[House Hearing, 118 Congress]
[From the U.S. Government Publishing Office]



                     EVALUATING FEDERAL CYBERSECURITY  
                                GOVERNANCE

=======================================================================

                                HEARING

                               before the

                            SUBCOMMITTEE ON
                    CYBERSECURITY AND INFRASTRUCTURE
                               PROTECTION

                                 of the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED EIGHTEENTH CONGRESS

                             FIRST SESSION
                               __________

                            OCTOBER 25, 2023
                               __________

                           Serial No. 118-36
                               __________

       Printed for the use of the Committee on Homeland Security
                                     






              


                                     

        Available via the World Wide Web: http://www.govinfo.gov
                               __________

                   U.S. GOVERNMENT PUBLISHING OFFICE 

56-341 PDF                 WASHINGTON : 2024 














                     COMMITTEE ON HOMELAND SECURITY

                 Mark E. Green, MD, Tennessee, Chairman
Michael T. McCaul, Texas
Clay Higgins, Louisiana
Michael Guest, Mississippi
Dan Bishop, North Carolina
Carlos A. Gimenez, Florida
August Pfluger, Texas
Andrew R. Garbarino, New York
Marjorie Taylor Greene, Georgia
Tony Gonzales, Texas
Nick LaLota, New York
Mike Ezell, Mississippi
Anthony D'Esposito, New York
Laurel M. Lee, Florida
Morgan Luttrell, Texas
Dale W. Strong, Alabama
Josh Brecheen, Oklahoma
Elijah Crane, Arizona

            Bennie G. Thompson, Mississippi, Ranking Member
Sheila Jackson Lee, Texas
Donald M. Payne, Jr., New Jersey
Eric Swalwell, California
J. Luis Correa, California
Troy A. Carter, Louisiana
Shri Thanedar, Michigan
Seth Magaziner, Rhode Island
Glenn Ivey, Maryland
Daniel S. Goldman, New York
Robert Garcia, California
Delia C. Ramirez, Illinois
Robert Menendez, New Jersey
Yvette D. Clarke, New York
Dina Titus, Nevada
                      Stephen Siao, Staff Director
                  Hope Goins, Minority Staff Director
                       Sean Corcoran, Chief Clerk 
                       
                                 ------                                

            SUBCOMMITTEE ON CYBERSECURITY AND INFRASTRUCTURE 
                               PROTECTION

                Andrew R. Garbarino, New York, Chairman
Carlos A. Gimenez, Florida
Mike Ezell, Mississippi
Laurel M. Lee, Florida
Morgan Luttrell, Texas
Mark E. Green, MD, Tennessee (ex officio)

              Eric Swalwell, California, Ranking Member
Sheila Jackson Lee, Texas
Troy A. Carter, Louisiana
Robert Menendez, New Jersey
Bennie G. Thompson, Mississippi (ex officio)
               Cara Mumford, Subcommittee Staff Director
           Moira Bergin, Minority Subcommittee Staff Director 











           
                            C O N T E N T S

                              ----------                              

                               Statements

The Honorable Andrew R. Garbarino, a Representative in Congress 
  From the State of New York, and Chairman, Subcommittee on 
  Cybersecurity and Infrastructure Protection:
  Oral Statement
  Prepared Statement
The Honorable Eric Swalwell, a Representative in Congress From 
  the State of California, and Ranking Member, Subcommittee on 
  Cybersecurity and Infrastructure Protection:
  Oral Statement
  Prepared Statement
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security:
  Prepared Statement

                               Witnesses

Mr. Eric Goldstein, Executive Assistant Director, Cybersecurity 
  and Infrastructure Security Agency, U.S. Department of Homeland 
  Security:
  Oral Statement
  Prepared Statement
Mr. Christopher J. DeRusha, Federal Chief Information Security 
  Officer, Office of Management and Budget; Deputy National Cyber 
  Director for Federal Cybersecurity, Office of the National 
  Cyber Director:
  Oral Statement
  Prepared Statement

