[House Hearing, 118 Congress]
[From the U.S. Government Publishing Office]


                  EVALUATING CISA'S FEDERAL CIVILIAN EXECUTIVE 
                   BRANCH CYBERSECURITY PROGRAMS
=======================================================================

                                HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                    CYBERSECURITY AND INFRASTRUCTURE
                               PROTECTION

                                OF THE

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED EIGHTEENTH CONGRESS

                             FIRST SESSION

                               __________

                           SEPTEMBER 19, 2023

                               __________

                           Serial No. 118-29

                               __________

       Printed for the use of the Committee on Homeland Security
                                     
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
                                    

        Available via the World Wide Web: http://www.govinfo.gov
        
        
                                ________

                   U.S. GOVERNMENT PUBLISHING OFFICE                    
54-816 PDF                  WASHINGTON : 2024                    
          
-----------------------------------------------------------------------------------           

                    COMMITTEE ON HOMELAND SECURITY

                 Mark E. Green, MD, Tennessee, Chairman
Michael T. McCaul, Texas             Bennie G. Thompson, Mississippi, 
Clay Higgins, Louisiana                  Ranking Member
Michael Guest, Mississippi           Sheila Jackson Lee, Texas
Dan Bishop, North Carolina           Donald M. Payne, Jr., New Jersey
Carlos A. Gimenez, Florida           Eric Swalwell, California
August Pfluger, Texas                J. Luis Correa, California
Andrew R. Garbarino, New York        Troy A. Carter, Louisiana
Marjorie Taylor Greene, Georgia      Shri Thanedar, Michigan
Tony Gonzales, Texas                 Seth Magaziner, Rhode Island
Nick LaLota, New York                Glenn Ivey, Maryland
Mike Ezell, Mississippi              Daniel S. Goldman, New York
Anthony D'Esposito, New York         Robert Garcia, California
Laurel M. Lee, Florida               Delia C. Ramirez, Illinois
Morgan Luttrell, Texas               Robert Menendez, New Jersey
Dale W. Strong, Alabama              Yvette D. Clarke, New York
Josh Brecheen, Oklahoma              Dina Titus, Nevada
Elijah Crane, Arizona
                      Stephen Siao, Staff Director
                  Hope Goins, Minority Staff Director
                       Natalie Nixon, Chief Clerk
                                 ------                                

      SUBCOMMITTEE ON CYBERSECURITY AND INFRASTRUCTURE PROTECTION

                Andrew R. Garbarino, New York, Chairman
Carlos A. Gimenez, Florida           Eric Swalwell, California, Ranking 
Mike Ezell, Mississippi                  Member
Laurel M. Lee, Florida               Sheila Jackson Lee, Texas
Morgan Luttrell, Texas               Troy A. Carter, Louisiana
Mark E. Green, MD, Tennessee (ex     Robert Menendez,  New Jersey
    officio)                         Bennie G. Thompson, Mississippi 
                                         (ex officio)
               Cara Mumford, Subcommittee Staff Director
           Moira Bergin, Minority Subcommittee Staff Director
                            
                            
                            C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable Andrew R. Garbarino, a Representative in Congress 
  From the State of New York, and Chairman, Subcommittee on 
  Cybersecurity and Infrastructure Protection:
  Oral Statement.................................................     1
  Prepared Statement.............................................     2
The Honorable Robert Menendez, a Representative in Congress From 
  the State of New Jersey:
  Oral Statement.................................................     3
  Prepared Statement.............................................     4
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security:
  Prepared Statement.............................................     5
The Honorable Sheila Jackson Lee, a Representative in Congress 
  From the State of Texas:
  Prepared Statement.............................................     6

                               Witnesses

Mr. Brian Gumbel, President, Armis, Inc.:
  Oral Statement.................................................     9
  Prepared Statement.............................................    10
Mr. Stephen Zakowicz, Vice President, CGI Federal, Inc.:
  Oral Statement.................................................    13
  Prepared Statement.............................................    14
Mr. Joe Head, Chief Technology Officer, Intrusion:
  Oral Statement.................................................    17
  Prepared Statement.............................................    19
Mr. Rob Sheldon, Senior Director, CrowdStrike:
  Oral Statement.................................................    21
  Prepared Statement.............................................    23

 
   EVALUATING CISA'S FEDERAL CIVILIAN EXECUTIVE BRANCH CYBERSECURITY 
                                PROGRAMS

                              ----------                              


                      Tuesday, September 19, 2023

             U.S. House of Representatives,
                    Committee on Homeland Security,
                         Subcommittee on Cybersecurity and 
                                 Infrastructure Protection,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10:05 a.m., at 
Room 310, Cannon House Office Building, Hon. Andrew R. 
Garbarino [Chairman of the subcommittee] presiding.
    Present: Representatives Garbarino, Gimenez, Ezell, Lee, 
Carter, and Menendez.
    Chairman Garbarino. The Committee on Homeland Security 
Subcommittee on Cybersecurity and Infrastructure Protection 
will come to order. Without objection, the Chair may recess at 
any point. The purpose of this hearing is to receive testimony 
from industry experts on CISA's two flagship cybersecurity 
programs for the Federal Civilian Executive branch. I now 
recognize myself for an opening statement.
    Thank you for our witnesses for being here to talk about a 
very important topic CISA's Federal cybersecurity programs. One 
of CISA's core missions is the protection of the Federal 
Civilian Executive branch, or FCEB. Although CISA has been 
pulled in many different directions in recent years, it is 
crucial that it continues to focus on its foundational 
responsibilities, chief among them being the protection of FCEB 
networks. Today, we will focus on two programs, the Continuous 
Diagnostic and Mitigation Program, or CDM, and the National 
Cybersecurity Protection System, or NCPS, which includes 
EINSTEIN.
    In recent years, CISA officials have indicated their intent 
to revamp and improve these programs. We will discuss with 
industry partners who participate in and have perspectives on 
these two programs, some of the successes they have had so far, 
and the ways they can improve in the future. CDM provides tools 
to agencies to defend their networks, which feed data into 
dashboards to allow agencies to monitor their real-time network 
security. Conceptually, those agency-specific dashboards send 
data to a Federal Government-wide dashboard that CISA uses to 
monitor the state of FCEB security. The current model provides 
2 years of CISA-sourced funding for CDM tools at agencies, 
after which point agencies must pick up the bill.
    NCPS is a set of capabilities that includes EINSTEIN, 
CISA's Intrusion Detection and Intrusion Prevention System. 
EINSTEIN sensors reside on the perimeter of an agency's network 
and detect and block known malicious traffic. While this 
perimeter security function is important, it is not sufficient 
for a cybersecurity program, given the current threat landscape 
and the ability of bad actors to evade many perimeter security 
mitigations. What is more, EINSTEIN has faced long-standing 
downsides, including limitations in detecting and preventing 
encrypted traffic and focusing only on what we already know is 
malicious traffic.
    NCPS's authorization expires at the end of the fiscal year. 
In the President's fiscal year 2024 budget request, CISA 
included a $425 million request for the Cyber Analytics and 
Data System, or CADS, which is meant to take the place of NCPS. 
CISA intends to transition certain legacy capabilities of 
EINSTEIN into the new CAD system, and others will be taken over 
by new CADS capability. While CISA has not provided many public 
details about its plans to build CADS, I am looking forward to 
hearing from our witnesses their thoughts on how CISA should be 
approaching this new analytic capability.
    As the administrator of Federal cybersecurity requirements, 
CISA has the broad and important role in ensuring the security 
of Federal networks. While the ultimate responsibility for an 
individual agency's security is the head of that agency through 
programs like CDM and EINSTEIN, CISA has the potential to make 
a real impact on Federal network security. The direction CISA 
takes with these programs, and to what extent they are 
administered as true shared service with the CISA covering 
continued cost, will dictate CISA's posture toward other 
Federal agencies moving forward.
    Whether CISA acts as a service provider or an advisor 
toward other agencies is a fundamental question, and Congress 
and CISA must both be consistent in how they approach it across 
CISA's many missions and programs. I look forward to our 
witnesses' testimony and to discussing these questions with 
them in depth.
    [The statement of Chairman Garbarino follows:]
               Statement of Chairman Andrew R. Garbarino
                           September 19, 2023
    Thank you to our witnesses for being here to talk about a very 
important topic: CISA's Federal cybersecurity programs. One of CISA's 
core missions is protection of the Federal Civilian Executive branch, 
or FCEB. Although CISA has been pulled in many different directions in 
recent years, it's crucial that it continues to focus on its 
foundational responsibilities, chief among them being the protection of 
FCEB networks.
    Today we will focus on two programs: the Continuous Diagnostics and 
Mitigation program, or CDM, and the National Cybersecurity Protection 
System, or NCPS, which includes EINSTEIN. In recent years, CISA 
officials have indicated their intent to revamp and improve these 
programs. We will discuss with industry partners, who participate in 
and have perspectives on these two programs, some of the successes they 
have had so far and ways they can improve in the future.
    CDM provides tools to agencies to defend their networks, which feed 
data into dashboards to allow agencies to monitor their real-time 
network security. Conceptually, those agency-specific dashboards send 
data to a Federal Government-wide dashboard that CISA uses to monitor 
the state of FCEB cybersecurity. The current model provides 2 years of 
CISA-sourced funding for CDM tools at agencies, after which point 
agencies must pick up the bill.
    NCPS is a set of capabilities that includes EINSTEIN, CISA's 
intrusion detection and intrusion prevention system. EINSTEIN sensors 
reside on the perimeter of an agency's network and detect and block 
known malicious traffic. While this perimeter security function is 
important, it is not sufficient for a cybersecurity program given the 
current threat landscape and the ability of bad actors to evade many 
perimeter security mitigations. What's more, EINSTEIN has faced long-
standing downsides, including limitations on detecting and preventing 
encrypted traffic and focusing only on what we already know is 
malicious traffic. NCPS's authorization expires at the end of this 
fiscal year.
    In the President's fiscal year 2024 budget request, CISA included a 
$425 million request for the Cyber Analytics and Data System, or CADS, 
which is meant to take the place of NCPS. CISA intends to transition 
certain legacy capabilities of EINSTEIN into the new CADS system, and 
others will be taken over by new CADS capabilities. While CISA has not 
provided many public details about its plans to build CADS, I am 
looking forward to hearing from our witnesses their thoughts on how 
CISA should be approaching this new analytic capability.
    As the administrator of Federal cybersecurity requirements, CISA 
has a broad and important role in ensuring the security of Federal 
networks. While the ultimate responsibility for an individual agency's 
security is the head of that agency, through programs like CDM and 
EINSTEIN, CISA has the potential to make a real impact on Federal 
network security. The direction CISA takes these programs, and to what 
extent they are administered as true shared services with CISA covering 
continued costs, will dictate CISA's posture toward other Federal 
agencies moving forward. Whether CISA acts as a service provider or an 
advisor toward other agencies is a fundamental question, and Congress 
and CISA must both be consistent in how they approach it, across CISA's 
many missions and programs.
    I look forward to our witnesses' testimony and to discussing these 
questions with them in more depth.

    Chairman Garbarino. I now recognize the Ranking Member, the 
gentleman from New Jersey, Mr. Menendez, for his opening 
statement.
    Mr. Menendez. Good morning. I want to thank Chairman 
Garbarino for holding this important hearing to assess how CISA 
is modernizing its signature Federal network security programs 
to keep pace with the rapidly-evolving threat environment and 
advancements in technology. Two-and-a-half years ago, the solar 
wind supply chain attack forced the Federal Government to 
overhaul its approach to securing its networks and supply 
chains. The Biden-Harris administration made revamping Federal 
network security a top priority, issuing an ambitious Executive 
Order that brought to bear the full resources of every Federal 
agency with a cybersecurity mission. Together with Congress, 
the administration made historic investments in improving 
Federal network security.
    Not since the 2015 Office of Personnel Management breach 
had there been as much momentum for change in how we secure 
Federal networks. While President Biden and Congress certainly 
deserve credit for giving needed attention to Federal network 
security, it is critical that we continue our work to modernize 
Federal network security to avoid crisis-driven policy making. 
We must ensure that the programs we rely on to secure our 
networks can adapt to and integrate with new technologies and 
modern network architectures. We must endeavor to stay a step 
ahead of our adversaries, building upon our recent momentum to 
better detect malicious activity quickly and mitigate the risk 
posed by cyber intrusions.
    CISA plays a central role in securing our Federal networks 
as the administrator of the National Cybersecurity Protection 
System, commonly referred to as NCPS, and the Continuous 
Diagnostics and Mitigation Program, commonly referred to as 
CDM. These programs complement CISA's other important powers, 
including the authority to issue security guidance and best 
practices, binding operational directives and emergency 
directives, which require agencies to take expedited action to 
secure their networks against a pressing threat or 
vulnerability.
    Over the past 2\1/2\ years, CISA has laid out its plans to 
modernize both NCPS and CDM programs. Earlier this year, CISA 
announced plans to sunset and replace its EINSTEIN intrusion 
detection system, which has limited effectiveness against novel 
threats and newer network architectures and shift remaining 
NCPS capabilities to a new program called the Cyber Analytics 
and Data System. Together, the legacy EINSTEIN capabilities and 
CADS will become the joint collaboration environment, commonly 
referred to as JCE, which CISA predicts will be, ``best-in-
class analytical environment'' that utilizes increased 
automation to more efficiently analyze classified and 
unclassified data.
    JCE holds tremendous promise, but successful implementation 
requires a clear vision and buy-in from both Federal and 
private-sector partners. CISA has worked to rapidly mature its 
CDM program to ensure that its Federal customers can tailor it 
to accommodate their unique security requirements. CDM is 
limited, however, in that it is deployed on IT technologies, 
not operational technology, or internet of things devices. 
Moreover, the Government Accountability Office recently found 
that CISA lacks the authority to test CDM tools on agency 
networks, which undermines its ability to ensure those tools 
are working as anticipated. I am interested in learning from 
witnesses today how we can improve the security value of both 
programs.
    Before I close, I want to remind my colleagues that 
Government shutdowns are bad for Federal network security. We 
are nevertheless 2 weeks away from Government funding running 
out. During the last shutdown, which lasted 35 days, CISA 
issued its first emergency directive to Federal agencies ever. 
Having employees and IT contractors across the Government and 
at CISA furloughed at the time was not helpful. A continuing 
resolution would also impair CISA's critical work, as it would 
restrict CISA's ability to start new programs that match the 
current threat environment.
    It is detrimental to our national security to slow 
investments in our Federal network security programs at such a 
critical moment in their maturation. Moving forward, the House 
and Senate need to pass a Homeland Security Appropriations bill 
that provides needed funding to CISA to carry out its vital 
missions. Now is not the time to take our foot off the gas. 
With that, I thank the witnesses for being here today. I look 
forward to their testimony.
    [The statement of Hon. Menendez follows:]
                   Statement of Hon. Robert Menendez
                           September 19, 2023
    Two-and-a-half years ago, the SolarWinds supply chain attack forced 
the Federal Government to overhaul its approach to securing its 
networks and supply chains. The Biden-Harris administration made 
revamping Federal network security a top priority, issuing an ambitious 
Executive Order that brought to bear the full resources of every 
Federal agency with a cybersecurity mission. Together with Congress, 
the administration made historic investments in improving Federal 
network security.
    Not since the 2015 Office of Personnel Management breach had there 
been as much momentum for change in how we secure Federal networks. 
While President Biden and Congress certainly deserve credit for giving 
needed attention to Federal network security, it is critical that we 
continue our work to modernize Federal network security to avoid 
crisis-driven policy making.
    We must ensure that the programs we rely on to secure our networks 
can adapt to and integrate with new technologies and modern network 
architectures.
    And we must endeavor to stay a step ahead of our adversaries, 
building upon our recent momentum to better detect malicious activity 
quickly and mitigate the risks posed by cyber intrusions.
    CISA plays a central role in securing our Federal networks as the 
administrator of the National Cybersecurity Protection System, commonly 
referred to as NCPS, and the Continuous Diagnostics and Mitigation 
program, commonly referred to as CDM. These programs complement CISA's 
other important powers, including the authority to issue security 
guidance and best practices, Binding Operational Directives, and 
Emergency Directives, which require agencies to take expedited action 
to secure their networks against a pressing threat or vulnerability. 
Over the past 2\1/2\ years, CISA has laid out its plans to modernize 
both NCPS and CDM programs.
    Earlier this year, CISA announced plans to sunset and replace its 
EINSTEIN intrusion detection system--which has limited effectiveness 
against novel threats and newer network architectures--and shift 
remaining NCPS capabilities to a new program called the Cyber Analytics 
and Data System (CADS). Together, the legacy EINSTEIN capabilities and 
CADS will become the Joint Collaboration Environment, commonly referred 
to as JCE, which CISA predicts will be a ``best-in-class analytic 
environment'' that utilizes increased automation to more efficiently 
analyze classified and unclassified data. JCE holds tremendous promise, 
but successful implementation requires a clear vision and buy-in from 
both Federal and private-sector partners.
    CISA has also worked to rapidly mature its CDM program to ensure 
that its Federal customers can tailor it to accommodate their unique 
security requirements. CDM is limited, however, in that it is deployed 
on IT technologies, not operational technology or internet of things 
devices. Moreover, the Government Accountability Office recently found 
that CISA lacks the authority to test CDM tools on agency networks, 
which undermines its ability to ensure those tools are working as 
anticipated. I am interested in learning from witnesses today how we 
can improve the security value of both programs.
    Before I close, I want to remind my colleagues that Government 
shutdowns are bad for Federal network security. We are nevertheless 2 
weeks away from Government funding running out. During the last 
shutdown--which lasted 35 days--CISA issued its first Emergency 
Directive to Federal agencies ever. Having employees and IT contractors 
across the Government--and at CISA--furloughed at the time was not 
helpful. A continuing resolution would also impair CISA's critical 
work, as it would restrict CISA's ability to start new programs that 
match the current threat environment.
    It is detrimental to our national security to slow investments in 
our Federal network security programs at such a critical moment in 
their maturation. Moving forward, the House and Senate need to pass a 
Homeland Security appropriations bill that provides needed funding to 
CISA to carry out its vital missions. Now is not the time to take our 
foot off the gas.

