[House Hearing, 118 Congress]
[From the U.S. Government Publishing Office]


                   SAFEGUARDING THE FEDERAL SOFTWARE
                              SUPPLY CHAIN

=======================================================================

                                HEARING

                               BEFORE THE

               SUBCOMMITTEE ON CYBERSECURITY, INFORMATION
                 TECHNOLOGY, AND GOVERNMENT INNOVATION

                                 OF THE

                         COMMITTEE ON OVERSIGHT
                           AND ACCOUNTABILITY

                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED EIGHTEENTH CONGRESS

                             FIRST SESSION
                               __________

                           NOVEMBER 29, 2023
                               __________

                           Serial No. 118-77
                               __________

  Printed for the use of the Committee on Oversight and Accountability
  
  
                  [GRAPHIC NOT AVAILABLE IN TIFF FORMAT]  


                       Available on: govinfo.gov
                         oversight.house.gov or
                             docs.house.gov
                              __________

                    U.S. GOVERNMENT PUBLISHING OFFICE
                    
54-310 PDF                WASHINGTON : 2024                                


               COMMITTEE ON OVERSIGHT AND ACCOUNTABILITY

                    JAMES COMER, Kentucky, Chairman

Jim Jordan, Ohio                     Jamie Raskin, Maryland, Ranking 
Mike Turner, Ohio                        Minority Member
Paul Gosar, Arizona                  Eleanor Holmes Norton, District of 
Virginia Foxx, North Carolina            Columbia
Glenn Grothman, Wisconsin            Stephen F. Lynch, Massachusetts
Gary Palmer, Alabama                 Gerald E. Connolly, Virginia
Clay Higgins, Louisiana              Raja Krishnamoorthi, Illinois
Pete Sessions, Texas                 Ro Khanna, California
Andy Biggs, Arizona                  Kweisi Mfume, Maryland
Nancy Mace, South Carolina           Alexandria Ocasio-Cortez, New York
Jake LaTurner, Kansas                Katie Porter, California
Pat Fallon, Texas                    Cori Bush, Missouri
Byron Donalds, Florida               Jimmy Gomez, California
Kelly Armstrong, North Dakota        Shontel Brown, Ohio
Scott Perry, Pennsylvania            Melanie Stansbury, New Mexico
William Timmons, South Carolina      Robert Garcia, California
Tim Burchett, Tennessee              Maxwell Frost, Florida
Marjorie Taylor Greene, Georgia      Summer Lee, Pennsylvania
Lisa McClain, Michigan               Greg Casar, Texas
Lauren Boebert, Colorado             Jasmine Crockett, Texas
Russell Fry, South Carolina          Dan Goldman, New York
Anna Paulina Luna, Florida           Jared Moskowitz, Florida
Chuck Edwards, North Carolina        Rashida Tlaib, Michigand
Nick Langworthy, New York
Eric Burlison, Missouri

                                 ------                                

                       Mark Marin, Staff Director
       Jessica Donlon, Deputy Staff Director and General Counsel
             Raj Bharwani, Senior Professional Staff Member
                Lauren Lombardo, Deputy Policy Director
                      Peter Warren, Senior Advisor
      Mallory Cogar, Deputy Director of Operations and Chief Clerk

                      Contact Number: 202-225-5074

                  Julie Tagen, Minority Staff Director

                      Contact Number: 202-225-5051
                                 ------                                

 Subcommittee on Cybersecurity, Information Technology, and Government 
                               Innovation

                 Nancy Mace, South Carolina, Chairwoman
William Timmons, South Carolina      Gerald E. Connolly, Virginia 
Tim Burchett, Tennessee                  Ranking Minority Member
Marjorie Taylor Greene, Georgia      Ro Khanna, California
Anna Paulina Luna, Florida           Stephen F. Lynch, Massachusetts
Chuck Edwards, North Carolina        Kweisi Mfume, Maryland
Nick Langworthy, New York            Jimmy Gomez, California
Eric Burlison, Missouri              Jared Moskowitz, Florida
Vacancy                              Vacancy

                         C  O  N  T  E  N  T  S

                              ----------                              
                                                                   Page

Hearing held on November 29, 2023................................     1

                               Witnesses

                              ----------                              

Dr. James Lewis, Senior Vice President and Director, Strategic 
  Technologies Program, Center for Strategic and International 
  Studies
Oral Statement...................................................     3

Mr. Jamil Jaffer, Founder and Executive Director, National 
  Security Institute, Antonin Scalia Law School, George Mason 
  University
Oral Statement...................................................     4

Mr. Roger Waldron, President, The Coalition for Government 
  Procurement
Oral Statement...................................................     6

Ms. Jennifer Bisceglie (Minority Witness), Founder & CEO, 
  Interos, Inc.
Oral Statement...................................................     7

Written opening statements and statements for the witnesses are 
  available on the U.S. House of Representatives Document 
  Repository at: docs.house.gov.

                           Index of Documents

                              ----------                              

  * Statement for the Record; submitted by Rep. Connolly.
  * Questions for the Record, to Ms. Bisceglie; submitted by Rep. 
  Mace.
  * Questions for the Record, to Ms. Bisceglie; submitted by Rep. 
  Connolly.
  * Questions for the Record, to Mr. Jaffer; submitted by Rep. 
  Mace.
  * Questions for the Record, to Mr. Jaffer; submitted by Rep. 
  Connolly.
  * Questions for the Record, to Dr. Lewis; submitted by Rep. 
  Mace.
  * Questions for the Record, to Dr. Lewis; submitted by Rep. 
  Connolly.
  * Questions for the Record, to Mr. Waldron; submitted by Rep. 
  Mace.
  * Questions for the Record, to Mr. Waldron; submitted by Rep. 
  Connolly.

Documents are available at: docs.house.gov.

 
                   SAFEGUARDING THE FEDERAL SOFTWARE
                              SUPPLY CHAIN

                              ----------                              


                      Wednesday, November 29, 2023

                        House of Representatives

               Committee on Oversight and Accountability

 Subcommittee on Cybersecurity, Information Technology, and Government 
                               Innovation

                                           Washington, D.C.

