you, Mr. Chairman. It is my first time in 
the committee, so it is good to be part of the subcommittee. It 
is an honor.
    Mr. Ratcliffe. We are glad to have you.
    Mr. Bacon. I am a retired 30-year Air Force guy with 
signals intelligence, and worked a little bit in cyber. One 
thing I took away from that is we have some of the best cyber 
capabilities in the world, particularly in the intelligence and 
the offensive side, but we also had the most vulnerabilities, 
and I--which you are working that part of it. So thank you for 
what you are doing.
    I heard one of our senior generals say once that we have 
the biggest rocks, but we also live in the largest glass house 
when it comes to cyber. So it is a two-edged sword there, 
right?
    Mr. Mossburg, I know you talked a little bit about hygiene 
or the right cyber hygiene. Could you just talk a little more 
succinctly, what does that really mean? Where are we at in 
getting to that proper hygiene?
    Mr. Mossburg. Sir, I think--and I first referenced it with 
regard to Phase 1 and the focus on what is on individual 
networks, and after creating a master device record, an 
inventory of the assets that exist on the network, a rigorous, 
constant patching of that software and maintaining the proper 
configuration is that hygiene.
    So we are well into Phase 1, but as I think in early 
responses, not complete. We do not have that complete inventory 
yet. But you heard some of the responses here a second ago, 
with even some of the more recent issues and attacks that we 
have encountered from WannaCry to some of the recent hardware 
attacks, our agencies were better prepared because of the--one, 
the patching that was occurring, the hygiene that was occurring 
on the devices that had been identified, but also the data that 
had been collected for even when those devices were not yet 
being patched or having the proper hygiene applied to them, we 
at least knew about them, and then the agencies could 
prioritize their reaction to addressing them and prevent those 
attacks from causing harm.
    Mr. Bacon. You are having to do that with all 24 Federal 
agencies?
    Mr. Mossburg. Yes, that--all 24 will roll through the Phase 
1.
    Mr. Bacon. Do you have--is the software that you are using, 
is it the same for all 24? Because I think that would be pretty 
challenging.
    Mr. Mossburg. Well, and I think the goal of the CDM program 
is to have a common approach in these. Quite honestly, CGI is 
engaged in Phase 2 in the credential management. I would defer 
to the vendors that are rolling out Phase 1 on the specifics 
there.
    Mr. Carayiannis. I can make a comment about that, 
Congressman Bacon. At the end of the day, one of the challenges 
for a lot of the primes, taking the dashboard, deploying it 
within respective agencies, but to your question, lots of 
different technologies that will be used by a lot of different 
agencies. So I think that was one of the complicated elements 
of what CDM was trying to tackle was leveraging what was 
already out there, augmenting what was there, and putting into 
best practice and use of those to deal with the master user 
record, being able to populate it, have accurate information 
there. So that is been a big challenge I think for a lot of the 
prime contractors.
    Mr. Bacon. Some of these countries are so advanced in this 
area, it just takes one device that we have not had the patch 
for to find a vulnerability on, would you agree with that 
statement?
    Mr. Carayiannis. Yes, sir, I would.
    Mr. Bacon. Mr. Carayiannis, what is the Federal 
enterprise--where is the Federal enterprise in developing their 
CDM dashboards from your perspective? Are the barriers to fully 
implementing and using the dashboard technical, or is it 
administrative?
    Mr. Carayiannis. I would basically say that I think it is a 
combination of the two, so we have worked very hard to stay as 
close that we can with DHS, with the dashboard prime, as well 
as the prime contractors working within the agencies. We are 
learning a lot of what people need the dashboard to be able to 
do at the agency level, as well as the Federal level. We have 
been augmenting our software on an on-going basis. We have a 
release schedule at least twice a year. The idea around that is 
to continue to add additional components, upgrades, 
enhancements to our software to enable them to progress and to 
do more work, the work that they need to do to drive CDM to 
success.
    Mr. Bacon. I appreciate your challenge. I come from the Air 
Force. We tried to do a dashboard. That was hard enough for the 
Air Force, because you have different major commands underneath 
it, airlift, fighter, space. But those dashboards you are 
building is going to be a one-size-fits-all for all 24 
agencies.
    Mr. Carayiannis. So the current architected approach--and I 
think it is the right one--I made that comment in my opening 
remarks--one of the key elements of this is having consistency 
from a dashboard tool across the entire agency-level dashboards 
and at the Federal level. Having consistency, having DHS 
maintain that consistent approach ensures that you are seeing 
similar information types, risk scores, et cetera, rolling up 
to the agency and to the Federal level.