                                Appendix

Questions From Chairman Andrew R. Garbarino for Eric Goldstein
Questions From Ranking Member Eric Swalwell for Eric Goldstein
Questions From Chairman Andrew R. Garbarino for Christopher J. 
  DeRusha
Questions From Ranking Member Eric Swalwell for Christopher J. 
  DeRusha

 
                    EVALUATING FEDERAL CYBERSECURITY  
                              GOVERNANCE 

                              ----------                              


                      Wednesday, October 25, 2023

             U.S. House of Representatives,
                    Committee on Homeland Security,
                         Subcommittee on Cybersecurity and 
                                 Infrastructure Protection,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 3:05 p.m., in 
room 310, Cannon House Office Building, Hon. Andrew R. 
Garbarino (Chairman of the subcommittee) presiding.
    Present: Representatives Garbarino, Gimenez, Ezell, Lee, 
Luttrell, Swalwell, Carter, and Menendez.
    Mr. Garbarino. The Committee on Homeland Security 
Subcommittee on Cybersecurity and Infrastructure Protection 
will come to order.
    Without objection, the Chair may recess at any point.
    The purpose of this hearing is to receive testimony from 
two Federal cyber leaders on the state of Federal cybersecurity 
governance.
    I now recognize myself for an opening statement.
    Thank you to our witnesses for being here to continue our 
subcommittee's discussion on a very important topic, Federal 
cybersecurity. Last month, we hosted industry leaders to give 
their perspectives on the Cybersecurity Infrastructure Security 
Agency's, or CISA's, Federal cybersecurity programs, 
specifically the Continuous Diagnostics and Mitigation, CDM 
program, and the National Cybersecurity Protection System, or 
NCPS. I am eager to hear directly from CISA and the Office of 
the National Cyber Director, ONCD, today on their views on 
those programs and the state of Federal cybersecurity efforts 
and governance more broadly.
    As the operational lead for and administrator of Federal 
cybersecurity requirements, CISA has a broad and important role 
in ensuring the security of Federal networks. As I said in the 
previous hearing, whether CISA acts as a service provider or an 
adviser toward other agencies is a fundamental question, and 
Congress and CISA must both be consistent in how they approach 
it.
    As one of the Executive branch's newest cyber roles, ONCD 
is tasked with leading national cybersecurity policy and 
strategy. ONCD's implementation of the National Cybersecurity 
Strategy will be a key test of its role in Federal 
cybersecurity governance.
    In our last hearing, there were several common themes I 
hope to further explore with Mr. Goldstein and Mr. DeRusha this 
afternoon. We learned that CISA must modernize by considering 
new technologies so programs like CDM evolve with the changing 
threat landscape.
    The Federal Government as a whole must adapt to defend 
against elusive threat actor tactics, like new Living-Off-the-
Land techniques seen in the recent Volt Typhoon activity.
    We also briefly dove into the breakdown of CISA's budget. 
With almost one-third of its fiscal 2024 budget request 
allocated to strengthening Federal cyber networks, it's 
important to further discuss how CISA measures the success of 
programs like CDM and reforms its legacy programs like 
EINSTEIN.
    Finally, I hope to discuss the administration's plans to 
raise the level of Federal cybersecurity resilience across the 
board with both our witnesses. Each relevant committee of 
jurisdiction in Congress must understand ONCD and the Office of 
Management and Budget's, or OMB's, plan to ensure the Federal 
agency funding proposals are--that Federal agency funding 
proposals are aligned with activities in the National 
Cybersecurity Strategy.
    Again, thank you to both our witnesses for being here. I 
look forward to your testimony and discussing these questions 
in greater depth.
    [The statement of Chairman Garbarino follows:]