    The Subcommittee met, pursuant to notice, at 2:21 p.m., in 
room 2247, Rayburn House Office Building, Hon. Nancy Mace 
[Chairwoman of the Subcommittee] presiding.
    Present: Representatives Mace, Timmons, Langworthy, 
Connolly, and Lynch.
    Ms. Mace. Good afternoon, everyone. The Subcommittee on 
Cybersecurity, Information Technology, and Government 
Innovation will now come to order.
    And good afternoon. We welcome everyone who is here this 
afternoon.
    Without objection, the Chair may declare a recess at any 
time. And I will recognize myself for the purpose of making an 
opening statement.
    Good afternoon, and welcome to this hearing of the 
Subcommittee of Cybersecurity, Information Technology, and 
Government Innovation.
    Today more than ever, Federal agencies rely on information 
technology to carry out core functions of government. Digital 
information systems are used to help provide healthcare to 
veterans, pay Social Security beneficiaries, protect the 
homeland, administer our system of justice, and much more. The 
broad deployment of IT systems creates efficiencies and 
streamlines the government service delivery process. So, there 
is no disputing the gains from digital government are real, but 
so, too, as you all know and why you are here this afternoon, 
are the risks.
    Our increase in dependence on computer hardware and 
software has created an irresistible target for malicious cyber 
actors. These include foreign enemies who seek to do us harm 
and domestic activists bent on disruption, along with criminals 
chiefly seeking to line their own pockets. We know these risks 
from hard experience. A series of hacks have exploited 
vulnerabilities in software used to operate major Federal and 
non-Federal computer systems.
    For example, the 2020 SolarWinds breach, many of you are 
aware of, amongst the largest ever, was perpetrated by Russia-
based cyber criminals who gained access to systems and data by 
injecting malware into a widely used software update.
    More major software hacks have followed since then. That 
includes one involving Log4j, a common software component. And 
this past May, the popular file transfer software, Moveit, was 
compromised.
    These intrusions disrupt operations, they are costly and 
time-consuming to address for companies of all sizes. And they 
risk the exfiltration of sensitive data, including the personal 
identifiable information of millions of Americans. Ultimately, 
they erode trust and the ability of our government to execute 
its core functions reliably and securely.
    So, we need to ensure the software we use is safe. It is a 
challenging risk; the Federal Government spends about a hundred 
billion annually in IT goods and services, including software. 
When you acquire a product, you inherit any risks associated 
with its supply chain. And the software supply chain is often 
opaque, its providence is often unclear, including that of the 
underlying source code. And even if the origins are known, it 
could also have been later altered or tampered with.
    Congress has taken some steps to shore up the software 
supply chain. Section 889 of the 2019 NDAA prohibited Federal 
agencies from buying certain telecom and video surveillance 
equipment, including that made by specific companies tied to 
China. Congress also authorized the creation of Federal 
Acquisition Supply Council or FASC as a centralized interagency 
hub to identify and mitigate government IT procurement risks.
    One way to make the software supply chain more transparent 
is through SBOMs. An SBOM, or Software Bill of Materials is 
analogous to a food nutrition label. It reveals the origin and 
component elements of software, as well as modifications later 
made. An SBOM can help government purchasers identify software 
vulnerabilities, like source code originating from China or 
Russia. The goal is to secure the software supply chain without 
unduly shrinking the pool of software providers and products 
available to the government. We do not want to give up the 
benefits we all gain from software-driven efficiencies, 
including the savings they yield to taxpayers. That is why we 
have a representative of the Federal contractor community 
testifying here today, along with experts on the methods and 
intentions of cyber threat actors.
    But before we hear from them, do you want to make an 
opening statement.
    Mr. Lynch. I think the Ranking Member will be along. So, if 
we could go to introduction of the witnesses.
    Ms. Mace. We will pause. When Mr. Connolly gets here, he 
will do his opening statement.
    Mr. Lynch. Thank you.
    Ms. Mace. All right. So next, I am pleased to introduce our 
witnesses for today's hearing. Thank you for being jammed up 
there today. You guys look super cozy. Small desk, four people.
    Our first witness is Dr. James Lewis, Senior Vice 
President, Director of Strategic Technologies Program at the 
Center for Strategic and International Studies.
    Our second witness is Mr. Jamil Jaffer, founder and 
Executive Director of the National Security Institute at George 
Mason University's Antonin Scalia Law School.
    Our third witness is Mr. Roger Waldron, President of The 
Coalition of Government Procurement.
    And our fourth and final witness today is Ms. Jennifer 
Bisceglie, founder and CEO of Interos, Inc.
    Welcome, everyone, and we are pleased to have you this 
afternoon.
    So, pursuant to Committee Rule 9(g), the witnesses will 
please stand and raise your right hands.
    Do you solemnly swear or affirm that the testimony you are 
about to give is the truth, the whole truth, and nothing but 
the truth, so help you God?
    Let the record show the witnesses all answered in the 
affirmative. We appreciate all of you being here today and look 
forward to your testimony. I will remind our witnesses--I do 
not know what that was--we appreciate everybody being here 
today. I will remind the witnesses that we have read your 
written statements, and they will appear in full in the hearing 
record. Please limit your oral statements to 5 minutes. And as 
a reminder, please press the button on the microphone in front 
of you so that it is on, and everyone can hear you. When you 
begin to speak, the light in front of you will turn green. And 
after 4 minutes, the light will turn yellow. When the red light 
comes on, your 5 minutes has expired, and I will politely ask 
you to stop, to please wrap up.
    So, our first witness, Dr. Lewis, I invite you to please 
begin your opening statement.

                        STATEMENT OF JAMES LEWIS

                         SENIOR VICE PRESIDENT

                              AND DIRECTOR

                     STRATEGIC TECHNOLOGIES PROGRAM

              CENTER FOR STRATEGIC & INTERNATIONAL STUDIES

    Dr. Lewis. Thank you, and I thank the Committee for the 
opportunity to testify. Forty-five years ago, China's leaders 
realized that the economy was in shambles, and they decided to 
open China to the West. This economic opening created immense 
business opportunities for the world, and the U.S. expected 
that the relationship with China would steadily improve. It was 
profitable for both sides, but there were always problems, and 
chief among those problems was that China decided that to 
modernize and grow, it needed to acquire technology. China did 
this in many ways, but chief among them is cyber espionage.
    China leads in intellectual property theft and now collects 
the personal information of American citizens. Chinese 
intelligence services exploit information technology, including 
devices, software, internet apps, and the cloud. Anything that 
connects to the internet creates an opportunity for spying. And 
when China provides the software, it makes this task easier.
    The way that software is built creates opportunities. 
Software products blend code from a variety of sources. This 
could include software from China or other hostile nations. One 
concern is the use of Chinese software development kits, 
basically chunks of code that can be inserted into bigger 
programs. This has been done in many U.S. commercial products. 
The use of Chinese software creates opportunities for espionage 
and the disruption of services. A Federal user may download a 
shopping or travel app for personal use and not know that it 
includes Chinese software.
    The problem is that the U.S. and China have deeply 
interconnected supply chains. This interconnection creates 
vulnerability and risks, but they cannot be undone overnight. 
We can, however, manage this risk.
    Since the 2021 SolarWinds incident, the U.S. has taken a 
number of steps to improve software supply chain security--
changes to the Federal acquisition regulations, and to FedRAMP, 
will lead to acquisition of more secure software and services.
    Other important measures include the Software Bill of 
Materials process that you mentioned, SBOM, managed now by the 
Department of Homeland Security, and the new Department of 
Commerce Office of Information and Communications Technology. 
SBOMs provide insight into the source of the software products. 
We often do not know where the code came from. And since there 
can be multiple participants--a prime, a sub, tertiary 
suppliers--SBOMs are crucial. It lets the U.S. identify 
software that comes from risky sources in a way we cannot now 
do. Commerce's ICTS office will review information technology 
subject to its jurisdiction and can prohibit or impose measures 
on transactions that create risk.
    The office was really created to deal with TikTok, to make 
an approach to TikTok that would withstand judicial scrutiny. 
So, they are beginning their work. I think everyone is 
optimistic about them. The office also builds on the work of 
several executive orders in this Administration, and its 
predecessor, issued in the last few years.
    Safeguarding the Federal software supply chain points to 
the need for a thorough review of software applications and 
internet-connected devices acquired by the Federal Government. 
SBOM, the new office, the executive orders, and changes in the 
acquisition regulations will let the United States better 
manage a complex national security problem. But we are only at 
the start. I thank the Committee for the opportunity to testify 
and look forward to your questions.
    Ms. Mace. Thank you. I will now recognize Mr. Jaffer for 
your opening statement.