    Chairman Garbarino. I want to thank the Ranking Member for 
that rousing opening statement. Other Members of the committee 
are reminded that opening statements may be submitted for the 
record.
    [The statements of Ranking Member Thompson and Honorable 
Jackson Lee follow:]

             Statement of Ranking Member Bennie G. Thompson
                           September 19, 2023
    We all remember learning about the SolarWinds intrusion in December 
2020, which highlighted how vulnerable Federal agencies were to foreign 
espionage campaigns and how outdated our Federal network cyber defenses 
were. While the creation of the Cybersecurity and Infrastructure 
Security Agency in 2018 represented a major step forward in developing 
an organization charged with leading the operational defense of Federal 
networks, Congress did not initially provide the agency with sufficient 
resources to match the modern threat environment.
    Fortunately, upon taking office shortly after the SolarWinds 
incident, President Biden quickly took critical actions to modernize 
our cyber defenses. By issuing Executive Order 14028, President Biden 
began a process of updating the Federal Government's cybersecurity to 
combat the threats we face from our adversaries. Along with the $650 
million Congress provided to CISA in the American Rescue Plan Act and 
steady increases in CISA's budget, efforts over the last 3 years have 
brought meaningful gains in improving CISA's visibility and response 
capabilities throughout the Federal Civilian Executive branch.
    Investments in endpoint detection and response technologies across 
Federal agencies have helped improve the Continuous Diagnostics and 
Mitigation program and has brought the Federal Government in line with 
the cybersecurity practices standard in much of the private sector. In 
recent cyber incidents, we have seen how an improved CDM dashboard and 
increased visibility have enabled CISA to move quickly to identify 
vulnerabilities across the Federal Government and mitigate risk. I look 
forward to hearing from our witnesses about how CISA can continue to 
improve the CDM program, including how it can gain visibility into 
operational technology, a priority for me.
    In this year's budget request, the administration has now proposed 
a much-needed restructuring of the National Cybersecurity Protection 
System. By establishing the Cyber Analytics and Data System, CISA hopes 
to more efficiently analyze the ever-increasing amount of data it 
receives from Federal agencies, State and local governments, and 
critical infrastructure. Hearing from private-sector partners should 
help ensure CISA develops this new program in a way that reflects the 
expertise of leading cybersecurity companies, while maintaining and 
evolving the network detection and prevention capabilities of the 
EINSTEIN program. Without sustained support for CISA's Federal network 
security programs going forward, the progress we have made in recent 
years may stall.
    A Government shutdown or a year-long continuing resolution would 
restrict CISA's ability to move forward with efforts to continue CDM 
modernization or deploy the new CADS program. Operating under a CR is 
problematic for any agency; in the world of cybersecurity, where our 
adversaries are constantly innovating, operating under last year's 
budget or no budget at all could be devastating for our national 
security.
    I hope my Republican colleagues will stop holding Government 
funding hostage to their inhumane and ineffective border proposals and 
instead come to the negotiating table to develop a bipartisan full-year 
appropriations agreement.
    I am proud of the tremendous achievements we have had in recent 
years to provide CISA the resources and authorities it needs to better 
secure Federal agencies. Only with bipartisan support for CISA and its 
mission can we continue to build on our previous work.
                                 ______
                                 
               Statement of Honorable Sheila Jackson Lee
                           September 19, 2023
    Chairman Garbarino, and Ranking Member Swalwell, thank you for 
holding today's hearing on ``Evaluating CISA's Federal Civilian 
Executive Branch Cybersecurity Programs''.
    I look forward to the questions that will follow the testimony of:
   Mr. Brian Gumbel, president, Armis;
   Mr. Stephen Zakowicz, vice president--consulting services, 
        CGI Federal;
   Mr. Joe Head, chief technology officer, Intrusion; and
   Mr. Rob Sheldon, senior director of public policy and 
        strategy, Crowdstrike (Democratic Witness).
    I welcome the witnesses and thank them for their testimony before 
the House Homeland Security Committee.
    The purpose of this hearing is to assess CISA's efforts to 
modernize its two signature Federal network security programs, the 
Continuous Diagnostics and Mitigation program (CDM) and the National 
Cybersecurity Protection System (NCPS).
    The Federal Executive branch is comprised of civilian Federal 
agencies that provide the full scope of benefits and services to 
residents of the States and territories as well as support of domestic 
law enforcement and homeland security needs.
    Cybersecurity for non-civilian agencies is primarily managed under 
the Department of Defense.
    The Federal Executive branch cybersecurity coordination was not as 
robust as national defense networks, but this dramatically changed 
following the SolarWinds attack.
    In December 2020, the Federal Government learned the Russian 
government had executed a malicious cyber campaign targeting Federal 
networks and certain critical infrastructure.
    Russian hackers used a combination of traditional tactics, 
techniques, and procedures (e.g.: password guessing) and a supply chain 
attack to infiltrate targeted networks.
    In a supply chain attack, malicious actors infiltrate a target 
network by exploiting security vulnerabilities in the network of a 
trusted partner to gain access to the targeted network.
    In this case, one of the trusted partners was Solar Winds, a U.S.-
based vendor whose Orion Platform provided network monitoring services 
to entities across the world, including the U.S. Government.
    To execute the attack, hackers gained access to SolarWinds and 
injected malicious code into an Orion software update sent to customers 
in March 2020.
    The malicious code created a backdoor in the affected networks that 
caused servers to communicate with a U.S. IP address after a dormant 
period.
    In response, hackers sent additional malicious code to some, but 
not all, affected networks.
    Ultimately, the additional malicious code allowed hackers to access 
elevated credentials and move around a victim's network, monitoring 
activity and slowly taking data.
    To deceive security products on customers' networks, actors 
disguised their activity as normal network traffic and were able to 
persist through the creation of additional credentials from other 
applications.
    A total of 18,000 SolarWinds customers downloaded the compromised 
version of Orion, but far fewer have identified activity beyond the 
creation of a backdoor.
    Nearly 40 Federal agencies downloaded the compromised SolarWinds 
Orion update.
    It is important to note that about 30 percent of both Government 
and non-Government victims of the Russian cyber campaign had no direct 
connection with SolarWinds.
    According to news reports, hackers also breached networks by 
``exploiting known bugs in software products, by guessing on-line 
passwords and by capitalizing on a variety of issues in the way 
Microsoft Corp.'s cloud-based software is configured.''
    Bugs can also be called Zero-Day Events that if exploited could 
cost significant disruption in the function of application or services 
that rely on computers or remote computing services.
    The SolarWind Orion exploit was not intended to damage or disrupt 
computing systems, it was designed to spy on networks and spread to 
other systems.
    The SolarWinds campaign illustrated many of the shortcomings in the 
Federal Executive Branch civilian cybersecurity, which lacked the 
ability to effectively monitor and respond to threats on civilian 
agency networks.
    At that time there was also no overarching Federal law requiring 
private entities to report cybersecurity incidents, there is little 
public information on the number of victims that installed the infected 
versions of Solar Winds Orion or experienced second-stage intrusions.
    At the time of the attack, there was a critical need to modernize 
the Federal Government civilian agency cybersecurity and SolarWinds 
became the catalysis to begin this important work.
    Until the SolarWinds attack civilian Federal agencies had been slow 
to adapt to the demands of new technologies, network architectures, and 
the evolving threat landscape.
    Harnessing that momentum to revamp Federal civilian agency network 
security, the Biden-Harris administration implemented ambitious 
policies to transform how the Federal Government and its contractors 
secure their networks and supply chains, most notably through Executive 
Order 14028, Improving the Nation's Cybersecurity.
    Under the skilled guidance of the Biden-Harris administration CISA 
has worked quickly to revamp its signature FCEB network security 
programs, the National Cybersecurity Protection System (NCPS) and the 
Continuous Diagnostics and Mitigation program (CDM).
    These programs complement other authorities provided to CISA under 
the Federal Information Security Modernization Act, including the power 
to issue Binding Operational Directives, Emergency Directives, and 
technical security guidance to FCEB agencies, among other things.
    Additionally, the William M. (Mac) Thornberry National Defense 
Authorization Act for Fiscal Year 2021, authorized CISA to hunt for 
malicious activity across FCEB's networks, with or without an agency's 
permission.
    CISA's authorities outside NCPS and CDM, though critical to its 
FCEB network security mission, are outside the scope of this hearing.
    Prior to the SolarWinds attack another major civilian agency attack 
in 2015 involved the Office of Personnel Management.
    In 2015, the Office of Personnel Management data breach targeted 
information provided by security clearance applications submitted under 
the Standard Form 86 (SF-86).
    At the time this attack was one of the largest breaches of 
Government data in U.S. history, the attack was carried out by an 
advanced persistent threat based in China.
    In the aftermath of the 2015 Office of Personnel Management (OPM) 
breach, Congress enacted the Federal Cybersecurity Enhancement Act.
    That legislation authorized NCPS and directed the department to 
deploy a Federal intrusion detection and prevention system to better 
detect breaches of Federal networks.
    NCPS is a ``system of systems'' that, in addition to the EINSTEIN 
intrusion detection system, includes data analytics, information 
sharing, and core infrastructure capabilities.
    Earlier this year, CISA announced plans to restructure NCPS and, 
over time, sunset the EINSTEIN intrusion prevention program.
    EINSTEIN is designed to observe traffic going in and out of agency 
networks and relies on detecting known threats and, therefore, has 
limited effectiveness in modern network architectures or against novel 
attacks.
    The remaining NCPS capabilities include data analytics, information 
sharing, and core infrastructure capabilities, which will be integrated 
into CADS.
    CADS and the legacy EINSTEIN capabilities will be housed within the 
new Joint Collaboration Environment (JCE).
    CISA boasts that the JCE will be a ``best-in-class analytic 
environment that centralizes mission-relevant classified and 
unclassified data to enable more efficient analysis in large part due 
to increased automation.''
    Last year, Congress extended CISA's NCPS authorities until 
September 30, 2023, and they will expire at the end of the month unless 
Congress acts.
    CISA intends for the new CADS program to support expanded 
capabilities that will improve the intake, integration, and automated 
analysis to facilitate the rapid identification, detection, mitigation, 
and prevention of malicious cyber activity.
    According to CISA, CADS marks a significant expansion of NCPS's 
existing systems engineering, information technology infrastructure, 
and cyber operations tools and services.
    The new JCE--and CADS, in particular--have the potential to 
dramatically improve how the Federal Government identifies and 
mitigates threats to Federal networks.
    These new capabilities, however, rely on close collaboration with 
CISA's private-sector partners and vendors.
    It is not clear that CISA has clearly articulated a complete vision 
for how it will implement its plans for JCE or CADS.
    CISA also does not have a concrete plan for replacing or retaining 
EINSTEIN capabilities, even though ``the visibility provided by 
existing EINSTEIN sensors remains a crucial enabler of CISA's mission 
to protect FCEB agencies.''
    In June, the General Services Administration issued a Request for 
Information on behalf of CISA seeking industry feedback on how to 
modernize the ``legacy capabilities'' of the EINSTEIN program.
    I am interested in knowing if CISA has responded to the GSA or 
intends to respond to the question regarding EINSTEIN.
    I thank today's witnesses and look forward to asking questions 
following the testimony of witnesses.
    Thank you.

    Chairman Garbarino. I am pleased to have four witnesses 
before us today to discuss this very important topic. I ask 
that our witnesses please rise and raise their right hand.
    [Witnesses sworn.]
    Chairman Garbarino. Let the record reflect that the 
witnesses have answered in the affirmative. Thank you. Please 
be seated.
    I would now like to formally introduce our witnesses. Brian 
Gumbel is the president of Armis, where he leads the company 
and its efforts to drive innovation in cybersecurity and 
emerging technology. Mr. Gumbel has spent 25 years in the tech 
industry, where he has worked for many companies, and is part 
of several advisory boards.
    Steven Zakowicz is the vice president of CGI Federal, where 
he leads the DHS CISA account for the company. In this 
capacity, he leads a large team supporting 7 Federal agencies' 
participation in CISA's CDM program. In part of this role, Mr. 
Zakowicz oversaw a team providing environmental, health and 
safety, and regulatory compliance solutions and services to the 
chemical and energy companies. He also serves as a member of 
the American Council for Technology and Industry Advisory 
Council and the Washington Exec Cyber Council.
    Joe Head is the chief technology officer and cofounder of 
Intrusion. He has held many roles with the company since its 
founding in 1983, and prior to that, he worked at Honeywell 
Optoelectronics. That was a tough one.
    Finally, Robert Sheldon is the director of public policy 
and strategy at CrowdStrike. He leads corporate engagement on a 
variety of U.S. Federal, State, and local government policies, 
programs, and initiatives. He is the company's representative 
to CISA's Joint Cyber Defense Collaborative and the IT Sector 
Coordinating Council. In addition to his role at CrowdStrike, 
Mr. Sheldon serves as an adjunct professor lecturer on 
international cybersecurity policy at American University 
School of International Service.
    Thank you all for being here today. Mr. Gumbel, I now 
recognize you for 5 minutes to summarize your opening 
statement.

       STATEMENT OF BRIAN GUMBEL, PRESIDENT, ARMIS, INC.

    Mr. Gumbel. Chairman Garbarino, Ranking Member Menendez, 
and Members of the subcommittee, thank you for the opportunity 
to testify regarding our experience and perspectives on key 
programs designed to protect our Nation's most critical assets. 
As the leading asset intelligence security company, we share 
the mission and passion with all of you to ensure the 
protection and security of our Nation's critical assets. Many 
legacy programs tend to focus on what's commonly known as 
managed IT assets, but the growth beyond traditional managed 
assets is absolutely staggering. Our submitted testimony has a 
chart that highlights the explosion in what is referred to as 
unmanaged assets, or IOT, the internet of things, also 
operational technology, OT, and IOMT, which is medical 
technology.
    When we discuss critical infrastructure, we must talk about 
and account for all unmanaged assets. We are encouraged by the 
focus and resources this committee and key agencies like CISA 
are putting toward building dynamic, resilient, and effective 
cybersecurity frameworks. A few of these programs that exist 
today, namely the CDM and EINSTEIN programs, have been in place 
for several years but need updating considering the expanding 
threat surface.
    In the recent Executive Order on improving our Nation's 
cybersecurity, there are references made to the Federal 
Government partnering with private sector. This is a positive 
development, and Armis looks forward to teaming with those 
agencies who are most responsible for protecting our Federal 
Government systems. The Executive Order states, incremental 
improvements will not give us the security we need; instead, 
the Federal Government needs to make bold changes and 
significant investments in order to defend the vital 
institutions that underpin the American way of life. It 
mentions that the Federal Government must bring to bear the 
full scope of its authorities and resources to protect and 
secure its computer systems, whether they are cloud-based, on-
premise, or even hybrid. That the scope and protection of 
security must include systems that process data, such as 
information technology or IT, and that those that run the vital 
machinery that ensure our safety, operational technology, or 
OT.
    The convergence of technologies and the discrepancies 
between devices offers a more complex and challenging task than 
the Federal Government has had to face just a few years ago. At 
Armis, our growing customer base consists of almost 50 percent 
of the Fortune 100, many large State and municipal governments, 
airports, ports, defense contractors, and key Federal agencies. 
These customers partner with us to achieve complete visibility 
and intelligence for all assets within their converged 
environments. Without such, we cannot be fully prepared for the 
growth of today and the uncertainties of tomorrow.
    As stated in CISA's Binding Operational Directive, B.O.D. 
23-01, continuous and comprehensive asset visibility is a basic 
precondition for any organization station to effectively manage 
cybersecurity risk. This directive focuses on asset discovery 
and vulnerability enumeration. To keep pace with technological 
change and rapidly-evolving threat landscape and deliver upon 
the letter and spirit of this Executive Order, bold change is 
needed now. CISA should align the CDM program updates to 
directives like B.O.D. 23-01 and should ensure that CDM 
dashboard is reflective and inclusive of existing and 
innovative technologies.
    The Federal Government can no longer rely on legacy models, 
contracts, or solutions. What has worked in the past simply 
will not suffice now. Our adversaries are using automation to 
move at the speed of now, as should we. Armis is committed to 
working with CISA and other leading agencies to bring a 
holistic and inclusive approach where more complete and 
contextual cyber situational awareness and intelligence can 
lead to a resilient and responsive security posture.
    I want to thank you all again for the opportunity to engage 
with the subcommittee. The resources of our entire organization 
stand ready to assist in the honorable mission of protecting 
our most critical national assets. I look forward to any 
questions that you may have.
    [The prepared statement of Mr. Gumbel follows:]
                   Prepared Statement of Brian Gumbel
                           September 19, 2023
    Chairman Garbarino, Ranking Member Swalwell, and Members of the 
committee, thank you for the opportunity to testify and share our 
perspective on civilian agency cybersecurity programs. I applaud the 
committee's efforts in working to provide oversight and help improve 
impactful programs such as Continuous Diagnostics and Mitigation (CDM) 
and Einstein. In accordance with a core function of the NIST 
Cybersecurity Framework that highlights the need to go beyond merely 
identifying devices but also understand the interdependence each asset 
has with each other and their relative importance to business 
objectives, we are honored to bring a contextual asset intelligence 
platform to our customers, partners, and Federal agencies.
    Armis is THE leading asset intelligence cybersecurity company. We 
have been recognized by industry-leading analysts and publications as a 
platform provider who brings a level of insight, awareness, and 
actionable intelligence to our customers. Today it is important to not 
only know what exists in your network and cloud infrastructure, but the 
interdependencies and vulnerabilities within each asset. We are honored 
to be under consideration to become a member of CISAs JCDC, sharing the 
mission and passion with all of you in ensuring the protection and 
security of our Nation's critical assets.
    We are encouraged by the focus and resources this committee and key 
agencies like CISA have put toward building dynamic, resilient, and an 
effective cybersecurity framework in protecting these assets. On May 
12, 2021, the Executive Order on Improving our Nation's Cybersecurity 
states ``Incremental improvements will not give us the security we 
need; instead, the Federal Government needs to make bold changes and 
significant investments in order to defend the vital institutions that 
underpin the American way of life . . . ''. It mentions that ``The 
Federal Government must bring to bear the full scope of its authorities 
and resources to protect and secure its computer systems, whether they 
are cloud-based, on-premises, or hybrid.'' And that ``The scope of 
protection and security must include systems that process data 
(information technology (IT)) and those that run the vital machinery 
that ensures our safety and national sovereignty (operational 
technology (OT)).''
    In the Armis State of Cyberwarfare and Trends report 2022/2023 
where 6,021 IT security professionals where surveyed we found that 73 
percent of IT professionals in the United States say their company has 
experienced one or more cybersecurity breaches. Threat activity against 
the global Armis customer base increased by 15 percent from September 
to November 2022 with the largest threat activity coming from critical 
infrastructure organizations followed by health care organizations as 
compared with other industries.
    Our job as the industry leader is to raise awareness and identify 
areas in need of attention and improvement. Our experience has shown 
that intrusions outside traditional IT ``managed devices'' have become 
more prevalent. Programs and frameworks that in the past have been 
primarily focused on these managed devices will be limited in their 
ability to address the larger growing attack surface.
    At Armis our comprehensive contextual intelligence engine includes 
over 3 billion assets and growing and includes the entire spectrum of 
IT/OT/IoT/IoMT assets. We bring a level of contextual asset 
intelligence to our customers that introduces a holistic and responsive 
platform to assist in their mission. Our public-sector customers 
include several States, large city agencies, and cities and counties as 
well as the following highlighted below:
   An agency within HHS as well as numerous State agencies 
        leverages Armis for Asset visibility and intelligence through 
        integrations.
   A large defense contractor leverages the Armis platform for 
        Asset Discovery, Intelligence, and Vulnerability Management
   A DOD agency leverages our platform for Asset Management and 
        Security Workflow Remediation
   Department of Energy leverages Armis to increase automated 
        identification and organization of the asset infrastructure 
        across an entire lab.
    Our enterprise and commercial customers include Drug and 
Manufacturing companies, Utility, Transportation, Aviation, and 
Healthcare organizations, and many others.
    Our mission is to help organizations understand where and what 
exists in their environments and help put them in a position to 
identify and manage vulnerabilities to respond rather than react to a 
breach. You can't protect what you can't see and without addressing a 
visibility gap, organizations cannot be fully prepared for the growth 
of today and uncertainties of tomorrow.
    We work with organizations throughout the globe to gain complete 
visibility into their managed and unmanaged assets. A ``whole-of-
nation'' approach cannot be achieved without a complete view and deep 
level of intelligence of both managed and unmanaged assets.
    As you can see in the chart below, the growth and in our opinion 
the growing attack surface introduce vulnerabilities heretofore unseen 
and even unknown. The convergence of technologies and the dependencies 
between devices has introduced a more complex and challenging task for 
those who are responsible for securing critical assets and operational 
environments.