    If you did not do that, you have everybody doing something 
slightly different, to your very point about within the DOD 
environment, you know, you start seeing a lot of apples and 
oranges and lots of different variations. So consistency is 
paramount, in our judgment, from a dashboard perspective, to a 
CDM program success.
    Mr. Bacon. I just think with all the different missions, 
that is a challenge, because everybody has a different mission 
area and different unique requirements. But yet I understand 
you have got to standardize if you want to be able to defend 
the system better, so I had some more questions, but my time is 
out. Thank you for your expertise and thank you for your 
service.
    Mr. Carayiannis. Thank you, sir.
    Mr. Ratcliffe. Thank the gentleman. Chair now recognizes 
the gentleman from Rhode Island, Mr. Langevin.
    Mr. Langevin. Thank you, Mr. Chairman. I want to thank all 
of our witnesses for your participation, testimony here today.
    Mr. Hodgkins, if I could start with you, obviously, this is 
a very important topic and appreciate all the contributions you 
have made to this discussion. But, Mr. Hodgkins, the 
administration has recently released the report to the 
president on Federal IT modernization that pushes strongly 
toward greater adoption of cloud-based applications and 
services.
    Now, CDM has traditionally been focused on identifying and 
protecting Federal assets within our Federal networks. As 
Federal assets are deployed in cloud architectures, how well is 
CDM positioned for this new paradigm? How does the program need 
to change to ensure it continues to be effective?
    Mr. Hodgkins. Well, as I noted in my testimony, Mr. 
Langevin, cloud deployment of Federal assets was not really a 
major focus of CDM when it was first formulated and put 
together. So that is an element that as we--and as I noted 
about the question on evolution, as those new technologies come 
into play, as those new efficiencies are identified and the 
Government adopts those, CDM will need to evolve to address the 
new risks that might occur because we are moving in different 
directions with new capabilities.
    Mr. Langevin. OK. As a follow-up, are certain CDM phases 
more or less effective in protecting cloud assets? I certainly 
would welcome comment from some of the other witnesses on the 
next question. Does DHS's ability to maintain situational 
awareness change with respect to cloud solutions?
    Mr. Hodgkins. On your first question, sir, the effort to 
identify the users should be something that can be transferred 
over when those activities move to the cloud so that you should 
still have the same type of identification and authentication 
capabilities, and those should be reusable, if you will. I am 
not aware that the others are positioned or directly thinking 
that the vendors at the table may be able to more directly 
answer that question for you.
    Mr. Carayiannis. I was going to make a comment about that, 
Congressman. So at the end of the day, I made some comments 
earlier about this universe of contractors or support elements 
in and around the Government, so if you think about the cloud 
environment itself, you have organizations that are providing 
Federally-certified cloud environments, which is a good thing. 
But I do think that some of the underlying principles and 
elements of what CDM is should be driven out more broadly to 
some of those suppliers so they are inheriting some of the 
inherent capabilities of and underlying tenets of what CDM is 
trying to do for the Government itself.
    Mr. Dimina. So I will add to that. I think there has been 
some progress with regards to how we secure the cloud, how do 
we monitor cloud, and this is where FedRAMP comes into play. I 
think DHS is looking at that. Cloud has been with us for some 
time, and it is not going anywhere. So I think that is a 
problem that is going to be solved.
    I think the bigger challenge is, what is going to happen as 
we move into the internet of things, where every device is 
connected? How do we secure and monitor mobile devices as we 
move and solve the human capital gaps we have in our work force 
and have more people work remotely? How do we deal with the 
changes and disruptions that are occurring from things such as 
containerization, and when traditional data centers do not 
exist anywhere, and where we are in a server-less environment?
    So I think those are the bigger challenges ahead. Cloud is 
certainly important, will be the mechanism for delivery of a 
lot of these technologies, but those are the ones that if you 
look longer term, 1 to 3 years out, that will need some proper 
planning. I think the most important piece here, if you look at 
the future CDM, is that careful and thoughtful planning has to 
go into the design decisions made today, because the worst 
possible outcome would be if a decision made now would prevent 
the use of some future yet-to-be-released cybersecurity 
technology or information technology asset. I think some of the 
delays in Phase 1 were a result of that heavy lift of a lot of 
those design decisions that had to happen, and we are seeing 
phases hopefully accelerate now as some of that design work is 
complete.
    Mr. Langevin. Well, this is a good follow-up, good segue 
into my next question. While CDM now provides a method to 
streamline acquisition of cybersecurity tools across agencies, 
it is still incumbent upon each agency to define and execute a 
risk management strategy and process. How are individual 
agencies utilizing the tools provided by CDM to create an 
overall risk management strategy and prioritize their 
acquisition of cybersecurity tools? Have you observed any 
changes or improvements since CDM has been implemented? Mr. 
Hodgkins, if we can maybe start with you.