                       STATEMENT OF JAMIL JAFFER

                     FOUNDER AND EXECUTIVE DIRECTOR

                      NATIONAL SECURITY INSTITUTE

                       ANTONIN SCALIA LAW SCHOOL

                        GEORGE MASON UNIVERSITY

    Mr. Jaffer. Chairwoman Mace, Ranking Member Connolly, and 
Members of the Subcommittee, thank you for the opportunity to 
testify today about the threat facing our Nation from potential 
vulnerabilities in the Federal software supply chain.
    Let me start out by saying we are in a constant, if low 
level, state of conflict with adversaries in a cyber domain 
today. Russia has come after our government, our think tanks, 
our universities, our critical infrastructure. They are deep 
inside our systems. They have long-term sustained access to 
almost every aspect of the U.S. Government and the private 
sector, including our water supply, our electric supply, our 
banking system.
    The same is true of China. China is deep inside our 
networks and has been for years. They look to exploit that--
both Russia and China today look to exploit that capability 
primarily for intelligence collection and to establish a 
capability to remain on our infrastructure to use in the case 
of conflict. They do not attempt today to use it for that 
purpose.
    Other nation state actors, unfortunately, likewise have 
significant capability. The Iranians and North Koreans, while 
being somewhat further behind than the Russians and Chinese, 
have today a significant capability to access and influence our 
critical infrastructure and our government.
    This is a challenge because today the world is on fire. We 
have a war going on in the heart of Europe between Russia and 
Ukraine. We have a war going on between Israel and Hamas, a 
nation state Iranian-backed threat actor. We also see constant, 
consistent threats to our allies and partners in the Indo-
Pacific, including Taiwan, Japan, South Korea, and Australia by 
China, and a consistent set of launches of ballistic missiles, 
nuclear capable ballistic missiles by North Korea. Each of 
these nation states has cyber capabilities. Many of which they 
deploy today across the globe and here in the United States by 
exploiting software vulnerabilities in the supply chain.
    So, the challenge we face is one that is not insignificant, 
to the contrary it is one that is massive, serious, and present 
today, and we must address. Now, there are a number of things 
that we as the Federal Government can do to address these 
problems and a number of important steps that the Chairwoman 
herself mentioned--section 889 is a step in the right 
direction. We have also banned certain types of capabilities.
    The U.S. Government once bought Russian antivirus software 
in the form of Kaspersky. We have now barred that from U.S. 
Government systems, and that is a good thing. As are the bars 
on Huawei, ZTE, and other Chinese capabilities.
    But the problem goes deeper, as Jim has correctly laid out, 
a number of nation state actors play in the open-source 
software space, and they engage in efforts to exploit providers 
in the U.S. Government. We saw that perhaps famously in the 
case of the SolarWinds hack that the Chairwoman referred to 
earlier. But we also saw it long before that in the case of the 
NotPetya attack conducted by Russia against Ukraine, but that 
spilled worldwide and caused over $10 billion of damages.
    So, the government can take action to strengthen its own 
systems. We can talk about buying software that is secure by 
design and resilient by design. These are things that the 
government and today the Administration has talked about 
extensively. CISA has put out guidance on secure by design. The 
National Cybersecurity Strategy refers to resilience by design 
concepts as well.
    But it goes beyond simply buying better and more capable 
software. It requires our government actors and our government 
procurers to be able to procure the leading edge of software 
technology to buy from U.S. startups. We have talked for 
decades about the need for the U.S. Government to be more 
forward leaning and more capable and more flexible when it 
comes to buying capabilities.
    The challenge, of course, is one of priorities and one of 
risk-taking. Our Federal Government officers should not be 
risk-taking when it comes to buying foreign software. They 
should, however, take risks and lean forward when it comes to 
buying American startup software and capabilities as we think 
about how to better defend the Nation and cyber domain. That 
requires culture change within the executive branch and culture 
change within the executive branch's overseers here in 
Congress.
    Finally, the U.S. Government cannot simply remain on the 
defensive. If we are going to really effectively address 
threats to our government and industry in the cyber domain, we 
have got to go on the offensive. That requires taking the fight 
to the enemy. We have done quite a bit of that by leaning 
forward on active defense and persistent engagement. We need to 
do more. It does not work when our government is unwilling to 
lean forward, take the fight to the enemy in any domain, much 
as in cyberspace. Deterrence can and does work in the cyber 
domain. We just do not practice it.
    Thank you for the opportunity to address the Committee, and 
I look forward to your questions.
    Ms. Mace. Thank you. I will now recognize Mr. Waldron for 
your opening statement.

                       STATEMENT OF ROGER WALDRON

                               PRESIDENT

                THE COALITION FOR GOVERNMENT PROCUREMENT

    Mr. Waldron. Good afternoon, Chairwoman Mace, Ranking 
Member Connolly, and Members of the Subcommittee. Thank you for 
the opportunity to appear before you to address the Federal 
software supply chain. The Coalition for Government Procurement 
is a nonprofit, nonpartisan association of firms selling 
commercial services and products to Federal Government. Our 
members collectively account for more than $145 billion in 
mission support for the Federal customer. Our members include 
small, medium, and large business concerns from across the 
commercial market. They include software, commercial software 
firms, cloud providers, system integrators, and IT suppliers. 
As such, they are well aware of the challenges involved in 
addressing vulnerabilities in the Federal software supply 
chain.
    The threat for near-peer adversaries and other bad actors 
has made cybersecurity and supply chain risk management 
fundamental to Federal procurement in the commercial sector. 
Recognizing the importance of this matter, there are three 
points I would like to make.
    First, the government should continue prioritizing buying 
commercial solutions where appropriate. The Federal Acquisition 
Streamlining Act of 1994 established a preference for the 
acquisition of commercial items. This preference reduces risk, 
increases competition, improves pricing, provides greater 
access to innovation, and it improves security. Commercial 
software firms recognize that security failure risks 
reputational harm which would translate into loss of business. 
For this reason, drawing on their experience across industry 
sectors, like healthcare, banking, finance, and energy, they 
understand that they must invest in security, and they do so. 
Government should capitalize on this expertise.
    Second, cybersecurity requirements reporting and other 
administrative compliance regimes should not burden commercial 
firms unnecessarily. Some requirements are necessary, but 
unnecessarily burdensome requirements drive companies out of 
the government marketplace, reducing government access to the 
innovation and capabilities of the commercial market.
    As the Administration's recent draft memo on the Federal 
Risk and Authorization Management Program, FedRAMPs stated: 
``Unthinking adherence to standard agency practices in a 
commercial environment could lead to unexpected or undesirable 
security outcomes.''
    Some government mandates for certifying commercial products 
could create compliance risks when the mandates are not 
required outside of the government or are ambiguous. The 
government should accept commercial standards whenever 
possible, and required certification should focus on what is 
being provided actually meets those standards.
    Third, and finally, the Federal cybersecurity and software 
supply chain framework is in a state of flux and coordination 
is needed. There are various pending rules and regulations, 
like FedRAMP; first cloud cybersecurity; CMMC, the 
Cybersecurity Maturity Model Certification that DOD contractors 
are going to have to sign up to; NIST 800-171 is in the process 
of being rewritten; software bill of materials. There are 
several proposed FAR cybersecurity clauses and more to come. 
Section 889, any activities of the Federal Acquisition Security 
Council, all of which are in various stages of government 
review and/or public comment.
    The government has the opportunity here to provide needed 
harmonization of these rules and regulations to assure an 
efficient and consistently implemented cyber regime. 
Coordination could be achieved by further establishing roles 
and responsibilities for CISA and for the activities of the 
Federal Acquisition Security Council to manage cybersecurity 
and supply chain obligations and reporting for Federal 
contractors. This will reduce duplication and overlap in the 
cybersecurity and software supply chain framework. Such 
consistency will assure that all stakeholders understand the 
rules of engagement in the government space and will be more 
able to easily adjust as those rules evolve to meet the 
challenges of a dynamic cyber and supply chain environment.
    In closing, Chairwoman Mace, Ranking Member Connolly, and 
Members of the Subcommittee, thank you for the opportunity to 
appear before you today. I look forward to addressing any 
questions you might have.
    Ms. Mace. Thank you. I will now recognize Ms. Bisceglie for 
your introductory statement.