    As stated in CISA's Binding Operational Directive (B.O.D.) 23-01, 
``Continuous and comprehensive asset visibility is a basic pre-
condition for any organization to effectively manage cybersecurity 
risk.'' This directive focuses on Asset Discovery and Vulnerability 
enumeration. Many agencies and enterprises are fortunate to have strong 
endpoint technologies in place (EDR) and solutions that help protect 
the perimeter, but the attack surface continues to grow and the 
cybersecurity perimeter which was well-defined just a few years ago is 
now dynamic and borderless. The introduction of unmanaged devices and 
operational technologies present challenges that cannot be addressed 
with legacy models and legacy technology. Present-day challenges and 
national security threats are now implementing AI and automated 
capabilities to identify the weakest link in the chain. Automated 
threats from U.S. adversaries requires automation and scalability 
delivering prioritization of cyber defense operators.
    We applaud the activities toward the next-generation Einstein 
program, Cyber Analytics and Data System (or CADS). According to CISA's 
Eric Goldstein the system will integrate data from multiple sources, 
including ``public and commercial data feeds; CISA's own sensors such 
as Endpoint Detection and Response, Protective [Domain Name System], 
and our Vulnerability Scanning service, which has thousands of enrolled 
organizations across the country; and data shared by both public and 
private partners,''.
    Creating next generation programs are crucial and as our customers 
would attest, knowing where every asset exists, what the profile of 
that asset is, and whether it is aged, vulnerable, or compromised in 
real-time will help to make the investment in next generation and 
existing solutions more effective.
    We are committed to continuing to work with CISA and other leading 
agencies to bring a holistic and inclusive approach where more complete 
and contextual asset awareness, contextual intelligence, and attack 
surface definition can lead to increased resiliency and a responsive 
cybersecurity posture.
    Some important and consistent feedback we hear from existing and 
former Federal CISOs, and CIOs includes the following:

``The focus should be on building modern security models, not 
perimeter-based, and should acknowledge and focus on cloud, zero trust, 
and IT/OT convergence.
``Many of the legacy models and contracts served us well in the past, 
but a new approach and model is needed.''

    These converged technologies deliver more efficiencies in the way 
we work but they introduce new vulnerabilities and complexities that 
legacy technologies are not built to identify, profile, or defend.
    The ``bold changes'' highlighted in the E.O. call for a 
collaborative and inclusive programmatic and procurement directive that 
does not rely on legacy models, contracts, or solutions. What worked in 
years past will not suffice. Our adversaries are actively trying to 
exploit our visibility gaps, particularly in critical infrastructure. 
Our approach should be engaging with new and innovative 21st Century 
technologies. Lest we forget, bad actors are moving at the speed of now 
as should we!
                            recommendations
   Design and implement a procurement path that allows for more 
        expedient purchase and implementation of newer technologies 
        built to align with the growing attack vectors and surface.
   Improve coordinating between programs like U.S. Digital 
        Services, the Technology Modernization Fund, and CISA to create 
        programs which enable agencies to quickly integrate and 
        maintain newer technologies and services into their framework 
        portfolios.
   Fund the Technology Modernization Fund so that return on 
        investments can reliably cover both the simultaneous deployment 
        of new technology and the retirement of legacy services.
   Align program updates to stated directives. For example, if 
        Directives state cloud-first and all assets, agencies should 
        have the ability to implement those solutions that are not 
        limited to a subset of technologies. Currently the CDM program 
        addresses only IT devices rather than the full spectrum of 
        connected risk: IT/OT/IoT/IoMT. BOD 23-01 focuses on Asset 
        Discovery and Vulnerability Enumeration. Requiring that the 
        full spectrum of converged and connected technologies be 
        inventoried and reported would give these programs more 
        alignment to stated administration and agency objectives. 
        Having only most of your roof covered in a storm won't prevent 
        water from entering!
   The CDM program and dashboard should reflect all existing 
        and upcoming technologies that need integration vs. a limited 
        few to be effective.
   We encourage continued strong support of the CDM program 
        with the appropriate measures taken to be more inclusive of 
        technologies that may not be part of the existing program.
    Thank you again for the opportunity to speak with this committee. 
The resources of our entire organization stand ready to assist in the 
honorable mission of protecting our Nation's most critical assets.

    Chairman Garbarino. Thank you, Mr. Gumbel. Mr. Zakowicz, I 
now recognize you for 5 minutes to summarize your opening 
statement.

  STATEMENT OF STEPHEN ZAKOWICZ, VICE PRESIDENT, CGI FEDERAL, 
                              INC.

    Mr. Zakowicz. Chairman Garbarino, Ranking Member Menendez, 
and other distinguished Members of the Subcommittee on 
Cybersecurity and Infrastructure Protection, thank you for the 
opportunity to testify today. My name is Steve Zakowicz. I am a 
vice president at CGI Federal, and for the past 4 years, I have 
served as a project manager on CGI Federal's contract with the 
Continuous Diagnostics and Mitigation, or CDM, program. At the 
subcommittee's invitation, I'm here on behalf of CGI Federal 
today to provide perspective on the achievements of CDM and its 
path forward. Since 2016, CGI Federal has played an important 
role in the CDM program, providing capabilities to 
participating agencies through tailored solutions and a robust 
shared services platform.
    Our company is currently the system integrator on two CDM 
Dynamic and Evolving Federal Enterprise Network Defense, or 
DEFEND, contracts. The first provides tailored CDM solutions to 
seven large Federal agencies: Departments of Commerce, Justice, 
Labor, State, FCC, TVA, and USAID. The second provides a state-
of-the-art, cloud-based shared services platform currently 
supporting 65 smaller and independent Federal organizations 
leveraging those CDM capabilities.
    CGI Federal has almost 300 skilled professionals and 
specialized subcontractors supporting the CDM program today. 
Given our experience in the CDM program, I would like to use my 
opening remarks to highlight four points regarding the 
program's success to date and suggestions to meet evolving 
objectives.
    First, civilian agency partners must be appropriately 
resourced, funded, and committed for CDM to be successful. CISA 
cannot do this alone. Congress can help to ensure civilian 
agencies are approaching cyber preparedness with the 
appropriate level of attention and investment. Also, funding 
lapses or limitations stemming from uncertainties surrounding 
shutdowns and continuing resolutions do impact CDM's continuity 
and ability to carry forward new initiatives. Second, Executive 
Order 14028 called Improving the Nation's Cybersecurity 
enhanced CISA's ability to effectively perform its mission.
    For example, authorizing CISA to engage in cyber hunt, 
detection, and response activities through endpoint detection 
and response, or EDR, solutions deployed via CDM. Congress 
could bring stability to CISA's authority to perform these 
critical activities by codifying appropriate authorities within 
the Executive Order into law. I understand this is currently 
under consideration by Congress in pending updates to the 
Federal Information Security Modernization Act of 2014, also 
known as FISMA.
    Third, emerging opportunities exist to leverage CDM 
capabilities for State, local, Tribal, territorial, as well as 
critical infrastructure entities by using this existing shared 
service platforms and capabilities. The shared services 
approach can provide these target-rich but resource-poor 
stakeholders across the Nation the ability to leverage proven 
capabilities in a cost-efficient way to defend against threats 
they face, including nation-state actors and ransomware 
attacks.
    Fourth, the evolution of the CDM dashboard ecosystem is an 
especially promising development. The dashboard has become the 
first venue of consultation for a wide variety of users within 
CISA's cybersecurity division, including threat hunt, 
vulnerability management, and directives and guidance 
organizations. The level of visibility across the Federal 
enterprise provided through the dashboard, combined with agency 
network visibility through EDR, has been a force multiplier and 
is a terrific case study in the innovation and power of 
combining data from multiple sources to accelerate progress.
    In conclusion, I would like to affirm to the subcommittee 
CGI Federal's continued and unwavering commitment to our 
partnership with CISA on its core mission of strengthening 
America's cybersecurity. Thank you. I look forward to your 
questions.
    [The prepared statement of Mr. Zakowicz follows:]
                 Prepared Statement of Stephen Zakowicz
                           September 19, 2023
                              introduction
    Chairman Garbarino, Ranking Member Swalwell, and other 
distinguished Members of the Subcommittee on Cybersecurity and 
Infrastructure Protection, my name is Stephen Zakowicz. I am a vice 
president at CGI Federal Inc. (``CGI Federal''). As a wholly-owned U.S. 
operating subsidiary of CGI Inc. (``CGI''),\1\ CGI Federal and its 
7,100 employees partner with Federal agencies to provide solutions for 
homeland security, defense, civilian, health care, justice, 
intelligence, and international affairs. During the last 4 years, I 
have served as the project manager on CGI Federal's contract with the 
Department of Homeland Security (``DHS'') Cybersecurity and 
Infrastructure Security Agency (``CISA'') for the Continuous 
Diagnostics and Mitigation (``CDM'') Program. On behalf of CGI Federal 
and its employees, I am pleased to submit this written testimony to the 
subcommittee regarding the CDM Program.
---------------------------------------------------------------------------
    \1\ Founded in 1976, CGI is among the largest independent 
information technology (``IT'') and business consulting services firms 
in the world. With 90,250 consultants and professionals across the 
globe, CGI delivers an end-to-end portfolio of capabilities from 
strategic IT and business consulting to systems integration, managed IT 
and business process services, and intellectual property solutions. CGI 
works with clients through a local relationship model complemented by a 
global delivery network that helps clients digitally transform their 
organizations and accelerate results.
---------------------------------------------------------------------------
    CDM is a mission-critical Federal program that provides 
participating agencies with solutions and services to identify and 
combat cybersecurity risk. Since its original contract award in 2016, 
CGI Federal has provided this support to 100 participating agencies 
through tailored solutions and a robust shared services platform. CGI 
Federal is currently the prime contractor on two CDM Dynamic and 
Evolving Federal Enterprise Network Defense (``DEFEND'') Task Orders--
DEFEND C and DEFEND F. Under its DEFEND C Task Order, CGI Federal 
provides tailored CDM solutions to 7 large Federal agencies: Department 
of Commerce (``DOC''), Department of Justice (``DOJ''), Department of 
Labor (``DOL''), Department of State (``DOS''), Federal Communications 
Commission (``FCC''), Tennessee Valley Authority (``TVA''), and United 
States Agency for International Development (``USAID''). Under its 
DEFEND F Task Order, CGI Federal developed a state-of-the-art cloud-
based Shared Services CDM platform, and currently operates and provides 
access to that platform to 65 non-Chief Financial Officer Act (``CFO 
Act'') Federal agencies. Roughly 300 CGI Federal employees and 
subcontractors support the CDM program.
                     cdm: current program structure
    As stated in the DHS fiscal year 2024 Congressional Budget 
Justification for CISA, ``the CDM program provides the Department, 
along with other Federal agencies, with capabilities and tools to 
identify cybersecurity risks to agency networks on an ongoing basis. It 
prioritizes these risks based on potential impacts and enables 
cybersecurity personnel to mitigate the most significant problems first 
. . . Furthermore, CDM enables CISA and agencies to proactively respond 
to threats through the deployment of multiple different security 
capabilities, including data protection technologies, Endpoint 
Detection and Response (EDR), cloud security platforms, and network 
security controls, and enables CISA to continually evaluate the 
cybersecurity posture of [Federal Civilian and Executive branch 
(``FCEB'')] systems and networks.''
    As CISA describes on their public website, the CDM program is 
structured to provide cybersecurity protections and capabilities in 
four key areas:
   The Asset Management (AM) capability is aimed at providing 
        agencies with a centralized overview of their network devices 
        and the risks associated with such devices. Asset Management 
        enables an agency to maintain and improve its cyber hygiene 
        through 5 capabilities: hardware asset management (HWAM), 
        software asset management (SWAM), configuration settings 
        management (CSM), vulnerability management (VUL), and 
        enterprise mobility management (EMM).
   The Identity and Access Management (IDAM) capability is 
        intended to manage the access and privileges of agency network 
        users. Managing who is on the network requires the management 
        and control of account and access privileges, trust 
        determination for people granted access, credentials and 
        authentication, and security-related behavioral training.
   The Network Settings Management (NSM) capability is designed 
        to provide agencies with greater visibility into what is 
        happening on their networks, which also gives them a better 
        understanding of how the networks are being protected.
   The Data Protection Management (DPM) capability is intended 
        to provide additional protections to the most critical mission 
        data and systems on Federal civilian networks. While the other 
        CDM capabilities provide broader protections across Federal 
        networks, the DPM capability is focused on protecting sensitive 
        (especially private) data within the agency.
    These capabilities are centrally managed and reported through the 
CDM Dashboard Ecosystem, a cloud-based visualization and data analytics 
layer that allows agencies and CISA to obtain a top-level view of 
cybersecurity risk posture and access details regarding how individual 
systems and endpoints contribute to that risk posture. This allows 
agency personnel to quickly identify and address the highest risk 
cybersecurity vulnerabilities first.
    The current CDM program consists of 7 individual Task Orders to 
provide consistent, prioritized CDM capabilities to FCEB agencies. 
Those Task Orders are:
   CDM DEFEND A: Providing CDM program requirements to DHS
   CDM DEFEND B: Providing CDM program requirements to DOE, 
        DOI, DOT, OPM, USDA, and VA
   CDM DEFEND C: Providing CDM program requirements to DOC, 
        DOJ, DOL, DOS, FCC, TVA, and USAID
   CDM DEFEND D: Providing CDM program requirements to GSA, 
        HHS, NASA, SSA, and Treasury
   CDM DEFEND E: Providing CDM program requirements to DOED, 
        EPA, FDIC, HUD, NRC, NSF, SBA, and SEC
   CDM DEFEND F: Providing CDM program requirements to up to 75 
        small and medium FCEB agencies through a Shared Services 
        platform
   Dashboard Ecosystem: Developing and hosting a common CDM 
        Dashboard platform on behalf of CISA to receive and consolidate 
        information from participating CDM DEFEND agencies.
                          cdm past and present
    Since its inception in 2012, the CDM program has evolved to meet 
the priorities and relative maturity of the FCEB cybersecurity risk 
posture. When the CDM program began, it focused on implementing a 
standard set of commercial solutions to meet CDM-identified technical 
capabilities for enterprise visibility and protection. At that time, 
the program implemented cybersecurity risk management across the FCEB 
enterprise. Over time, however, the program recognized the need for 
flexibility to accommodate unique requirements and differing maturity 
levels from one agency to the next. Through CDM DEFEND, CISA addressed 
that need, and built a model focused on long-term, sustained 
engagement, delivering custom solutions tailored to each agency's 
unique environments and cybersecurity needs.
    Within the DEFEND model, CISA has further refined its approach to 
delivering cybersecurity services. For example, CDM DEFEND activities 
initially focused on delivering a single capability (e.g. Asset 
Management or Identity and Access Management) to all participating 
agencies. After deploying these foundational capabilities, CISA evolved 
to deliver services based on agency readiness model. In advance of 
agency engagement, CISA works with the agency to identify where program 
priorities align with an agency's ability to implement and maintain a 
specific capability. Using this readiness model, CISA validates that 
both CISA and the agencies are adequately funded and have the resources 
necessary to successfully deploy, operate, and maintain the 
cybersecurity solutions.
    The evolution of the CDM program is also driven by new regulations 
and executive guidance. For example, Executive Order 14028 ``Improving 
the Nation's Cybersecurity'' (the ``EO''), issued on May 12, 2021, 
provides greater visibility to agency environments as it grants CISA 
access to object-level cybersecurity data collected through CDM (see 
Section 7(f)). The EO also authorizes CISA to engage in cyber hunt, 
detection, and response activities through Endpoint Detection and 
Response (``EDR'') solutions deployed through CDM. These EO 
requirements grant CISA unprecedented visibility into agency network 
environments to proactively identify and remediate threats and apply 
observations in one agency environment across the FCEB enterprise.
    Through the CDM program, CISA has gained critical visibility into 
the cybersecurity posture across the entire FCEB enterprise and is 
well-positioned to quickly identify, assess, and remediate potential 
threats to agency network environments and, by extension, U.S. national 
security. Specific accomplishments include the broad roll-out of EDR to 
FCEB agencies and the onboarding of roughly 250 CISA threat hunters to 
conduct analysis through EDR and CDM Dashboard Ecosystem solutions. 
That access coupled with the availability of object-level data through 
the Dashboard Ecosystem has been a ``force multiplier'' in providing 
CISA the ability to identify, assess, and remediate anomalies across 
the Federal enterprise network.
                             future of cdm
    CISA continues to evolve its CDM program to meet the needs of its 
stakeholders. Further, as CISA prepares for the next generation of CDM, 
it has actively engaged with industry and identified likely future 
priorities that include:
   Issuing Task Orders based on CDM capability to be applied 
        across the entire FCEB community to promote consistency in 
        solutions across agencies.
   Delivering CDM capabilities to State, local, Tribal, 
        territorial (SLTT), and critical infrastructure (CI) 
        stakeholders.
   Expanding access to Shared Services across CDM capabilities.
   Enhancing alignment and collaboration among CISA, FCEB 
        agencies, and the cybersecurity tool vendor community.
                        concluding observations
    As a Federal contractor proudly supporting the CDM program, CGI 
Federal offers the following observations for consideration:
   Success of CDM's mission depends heavily on FCEB agencies 
        applying the resources and funding to invest in cyber 
        preparedness. Further, funding lapses or delays due to 
        government shutdowns or Continuing Resolutions impact program 
        continuity and ability to operate sustainably.
   Executive Order 14028 ``Improving the Nation's 
        Cybersecurity'' enhanced CISA's ability to effectively perform 
        its mission through, for example, authorizing CISA to engage in 
        cyber hunt, detection, and response activities through EDR 
        solutions deployed via CDM. Congress could ensure stability in 
        CISA's authority to perform these critical activities by 
        codifying these authorities into law.
   CISA could enable SLTT and CI stakeholders to leverage 
        existing CDM shared service platforms and capabilities to 
        defend against cyber threats such as ransomware attacks. These 
        strategies would allow stakeholders to leverage valuable 
        capabilities in a cost-efficient way to defend against threats 
        such as ransomware attacks.
   The use of the Dashboard Ecosystem and EDR as a ``first 
        venue of consultation'' for newly-identified critical 
        vulnerabilities or anomalous network activity by CISA 
        represents a force multiplier and a new era of centralized hunt 
        and response capabilities within the FCEB. These foundational 
        capabilities can be further leveraged in innovative ways to 
        improve our national security risk posture.
    CGI Federal appreciates the critical nature of the CDM program, as 
well as CISA's core mission. CGI Federal is proud to support CISA and 
the CDM program in working to secure the Federal Government's networks 
for citizens across the United States. CGI Federal also thanks the 
subcommittee for its continued oversight to ensure the continued 
success of the CDM program.