    Mr. Hodgkins. Well, I think the answer to your last 
question is, yes, there have been improvements since CDM has 
been deployed. I think that agencies are required to make a 
different set of assessments and determine their risks more 
effectively, and CDM is deploying toolsets that helps them try 
to address and protect against those risks and threats.
    I believe that there is obviously room to grow, and I think 
that agencies can always do a better job of assessing their 
risks. But we are seeing improvement, and CDM is one of the 
factors that is contributing to that improvement and their 
ability to identify those risks and trying to position 
themselves to protect or defend against it.
    Mr. Langevin. OK.
    Mr. Mossburg. I would just briefly say I agree that we have 
seen the results since the beginning of the CDM program, but I 
think it is with the Defend portion that is recently and 
currently under way where we have got the streamlined 
acquisition process for the tools where we have the potential 
to see the greatest benefit for individual agencies to get 
quicker access to the tools that are specific to their agencies 
and also as technology evolves with the threats, take advantage 
in a more--in a quicker fashion some of the latest technology.
    Mr. Langevin. Very good. Thank you. Mr. Chairman, I have 
some additional questions I will submit for the record. If I 
could have our witnesses respond to them, that would be 
helpful. Thank you all very much. With that, I will yield back 
the balance of my time.
    Mr. Ratcliffe. Thank the gentleman. The Chair now 
recognizes the gentlelady from Texas, Ms. Jackson Lee, for 5 
minutes.
    Ms. Jackson Lee. Thank you, Mr. Chairman. Thank you to the 
Ranking Member, Ranking Member Richmond. This is an important 
hearing. In fact, the constant oversight of our cybersecurity 
system is really crucial for the defense of this Nation and, as 
well, the important responsibilities that are driven by the 
cyber system.
    I heard the words careful and thoughtful planning, and I 
think that is clearly the framework in which we should be going 
forward. I have a series of questions, but the thoughtful and 
careful planning causes me to want to pose a question to you. 
Even as I know that the Continuous Diagnostics and Mitigation 
program deals with the attempt to ensure that the Federal 
network is healthy, but it is the constant changing system--and 
there are many parts of it that are impacted by the human 
element.
    So just take--you are obviously in the private sector. You 
know that we are querying about the incident that occurred in 
Hawaii. Certainly it was a cyber system of sort. Would you 
speculate on the--what might have been needed, how that 
translates into what good the system that we are dealing with 
is trying to do? We are obviously--all of us are paying 
attention in terms of the massive investigation that is going 
forward, not only State, but I certainly believe a full Federal 
investigation should occur, because we have a very important 
role in the network that States have, as well.
    So would you take a moment to comment on how that could 
have happened and how in the instance of our system it is 
intended to avoid that? Who wants to start first?
    Mr. Hodgkins. I will answer, Ms. Jackson Lee. Thank you for 
the question. The only commonality that comes to mind based on 
the reporting that I have seen is human error. Human error is 
still one of the primary drivers for cyber vulnerabilities, 
whatever system you are looking at, and so we have to continue 
to address that with additional training, additional 
acquisition of more skills, bringing in more people with those 
skills, and make sure that we try to diminish the opportunity 
to human error to occur.
    Ms. Jackson Lee. Gentlemen, please.
    Mr. Carayiannis. Congresswoman Lee, as I think about your 
question, I think quite a bit about what CDM is trying to do, 
which is to automate as many processes as possible and try to 
take the human factor out of the situational analysis around 
assets, vulnerabilities, configurations, whatever the case may 
be. So to the extent that if you try to relate one of the 
other, yes, the incident as it was reported in the paper, it 
looks like it was a human error. I think there will always be a 
human element to what goes on. But CDM is itself--to relate it 
back which I think was the premise of your question--relate it 
back to what CDM is about, by taking more control from an 
automated perspective of your environments, and being able to 
do something in a very automated way, I think you start to 
minimize the impact that the human element might have.
    Ms. Jackson Lee. Yes. Thank you.
    Mr. Mossburg. I will take a slightly different--sorry about 
that.
    Mr. Dimina. Go ahead.
    Mr. Mossburg. Slightly different angle. I think another 
part of the CDM program overall scope will be remediation when 
an issue occurs. There will always be human elements that 
factor--as you mentioned, that will come into play, and there 
will always be that cause. We will continually be adapting to 
situations such as this.
    Our ability to remediate or mitigate when an issue does 
occur and then put processes in place to prevent it from 
occurring again and learn those lessons are as crucial as the 
automation and processes that we can implement.
    Mr. Dimina. So I am not an expert on the incident that 
happened, but I think a perspective I can give you that might 
help is what is going on in private sector to deal with the 
shortages in the human workers and skills and resources and 
training that has been discussed today.