                    STATEMENT OF JENNIFER BISCEGLIE

                             FOUNDER & CEO

                             INTEROS, INC.

    Ms. Bisceglie. Thank you. And good afternoon, Chairman Mace 
and Members of the Subcommittee. Thank you for inviting me to 
testify as a subject matter expert on supply chain risk 
management with today's focus on securing the Federal software 
supply chain.
    My company, Interos, is built on almost 30 years of 
personal experience in global supply chain risk management. 
Over the past 19 years since I started Interos, I have seen the 
discussions turn from a lack of understanding of this issue to 
simple compliance and resiliency, and now the product integrity 
or software pedigree or SBOM to preempt and protect from 
intentional, malicious attack.
    To support our customers, Interos began to build out of 
what is now the world's largest business relationship graph. 
Using artificial intelligence, we are responsible for mapping 
and continuously monitoring the business relationships, 
business dealings, and supply chains of more than 300 million 
businesses around the world and the billions of relationships 
between them.
    I will first share two of our observations, and then follow 
those with four recommendations. First, we believe we are still 
struggling with finding a common definition for the supply 
chain risk management as well as a standard way to measure the 
challenge. And I think you heard that from my peers on the 
panel today.
    As we tend to separate hardware from software from service 
supply chains, we will continue to create artificial silos and 
increase the available attack vector for both the intended and 
unintended enemy. When in actuality, all we are talking about 
is simply who is doing business with each other and what risks 
those relationships might entail.
    Our second observation is that supply chain risk management 
must be viewed as an investment versus an expense. Interos is 
the technology of choice for the only true supply chain 
mismanagement shared service in the world currently hosted by 
the U.S. Navy to help them provide the transparency and 
pedigree of what is coming into various offices in the Navy, as 
well as the ongoing monitoring of said national security 
systems in a proactive and information sharing way. However, 
none of this is happening through a federally funded program of 
record. We are still handling supply chain security across the 
Federal Government as a rob Peter to pay Paul fashion.
    We have four recommendations for the Committee to consider 
to better protect our Nation's critical infrastructure. First, 
awareness in education are critical to communicate that supply 
chain risk impacts everyone within the Federal infrastructure 
which actually instructs the private sector.
    Second, actually fund the programs. Assign someone within 
the agency to only issue and measure the success. Even with 
reports from GAO, updates to FITARA and FISMA, the various 
executive orders, we can point to the prioritization without 
alignment or uniform rollouts, which drives up the costs and 
makes management as well as effectiveness very difficult.
    Third, make automated supply chain security for hardware, 
software, and services be the cost of doing business, not only 
with the Federal Government, but also between private sector 
organizations. How many more examples of the ripple effect of 
our business connections and how easily disturbances can be 
shared. Everything from NotPetya, to the Target Breach, to 
Log4j, Moveit, SolarWinds, not to mention as already been 
mentioned today, we are also targets for countries such as 
China, Russia, and Iran. Why do we let public and private 
sector organizations continue to fund service-based supply or 
risk assessments and not leverage technology for continuously 
monitoring the problem?
    Finally, and simply, implement contractual language that is 
effective and will actually be used. In addition, there are 
multiple industry associations working on standards for supply 
chain mismanagement, such as those in the room today. Doing as 
much as possible via internal policy changes and contractual 
language as a way to inform suppliers of how to do business 
with you and to mitigate risks coming into your organization is 
a much less expensive way to approach the problem than 
regulation and legislation.
    In conclusion, the solution needs to be viewed as an 
investment in national security, not just an expense, which 
moves us into the offense position, as was just mentioned, and 
needs to include upscaling the people responsible for buying 
and using software supply chain security requirements, not just 
putting the requirement in a contract as wording. It is the use 
of the SBOM--to KNOW/PREVENT/FIX, as Google likes to say--will 
make the difference for the Federal software supply chain, this 
country's security posture, and our global competitiveness. 
Thank you for the opportunity to present our views, and I look 
forward to answering any questions.
    Ms. Mace. Thank you. I would now like to recognize myself 
for 5 minutes of questioning. I will start with you, Mr. 
Jaffer, and good afternoon.
    Your written testimony states that for far too long the 
U.S. has been taking cyber attacks and hacks on the chin with 
limited response. In the cyber domain, we have largely been 
unwilling to establish, much less enforce effective red lines.
    My first question to you, Mr. Jaffer, this afternoon. 
Should this Administration draw a line in the sand to deter 
cyber warfare launched from China, Russia, and other enemy 
nation states?
    Mr. Jaffer. Thanks, Chairwoman. Yes, I absolutely think we 
need to make very clear our red lines in the cyber domain. Part 
of the challenge that I think that we face in this domain is 
that we talk about our concerns, but we do not actually 
effective them. We do not talk about what our capabilities are 
on the cyber domain. We do not talk about what our red lines 
are. We do not talk about what we would do if those red lines 
are crossed. And then worst, the world is seeing on the rare 
occasion the U.S. established red lines, we do not enforce 
them. And that is the real fundamental failure. The reason why 
deterrence is not working in the cyber domain, and we keep 
getting hit over and over, and our adversaries come at us even 
more in a more challenging way is because they are testing our 
boundaries. Until we set clear boundaries and enforce them, 
this will continue and get worse. That actually makes it more 
dangerous----
    Ms. Mace. How do we change the behavior?
    Mr. Jaffer. Look, I think we have to extract consequences 
and costs, and we have to do it in a way that is seen not just 
by that threat actor, but by other threat actors as well. That 
is the only way we are going to see real deterrence in this 
domain. Frankly, it applies across the board, not just in 
cyber, but it is more present in cyber than others.
    Ms. Mace. Yes. Government purchasers need to take more 
risks and being willing to buy from small American startup 
companies. As you mentioned before in your testimony, how would 
taking those risks help safeguard the software supply chain, 
for example?
    Mr. Jaffer. Well, you just heard about what Interos does 
and the capabilities it brings to bear. This is the kind of 
company and other companies like it that have leading-edge 
capabilities. Whether it is software supply chain management or 
in actual defensive capabilities or, you know, lean forward 
offensive capabilities. Until we can really buy the best and 
brightest in technology across the board, which is built here 
in the United States, it is going to be impossible for the 
government to be at the cutting edge. We do not buy it because 
we have got these huge programs of record that make it easy for 
people to buy from existing contractors and not lean forward.
    Ms. Mace. Yes, I agree. Ms. Bisceglie, I have a couple of 
questions for you. In your written testimony it states that the 
use of the SBOM that will make the difference for the Federal 
software supply chain, this country's security posture, and our 
global competitiveness. Do you think SBOMs can make software 