    Chairman Garbarino. Thank you, Mr. Zakowicz. Mr. Head, I 
now recognize you for 5 minutes to summarize your opening 
statement.

   STATEMENT OF JOE HEAD, CHIEF TECHNOLOGY OFFICER, INTRUSION

    Mr. Head. Thanks so much. Pleasure to be here with you guys 
today. We spent a lot of time, as do most I guess, on making 
the submittal perfect and word crafting, but I think me reading 
it is boring. So, what I'd like to do is just talk to a few 
things that aren't on there that I think are important.
    You mentioned the CRs. We've got one critical breach we've 
been waiting on working for 4 years against the U.S. military, 
and they were first under a CR. Then when they were not under 
CR, they didn't have a budget. Then when they had a budget, 
they were back under a CR again, and we haven't spent dime one 
on anything yet.
    So, when you start looking at major programs like you're 
discussing today, it is a layup that they will continue 
somehow. But when you have a reaction to a breach, God help 
you. There's nobody coming. You can't get budget. You can't get 
help. So, I would urge you guys, I've talked to Kay Granger 
about doing some sort of cutout where you say, this percent of 
your budget can be spent on a breach response. I would 
encourage you guys to think of a way in law to accommodate 
that.
    If you look at the United States, all of us in the security 
business would like to say it's good. But I remember there was 
a comedian that says you go to a college and them bragging 
about their smarts is like going to an ER and everybody 
bragging about their health. The United States is not secure. 
We suck at security. There's a new breach every 37 seconds. I 
went to a meeting one time with the STRATCOM chief, and they 
had all the chiefs of industry lined up at one end, and the 
rest of us with little companies lined around the outside, and 
basically said, we spend more on R&D every day than you guys in 
revenue every year. We got it covered. Well, they don't.
    So, what I would urge you guys to think through is, how can 
you help the threat hunters do better? Then part of the thing 
that you guys could do with the CISA meetings is ask the simple 
question like a 4-year-old, if we do this, are we done? Are we 
finished yet? So, when they finish the program, can you truly 
say, every threat we have is fixed?
    You know, if somebody decides they are going to roll up and 
sink an aircraft carrier, we're going to unleash holy hell on 
them. They don't think twice, they won't do it. But in cyber, 
sure. Take down this, take down that, steal these secrets, 
bankrupt the only supplier outside of China that can do a 
thing. They do it with impunity. So, we need to get to the 
point in cyber where people are scared to hit the enter button, 
and they are not scared.
    So, I would suggest that, you know, I'm not here because 
I'm part of these programs. I'm here because I see how suck we 
are at security as a Nation and as a world. The offenders have 
asymmetry to their huge advantage. One guy in a room doing an 
all-nighter come up with zero day that ain't nobody going to 
see. I mean, I named my company Intrusion after intrusion 
detection systems. My joke was all IDS systems are this helpful 
system that hands you a Polaroid of the fist that just broke 
your nose. I don't need that. Can you just give me a system 
that stops the fist?
    So, I think if we ask the questions better. We ought to be 
asking, if I do this, am I done? Is my COM system undownable? 
One big thing that I think we need to do in law and policy that 
you guys could help a lot with is it's--I'm sorry, I'm Texan, 
so, I don't know about PCness, but, you know, back when the 
cowboys and the Indians were fighting, the Indians didn't make 
guns, they didn't make bullets, and the outcome was certain. 
They were screwed. You can't fight if you don't make the stuff. 
Right now, there's no computer in any office here that wasn't 
assembled in China. Everything they wanted on it was on it when 
they shipped it.
    So, when you start talking about being secure, gee, 
sanitation starts early, you know, and we need to have a 
cleaner environment to build things on. So, we don't make 
routers in America, we don't make servers, we don't make 
computers. We need to re-onshore some stuff.
    I think there's room. If you read my testimony, I talked 
about doing a cyber Manhattan Project and I think we should. 
There's some of us here at the table, and we could name others 
that should be on the group. It's not just a contractor loop. 
There's some genius-level folks around the community that know 
what to do, but they haven't been tasked to fix it. So, I'd 
encourage you guys to stir that up a lot. So anyway, for the 
non-ad hoc stuff, feel free to read what we wrote. Thanks for 
letting us be here.
    [The prepared statement of Mr. Head follows:]
                     Prepared Statement of Joe Head
    Good morning, and thank you Chairman Garbarino, Ranking Member 
Swalwell, and distinguished Members of the subcommittee. My name is Joe 
Head. I am the cofounder and chief technology officer of Intrusion--
proudly headquartered in Plano, Texas.
    It is both a privilege and an honor for me to be here today, 
sharing my technical expertise and insights, which I have accumulated 
over four decades of immersion in the cutting-edge realms of the 
cybersecurity industry. I wholeheartedly commend the dedicated 
individuals on this subcommittee and their staff for their tireless 
efforts. They understand the need to enhance the Federal Government's 
cybersecurity capabilities but are also channeling their energies 
toward advancing the mission of agencies like CISA, with a strong focus 
on developing next-generation software and technologies that are 
critical in the forthcoming cyber conflicts.
    I began designing and providing secure networks and other security 
solutions for the U.S. Government when Ronald Reagan was President. We 
built equipment for the hotline from the White House to the Kremlin 
during his second term. I co-founded my company Intrusion in 1983, just 
3 years out of college and we've been a public company since the '90's.
    I've had more fun designing and securing things than you should get 
paid for. My goal today is to help the committee spur innovation in 
security. The United States is not secure. There are some secure 
networks, but very, very few. Complacency with the state of our 
security is a serious risk. A relaxed defender is the most naive one. 
Cyber offense is winning everywhere. A great challenge of our time is 
to make defenders better able to defend. I have an old friend who liked 
to say that he'd rather be lucky than smart. A network or system not 
breached is not a matter of the defender being lucky or smart, it is 
sadly that an attacker just isn't interested enough to focus on 
breaching it.
    As you read my opening remarks, keep in mind that an outline of the 
Manhattan Project was not put in the Congressional Record before Los 
Alamos was built. Our Government needs people with technical depth and 
a winning mindset. My job is not to inform our enemies what we plan to 
do to win the cyber war but to methodically ensure we take this domain. 
We do know what to do. There are core experts both in Government and 
industry that understand what winning would require and how to get 
there. This path also includes how not to get there by spending 
billions unwisely.
    Today I too often see security plans and programs looking a lot 
like children's soccer--a bunch of kids clustered around the ball. In 
cyber, the kids are always automating the hottest buzzwords without a 
grand plan to produce an absolute win. The challenge is to wisely 
architect a plan, put the right people in charge of defining the 
requirements, manage a design production, and reliably deploy a cyber 
get-well plan.
    We must have a get-well plan in cyber which gets silently built and 
deployed, representing a master stroke in reversing the reality of our 
current predicament. Adversaries all over the world are killing it in 
cyber with massive asymmetry, winning and penetrating millions of 
systems that we need to be trustworthy. Many are capable hackers 
working inside adversary cyber operations or just as individuals on 
their own.
    It was in the 1990's while identifying a threat at an automotive 
manufacturer that I realized we needed a better way to find the needle 
in the haystack. I built a database to understand what the internet 
looks like, who owns what, which areas were unsafe to visit. This 
analytic engine has evolved into a mainstay of defense-in-depth 
cybersecurity. By the early 2000's we built a tool to inspect and audit 
internet travels. Today, we know what traffic is coming and going from 
monitored systems, but more importantly how to stop threats from 
impacting operations.
    Now is a critical time for the U.S. Government, U.S. critical 
infrastructure, and critical parts of U.S. industry. If the world was 
awesome at cybersecurity, there wouldn't be a breach every 37 seconds. 
The more you know, the worse it looks. Is it hopeless? No. Is there 
reason to believe that the USG will naturally solve the problem? No. 
But the entirety of the Nation faces continuous and advancing attacks 
precisely because of U.S. commercial and Governmental successes, so the 
USG must strategically cultivate protections.
    As a student of history, we have seen dramatic examples of 
innovation in the face of new threats. There were dramatic examples in 
WW2 when foreign threats and war drove U.S. innovation to new heights. 
Sadly, few programs in the cyber field are constructed to be game-
changers. Mostly they scale up and automate a few elements of a good 
security approach but are not master strokes of a comprehensive 
solution. In other words, when the projects are done you won't be truly 
secure. Well-automated partial solutions don't make you secure, they 
just delay risk and make companies poorer from the expenses. While we 
must improve our baseline defensive posture to exponentially increase 
the cost of attack, profit-motivated hackers, criminals, and 
adversaries have already doubled-down on their attack investments with 
extensive resourcing.
    We already know that signature-based defenses fall in the face of 
zero-days and basic offensive threats. Most defenses ignore attacks via 
trusted sources like supply chains and security tools. The adversary is 
operating faster than the decision cycle of defenders, hidden in the 
vast noise of network traffic. Similarly, most budget requests and 
coding projects are to scale up defenses that cannot see novel 
compromises that have never been seen before, much less stop these 
threats completely. We have the capability now to tell if the crown 
jewels leave on a path headed for the shadows. With the advent of 
machine learning, network tools have identified and blocked 
untrustworthy sites, automatically guiding both people and devices to 
avoid the untamed internet, or offering them a picture of the monster 
rather than letting them directly reach out and touch it. But the 
unknowns must also be stopped, which requires knowing what good looks 
like.
    Enemies are already exacting heavy costs on the United States with 
cyber. Threats have been quietly planted into our infrastructure. 
Today--our country is still too reliant on foreign factories and 
vulnerable supply chains. The United States does not make the 
computers, routers, switches, process controllers, dock cranes, pumps 
for gasoline, car parts, cameras, medicines, chemicals, and many other 
electronic things. But in cyber, it is much worse if your adversary 
made all the computers used in critical infrastructure or weapons 
systems. If your enemy left a back door or a designed-in a kill 
switch--they might use it. True security requires covering the supply 
chain threat as well as all other classes of threats like hackers and 
the insider threat.
                               solutions
    Why was I interested in testifying on this topic today? I believe 
that there is a chance that the United States can re-achieve the needed 
sense of urgency these threats require. Investments in critical 
infrastructure, strengthening supply chains, and reshoring critical 
manufacturing are all necessary investments for our security. We must 
continue to be proactive in our approach to cybersecurity.
    The allocation of over $400 million in funding for the transition 
from Einstein to CADS is a significant level of funding. It is 
imperative, however, that the CADS program design and implementation 
are meticulously executed to deliver not only enterprise-wide system 
monitoring and control but also the seamless handling of vast volumes 
of data and information. Intelligent and actionable outputs must be 
quickly and proficiently delivered to a broad audience. History has 
shown that well-intentioned technological advancements can be hindered 
by overly complex and convoluted designs, drowning users in a sea of 
tools and unnecessary complexity. We must keep in mind that offensive 
cyber operations can be cheap and flexible. Just like water can find 
any hole in a ship, building, or computer system and cause massive 
damage--a cyber attacker needs only to be creative enough to find or 
create one hole to get in and defeat you with cyber. We must remove 
those attacks from the shadows of the internet, cut through that 
barrage of noise, and enable network defenders and analysts to discover 
the anomalies in the trusted high ground, where the maturing U.S. cyber 
workforce can collaborate to investigate without having resources 
overwhelmed. We can start by identifying what good looks like. How 
should safe software and devices behave? Knowing these profiles drives 
proficient identification of threats.
    Concurrently, we must remain vigilant against the pitfalls of 
comprehensive coverage leading to comprehensive failure. Adversaries 
will monitor our progress and respond. In the realms of design, 
application, and deployment, we must consistently ask ourselves how to 
intelligently and efficiently innovate new capabilities and approaches 
into a far more effective solution. This ensures that our legacy 
solutions, designed to address legacy problems on a massive scale, are 
agile enough to perform effectively in real-world scenarios.
    To achieve success, systems like CADS must work quickly, easily, 
and reliably. That is difficult. Solutions need to respond immediately 
to a threat, preventing outbound communications and impact to system 
operations. The response should be simple and as automated as 
possible--and not labor-intensive--overwhelming our already-taxed 
defenders. Plans need to account for integration and sustainment at the 
outset. And be agile enough to know that new things will need to be 
included over time. Our systems need to be real-time, 24/7 without a 
nagging string of alerts. A system that is both powered by quality and 
comprehensive data.
    Beyond the outside threats, the CADS system should support zero-
trust principles to mitigate and uncover compromises of accounts and 
systems. Digitally this means understanding the following about a 
system and its users:
   Who are the users?
   How do they behave?
   What is their reputation?
   Who have they been associating with?
   What does normal activity look like for mission need?
   What are the indicators of malicious intent?
   What are common traits of targets for a particular attack?
   How can targets reduce their exposure before being targeted?
    Moreover, it's essential to examine how a relatively modest 
investment in pioneering technologies and capabilities could 
potentially revolutionize our cybersecurity approach. By allocating 
funding to these ``moonshot'' endeavors, even in the order of a few 
million dollars, we may uncover the next major breakthrough in cyber 
defense, at a cost that pales in comparison to the budget required for 
comprehensive systems like CADS.
    We strongly recommend these flagship programs and agencies 
acknowledge that without specific and targeted funding for strategic 
research and development, we run the risk of neglecting the cyber 
defenses necessary for the latter half of the 21st Century. DOD does 
this with DARPA and other programs. That's one model, but any 
substantial investment in major cyber defense programs, without 
accompanying funding for innovative and transformative technologies, 
could render these programs vulnerable. Much like the Maginot Line, an 
unforeseen breach in an inadequately defended area could undermine the 
entire defense system, rendering it futile and ineffective.
    As I conclude my opening remarks, I would like to emphasize to the 
committee that while the introduction of the CADS system seems to 
represent a significant stride in the right direction, we must not let 
complacency take root. We should actively seek ways to complement the 
capabilities of CADS with innovative functions and useable systems that 
align with our overarching mission of fortifying the U.S. cyber defense 
posture. By doing so, we can ensure that our Nation remains at the 
forefront of cybersecurity, prepared to confront the evolving 
challenges of the digital age.
    Just like the Manhattan Project would not have worked without a 
core team of geniuses backed up with a massive support and 
implementation program--now is as good a time as any to take charge. 
Congress can wisely pass laws and fund efforts that guide the course of 
this cyber conflict. We don't need to wait for our communications, 
power, logistics, and critical infrastructure to be taken offline in 
the lead-up to a conflict.
    Spending tens of billions on the latest partial buzzwords isn't a 
winning strategy, let's implement a winning cyber strategy on a tight 
time line at an achievable budget. This path doesn't stop the kids' 
soccer teams from doing what kids do with massive pieces of Federal 
budgets, so let's carve out 5 percent for a cyber Manhattan Project 
that surprises the world with a defensive cyber solution that came out 
of nowhere and reversed the asymmetry of this conflict which we are 
losing. Winning is better.
    Thank you again Mr. Chairman and Mr. Ranking Member for inviting me 
into this subcommittee's discussion today. I would be happy to answer 
your questions.