    There is two trends that are under way. The private sector 
is certainly doubling down its investment in software 
approaches to these problems. Two of those trends are occurring 
on--so one I mentioned earlier today about automation 
orchestration. How do we add as much automation and adaptive 
capabilities to the system so we are not so dependent on 
humans? CDM certainly could benefit from that.
    On the second trend is the adoption of technologies such as 
machine learning and data analytics to understand--to help us 
as practitioners filter through the noise, so that only the 
important signals get through and our human time is spent more 
efficiently so that there is less burden on our human resources 
and less likely of an accident or an incident. These 
technologies are all receiving major investments in the private 
sector and will continue to in the near future.
    Ms. Jackson Lee. It is clearly important because of the 
large percentage of the infrastructure that is in the private 
sector. Let me quickly ask this question, if I might. CDM will 
be the first Government-wide effort to centralize the 
assessment of the cyber health of the Federal computer system. 
As we well know, it is massive, it is massive, more massive 
than Hawaii, more massive than another State or the collective 
States. It is the Federal Government impacting so much.
    How well-prepared do you think we are to correctly 
interpret the information that we will be receiving? Obviously, 
there is a human element there in receiving and interpreting 
that information.
    Mr. Dimina. So thank you for that question. I think it is a 
very important question, and it centers around the theme of my 
testimony today. CDM provides us a visibility of assets within 
Government perimeters. What is going on inside the network?
    There are additional programs out there such as the 
Einstein program that provides visibility into what is coming 
in and out of the network, that perimeter viewpoint. Both of 
these programs satisfy a critical and necessary need, but today 
there is no integration between the data of these programs.
    So I think to your question is: How do we increase the 
value we are getting from these investments? One of the ways is 
by allowing DHS and agencies to benefit from tools such as data 
analytics to fuse some of the information that they are getting 
from two programs to more effectively enable the mission to 
hunt for bad actors and identify the techniques and tactics 
that are used by these actors.
    Ms. Jackson Lee. I think it is a roadmap that we need to 
follow. If I could just--Mr. Chairman, indulge me for Mr. 
Hodgkins, a follow-up question that Mr. Richmond asked, let me 
combine a question here. Defending against cyber threats is an 
ever-changing landscape. Can CDM adjust to the rapid changes in 
technology and applications?
    The question I want to follow up, Mr. Hodgkins and Mr. 
Richmond, is by teaching our youngsters code, as you well know, 
there is a--you may know, there is an effort to teach code in 
minority communities, to increase the opportunity. Is that an 
element of providing for the work force? Is that a productive 
use as it relates to this kind of work? But the first question 
is, are we able to adjust to the rapid changes in technology 
and applications? Then, is training in code productive?
    Mr. Hodgkins. Thank you for the question. To your first 
question, yes, I think the program--it does have the ability to 
evolve and to position itself as technologies move forward. We 
have talked about some of that and my counterparts have also 
shared some elements of that, so I think that the system and 
the processes that are being put in place--and as we move into 
Phase 3 and Phase 4, in contract for those, we continue to re-
evaluate what does the environment look like, what are the 
threats, the new threats that perhaps did not exist when we 
were contracting for Phase 1, how do we incorporate those 
capabilities? How do we move forward? So the processes that are 
put in place to implement through phases CDM will continue to 
evolve and help the program evolve, as well.
    Our industry has been very strongly supportive--in answer 
to your second question--of a variety of programs to try and 
increase the level of interest in STEM activities across the 
board, and coding in particular. It is essential that we try 
and get to students early on. There is multitudes of research 
that have been shown that getting to students early on and 
securing their interests before other factors come into play 
and detract their--distract them, if you will, from taking a 
STEM-type career path or course path is important, and coding 
is an element that seems to attract a lot of attention and get 
a lot of attention of a lot of younger people who grew up in a 
computer world as a way that they can interact and build a 
successful career. So we have been supportive and will continue 
to be supportive of that.
    Ms. Jackson Lee. Thank you very much, Mr. Chairman. I too 
have additional questions that I would like to submit for the 
record. Thank you very much to all the witnesses. Thank you for 
your testimony. I yield back.
    Mr. Ratcliffe. Thank the gentlelady. That concludes our 
hearing today. I thank the witnesses for your valuable 
testimony and your insights today. I thank the Members for 
their questions. As indicated, some Members of the committee 
have additional questions for the witnesses, and we will ask 
you all to respond to those in writing.
    Pursuant to committee rule VII(D), the hearing record will 
remain open for a period of 10 days. Without objection, the 
subcommittee stands adjourned.
    [Whereupon, at 3:31 p.m., the subcommittee was adjourned.]

                                 [all]