purchasing safe, the way that nutrition labels let us know if 
the food we buy is healthy, for example?
    Ms. Bisceglie. Yes, I think it is a great question. I think 
it goes back to the implementation. And I think that you just 
mentioned the same thing. It is not a compliance activity. And 
I think we are so focused in this government, and even in the 
private sector often about reputation and brand, and say, hey, 
I think I did enough because FITARA, FISMA, FedRAMP, what have 
you, they all said I did it, and I checked the box. That is the 
problem. When you think about SBOM or a food in an ingredient 
list, that is a compliance activity. It is really what is the 
red line? What is----
    Ms. Mace. Is FITARA outdated?
    Ms. Bisceglie. Yes.
    Ms. Mace. Yes, very much so. And should we update it and 
maybe make it better current with the times and the technology?
    Ms. Bisceglie. I think the move to look at something much 
more operationally focused and dynamic versus standard based--
--
    Ms. Mace. Yes, Congress just wants to do what we always 
have done and that is outdated, and that hurts us, correct?
    Ms. Bisceglie. I do not think it keeps up with the time 
with the best and the brightest.
    Ms. Mace. Yes. Thank you. Then your written testimony also 
states that Interos has built the world's largest business 
relationship graph. We have talked about AI before, and I am 
very impressed with what your company is doing with AI and the 
supply chain is extremely impressive. But it uses AI to 
continuously monitor the supply chains of millions of 
businesses around the world and billions of relationships 
between them. So, is AI a game-changer for the supply chain 
security, how do you see that, and how do we make sure the 
government makes use of it?
    Ms. Bisceglie. I think automation is a game-changer for 
supply chain security. Because supply chains are dynamic, and 
they change, and they are uncontrollable. So, we have to 
leverage technology and get out of human manual processes in an 
effort to make a difference. And AI is definitely the path to 
do that.
    Ms. Mace. OK. Thank you so much. I have a question for you, 
Mr. Lewis, Dr. Lewis. Your testimony says major Chinese 
software companies may be placing chunks of code in popular 
apps and online services. It says they are in effect invisible, 
embedded in a larger American product. So, China could use back 
doors into our computer systems so they can spy on us and 
disrupt file services. Would you agree?
    Dr. Lewis. Unfortunately, they have created back doors in 
code and used it.
    Ms. Mace. Is it just the code? Is it just software? Are 
they also putting software in hardware that we buy? Our 
government buys Chinese hardware, don't they?
    Dr. Lewis. They are a full-service intelligence operation. 
But they have already used, in two cases, this kind of 
software.
    Ms. Mace. But I cannot understand why we buy Chinese tech 
products for government agencies. It is mind-boggling to me. 
All right. With that, I will yield back. And I see my 
colleague, Mr. Connolly, my friend from Virginia, I would like 
to recognize you.
    Mr. Connolly. Thank you. Thank you, Madam Chairwoman. I am 
sorry I am late. We had a markup at Foreign Affairs, and 
Foreign Affairs is still under construction, so we are meeting 
in the big room in the visitor center. So, we had recorded 
votes I had to make. So, I am so sorry.
    Madam Chair, if it is more convenient for you, I can wait 
on the opening statement. Whatever you wish.
    Ms. Mace. Do you want to make your opening in closing?
    Mr. Connolly. Yes, if that works. OK. Great. So, I will 
start my questioning. Thank you so much.
    Mr. Jaffer, you are a cybersecurity expert and Executive 
Director of the National Security Institute at the Antonin 
Scalia School of Law.
    Mr. Jaffer. At George Mason University in your district.
    Mr. Connolly. Also known as ASS Law. Would you agree that 
adopting zero trust security model is important to supply chain 
risk management?
    Mr. Jaffer. Absolutely. Zero trust is a critical capability 
that we need to apply across the software supply chain and more 
generally across the government networks. That being said, it 
is not a silver bullet. Zero trust can be applied in a million 
different ways. You have got to do it. You have got to do it 
right. And, frankly, you have got to buy more secure software 
at the outset. And we have got to really hold the threat actors 
that are coming at us accountable. Today they can exploit U.S. 
Government systems with virtual impunity and pay almost no cost 
and certainly no public cost. That comes at a price as well.
    Mr. Connolly. How about continuous monitoring and automated 
response and conducting regular security training for 
employees?
    Mr. Jaffer. Well, you have hit on something that I am a big 
fan of. I believe continuous monitoring is critical. The idea 
that we do not continuously monitor out networks or employees 
is crazy given that we have complete authority to do so today. 
And security training is critical. But it has got to be, again, 
as Ms. Bisceglie said, it cannot be check-the-box training. It 
has got to be actually consistent, capable, and the like.
    Mr. Connolly. Right. Because you got to remember what the 
goal is. It is not training. It is to prevent bad things from 
happening.
    Mr. Jaffer. Exactly. Good point.
    Mr. Connolly. Do you think it would be worthwhile for 
Congress to conduct oversight in how agencies are doing in each 
of these categories we just discussed?
    Mr. Jaffer. Of course.
    Mr. Connolly. Ah. So, you are aware of the fact that the 
FITARA scorecard and our bipartisan FISMA metric in fact, 
already does that.
    Mr. Jaffer. I am.
    Mr. Connolly. Should we do more of it?
    Mr. Jaffer. I think, as Ms. Bisceglie said, you can do more 
of it better, I would say. It needs to be smarter, more 
flexible, more capable. The problem is, say, FITARA is a check-
the-box exercise, right? It is a bunch of rules. You have got 
to go through it. Everything you buy, or a lot of stuff you buy 
has got to be purchased through FITARA and reviewed. The 
problem is it does not really do the job effectively. So, 
scorecards are great, but they have to be flexible and good. 
And they have got to also allow you to buy highly capable 
moderate software.
    Mr. Connolly. Have you worked in the Federal Government, 
Mr. Jaffer?
    Mr. Jaffer. I have, unfortunately.
    Mr. Connolly. I think you understand we have to get basics 
first.
    Mr. Jaffer. Agreed.
    Mr. Connolly. And the fact of the matter is that scorecard 
says $30 billion according to the GAO. I challenge anyone to 
find another Federal piece of legislation that has effectuated 
government savings of $30 billion.
    Mr. Jaffer. Congressman, I am--saving government money and 
our taxpayer dollars is 100 percent the right thing, but we 
also want good security. And we want to buy modern capable 
software products.
    Mr. Connolly. Exactly. That is the goal, Mr. Jaffer.
    Mr. Jaffer. Agreed.
    Mr. Connolly. We need to retire legacy systems. We need to 
make sure we are up in the 21st century. We need to make sure 
everything can be encrypted and protected on behalf of the 
American taxpayer. And I think that is the goal.
    Mr. Jaffer. Totally.
    Mr. Connolly. Ms. Bisceglie--have I pronounced that 
correctly?
    Ms. Bisceglie. Yes, Bisceglie.
    Mr. Connolly. Ms. Bisceglie, why is it important that cloud 
service providers meet certain privacy controls, like 
identifying and enumerating system vendors?
    Ms. Bisceglie. Oh, I think, again, it creates a red line or 
a base that we all have to adhere to. And I think it is a 
start. I think it is an education. And I think it gives us some 
level of protection, but it does not keep you away from the 
conversation you were just having with Mr. Jaffer, which 
continuous monitoring in a dynamic environment is where we need 
to live.
    Mr. Connolly. Right. And what about developing and 
enforcing risk management plans for supply chains and 
establishing risk management teams for those supply chains.
    Ms. Bisceglie. I could not agree more. And I think under 
several administrations ago, you started seeing teams being set 