    Chairman Garbarino. Thank you, Mr. Head. Mr. Sheldon, I now 
recognize you for 5 minutes to summarize your opening 
statement.

     STATEMENT OF ROB SHELDON, SENIOR DIRECTOR, CROWDSTRIKE

    Mr. Sheldon. Chairman Garbarino, Congressman Menendez, 
Members of the subcommittee, thank you for the opportunity to 
testify today. Government functions are predicated on operable 
information technology systems. Because these functions 
underpin national security and other key services, Federal 
cybersecurity is a topic of paramount importance.
    CrowdStrike is a U.S. cybersecurity company with employees 
in the United States and abroad. We are a provider of endpoint 
security technologies, cyber threat intelligence, and 
cybersecurity services to CISA and a host of other Federal 
agencies. We are proud to be an alliance member of CISA's Joint 
Cyber Defense Collaborative, JCDC. We also have unique 
perspectives from being a leading commercial provider serving 
major technology companies, 15 of the top 20 largest U.S. 
banks, and thousands of small and medium-sized businesses.
    Over the past several decades, the Federal IT landscape has 
changed drastically. Beyond desktops and servers, we must now 
defend cloud environments, mobile devices, internet of things 
devices, and even specialized operation technologies. In 
parallel, the volume and severity of cyber threats to Federal 
systems is increasing.
    Over the past few years, adversaries like China and Russia 
have successfully breached the U.S. Government on multiple 
occasions. In July, Chinese threat actors once again exploited 
authentication flaws in a major software vendor's email and 
office productivity platform, this time resulting in threat 
actors' unauthorized access to the email of two Cabinet 
Secretaries.
    The Federal Government approach to cybersecurity is now 
evolving. An initial major cybersecurity program launched in 
2008, the National Cybersecurity Protection System, NCPS, and 
its EINSTEIN capability focused on perimeter defense. But this 
strategy has fallen out of favor as most enterprises no longer 
even have a perimeter to defend. A complementary program, 
Continuous Diagnostics and Mitigation, or CDM, was created in 
2012. This program offered a flexible portfolio of technologies 
to defend Federal networks. While CDM had a slow start, it has 
accelerated meaningfully over the past year, thanks in part to 
the addition of key endpoint detection and response, or DAR, 
efforts.
    This year, CISA officials announced the creation of two 
associated programs, the Joint Collaborative Environment, JCE, 
and the Cyber Analytics and Data System, CADS. CADS, in 
particular, will be central for supporting a variety of new 
data-intensive operational requirements. Among other things, 
this includes implementation of the Cybersecurity Incident 
Reporting for Critical Infrastructure Law, CIRCIA, passed last 
year.
    Beyond programs, Federal cyber policy has changed in recent 
years to better address threats. Congress provided CISA the 
authority to threat hunt across Government networks in the 
fiscal year 2021 National Defense Authorization Act. The White 
House issued Executive Order 14028 in May 2021. This initiated 
key efforts for endpoint security, log retention, cloud 
adoption, and incident response standardization. In 2022, the 
Office of Management and Budget, pursuant to Executive Order 
14028, issued a Federal Zero Trust Strategy that clarifies and 
aligns Government efforts on implementing zero trust 
principles. This year, the Office of the National Cyber 
Director issued a new National Cybersecurity Strategy and an 
associated implementation plan that provides a roadmap and 
dates for several important cybersecurity initiatives.
    I'd like to offer a few recommendations for Federal 
cybersecurity going forward. New programs such as CADS must be 
designed to enable flexibility and be built for scale. The 
expanded use of cloud workloads, growing log retention needs, 
and the use of artificial intelligence, or AI, each entail 
extensive data processing requirements. As noted above, the 
recent addition of EDR capabilities has strengthened CDM, but 
when the time comes to modernize that program itself, 
stakeholders should consider clear terms for long-term cost-
sharing and additional shared services approaches. The Federal 
Information Security Modernization Act of 2014, FISMA, is of a 
similar vintage as CDM and could benefit from reform. A bill 
that aligns disparate Federal IT policies accrued over the past 
10 years would improve cybersecurity outcomes.
    Looking ahead there are a number of emerging technologies 
that would further strengthen the Federal cybersecurity 
posture. These include Extended Detection and Response, or XDR, 
which enables integrated EDR like visibility and control to 
cybersecurity products beyond the endpoint, identity threat 
detection and response, which supports zero trust adoption 
objectives, and expanded use of AI, which can enhance a broader 
range of cybersecurity solutions, and managed security 
services, which can enable high-fidelity commercial support to 
distributed Federal security operations. Each of these is 
described in more detail in my written statement. Thank you 
again for the opportunity to testify today, and I look forward 
to your questions.
    [The prepared statement of Mr. Sheldon follows:]
                  Prepared Statement of Robert Sheldon
                           September 19, 2023
    Chairman Garbarino, Congressman Menendez, Members of the 
subcommittee, thank you for the opportunity to testify today. 
Materially all Federal Government functions are predicated on operable 
information technology (IT) systems. Given that these functions include 
the provision of key services that underpin national security and our 
way of life, Federal cybersecurity is a topic of paramount importance.
    CrowdStrike is a U.S. cybersecurity company, with employees across 
the country and globally. We bring a unique perspective on Federal 
cybersecurity issues. We are a provider of endpoint security 
technologies, cyber threat intelligence, and cybersecurity services to 
the Cybersecurity and Infrastructure Security Agency (CISA) and other 
Federal agencies. We are proud to be an original plank holder of CISA's 
Joint Cyber Defense Collaborative (JCDC). We also have unique 
perspectives from being a leading commercial provider serving major 
technology companies, 15 of the top 20 largest U.S. banks, and 
thousands of small and medium-sized businesses.
    Over the past two decades, the Federal IT enterprise has swelled in 
size and scope. No longer basic networks of desktops and servers, 
Federal IT today includes cloud workloads, mobile devices, internet of 
things (IoT) devices--and even specialized operational technology (OT).
    In parallel, the volume and severity of cyber threats to Federal 
systems has increased. Nation-state threat actors regularly seek--and 
too often, succeed--in breaching Federal enterprises. Over the past few 
years, major incidents have enabled adversaries like China and Russia 
to collect sensitive intelligence. In July, Chinese threat actors once 
again exploited authentication flaws in a major Federal vendor's office 
productivity and email platform--this time resulting in threat actors' 
unauthorized access to the email of two Cabinet Secretaries.\1\ Under 
slightly different geopolitical conditions or adversarial objectives, 
these incidents could have enabled scaled destructive attacks.
---------------------------------------------------------------------------
    \1\ See Nakashima, Ellen. Menn, Joseph. Harris, Shane. Chinese 
hackers breach email of Commerce Secretary Raimondo and State 
Department officials. The Washington Post, July 14, 2023. https://
www.washingtonpost.com/national-security/2023/07/12/microsoft-hack-
china/; and Results of Major Technical Investigations for Storm-0558 
Key Acquisition, Microsoft, September 6, 2023. https://
msrc.microsoft.com/blog/2023/09/results-of-major-technical-
investigations-for-storm-0558-key-acquisition/.
---------------------------------------------------------------------------
    The evolution in the IT environment and worsening of the threat 
landscape mean it's important to regularly review and assess the 
efficacy of Federal cybersecurity measures--which include policies, 
programs, and strategies.
a brief background on cisa's primary federal cybersecurity programs \2\
---------------------------------------------------------------------------
    \2\ For brevity, I have not described broader Federal cybersecurity 
initiatives like Trusted Internet Connection program (2007), the 
Comprehensive National Cybersecurity Initiative (2009), FedRAMP (2011), 
the Federal Information Security Modernization Act (2014), or the 
Federal Information Technology Acquisition Reform Act (2014), but I 
would like to acknowledge their contributions to the Federal 
cybersecurity infrastructure that exists today.
---------------------------------------------------------------------------
    By the early 2000's, Federal IT infrastructure had grown 
significantly. Cybersecurity protections were still fairly organic, 
with different agencies adopting different approaches, dedicating 
disparate resources, and achieving uneven outcomes. A significant 
uptick in cyber attacks targeting national laboratories, major defense 
industrial base entities, and the Federal Government agencies 
themselves highlighted the need for greater investment and more 
standardization.
    National Cybersecurity Protection System (NCPS).\3\ Established in 
2008, NCPS's goal was to protect Federal networks through a suite of 
perimeter defense technologies called ``EINSTEIN,'' as well as an 
associated analytic capability. Leveraging intrusion detection and 
later intrusion prevention capabilities, EINSTEIN would attempt to 
defeat threats prior to threat actors accessing sensitive systems, like 
endpoints, or sensitive data. While the program clearly improved 
Federal cybersecurity posture from the status quo ante, and the 
associated analytic capabilities supported broader initiatives, 
EINSTEIN itself was not ultimately well-suited to meet the full scope 
of cyber threats to the ``.gov.''
---------------------------------------------------------------------------
    \3\ See National Cybersecurity Protection System, CISA. https://
www.cisa.gov/resources-tools/programs/national-cybersecurity-
protection-system.
---------------------------------------------------------------------------
    Perimeter defenses are only one small part of cybersecurity. Two 
concepts help explain why. The first is the assumption of breach. Elite 
defenders have come to assume that threat actors can--and indeed, 
already have--breached perimeter defenses. Whether through a supply 
chain attack, malicious or unwitting insider, compromised identity, or 
any number of other methods, attacks often sidestep perimeter security 
measures and other defensive controls. Within this worldview, defenders 
must operate accordingly.\4\ The second concept is defense in depth. 
This practice essentially layers defensive technologies to provide 
defenders multiple opportunities to detect and respond to threats. If a 
threat actor is able to breach the perimeter, defenses at the network, 
endpoint, and identity layers provide additional chances to stop them 
before they can achieve their objectives.
---------------------------------------------------------------------------
    \4\ This assumption leads to the imperative to hunt, described 
below.
---------------------------------------------------------------------------
    However useful EINSTEIN was at inception or at its peak efficacy, 
its value has eroded over time. Mobile devices, remote work, cloud 
applications, and other changes in the IT landscape have dissolved the 
perimeter, even as the increased use of encryption has complicated 
detection of malicious traffic at the perimeter layer. Further, threat 
actors have become more adept in recent years at targeting endpoints, 
users, and identities directly. As a result, the security community--
including Government agencies and the White House \5\--have embraced 
concepts like Zero Trust, which essentially disavows the defensibility 
of the perimeter. While it's reasonable to maintain perimeter defenses 
as part of a layered security architecture for the ``.gov,'' it's also 
reasonable to consider EINSTEIN a legacy technology and to focus 
investments elsewhere.
---------------------------------------------------------------------------
    \5\ See Executive Order 14028, Improving the Nation's 
Cybersecurity, The White House. https://www.whitehouse.gov/briefing-
room/presidential-actions/2021/05/12/executive-order-on-improving-the-
nations-cybersecurity/.
---------------------------------------------------------------------------
    Continuing Diagnostics and Mitigation (CDM). By 2012, DHS had 
established a complementary, broader program called CDM. Rather than 
applying a uniform suite of protections across the ``.gov,'' CDM would 
offer a flexible portfolio of technologies to defend Federal networks. 
The program would deliver new capabilities in four phases: Asset 
Management; Identity and Access Management; Network Security 
Management; and Data Protection Management.\6\ A unifying requirement 
for tools acquired under the program is the ability to offer visibility 
through an integrated agency-level dashboard, as well as an aggregated 
Federal-level dashboard.
---------------------------------------------------------------------------
    \6\ See CDM Program Overview, CISA. https://www.cisa.gov/sites/
default/files/publications/
2020%252009%252003_CDM%2520Program%2520Overview_Fact%2520Sheet.pdf.
---------------------------------------------------------------------------
    Despite modest progress in early years, CISA officials report 
rapidly-accelerating progress over the past few years. According to a 
recent CISA blog, ``CDM is no longer a static effort to standardize 
agency capabilities and collect cybersecurity information, but rather 
the U.S. government's cornerstone for proactive, coordinated, and agile 
cyber defense of the Federal enterprise.''\7\ The post further credits 
Executive Order 14028 with strengthening the program's operational 
visibility, which highlights the addition of the Endpoint Detection and 
Response (EDR) program to CDM (explained in more detail, below). 
Further progress is possible with the extension of EDR to cloud 
workloads and mobile devices.
---------------------------------------------------------------------------
    \7\ See Evolving CDM to Transform Government Cybersecurity 
Operations and Enable CISA's Approach to Interactive Cyber Defense, 
CISA. July 23, 2023. https://www.cisa.gov/news-events/news/evolving-
cdm-transform-government-cybersecurity-operations-and-enable-cisas-
approach-interactive.
---------------------------------------------------------------------------
                       recent policy developments
    While the current major Federal cybersecurity programs administered 
by CISA are now 10-15 years old, Federal IT policy has accelerated. 
Stakeholders have made significant progress in the past few years, best 
illustrated by three key developments.
    Threat-Hunting Authorities. A central insight from the influential, 
bipartisan Cyberspace Solarium Commission Report of March 2020 was 
recommendation 1.4, which highlighted the need for CISA to perform 
continuous threat hunting across the ``.gov.''\8\ Pub. L. 116-283, the 
fiscal year 2021 National Defense Authorization Act (NDAA) Section 1705 
granted CISA this authority, which positions the agency to act as the 
operational defender of the Federal Government.\9\
---------------------------------------------------------------------------
    \8\ See Cyberspace Solarium Commission Report, March 2020. https://
www.solarium.gov/report, p. 41.
    \9\ See NDAA Enacts 25 Recommendations from the Bipartisan 
Cyberspace Solarium Commission, Sen. Angus King, January 2, 2021. 
https://www.king.senate.gov/newsroom/press-releases/ndaa-enacts-25-
recommendations-from-the-bipartisan-cyberspace-solarium-commission; and 
The National Defense Authorization Act for Fiscal Year 2021, https://
www.Congress.gov/116/bills/hr6395/BILLS-116hr6395enr.pdf, p. 695.
---------------------------------------------------------------------------
    Executive Order (E.O. 14028). The May 2021 Executive Order on 
Improving the Nation's Cybersecurity advanced a suite of measures to 
further bolster security of the ``.gov.'' Key among them were 
requirements to:
   Deploy Endpoint Detection and Response (EDR) capabilities, 
        which among other things serve as the foundational enterprise 
        cybersecurity technology for threat hunting;
   Implement Zero Trust Architectures, as well as generally 
        accelerate cloud and Software-as-a-Service (SaaS) utilization;
   Standardize incident response practices; and
   Maintain more robust and consistent logging, which supports 
        investigations and remediations.\10\
---------------------------------------------------------------------------
    \10\ See Executive Order on Improving the Nation's Cybersecurity, 
The White House, May 12, 2021. https://www.whitehouse.gov/briefing-
room/presidential-actions/2021/05/12/executive-order-on-improving-the-
nations-cybersecurity/.
---------------------------------------------------------------------------
    Federal Zero Trust Strategy. In January 2022, fulfilling a 
requirement from E.O. 14028, the White House Office of Management and 
Budget (OMB) issued a strategy for implementing Zero Trust across the 
``.gov.'' The memorandum identified specific outcomes and objectives 
that agencies must achieve over the coming years. This strategy serves 
a key roadmap that aligns industry and agency efforts over what will be 
a complex, multi-year process.\11\
---------------------------------------------------------------------------
    \11\ See Memorandum 22-09, Moving the U.S. Government Toward Zero 
Trust Cybersecurity Principles, Executive Office of the President, 
January 26, 2022. https://www.whitehouse.gov/wp-content/uploads/2022/
01/M-22-09.pdf.
---------------------------------------------------------------------------
                 forthcoming programmatic developments
    Budget request documents released over the past year foreshadow 
perhaps the most significant shift in the Federal cybersecurity program 
space since the advent of CDM. Specifically, CISA is in the midst of 
creating two new, closely-linked programs which will absorb elements of 
NCPS.\12\ First, according to these documents, CISA will create a 
program called the Joint Collaborative Environment (JCE). At a high-
level, JCE would split the NCPS program into two components. The first 
is EINSTEIN capabilities (i.e., perimeter defense), which would be 
maintained as legacy technology under JCE.
---------------------------------------------------------------------------
    \12\ This narrative draws on program descriptions within CISA 
Budget Overview for Fiscal Year 2024 Congressional Justification. 
https://www.dhs.gov/sites/default/files/2023-03/
CYBERSECURITY%20AND%20INFRASTRUCTURE%20SECURITY%20AGENCY.pdf. See also 
CISA Strategic Plan fiscal year 2024-2026. https://www.cisa.gov/sites/
default/files/2023-08/FY2024-2026_Cybersecurity_Strategic_Plan.pdf. For 
consistency, I have focused on characterizations from the President's 
Budget Request rather than from more recent but yet-to-be-finalized 
House and Senate Appropriations documents.
---------------------------------------------------------------------------
    The second component of JCE is much broader--and is itself a 
meaningful new program--called Cyber Analytics and Data System (CADS). 
A summary document for the fiscal year 2024 President's Budget Request 
describes CADS as ``a system of systems[] that will provide a robust 
and scalable analytic environment capable of integrating mission 
visibility data sets and providing visualization tools and advanced 
analytic capabilities to CISA's cyber operators.''\13\ CADS would 
absorb the remaining analytic capabilities from the NCPS program, serve 
as the hub for Cyber Incident Reporting for the Critical Infrastructure 
Act of 2022 (CIRCIA) analytics, and support a number of other data-
intensive operational activities.
---------------------------------------------------------------------------
    \13\ See Department of Homeland Security Fiscal Year 2024 Budget in 
Brief. https://www.dhs.gov/sites/default/files/2023_03/
DHS%20FY%202024%20BUDGET%20IN%20- BRIEF%20%28BIB%29_Remediated.pdf, p. 
4.
---------------------------------------------------------------------------
                  next steps in federal cybersecurity
    A core principle in cybersecurity is that the defender must have 
visibility into security-relevant events of the systems they defend. 
Today, this includes the endpoint, cloud, and identity planes in 
addition to the traditional network. Although stakeholders have made 
significant progress on Federal cybersecurity over the past few years 
in enhancing this visibility and control, several points stand out as 
next steps to further strengthen the security posture of the ``.gov.''
    JCE and CADS implementation. Clearly, the JCE and CADS efforts 
described above will require a significant investment of time and 
resources. Federal cybersecurity programs historically have a long 
``shelf-life,'' and strengths and weaknesses can both compound over 
time. This underscores two key, future-oriented considerations:
   It's important to design these programs to enable 
        flexibility. Changes in the IT or threat environment over time 
        may precipitate the need to reallocate resources between 
        program areas or initiatives.
   CADS in particular should be built for scale. The processing 
        of data for cybersecurity purposes increased exponentially 
        during the transition from the legacy antivirus age to the 
        current EDR age. This trend could continue for some time, 
        particularly as cloud workloads swell, log retention 
        expectations increase, and adversaries and defenders alike seek 
        to leverage Artificial Intelligence (AI). CISA must build CADS 
        data processing capabilities that can perhaps double (or more) 
        year over year for the foreseeable future.
    CDM modernization and sustainment. With the realignment in NCPS 
described above, CDM will in a sense become the ``mature'' Government 
cybersecurity program. This raises the question: at what point might 
CDM itself need to be modernized? From an operational standpoint, the 
EDR program has clearly breathed new life into CDM, so perhaps this is 
a question that can be resolved in the future. Nevertheless, when the 
time comes, stakeholders should consider two questions:
   While some EDR technologies were available through CDM prior 
        to E.O. 14028, it ultimately required a mandate from the White 
        House to deploy this essential technology across the ``.gov.'' 
        Cybersecurity professionals within CISA understood the 
        importance of EDR, and it was clear that EDR would support 
        CISA's hunting mandate. But CDM still works on the model of a 
        catalog. In the future, is there scope for CISA to more 
        proactively enforce the use of CDM technologies to fulfill its 
        mission?
   Although, as noted above, EINSTEIN's operational 
        capabilities have aged poorly, the NCPS program's architecture 
        has aged like a fine wine. Specifically, it worked on a shared 
        services model, meaning agencies got the benefit of EINSTEIN 
        protections without complex budgeting or cost-sharing 
        processes. With respect to the CDM program and associated 
        funding, Federal CISOs still sometimes hesitate to acquire new 
        technologies, given a real or perceived uncertainty about cost-
        sharing with CISA over time. In the future, is there scope to 
        adapt CDM, or elements thereof (e.g., EDR), to operate more 
        directly as a shared service, where CISA funds the program for 
        users directly?
    Emerging cybersecurity capabilities. The cybersecurity industry is 
evolving at an uncharacteristically rapid rate. So over the next few 
years, the conversation within the Federal cybersecurity community will 
shift to new priorities. A few emerging areas to monitor, and further 
integrate into Federal defenses as appropriate, include:
   Extended Detection and Response (XDR). Mature security 
        programs within the private sector are already augmenting EDR 
        to attain detection and response capabilities at other layers 
        of the enterprise security stack. XDR enables visibility and 
        control over network and identity (described below) data; the 
        aggregation of logs; and the integration of threat intelligence 
        within a unified workflow.
   Identity Threat Detection and Response. As security 
        practitioners increasingly confront risks from IT ecosystem 
        monoculture specifically, and identity-based attacks generally, 
        there's greater interest in defending enterprises at the 
        identity layer. This emphasis comports nicely with broader 
        Federal Zero Trust adoption efforts.
   Artificial Intelligence (AI). While the application of AI to 
        cybersecurity is not new, it is advancing. Although already 
        resident within leading endpoint security tools, multiple other 
        cybersecurity technologies will integrate AI and new AI-based 
        capabilities will emerge over the coming years. This will drive 
        speed, efficiency, and even make some tools more accessible 
        through the integration of a natural language interface.\14\ To 
        the extent possible, Federal cybersecurity executives should 
        view this opportunity holistically, consult broadly with 
        industry and academia, and engage in long-term planning.
---------------------------------------------------------------------------
    \14\ See, for example, Charlotte AI: Accelerate Cybersecurity with 
Generative AI Workflows CrowdStrike. https://www.crowdstrike.com/
products/charlotte-ai/.
---------------------------------------------------------------------------
   Managed Security Services. Enterprises--even very large 
        ones--increasingly leverage commercial managed security 
        solutions. Defenders should be prepared to respond to and 
        remediate cyber threats 24x7x365, and not all entities are able 
        to build programs that can match the agility of dedicated 
        commercial offerings. On the other hand, internal IT and 
        security staff, by virtue of their trust and familiarity with 
        the organization's mission space and constraints, are uniquely 
        positioned to develop processes, address risks, and otherwise 
        strengthen security maturity. So unburdening these internal 
        operators from tactical demands on their time pays enormous 
        dividends. This opportunity clearly applies in aspects of the 
        Federal IT ecosystem.
    Thank you again for the opportunity to testify today, and I look 
forward to your questions.