up. What I shared in my testimony is that none of this is 
funded. And that is a problem.
    Mr. Connolly. Yes. So, we passed a bill in the last 
Congress finally authorizing FedRAMP. And FedRAMP, in fact, 
enforces those cybersecurity measures. Are you familiar with 
those provisions?
    Ms. Bisceglie. Yes. I am going through it right now.
    Mr. Connolly. Good.
    Ms. Bisceglie. I also think, though, again, that the 
compliance activity, I think it is a good baseline. It is not 
risk management.
    Mr. Connolly. Yes.
    Ms. Bisceglie. And you brought up a really good point a few 
minutes ago. We have to remember the enemy we are fighting 
against, which is not ourselves, it is not the FAR. And 
necessarily, saving money could be at odds with security.
    Mr. Connolly. Yes, that is true.
    Ms. Bisceglie. You know, we need to remember that.
    Mr. Connolly. And it is absolutely true. And I think Mr. 
Jaffer was getting at the same point. You want to measure the 
right things.
    Ms. Bisceglie. Correct.
    Mr. Connolly. And the right things we want are efficacious 
outcomes. So, training and awareness is a means to that end. It 
cannot be the end in and of itself. And I think previously we 
have written legislation that unwittingly rewarded the wrong 
metric. And so, we would have testimony from Federal agencies 
coming here saying 95 percent of our staff can be trained and 
made aware. And you think, OK, but are hacks more successful or 
less? Are there more of them or fewer? And, of course, that was 
a different question and a different answer. So, I could not 
agree with you more. Thank you. I yield back.
    Ms. Mace. Thank you. I will now recognize Mr. Timmons of 
South Carolina for 5 minutes.
    Mr. Timmons. Thank you, Madam Chairman. Mr. Jaffer, you 
talked about holding foreign adversaries, foreign actors 
accountable, creating a policy that would create an avenue for 
retribution or accountability, whatever you want to call it. I 
very much agree with you. I think we have a big problem right 
now because if a foreign adversary, a government fired a rocket 
and blew up a building, we would make the business that owned 
the building whole and then we would go to war. But if that 
same foreign adversary does a cyber-attack and cost that 
business hundreds of millions of dollars, their insurance is 
not going to pay for it because it is foreign government, and 
we are not going to do anything. So that is a problem.
    So, the question then comes what do we do? And I mean I 
think that the Federal Government needs to take the position 
that if a foreign government engages in a cyber-attack on a 
U.S. business or a U.S. entity, that they will then make the 
business--the government, the Federal Government, the U.S. 
Government will make that business whole, and then using 
whatever mechanisms we want, get the money or get retribution 
from the attacking country. Do you agree with that general 
premise?
    Mr. Jaffer. Look, I think as a general matter we have got 
to hold foreign nation state actors that come after us, whether 
it is our companies, our critical infrastructure, our 
government, accountable. We do not do enough of that today, 
right? That could be done in a variety of ways. It can be we 
prosecute them. The Justice Department have indicted dozens of 
Chinese state actors, dozens of Russian state actors. We are 
never going to get them into U.S. courts, right, but it sends a 
message.
    The real question, though, is how do you hold them 
accountable in the cyber domain or in other domains where they 
actually feel the pain. And today, nobody that comes after us, 
particularly the big nation states, feel any pain when they 
come after U.S. Government. Rarely the President might go to Xi 
Jinping and say, I have got a problem in these sectors, right? 
But by and large, we do not do that, and then we do not 
actually extract costs. That is the key in my mind.
    Mr. Timmons. Assuming--let us just move the conversation of 
attribution. Let us just say that everybody agrees that it was 
China.
    Mr. Jaffer. Right.
    Mr. Timmons. I mean, why would we not use economic 
sanctions to say: The cyber-attack costs this much. We paid 
that. We are going to do economic sanctions to address this. 
And if you do it again, we are going to multiply it by two. 
And, by the way, any other country in the world, if you do it, 
you are going to start out with a dollar for dollar, and then 
we are going to do two dollars for one dollar.
    Mr. Jaffer. Exactly. If we could extract that kind of cost 
and make it really cost them, they are going to think twice 
about using it. They might still do it at times, but it is 
going to reduce the overall amount of these things happening by 
a significant portion.
    Mr. Timmons. How do you then reconcile the issue where a 
lot of the cyber-attacks are coming from Eastern European, 
Southeast Asian countries that have limited rule of law, and 
the countries are not necessarily able to hold the people 
accountable? I mean, I guess, in my mind, in that scenario you 
say that this person at this address attacked us, and it cost 
us this amount. We will give you assistance to prosecute these 
people, to hold them to account. And if you want to let us help 
you do that, we will not charge you any money. We will then 
prosecute that person. But if you do not want to help us, if 
you do not want to address the lawlessness in your country that 
is adversely impacting our citizens, our economy, then we will 
extract dollar for dollar from you. And if they do it again, we 
will do the same thing, two for one.
    Mr. Jaffer. Three quick thoughts on that. One, it cannot 
just be an economic penalty. There has got to be other 
consequences as well. Economic penalties are good, we need to 
do more on that front.
    No. 2, you know as a former prosecutor and a member of the 
Air National Guard, right, we can encounter in the terrorism 
scenario, right? Where countries cannot control their own 
space, and it causes an impact. We say we are going to 
unilaterally take action. You cannot just say it is not my 
problem, right?
    Then, third, I think at the end of the day, what this 
really requires is the U.S. Government being clear about what 
policies are, where our lines are, and what we are going to do. 
And then when those things happen, we have to take action. We 
have gotten too used to setting red lines or not setting them 
at all because we are afraid of enforcing anything.
    Mr. Timmons. I definitely agree with you on that. Are you 
aware of any cyber-attack that has resulted in a loss of life.
    Mr. Jaffer. So, you know we have seen a lot of these 
ransomware attacks. There are a couple going on actually today, 
where hospitals were affected. We have heard that at least in 
one or two instances people have not made it to the hospital or 
may have suffered a heart attack or died as a result. Beyond 
that, right, we know that typically in the military context, 
cyber is used as an enabling capability and can enable attacks 
will actually have a real loss of life. So, the trillions of 
dollars our economy has lost is also huge and cannot be 
underestimated as a cost as well.
    Mr. Timmons. My biggest fear is it is going to require a 
huge loss of life such as a cyber-attack on critical 
infrastructure in the Northeast during a cold spell, where we 
are unable to heat our homes for millions of Americans. We 
would be unable do anything to address that. So, I think that 
Congress needs to act to increase the overall cybersecurity 
posture of the U.S. economy and the U.S. Government. And I look 
forward to working with you all in that endeavor. With that, I 
yield back.
    Ms. Mace. Thank you. I will now recognize Mr. Lynch for 5 
minutes.
    Mr. Lynch. Thank you, Madam Chair. Thank you, Ranking 
Member, as well, for putting together such a great panel. We 
are all aware of the Log4j mess that occurred back in 2020. And 
because of the omnipresence of that software on millions and 
millions of computers, it has taken us a long time to get the 
patches out there and to deal with that. And now there was a 
two or 3 weeks ago, we had a North Korean--a similar operation 
where a North Korean connected attackers injected, again, 
malicious code into a widely distributed software component in 
multiple applications, and we are at this again.
    So, how do we address this in a timely way so that our 
response is actually effective? Because, Ms. Bisceglie, this is 
only going to become more common, right? This is an activity 
that is--especially with the success they are having, right? 
There is no reason for them not to continue to do this for 
either--I think Norton Korea is doing it to raise revenue, but 
they are also doing it to get information as well.
    Ms. Bisceglie. I think the thing to realize is that a lot 
of the success is being enabled simply because technology 
connects us all. And if we can think about what came out of 
pandemic and realize that whether you are a physical supply 
chain or a digital or cyber supply chain, we are just hyper 
connected to everybody else. And so, the enablement is there. I 
think it is the reasons that folks are doing this that need to 
be considered. And I think a couple things I would like to 
point out, though. One, to your point, it is not going away. 
So, if you think about the fight that we have been having for 
the last 10-plus years just simply on cyber hygiene, supply 
chain risk hygiene needs to be leveled up. And I think the 
Ranking Member brought up a really good point. It cannot be 
training and awareness for the sake of training and awareness. 
But folks have realized what supply chain security is about and 
why they are doing it and what they are trying to protect. It 
is not just nation states that are trying to get us, it is 
bored 18-year-olds sitting in their parents' basements that are 
seeing what they can steal, and we have seen a lot of examples 
from that.
    Mr. Lynch. So, what is the Navy doing that others are not 
doing, and is that--can we replicate that across the 
governmentwide?
    Ms. Bisceglie. We absolutely can. And the contract, and the 
program is set up to do that. And I want to thank a lot of the 
Committee Members here for supporting it. If you think about 
how we, as a Federal Government, are funded, we are normally 
funded program by program. So, the Columbia class versus the 
Virginia class versus the F-35, they only look at their own 
discreet supply chains. And this is the very first funded 
program that looks across supply chains. And so, if I were to 
get very specific, we had the opportunity to support the Navy 
for 6 years before the Navy actually went to an enterprise-wide 
capability. We took 80 weapons programs and just leveraged our 
technology to map out 3 tiers. So prime, tier 2, and tier 3, 
60,000 suppliers. You can imagine how many times the same 
supplier was in multiple places.
    So, when SolarWinds happened, we were able to show them the 
ripple effect of which programs are going to be affected. It 
showed, for the first time, cross program funding and the power 
of resiliency. That is what the Navy has done. And the last 
Fiscal Year that we just finished, they actually extended the 
capability to the Missile Defense Agency and the DOD CIO cyber 
capability. So, they are already seeing cross agency success, 
not just cross program, and it is absolutely set up to look 
across the entire department.
    Mr. Lynch. So, the efficacy of continuous monitoring, would 
it be possible--I mean, is that what the Navy is employing in 
order to----
    Ms. Bisceglie. Absolutely.
    Mr. Lynch [continuing]. Now that they are doing it across 
several supply chains?
    Ms. Bisceglie. They are. They are a hundred percent 
continuous monitoring real time.
    Mr. Lynch. And they are using AI to do that?
    Ms. Bisceglie. They are.
    Mr. Lynch. OK.
    Ms. Bisceglie. So, you think about what happens should ACME 
Incorporated have a ransomware attack. Instead of every program 
having to do the research to figure out if they are going to be 
impacted, the artificial intelligence platform is able to 
actually alert them and tell them where the impact is coming 
from. It allows them to be responsive that much faster, which 
goes back to your original question, which is how do we get 
better at this?
    Mr. Lynch. In our contracting world, we have preferred 
customers, preferred firms that we deal with. So, we could 
basically say, in order to be a preferred customer, you have to 
have this protocol or this framework that is in compliance with 
our supply chain security. And like--I think you mentioned it 
earlier in your testimony, you said make it a cost of doing 
business, right? So, when a company comes to do business with 
the United States as a contractor, they have to have this in 
place. How disruptive would that be to our contracting process?
    Ms. Bisceglie. A lot less disruptive than when something 
goes wrong.
    Mr. Lynch. Fair enough. Fair enough. Yes.
    Dr. Lewis, anything else you would like to add to that?
    Dr. Lewis. A couple points that are probably worth the 
Committee looking at further. I only talked to a retired 
admiral, so maybe they do not know what they are doing. But I 
do not think anybody would rank the Navy in first place when it 
comes to cybersecurity. Something to look at. Second, there has 
been a long discussion for about a decade on the issue of 
accountability, and this Administration is doing OK on it, 
better than some of its predecessors, and that goes back to 
Clinton.
    But we are not ready to get into a game of whack-a-mole 
where a Chinese company hacked somebody, and then we do 
something back. Because that is not going to stop them. So, we 
do need a more comprehensive approach. Just these are topics 
you might want to look at because they have been discussed for 
a long time. There is, just recently, the Administration had 
something called the counter ransomware initiative that had 48 
countries, and it talked about these issues. How do we go back 
to people? And one thing to remember is other countries are not 
where the U.S. is. They are not ready to go to war over a 
cyber-attack. So, it is a complicated picture. Supply chain is 
part of it, but just part.
    Mr. Lynch. Madam Chair, thanks for your courtesy. I 
appreciate that. I yield back.
    Ms. Mace. Generosity. Mr. Langworthy, you are now 
recognized for 5 minutes.
    Mr. Langworthy. Thank you, Madam Chair. Each year Federal 
agencies spend more than a hundred billion dollars on IT and 
cyber-related investments. It is not always clear, however, 
that the source and providence of each technology component. 
This is especially true for software. In Executive Order 14028 
entitled, ``Improving Our Nation's Cybersecurity'', the 
National Institute for Standards and Technology was required to 
issue guidance regarding how vendors provide Federal purchasers 
a software bill of materials, SBOM, essentially an ingredient 
list for software that details every component, library, and 
module that makes up the product.
    Mr. Waldron, do you believe Executive Order 14028 is 
heading in the right direction? Do you believe that the Federal 
Government is considering implementing SBOM guidance or 
requirements?
    Mr. Waldron. Yes, it is the right direction. The question 
is the execution on the contracting side. In looking at 
developing some standard formats. The issue in Federal 
procurement is the Federal acquisition regulation, agencies 
have all kinds of supplemental regulations. When you start 
developing an SBOM and a format, you have got to talk to 
industry. You have got to sit down with industry, come up with 
a common nomenclature, understanding what is going to--actually 
what is actually going to be reported as part of those 
ingredients.
    Companies take this really seriously. It is a certification 
in a certain sense. When you submit that to the Federal 
Government, you are saying this is our software bill of 
materials, and the government is going to rely on that. And it 
creates compliance issues and risks for industry, too. So, they 
want to get it right. So, the more government and industry can 
talk about it to implement it more effectively, that is going 
to be critically important moving forward.
    Mr. Langworthy. And I must say that SBOM sounds a lot 
cooler than S-B-O-M. Appreciate that nomenclature. Shifting 
focus to you, Mr. Jaffer, could SBOMs offer a viable solution 