    Chairman Garbarino. Thank you, Mr. Sheldon. Members will be 
recognized by order of seniority for their 5 minutes of 
questioning. An additional round of questioning may be called 
after all Members have been recognized. I really do appreciate 
the participation, though, of my colleagues for being here 
today. This is a dense topic, but it is a very important one. 
So, I do appreciate you all being here, especially considering 
CISA right now is under attack from some of our colleagues, 
ranging from proposed defunding of salaries to up to a 25 
percent cut of their budget, something that I think after 
today's testimony from our witnesses, people will understand 
how important CISA is and that the focus needs to be on 
defense, especially when it comes to cybersecurity.
    So, I now recognize myself for 5 minutes of opening 
questions. Mr. Gumbel, for a long time, agencies have been 
required to maintain asset inventories. The base layer of CDM 
was meant to help this. You can't defend what you can't see. 
But even with a requirement in FISMA and tools in CDM meant to 
help identify and manage assets, agencies consistently struggle 
to accurately and continuously maintain asset inventories. CISA 
even put out a binding operational directive at the beginning 
of this fiscal year, again directing agencies to better manage 
their assets. What more can the CDM program do to help agencies 
get this right?
    Mr. Gumbel. Sure. Mr. Chairman, thank you for this 
question. I think there's a lot that they can do to help get 
this right. I think some of our recommendations are we need to 
create a more transparent and collaborative technology 
assessment process. We also need to, and I think we all can be 
aware of this, that the procurement process within Federal 
Government is not the easiest to get through, and it also 
excludes some of the newer technology, cloud-based 
technologies, and it's more leaning toward and geared toward 
legacy technologies. So, I think improvements there within 
procurement can absolutely help out.
    There's also a lot that can be learned from the private 
sector. The private sector has done incredible advancements 
around cloud-based technologies, around end-to-end solutions 
that offer full visibility into unmanaged devices. I submitted 
in my written testimony a bar chart that showed the explosion 
of unmanaged devices. Those devices, meaning the ones that you 
can't see traditionally, IP cameras, HVAC systems, building 
management systems, and printers, those things need to be 
looked at when we are looking at securing the American public.
    Chairman Garbarino. Thank you very much. I have heard from 
many companies that some of our best technologies are being 
kept out because of the procurement process right now.
    So, something we should work on. Mr. Zakowicz, NCPS has 
traditionally structured as a true shared service with CISA 
providing and covering the cost of operation. Whereas CISA 
provides funding and tools for CDM for the first 2 years, with 
agencies expected to carry on funding after that. Are there 
changes that would help improve agency adoption of CDM tools? 
What role does centralized funding play in that?
    Mr. Zakowicz. Thank you for the question. As I mentioned in 
my opening remarks, the funding associated with progress on CDM 
is not just in the hands of CISA. It's also in the hands of the 
agencies who have their own mission priorities and focus that 
they need to balance against the priorities that CISA provides 
and their own security. I think that one case study under the 
CDM program that we've seen under the shared services model is 
that unlike the 2-year funding model that you referenced, that 
shared services model does provide those services in perpetuity 
to those smaller agencies and organizations as long as they're 
using that standardized set of capabilities that are provided 
to those agencies.
    That model is not going to work for the largest, most 
complex federated agencies out there. They are going to have 
their unique requirements that won't necessarily allow them to 
take on a shared services approach. But there are a lot of 
agencies that currently don't qualify for the shared services 
program that could take advantage of those and that would allow 
centralized funding. It would allow reduction in total 
operating costs due to the purchasing power of that shared 
services platform, and could ultimately provide some additional 
benefit.
    Chairman Garbarino. Are there risks introduced by moving 
toward a true shared services model that increases 
interdependencies and thus increases the potential for 
cascading vulnerabilities across agencies?
    Mr. Zakowicz. So, I think the risks associated with moving 
to a shared services model generally, you know, come from an 
agency perspective around the lack of control in the solution, 
which can be a risk and a benefit depending on what your IT 
resources look like. The current shared service model under CDM 
provides multiple options of any given tool or capability, at 
least two, so that agencies can pick which one is best suited 
to their needs. Then it also provides additional watch 
capabilities so that there's a central organization within CISA 
keeping an eye on what alerts, what monitoring activities are 
occurring under those tools, and provides a, you know, checks-
and-balances process to then notify those agencies when issues 
are identified.
    Chairman Garbarino. Thank you. Mr. Head, as the head of 
your company, both CDM and NCPS--he made me do that, by the 
way--both CDM and NCPS are critical parts of Federal civilian 
cyber defense. It seems to me that these two programs, which 
ultimately are about visibility and continuous monitoring, 
should work better together. How should CISA be thinking about 
getting these programs to work better together?
    Mr. Head. I think if we start with the basics of the roles 
when we consider the options, you know, what data do I need to 
see what I need to see? One of the panel members makes a 
product that says here's your inventory all that stuff on your 
network. I think we also need to look at role. One of the 
things I like to look at is, you know, is your printer a bank 
teller? Is your printer an engineer? If not, why is it 
accessing customer records? So, when you start looking at 
things that shouldn't happen the way they are happening, you've 
got to answer the question, if I have a tool and I choose to 
make it proactive and to block and, I mean, do we want to spend 
our whole time analyzing or reporting on how we got eaten? Or 
do we want to flip the tables and say, no, we stopped this cold 
and they won't come after us again?
    I think a piece of that is you got to do to them what they 
just did to you. So, you know, we need to have some law changes 
in terms of punitive damages as well as unleash the military 
guys to have fun. So, whatever they do to us, we need to do 
them 10 times until they quit. This is terrible.
    Chairman Garbarino. Thank you very much. I now recognize 
Ranking Member Menendez for 5 minutes for any questions he may 
have.
    Mr. Menendez. Thank you, Chairman. Government funding is 
set to expire in just 11 days, creating a dangerous risk of a 
Government shutdown. Even in a best-case scenario where we keep 
the Government open, we will have a continuing resolution with 
no sign of a bipartisan full year appropriations bill in sight. 
This question is for all of you. What do you see as the main 
impacts a Government shutdown could have on the ability of CISA 
to defend networks? We will start with you, Mr. Gumbel.
    Mr. Gumbel. I think the shutdown will obviously cause 
delays and some cyber projects will come to a halt. The longer 
we delay, the longer the adversaries will have the chance to 
get in front of us. So, delays are just terrible for this 
Nation and it is going to cause some major impact.
    Mr. Menendez. Thank you.
    Mr. Zakowicz. Thanks. So, having done this for 4 years, 
I've lived through a couple of, you know, Government shutdowns 
and the impacts, I think really day-to-day operationally are 
ones of continuity and ones of resource availability. So, what 
are we able to do, what are we able to make progress on? 
Ultimately, what tradeoffs are each one of those agencies 
making as they're, you know, facing the questions of what, you 
know, resources are they going to have left, how are they going 
to keep the doors open? That does have an impact, not just on, 
you know, that shutdown in the moment, but also continuity, 
planning, and forward progress in some of these initiatives.
    Mr. Menendez. Thank you. Mr. Head.
    Mr. Head. As I mentioned before, the big programs under a 
CR continue at the previous funding levels, or 80 percent. The 
thing that just hits you the hardest is the new initiatives 
just get stopped completely and we need a lot of innovation in 
the cybers. So, I think you all need a way to fund during a CR, 
especially new programs and reactive breach responses. That's 
sadly lacking across the table and it is sort-of disheartening 
to the guys that are burning 20-hour days to do the work across 
all the agencies.
    Mr. Menendez. Just to quickly follow up on that, you 
mentioned the new initiatives. New initiatives are to match the 
evolving threat environment, correct?
    Mr. Head. Correct.
    Mr. Menendez. So when we are not implementing that, we are 
not only not keeping up, but we are falling behind in a 
relatively quick fashion.
    Mr. Head. Yes.
    Mr. Menendez. Thank you. Mr. Sheldon.
    Mr. Head. You can't start a new effort under a CR, but you 
can continue an old one. This is all new. It's new every day 
with a new breach, new zero day, new attack.
    Mr. Menendez. I appreciate that. Mr. Sheldon.
    Mr. Sheldon. Thank you. You don't get to have good 
cybersecurity outcomes if you don't have continuity in your 
cybersecurity programs. The absence of funding could disrupt 
that.
    Mr. Menendez. Thank you. Mr. Gumbel, just to come back to 
you to sort-of follow up on the point Mr. Head just made. How 
would a year-long continuing resolution that locks in last 
year's budget impact the ability of CISA to innovate to match 
the current threat environment?
    Mr. Gumbel. I'm sorry. Could you repeat that?
    Mr. Menendez. Sure. How would a year-long continuing 
resolution that locks in last year's budget impact the ability 
of CISA to innovate to match the current threat environment?
    Mr. Gumbel. My view is that we need to obviously match what 
CISA is doing in order to progress some of the changes in the 
systems that we're looking to put forth. So, I think it is a 
big concern.
    Mr. Menendez. Thank you. The current CDM program monitors 
traditional IT assets across Federal agencies. However, the 
attack surface is growing to include internet of things, 
devices, and threats to operational technology. As CDM 
continues to modernize, including all assets will be an 
important part of the program's maturation. Mr. Gumbel, can you 
elaborate on why you think including internet of things and 
operational technology assets in the CDM program is so 
important?
    Mr. Gumbel. The reason why it's so important is that only 
10 percent of networks have managed devices on them. The other 
90 percent are unmanaged devices. As you mentioned, Mr. 
Chairman, you can't protect what you can't see. All of these 
other devices are out there and they are invisible unless 
there's modern technology, there's cloud-based technologies, 
and there's ways in which you can view these assets. Without 
being able to view these assets, these are vectors for the 
adversaries to be able to get in and to be able to compromise 
our environments.
    Mr. Menendez. Great.
    Mr. Gumbel. So, it's a real big threat.
    Mr. Menendez. A quick follow-up to that you mentioned you 
can't protect what you can't see. How should CISA go about 
expanding its visibility into those devices?
    Mr. Gumbel. I think how they go about it is to allow modern 
companies to be able to bid when there's new contracts that 
come out. I think they have to evolve from legacy companies 
that have on premise solutions, allow cloud-based technologies 
to come in and provide a holistic view. I think the other thing 
that they can do is start looking at commonality between 
different leadership groups within organizations. Right now, 
you have some groups that you have just visibility into OT or 
IT. You have some that are focused just on IOT. There needs to 
be a conversion to leadership across all Federal agencies so 
that there's a holistic view of what's being managed and what's 
being unmanaged.
    Mr. Menendez. I appreciate that. Probably all of us on this 
subcommittee have had local governments in our district hit by 
ransomware attacks and other cyber incidents that have denied 
constituents access to vital Government services. One way to 
help State and local governments is to provide them expanded 
access to CDM services. We will ask you to keep this brief 
because I am over. Mr. Zakowicz and Mr. Sheldon, how should 
CISA enable expanded CDM shared services to State and local 
governments?
    Mr. Zakowicz. I think they've got a good blueprint to 
follow in the shared services capability they've already 
offered to the Federal entities. As you can imagine, the cyber 
maturity of agencies across our FCEB can, in a lot of ways, 
mirror the relative maturity of State and local critical 
infrastructure stakeholders where some are very well-resourced 
and others are not. So, I think there's a lot of learnings from 
that rollout of shared services that could be directly applied 
to State, local, Tribal, territorial, and critical 
infrastructure.
    Mr. Sheldon. Thank you. There are some lessons for sure 
that State and local entities can take from Federal Government 
programs like CDM. There are also, frankly, some lessons that 
the Federal Government can take from State and local entities 
that kind of more organically operate on shared services models 
in some instances.
    Mr. Menendez. Thank you.
    Chairman Garbarino. I now recognize the gentleman from 
Florida, Mr. Gimenez, for 5 minutes.
    Mr. Gimenez. Thank you, Mr. Chairman. Mr. Head, I was 
listening to your testimony, and it struck me, were you saying 
basically that the United States' cybersecurity efforts are 
mainly, if not exclusively, defensive in nature?
    Mr. Head. I would say that we are reactive defensive in 
that we are not taking actions to stop it before it happens. 
You know, and I think, there's, obviously, there's a difference 
between the offensive side and the defensive side. So, the 
military guys have offensive capabilities that they hold in 
reserve and that'll work independent. But my comment was more 
on the side of don't just wait until something happens and 
develop a process to know about it and report it sooner. Work 
on the technologies that stop the attack in the first place.
    Mr. Gimenez. But I think you also said that our 
cybersecurity threats, they kind-of operate with impunity. They 
know that nothing's ever going to happen to them.
    Mr. Head. Correct.
    Mr. Gimenez. Which means that they are not afraid of any 
offensive capability that their target may possess.
    Mr. Head. That's correct.
    Mr. Gimenez. Is that because is it illegal for us or a 
company to conduct offensive----
    Mr. Head. I think there's----
    Mr. Gimenez [continuing]. Or retaliatory operations against 
somebody who just attacked their network, et cetera, or what is 
that?
    Mr. Head. I think there's many levels to that. I've been 
asked several times about, should we take off the gloves and 
let people that are hit, hit back? I'm not a big fan of that 
approach because you could end up starting a nuclear war just 
by, you know, doing something crazy. So, I don't think we want 
to go vigilante, but I do think we need better clarity.
    When I first started looking at this a decade ago, we had a 
guy that had a bunch of documents stolen, and he put scripts in 
his documents so that when they got to wherever they were going 
to, they would call him and let him know where they ended up. 
They arrested him for operating shell scripts on a computer 
without permission. That's crazy. So, being able to trace. We 
need to clarify----
    Mr. Gimenez. Was that illegal?
    Mr. Head. Yes.
    Mr. Gimenez. It was illegal.
    Mr. Head. He didn't have permission from the guy that 
attacked him to run scripts on the attacker's computer. So, he 
included executable files in what was stolen, and he was 
arrested for that. So, there's a little bit of crack-smoking 
that goes on in the legal world that we need to fix.
    Mr. Gimenez. All right. So, somebody attacked him.
    Mr. Head. Yes.
    Mr. Gimenez. And he put something in there to make sure 
that he could find out who it was that attacked him?
    Mr. Head. Correct. They arrested him.
    Mr. Gimenez. Then the person that attacked him said, hey, 
you couldn't do that to me even though I attacked you first, 
and therefore, the guy that was attacked was the one ultimately 
jailed?
    Mr. Head. Yes.
    Mr. Gimenez. That sounds logical.
    Mr. Head. You don't have to look far for comedy in the 
cyber space. But I'm just saying, you know, you guys are really 
good about--a lot of us that have been in the defensive world 
forever we try to figure out how to operate within the laws and 
make it better. The reason I'm here is it suddenly dawned on 
me, a year or so, just change the law. Let's get rid of the 
crazy. It helps.
    Mr. Gimenez. I guess that is what I was trying to get to, 
that there may be laws that are actually hindering our ability 
to defend ourselves and maybe, look, I have no problem hitting 
back every once in a while, OK?
    Mr. Head. Absolutely.
    Mr. Gimenez. All right. Because then you should have as an 
attacker, you need to be fearful of what could happen to you, 
depending on who you attacked. I mean, can you imagine if we 
had after Pearl Harbor, we just said, well, I guess we will 
just wait for the next attack, OK. We are not going to take any 
offensive capabilities. Or in Europe, well, you know, we are 
just going to stay here in England, and we were not going to do 
D-Day because, you know, we are just going to defend ourselves. 
I don't think you could win too many wars that way. So, I find 
that very interesting.
    I don't know who can answer this, but artificial 
intelligence. If somebody can put out a crystal, you know, get 
a crystal ball and say, OK, what will artificial intelligence 
do in this realm, offensively and defensively? What do you all 
see?
    Mr. Sheldon. I could take a stab at that. Thank you, sir. 
So, artificial intelligence has made a lot of news recently 
because there's greater access to some consumer products that 
make LLMs, especially large language models, available for 
experimentation. But really, artificial intelligence and 
cybersecurity is not all that new.
    My company, for example, has had artificial intelligence 
and machine learning embedded in it at scale, deployed out 
across tens of millions of endpoints for the better part of 10 
years. That really drives some of our ability to identify and 
stop even very novel threats, attacks that haven't been seen 
before. So, there's a lot of ways in which defenders already 
are using AI and that is poised to continue as AI gets 
integrated into other product areas. So, it is a very exciting 
time from the standpoint of what the defenders are able to do.
    On the other hand, it's also the case that adversaries and 
different threat actors are experimenting with large language 
models and other forms of AI. It's something that us in the 
defense community need to look out for. It may be the case that 
there's some more developments in that over the next coming 
months because there are broader access to some of these tools 