for securing the Federal software supply chain?
    And additionally, what are some of the concerns or 
drawbacks associated with SBOMs as a potential solution?
    Mr. Jaffer. Well, a couple of things. One, SBOMs can 
certainly help, but only if you use them for a good purpose, 
right? So, once you know what is in the software, people have 
to do something about it. And they have to actually design 
their software in a way that is secure and resilient inherently 
and holding people accountable for that rather than sort of 
what is in your soup. What makes the soup good is important.
    The second thing is, look, by exposing everything that is 
in a bill of materials, right, in the software, it also gives 
our adversaries information about what to go after. So, there 
are upsides and downsides. Net/net, I think SBOMs are 
worthwhile doing, but I agree with what Mr. Waldron said, you 
have got to do it in a smart way, in a way that is capable, and 
use it for actually useful purposes.
    Mr. Langworthy. Great. Code is changed regularly, so an 
SBOM that is accurate 1 day may be wrong the next day or even 
later that day. Are there any solutions to making this process 
easier for developers, especially small business developers who 
do not have the resources that the big companies and 
conglomerates do that have maybe--they have turned away by 
SBOMs because of the work requirement to maintain them?
    Mr. Jaffer. Use technology. You can imagine these things 
being updated in real time, but of course we are a government 
that is not, sort of, oriented to operate in that way. We are 
oriented to operate by stacks of paper. As Mr. Connolly was 
talking about, right, this is not a common thing. If we can 
have people update in real time. You know, I mean, look, you 
can get code in real time on GitHub. Why cannot we use a 
similar capability to update our SBOMs? It seems obvious. But 
the government is not good at buying new capable technology at 
a moment's notice, taking risks--we do not incentivize risk 
taking, even when it comes to buying American technology, that 
is crazy.
    Mr. Langworthy. So, do you believe AI will impact the SBOM 
landscape?
    Mr. Jaffer. No doubt it will. It could make it better. It 
could make it more challenging. At the same time, we just have 
to encourage our government and our government procurers to do 
things that are unusual and not just buying programs of record, 
buying capabilities, having money to do that. And when they do 
it, and they do not get it quite right, Congress will hold them 
accountable, but not punish them. Ultimately, you cannot 
incentivize risk if you are going to punish somebody for taking 
risks.
    Mr. Langworthy. Would the existence of SBOMs have helped 
Federal agencies defend or mitigate against the recent high-
profile attacks such as SolarWinds.
    Mr. Jaffer. It would have let us know what is in there, but 
stop them, no.
    Mr. Langworthy. OK. Well, every passing day brings a surge 
in both the quality, the quantity, and severity of 
cybersecurity threats facing our country. In the traditional 
notion of invulnerability, it no longer holds true, as threats 
now transcend physical borders originated from adversaries 
working remotely. We are committed to collaborating with the 
Oversight Committee and our colleagues to continuously advocate 
for robust policies that fortify our Federal cybersecurity 
defenses in response to this evolving threat landscape.
    I really appreciate all of you coming in here to testify 
today. It is very helpful. Thank you, and I yield back.
    Ms. Mace. Thank you. In closing, I want to thank our 
panelists, all of you for being here this afternoon and 
spending time with us, for your testimony today. And I will 
yield to the Ranking Member for a statement.
    Mr. Connolly. Thank you so much, Madam Chairwoman. I will 
enter my full statement into the record. And just this last 
Thanksgiving week and this last weekend, Microsoft reported 
that a North Korean nation state actor linked to a notorious 
cyber-crime group, Lazarus, stole a software sign-in key and 
inserted malware into a legitimate application developed by the 
Taiwanese multimedia software and AI developer, CyberLink. The 
malware, known as landload, infiltrates systems by dropping a 
fake PNG file to deploy malicious code. That code enables 
unauthorized users to steal sensitive data, establish 
persistent access to traditionally protected systems, and 
corrupt other connected systems. Hackers used landload to 
successfully compromise a hundred devices in multiple 
countries, including Japan, Taiwan, Canada, and the United 
States. The fullest extent of that attack and its damage we do 
not know yet. It is a week old.
    And that, on top of SolarWinds, on top of all kinds of 
other examples we do not even know about, I think, underscores 
the point that we have got to protect the Nation's assets--
supply chain, proprietary information, intellectual property, 
data bases, privacy.
    And I guess I would come back, Mr. Jaffer, I think you made 
a lot of good points, but I also would gently suggest, you are 
a little facile about checking the box when it comes to 
statutory requirements. Because--and that is why I asked you if 
you had worked for the Federal Government. Because, working for 
the Federal Government, you know, normal assumptions on how we 
work in the private sector do not apply.
    Ms. Bisceglie pointed out, if you look at weapons systems, 
we are all in our compartments, and we do not share. We do not 
work across the board. It is not our culture. If I have learned 
in my agency how to protect against cyber-attacks, that does 
not mean I am going to let you in on the secret.
    So, trying to change the culture by having metrics where 
you are going to be judged and metrics that will materially 
improve operations and save tax dollars and allow us to be 
cyber secure is kind of our goal. But you have got to create 
the architecture. And I have learned the hard way that in 
bureaucracies, you have got to create metrics people have to 
meet. And they have got to be meaningful metrics, right, as we 
discussed.
    And, you know, when we began FITARA, there were 250 people 
in 24 agencies with the title CIO. But who was in charge? 
Nobody. Everyone could assume responsibility under that system. 
So, trying to empower a CIO, a primary, Latin primus inter 
pares, the first among equals, so that there is somebody, and 
that somebody, according to our scorecard, has to report to the 
boss.
    Because, again, we know org charts matter. Likewise, data 
centers, not checking a box. We retired 4,000 Federal data 
centers. We did not even know how many there were when we 
began. We thought there were only 900. You remember? Vivek 
Chudgar thought there were 900. We cut it in half. Well, it 
turned out there were thousands. And we only knew that when we 
made them have to measure it. We eliminated 4,000 of them 
saving billions of dollars.
    So, I just, you know, we got to be respectful, I think, of 
the statutory architecture required if we are going to make 
progress. And next steps, we got to go after those legacy 
systems. We got to make sure that we are using software and 
supply chains that can be protected from a cyber point of view, 
so that we are avoiding what Microsoft reported just last 
weekend.
    So, on that note, thank you. I think this is a thoughtful 
subject, Madam Chairwoman, thank you for doing it, but I think 
we have a lot more progress to go. And we cannot assume the 
basics are in place. I wish we could, but we cannot. Thank you 
for being here.
    Ms. Mace. And I will add to that if our Federal agencies 
are unwilling to make those changes because they are kings 
around their own kingdoms, not willing to move forward, it will 
never happen.
    So, with that and without objection, all Members will have 
five legislative days within which to submit materials, and to 
submit additional written questions for the witnesses which 
will be forwarded to the witnesses for their response.
    So, if there is no further business, without objection, the 
Subcommittee stands adjourned.
    [Whereupon, at 3:19 p.m., the Subcommittee was adjourned.]

                                 [all]