now than there have been over some time. So, it's something 
that merits watching.
    Mr. Gimenez. Thank you. I guess my time is up. I yield 
back.
    Chairman Garbarino. The gentleman yields back. I now 
recognize the gentleman from Louisiana, Mr. Carter, for 5 
minutes.
    Mr. Carter. Thank you, Mr. Chairman. Thank you all for 
being here. In 2021, President Biden issued Executive Order 
14028, which imposed a host of new mandates on agencies to 
strengthen the Federal Government's cybersecurity. One positive 
result of this order was a deployment of endpoint detection and 
response technologies across Federal agencies as a part of the 
CDM program. With that Executive Order now already 2 years old, 
the technological environment continues to evolve with advances 
that constantly test our defenses. For all of the witnesses, as 
we seek to constantly evolve the CDM program to stay ahead of 
our adversaries, what technologies and cyber defense practices 
do you think are most urgently needed to be deployed at Federal 
agencies based on today's ever-moving threat?
    Mr. Gumbel. Thank you, Congressman. For Armis, we view the 
only way for pure protection across all agencies is ubiquity 
and that view to have 100 percent visibility into all assets. 
Whether those assets be IT OT, IOT, or IOMT, it is critical 
that you have visibility into the unmanaged devices within an 
environment in order to provide that holistic view. Otherwise, 
you're at risk of adversaries getting one step ahead of the 
game and being able to infiltrate a network.
    Mr. Carter. Thank you.
    Mr. Zakowicz. I agree with the answer. I would say at least 
with my experience on the CDM program, that yes, historically 
the focus has been on IT-managed assets. They have done some 
work associated with operational technology, mobile assets, 
cloud assets, and I think that needs to be prioritized and 
accelerated to be able to get that complete view that my 
colleague's referencing.
    Mr. Head. I think one aspect that is worth saying is when 
you look at endpoint protection, there's some really good 
stuff. We use theirs and love it. But what you want to do is 
instrument a network in such a way that how do you know when 
you've been blindsided. So, I think, you know, if you look at 
IOT devices, there's not going to be endpoint software, you 
know, on a watch, or on a firmware device, or a lot of IOT 
things, door alarms, so on. So, you're going to have to have 
network-based things that look to see if those are acting in 
ways they shouldn't.
    So, you want a layered defense. People talk about that all 
the time, but when it comes to implementing it, we do sort-of 
light beer when you're ready for full-bodied. So, we need to 
really look at a more defense-in-depth with a lot more 
visibility.
    Mr. Sheldon. Thank you. I'd say there's still some progress 
that can be made within the EDR program itself by way of 
deploying it out to cloud environments, mobile devices, and the 
like, just to make sure that you have the same level of 
visibility control on those types of assets. Then beyond that, 
really thinking about a concept that the industry calls 
extended detection and response, which is the same idea of 
bringing that visibility and control out to other parts of the 
network security stack. So, making sure that you can get 
integrated workflows with data not just from the endpoint but 
also from the network, or from the perimeter, or being able to 
integrate logs, being able to integrate threat intelligence and 
similar things then giving people more coherent set of a 
control plain for being able to do the work that they do from a 
defensive standpoint.
    Mr. Carter. Mr. Sheldon, in your earlier testimony you 
discussed the need for CISA's proposed cyber analytics and data 
systems to be built to scale. I agree on the need to ensure 
that CADS has the capacity to process significant increases in 
data we can expect CISA to receive in the upcoming years. How 
can CISA ensure that it deploys the new program in a way that 
is flexible enough to handle future demands?
    Mr. Sheldon. Thank you, Congressman. This, I think, is 
probably one of the more interesting questions that CISA has to 
grapple with today. I think an interesting stress test for 
whatever plans they've developed for the CADS program is to 
think about, you know, would this work if we needed to--
whatever our sort-of best guess is, or our assumption about how 
much data we need to be able to process in that environment, 
would it be able to handle twice that, and then would it be 
able to handle twice that again? Doing some of those sort-of 
stress tests would, I think, position them well to understand 
whether they're developing architectures that can scale to the 
level that they will need to if they are doing more types of 
data-intensive programs across the Federal Government.
    For our case, we have 2 trillion events per day or more 
that we stream up to our cloud. So that's the type of big data 
that----
    Mr. Carter. I got 3 seconds. Let me just cut you off a 
second. I want to ask Mr. Gumbel, given where we are and the 
threat as they evolve, and the pace at which technology is 
moving, if you had a silver bullet that you can use with this 
committee or with Federal Government, what would that be to 
make sure that we are staying abreast and ahead of the bad 
actors?
    Mr. Gumbel. I want to repeat this again, but I do believe 
the silver bullet is to have end-to-end security for visibility 
for all of your assets. That's the only way to get full 
visibility and protection across your enterprise. To take a 
step further, is once you can identify those assets, understand 
where those vulnerabilities lie, and then take action upon 
those vulnerabilities to protect your environment holistically.
    Mr. Carter. How complex is it to do that and how long does 
it take?
    Mr. Gumbel. It is not that complex at all. We have 
organizations that, at scale, have rolled out tens of millions 
of endpoints in weeks. This is something that we can partner 
with the Federal Government to achieve.
    Mr. Carter. Thank you, Mr. Chairman. I yield back.
    Chairman Garbarino. The gentleman yields back. I now 
recognize the gentlelady from Florida, Ms. Lee, for 5 minutes.
    Ms. Lee. Thank you, Mr. Chairman. Mr. Gumbel, I would like 
to pick up right where we left off there. You have given us 
some very useful information today about our general status at 
this point that we have done a lot of work on endpoint 
detection, but as the attack surface continues to grow, so do 
our defenses and our preparation need to evolve. I am 
interested in what capabilities we need to be integrating into 
CADS to improve analytics and increase visibility, as you have 
been testifying about. Specifically, do we need to pay 
particular attention to the concept of encrypted communication? 
Are we capturing that now? Is there anything we need to be 
doing in that space?
    Mr. Gumbel. Sure. So, that was a lot to unpack. But I 
believe that, Congresswoman, the thing that we still need to do 
once you have the holistic view of an entire environment, you 
have to look at other vectors too. You bring up encryption, 
encryption is definitely of utmost importance and making sure 
that the encryption standards that the Federal Government holds 
across all agencies are kept up to date.
    You also have to make sure that you're looking at legacy 
providers and technologies that have been built 10, 20 years 
ago. Are they really up-to-date? Are they really current today 
if they are not modern in their approach? Because the 
adversaries are going to come forth with something new and they 
are going to bypass and get past those networks that are being 
defended today by legacy contracts. So, I think all of that 
needs to be taken into consideration.
    Ms. Lee. OK. Mr. Zakowicz, you indicated earlier on the 
subject of hunt and incident response through CDM that you 
thought we might need to look at changes in Congressional 
authority in order to be really utilizing that as part of our 
approach. Would you tell us a little bit more about that?
    Mr. Zakowicz. Sure. Thank you. So, there were two 
authorities granted within the Executive Order that I think 
were directly relevant to the CDM program's ability to gain 
insight and access into agency network environments like they 
hadn't been able to before. The first was associated with 
endpoint detection and response, or EDR, hunt and response 
activities. It's being done through an initiative granting 
threat hunters access to agency EDR tooling through what's 
called persistent access or pack capabilities. So, that's given 
them an opportunity to be able to look in those agency 
environments real time, directly using tools like CrowdStrike 
and others to understand what's happening in that space.
    Then the second is access to what's called object-level 
data. So, within the agencies, the detailed information on 
every endpoint that's being collected and rolled up and 
aggregated into this CDM dashboard having direct access to that 
object-level data allows them to within minutes search across 
the Federal enterprise for the presence of, let's say, zero-day 
vulnerability or known exploitative vulnerability. Identify the 
potentially vulnerable assets within an agency environment 
across the FCEB, and then use EDR in partnership with the 
agency to go further, interrogate that asset and understand 
what the risk profile really looks like. I think CISA's seen 
some success with that combination of capabilities with even 
recent breaches, being able to identify in minutes what may 
have taken hours or days or longer through data calls.
    Ms. Lee. Mr. Head, I would like to hear from you on what 
capabilities you think CISA should be including in the CADS 
program to help improve analytics and visibility.
    Mr. Head. If you look at the detail that I've seen, you 
know, publicly, they had things like DNS and signatures in 
there, but they didn't have flow. I think it is really 
important to be able to see flow in terms of oversight 
guidance. There's also the notion of how do you know who 
somebody is? So, on a network, a lot of the privacy concerns 
have led manufacturers into anonymizing the Mac addresses so 
that you don't know what the device is anymore. So certainly on 
Federal Government agency networks, you need to know what 
things are and they shouldn't be able to do anonymization and 
hide their activities.
    The other piece I would also mention is you get into the 
details of things like you ask about encryption. The purpose of 
encryption is to keep somebody from stealing your stuff. But if 
you're in the business of stealing stuff, encryption is hiding 
what you're stealing. So, the answer isn't to give everybody 
the keys, the answer is encompass in your logging what file 
moved from his machine to my machine. You shouldn't have your 
audit system be more prone to invasion and privacy concerns 
than your original network was. So, we can do things like MD5, 
all of the files as they flow, and say this file was the 
unreleased this and you sent it to him, why? So, I think it's 
possible to build an audit system without breaking the world, 
but it doesn't do just to start let's opine about things that 
are impossible. Let's write down methodically things that are 
easy and very effective.
    Ms. Lee. Thank you, Mr. Head. Mr. Chairman, I yield back.
    Chairman Garbarino. Thank you. The gentlelady yields back. 
I think since everyone is here, I am going to start my second 
round of questions. I want to start with Mr. Zakowicz. Amidst 
an increasingly complex threat landscape, technology 
innovations of the last decade and recommendations for 
improvements from the GAO and industry stakeholders, the CDM 
program must evolve to keep pace with the threat and improve 
Federal cyber defense. Do you envision any gaps in authorities 
needed to allow CISA to continue to strengthen the Federal 
Government's information infrastructure?
    Mr. Zakowicz. Thank you for the question. I think we've 
already covered a couple of specific authorities that I think 
would be beneficial to be codified in order for CISA to 
continue the mission that they have. I think we've also touched 
a little bit on I think there was reference in one of the 
opening statements to CISA's authority to actually conduct 
testing and verification in agency environments, to run, you 
know, penetration testing or network testing activities within 
the individual agency environments. While I'd say personally, I 
think that, you know, with the responsibility resting with the 
agencies themselves, that's something that would need careful 
consideration. I do think continuing to take a look at how 
actively they are able to engage with agency networks, agency 
environments, would be worthwhile to understand if that gives 
them the authorities they need.
    Chairman Garbarino. Thank you very much for that answer. 
EDR has been rolled out through the CDM program after it was 
acquired in the May 2021 Cyber EO. A few years ago, CISA was 
given an authority to proactively hunt for threats on agency 
networks. Mr. Sheldon, in your testimony you discussed the 
opportunities for EDR to inform CISA's threat hunting 
capabilities. How can CISA better leverage EDR data to improve 
threat hunt efforts?
    Mr. Sheldon. Thank you, Mr. Chairman. So, I think CISA is 
really far ahead of where they were a couple of years ago by 
virtue of the authorities that I mentioned that were given to 
them in Section 1705 of the fiscal year 2021 NDAA and then by 
virtue of having this now-very powerful EDR capability deployed 
out across many, many Federal agencies. I think the core task 
now is to ensure that, is it the case that every endpoint that 
can be protected with that type of capability is. It may be 
possible for them to think about extending it more over cloud 
environments and mobile devices, as I mentioned before. Then to 
think through the next set of problems, which is again, 
thinking about bringing that same type of control to other 
parts of the network and then really creating a unified 
workflow for their analysts to be able to do something 
productive with that very quickly when there's a threat.
    Chairman Garbarino. Thank you very much. Mr. Head, 
following up on your response to Ms. Lee before, how can AI be 
more incorporated into these programs, particularly, as CISA 
looks to evolve NCPS?
    Mr. Head. I think in lots of ways. Whenever you're drowning 
in a sea of big data, like you mentioned, trillions, all of us 
deal with, you know, tens of trillions of events, you know, on 
a periodic basis and just slugging through all that with humans 
just doesn't scale well. So, we all see that as our salvation 
for doing a thorough job across broad spectrum of assets that 
need protecting.
    I think zooming up a little bit, there's also big data that 
needs to come to bear outside the--remember the old game where 
you had to draw lines, three rows of three dots, and you drew 
your lines? I think a lot of times we are focusing in the box 
instead of outside. So inside, we are not spending much time to 
do surveys of what isn't covered and in that you can drive a 
sinking country through. So, I think we need to kind-of look at 
what are we missing as a paid research project for somebody.
    Chairman Garbarino. I am not sure how often we think 
outside the box when it comes to the Government. I only have a 
little time left. But I said at the beginning of this hearing, 
we are doing this to talk about the two programs, NCPS and CDM. 
And we are going to have Government witnesses, one from CISA, 
someone from somewhere else. This is for all of you and feel 
free to jump in. What should we be asking them at the next 
hearing when we have them in front of us specifically about 
these programs? We can start with Mr. Gumbel, and we can move 
down the aisle if you want.
    Mr. Gumbel. I think one of the biggest questions, Mr. 
Chairman, is ask them have they looked at modern technologies 
or are they only focusing on the contracts that they have with 
legacy providers that have built technologies 20 years ago? 
Those technologies that are either on premise, they're not 
cloud first, there are older ways in their thinking in the way 
that they protect networks and connect infrastructures. So, I'd 
say that would be the first thing that I would ask.
    Chairman Garbarino. Mr. Zakowicz.
    Mr. Zakowicz. Thank you. So, I would suggest focusing on, 
you know, across our national security, our economic security, 
where are the threats? Because I think they certainly exist 
within the Federal Executive branch, but they also exist 
outside of the Federal Executive branch. I think as CISA looks 
at applying their resources, their time, their focus, you know, 
is it internal to Federal? Is it external to State, local, 
Tribal, critical infrastructure? Where do we get the most 
benefit in our improving our security's posture?
    Chairman Garbarino. Thanks. Mr. Head.
    Mr. Head. I'd ask about how will they map what they're 
doing to the threat landscape? So, how are you going to stop 
these things with what you're doing? That gets down to the next 
level into what are you logging? What are you keeping? What can 
you see? What can you not see? When do you plan on doing that? 
You know, I've joked that, you know, there used to be a cartoon 
with the cat and the mouse, and the mouse would run through the 
garden hose and there'd be a big lump that was mouse size 
running through the hose. We don't see our secrets leaving out 
our ethernet cables like watermelons flowing. So, I think just 
the simple visibility of have they stolen us blind? Do we have 
any national secrets left? You know, the cables don't get hot 
and glow and melt, you know, as they're stealing our stuff. So, 
I'd look at CISA's programs and say, what are you doing that'll 
let us see an OPM breach instantly instead of finding it a year 
later? I found that one myself, you know, looking at data. So, 
the question is, how is what you're doing going to help that?
    Chairman Garbarino. Mr. Sheldon.
    Mr. Sheldon. Thank you. I think it's worth asking CISA if 
they've seen incidents or other issues on Federal networks that 
would be protected by technologies that exist within the CDM 
portfolio and the agency in question hadn't used those 
technologies than to just try and interrogate where was the 
disconnect? So, I think some of us have spoken about this 
today. It may be the case that there's an opportunity to 
clarify some of the longer-term funding for some of the CDM 
projects and to make that more consistent and then to really 
shift that program so it's operating more on that shared 
service type of basis that you had with NCPS and EINSTEIN. That 
may resolve some of the issues. There could be others, but it'd 
be interesting to hear about it.
    Chairman Garbarino. Thank you very much. I now recognize 
Mr. Menendez for 5 minutes for any questions he may have.
    Mr. Menendez. Thank you, Chairman. Thanks to progress made 
by the Biden administration and support from Congress, CDM has 
made important strides in recent years and has helped CISA more 
quickly respond to cyber incidents. Mr. Sheldon and Mr. Gumbel, 
are there recent examples you are aware of where CDM has helped 
CISA with incident response or the mitigation of 
vulnerabilities? What aspects of CDM have been most helpful 
with strengthening Federal cybersecurity? We will start with 
you, Mr. Gumbel.
    Mr. Gumbel. I'd actually really like to take this one for 
the record and get back to you with a thorough answer because 
I'm currently not aware of anything that's been that beneficial 
that I could speak to.
    Mr. Menendez. I respect that.
    Mr. Gumbel. OK.
    [The information follows:]

    In response to Ranking Member Menendez's question about examples of 
where the CDM program has been most beneficial and helped response and 
mitigation of cyber incidents, we submit the following:
    CDM has brought value to small and micro agencies and driven the 
implementation of new technologies into Federal IT programs. Agencies 
are better equipped to manage privileged accounts because of the 
identity efforts leading to more resilient and secure critical citizen 
services. EDR deployments likewise have been largely successful.
    However, our overall assessment of the core CDM efforts is not 
positive. Many of the original goals of CDM have been achieved and much 
of the deployment is secondary rather than integrated to agency 
operations.
    The CDM program however relies on a legacy model and approach, and 
it is our hope that a more open, full-industry approach can help CISA 
achieve its original CDM mission of: Reducing agency threat surface, 
increasing visibility into the Federal cybersecurity posture, improving 
Federal cybersecurity response capabilities, and Streamlining Federal 
Information Security Modernization Act (FISMA) reporting.

    Mr. Menendez. Mr. Sheldon.
    Mr. Sheldon. I'll just say briefly that it's sometimes the 
case that, you know, even we as vendors don't get perfect 
visibility on how, you know, how particular investigations have 
unfolded. There may be some good reasons for that from an 
operational security standpoint, just, you know, people in CISA 
who are working on different projects, issues, responding to 
incidents, they'll be in touch from time to time.
    The part about this that I do think is helpful and is 
clarifying is reporting that we will ultimately get from the 
CSRB, the Cyber Safety Review Board, and they've announced an 
investigation recently where they were going to look at the 
July breach of the Microsoft 365 platform that led to the 
ability of Chinese threat actors to read the email of two 
Cabinet Secretaries. It'll be interesting to get ultimately a 
reconciled view from different vendors, from Government 
agencies that have responded, and from other people out in the 
security research community about what precisely happened. 
That's a very useful thing for people to know so that we can 
learn and integrate lessons as appropriate.
    Mr. Menendez. I appreciate it. I just want to give you both 
a chance on the second part. What aspects of CDM have been most 
helpful with strengthening Federal cybersecurity? If you'd like 
to respond.
    Mr. Sheldon. I'm sorry, could you say that again?
    Mr. Menendez. Sure. What aspects of CDM have been most 
helpful with strengthening Federal cybersecurity?
    Mr. Sheldon. I think we've all mentioned EDR and 
highlighted that. So, at the risk of beating a dead horse, 
obviously it's a powerful capability. I think the design of CDM 
was to make available a portfolio of technologies so that if 
particular Government agencies had very specific needs, there 
might be something there that would be able to meet that need. 
So, it may well differ from agency to agency about what, on top 
of something like EDR, drives the most value.
    Mr. Menendez. I appreciate it. One challenge for Federal 
agencies is that many rely on outdated technology that is 
harder to secure. In recent years, Congress has tried to 
address this challenge by funding the Technology Modernization 
Fund, which supports efforts to update agency technology. This 
year, the Appropriations Committee has advanced legislation 
that would eliminate funding for the program. Mr. Gumbel, why 
is funding for the Technology Modernization Fund important for 
strengthening Federal cybersecurity?
    Mr. Gumbel. I think it's very important to be able to fund 
those projects so it enhances and continues the progress of 
securing the Nation. Without this continuous funding, there 
might not be the opportunity to look at modern technologies in 
ways that could protect the Federal Government. Any type of 
funding slowdown will halt any progress and the adversaries 
have the opportunity to just speed up time and be able to come 
after any of the exposures or links into networks that aren't 
protected.
    Mr. Menendez. You said any slowdown, correct?
    Mr. Gumbel. Any slowdown.
    Mr. Menendez. Yes. Following up on that, what kind of 
investment should be prioritized when looking to upgrade 
Federal agencies technology? Do you have any specific examples 
of more investments?
    Mr. Gumbel. Yes, I think the biggest message is don't 
always look at Government examples to upgrade your technology, 
look to private sector. Private sector has done in a lot of 
areas, has done very well in keeping their technologies modern. 
There's a lot of great use cases that the private sector is 
using to protect their products, to protect their customers, 
and to protect their IP. I think the Federal Government can 
learn a lot from that.
    Mr. Menendez. Within private sector, are there any 
industries that you feel are leading or ahead of the curve that 
we should potentially pay extra care to?
    Mr. Gumbel. Sure, sure. I think, you know, manufacturing is 
one, the financial services is another. Some industries that 
have a lot of operational technology machinery, oil, and gas, I 
think those are areas to look at as well.
    Mr. Menendez. I appreciate that. Thank you, Mr. Chairman. I 
yield back.
    Chairman Garbarino. The gentleman yields back. I now 
recognize the gentleman from Mississippi, Mr. Ezell, for 5 
minutes of questioning.
    Mr. Ezell. Thank you, Mr. Chairman. Guys, about 40-plus 
years ago, I went to work at the police department in my 
hometown. What I remember the chief and the administrators at 
the time talking about was bad communication. Mr. Head, when 
you were talking there a few minutes ago, it just reminded me 
of my early life in police service. People don't normally want 
to call the police unless they got a problem or something's 
going on. We show up, we respond. When you talked about the 
aircraft carrier come under attack and what we would do in 
response to that. I would like to know, and each of you jump in 
there, what we can do as a Congress to better hold some of 
these folks accountable for not getting the communication to 
the proper place so that we can say, why is this happening? Why 
can we not do something about it? Who can we hold accountable 
for these things? Anybody?
    Mr. Gumbel. Sure. I'll start off. I believe that there's an 
opportunity for Congress to look at some of these contracts to 
bridge some of the gaps of disparity. I will point to something 
for an example, B.O.D. 23-01 requires agencies to report on all 
assets connected to their networks. But however, CDM, this 
program explicitly excludes IOT, OT, and other managed 
technology. So, you have two different programs with two 
different views. This is just an example of areas or contracts 
that have this disparity. I think Congress can really help 
bridge the gap to make sure that everything's on the same 
playing field.
    Mr. Ezell. Thank you. Mr. Head, could you talk just a 
little bit more about some of your concerns that you were 
speaking about in your opening statement?
    Mr. Head. Sure. Reflecting on what you just asked about, 
one thing I've tried to understand a little bit is when someone 
reports a breach, FAA for a long time--I'm a pilot just for 
fun--and for a while there, if you had a near-miss, you report 
the near-miss and you're excused from losing your license over 
your participation in that. In the cyber space, it is not 
usually apparent when you report a thing whether they're going 
to get you for allowing it to happen or give you a Ferrari for 
finding it and stopping it. So, we haven't really got the risk/
reward down for how do you elicit insightful cooperation and 
insightful response within and without the organizations? I 
think there's a large jurisdictional--I can't say that--contest 
between who's supposed to help you.
    Mr. Ezell. Yes.
    Mr. Head. So that would certainly be helpful.
    Mr. Ezell. It is kind-of like in police world, if you have 
a problem and you don't know who to call, what do you do, 
you're stuck. So, I think that, you know, we as committee 
Members and you as very concerned folks, we have got to do a 
better job on our end. We have got to be able to have some very 
frank conversations because this is not going to stop. There 
are these bad actors in the world and they want our stuff. Like 
you were saying, you know, what have we got left that they 
don't have? So anyway, I want to thank you all for being here 
today. Mr. Chairman, I yield back.
    Chairman Garbarino. The gentleman yields back. I now 
recognize the gentlelady from Florida, Ms. Lee, for her second 
round of questions.
    Ms. Lee. Thank you, Mr. Chairman. Mr. Head, I would like to 
come back to you. You mentioned something in your opening 
statement and in your written testimony that you refer to as 
our Cyber Manhattan Project. Would you please share with us a 
little bit more about your vision there and how you think that 
would look?
    Mr. Head. Sure. That was the hardest part about writing it 
because when they started the real Manhattan Project, they 
didn't put it on public record and put it on C-Span, hey, we're 
just looking to build a bomb and nuke you. You know, shoot 
these guys because they are our lead scientists. So, I think 
what we should do is think about some percentage of our budget. 
In Texas, I think it was Lady Bird Johnson forever ago that put 
in the thing for 2 percent of all highway funds will be spent 
on plants and trees and beautification. We spend a lot of 
money. I describe it in the testimony that a lot of the cyber 
efforts remind me of your kids playing 5-year-old soccer. They 
are all just huddled around the ball chasing the latest 
buzzwords. At the end of the day, they are not a team and they 
didn't accomplish anything. That's kind-of prefaced by the we 
suck at cyber as a country.
    Although there's some really good folks in the industry and 
I think all of us put together in a quiet time would say, let's 
just fix it. Like the two buzzards' patience, hell, let's kill 
something. You know, so I think there's room in the oversight 
process to say to DISA, to DARPA, to somebody, gee, you're in 
charge of making this suck less every month.
    You know, and then there's been some rapid progress made in 
a lot of fronts, particularly after go back to World War II. 
But I think, you know, the measure of pissed-offness ought to 
be higher than it is for us getting attacked every day and 
doing nothing.
    So, I think I would challenge that back to you guys. This 
is like I told today coming and testifying with you guys, 
nothing against it, but on my list of top 10 things to do, it's 
3,742nd.
    But I think now the time is right for doing something and I 
think that the brains are right for doing something. So, I'd 
just love to see let's do something that's not ordinary. At the 
end of the day, we can say, that was bad, we fixed it.
    Ms. Lee. On that point, you also just referenced the 
concept of risk/reward.
    Mr. Head. Yes.
    Ms. Lee. Who is working with us? What are they reporting? 
When and how are they reporting it? I know I previously worked 
at an agency that implemented a bug bounty program----
    Mr. Head. Right.
    Ms. Lee [continuing]. To that end, so that in hopes that 
some of the good guys might help us identify issues that we had 
prior to the bad guys finding them. What are your thoughts on 
that type of solution or any other ideas you have to help us 
properly incentivize risk/reward?
    Mr. Head. Plenty. I would start, though, with removing the 
stupid. So, I was looking at one a few years ago that Congress 
funded and the Pentagon implemented, and it was basically free 
service for defense contractors. So, you could basically rent 
this dog that will come in and bite you and your children. So, 
anything they find, you're on the hook for paying the full cost 
of remediation, which could bankrupt you.
    So, the rightful answer would be don't ask, don't invite, 
don't participate, because you're renting a dog that could hurt 
you. Does that make sense?
    Ms. Lee. It does.
    Mr. Head. Because we're going against formidable 
adversaries and most people don't have the staff to play that 
game. Like I say, comedy abounds when you look at the rules 
that we put in place. But I think a reason to pass through all 
of those to say let's remove the worst first.
    Ms. Lee. All right. Mr. Sheldon, and I will ask each of you 
this preparing to come here today and the things that you think 
we need to have top of mind and we need to be working on, is 
there anything you haven't had the chance to tell us about 
today that you think we should know?
    Mr. Sheldon. Thank you for the opportunity. Really, just to 
drive more focus in the Federal space. So many of the attacks 
that we see, they don't involve malware, they don't involve 
classic indicators of compromise that we can block through 
existing solutions. It is really a compromised credential or 
something to that effect that might cause the breach.
    So, there are some solutions in place and some 
architectures that try to address that. Zero trust is one of 
them. That's something that I would encourage all of us as a 
community to think more about. How do we promote the adoption 
of that type of solution in the Federal space?
    Ms. Lee. Mr. Head.
    Mr. Head. I think I've talked too much and told you most of 
my ideas, so.
    Ms. Lee. Pass.
    Mr. Head. Thank you.
    Ms. Lee. Mr. Zakowicz.
    Mr. Zakowicz. Thank you. I was going to echo my colleague 
from CrowdStrike, and I'm impressed we went this long before 
saying zero trust for the hearing. But I think identity is an 
area we haven't spent much time talking about in this forum but 
is critically important to understand who is actually on the 
network.
    What are they doing? How do we make sure that people only 
have access to the things they need to get their job done?
    Ms. Lee. Fundamentally zero trust type of thinking?
    Mr. Zakowicz. Correct, yes. One of the fundamental pillars 
of zero trust is identity, and I think that is one that needs 
the most focus first.
    Ms. Lee. Access control.
    Mr. Zakowicz. Yes.
    Ms. Lee. OK. Mr. Gumbel, what about you?
    Mr. Gumbel. Yes. I'd say last because I've said a lot 
today, but I think ensure that procurements and programs are 
aligned to stated administrative, Executive Orders, and agency 
BODs. I think that's super important.
    Ms. Lee. All right. Thank you, Mr. Chairman. I yield back.
    Chairman Garbarino. Thank you very much. I really want to 
thank the valuable testimony from our witnesses today. Mr. 
Head, I am glad that the 3,741 other things on your list 
weren't available to you today. I want to thank the Members for 
their questions.
    The Members of the subcommittee may have some additional 
questions for all of you, and we would ask the witnesses to 
respond in writing. Pursuant to committee rule VII(D), the 
hearing record will be held open for 10 days. Without 
objection, the subcommittee stands adjourned.
    [Whereupon, at 11:25 a.m., the subcommittee was adjourned.]

                                 [all]