                 Statement of Chairman Andrew Garbarino 
                 
                            October 25, 2023 
                            
    Thank you to our witnesses for being here to continue our 
subcommittee's discussion on a very important topic: Federal 
cybersecurity. Last month, we hosted industry leaders to give their 
perspectives on the Cybersecurity and Infrastructure Security Agency's, 
or CISA's, Federal cybersecurity programs, specifically the Continuous 
Diagnostics and Mitigation (CDM) program and National Cybersecurity 
Protection System (NCPS). I am eager to hear directly from CISA and the 
Office of the National Cyber Director, or ONCD, today on their views on 
those programs and the state of Federal cybersecurity efforts and 
governance more broadly.
    As the operational lead for and administrator of Federal 
cybersecurity requirements, CISA has a broad and important role in 
ensuring the security of Federal networks. As I said in the previous 
hearing, whether CISA acts as a service provider or an advisor toward 
other agencies is a fundamental question, and Congress and CISA must 
both be consistent in how they approach it.
    As one of the Executive branch's newest cyber roles, ONCD is tasked 
with leading national cybersecurity policy and strategy. ONCD's 
implementation of the National Cybersecurity Strategy will be a key 
test of its role in Federal cybersecurity governance.
    In our last hearing, there were several common themes I hope to 
further explore with Mr. Goldstein and Mr. DeRusha this afternoon.
    We learned that CISA must modernize by considering new technologies 
so programs like CDM evolve with the changing threat landscape. The 
Federal Government as a whole must adapt to defend against elusive 
threat actor tactics, like new living-off-the-land techniques seen in 
the recent Volt Typhoon activity.
    We also briefly dove into the breakdown of CISA's budget. With 
almost one-third of its fiscal year 2024 budget request allocated to 
strengthening Federal networks, it's important to further discuss how 
CISA measures the success of programs like CDM, and reforms its legacy 
programs like EINSTEIN.
    Finally, I hope to discuss the administration's plans to raise the 
level of Federal cybersecurity resilience across the board with both 
our witnesses. Each relevant committee of jurisdiction in Congress must 
understand ONCD and the Office of Management and Budget's, or OMB's, 
plan to ensure Federal agency funding proposals are aligned with 
activities in the National Cybersecurity Strategy.
    Again, thank you to our witnesses for being here. I look forward to 
your testimony and to discussing these questions in greater depth.

    Mr. Garbarino. I now recognize the Ranking Member, my 
friend from California, the gentleman Mr. Swalwell for his 
opening statement.
    Mr. Swalwell. Great. I thank the Chairman for holding 
this important hearing and also keeping it. I told the 
witnesses before the Chairman came no one would have blamed 
him, considering the events of today, if he had just canceled 
this, but out of respect to you and your already being here, he 
wanted to make sure we got this done. I appreciate that.
    Federal agency networks house our most important and 
sensitive information, and it's no surprise that adversaries 
like Russia, China, Iran, North Korea, and others are routinely 
trying to access them. As global dynamics shift and technology 
evolves, we must continuously work to stay ahead of our 
adversaries.
    The good news is we have made tremendous progress in recent 
years. The Federal Government is now in the position to both 
lead by example and transform how vendors and consumers 
approach security. President Biden's Executive Order 14028 
finally set the Federal Government on the path toward adopting 
modern cybersecurity best practices, including the 
implementation of Zero Trust architectures, improving software 
supply chain security, and the deployment of Endpoint Detection 
and Response technology.
    By setting new security standards for the Federal 
Government, we will drive security improvements throughout the 
marketplace that mean better security for everyone. For its 
part, Congress has empowered agencies across Government to 
better execute their network security missions.
    Nearly 3 years ago, Congress authorized the Office of the 
National Cyber Director to develop and implement a National 
Cyber Strategy and to ensure that agency budgets are consistent 
with the goals of this strategy.
    Additionally, Congress has expanded CISA's authorities 
beyond issuing binding operational directives and emergency 
directives, to include persistent hunting authorities.
    With additional resources from Congress, CISA and Federal 
agencies have moved the Continuous Diagnostics and Mitigation 
Program forward, bringing to fruition long-standing goals of 
increased visibility into agency networks, enabling better 
detection and response to cyber incidents. I look forward today 
to hearing more from our witnesses on how these investments and 
initiatives have achieved tangible results.
    The bad news is we cannot wait for another attack to spring 
into action. Our adversaries are constantly evolving their 
capabilities, and new technologies are posing both challenges 
and opportunities.
    Emerging technologies like AI and quantum computing will 
continue to transform the cyber capabilities of our adversaries 
and the ability to defend our networks. The on-going migration 
to cloud computing has also shifted how we approach 
cybersecurity. To combat these risks, we must continue to 
modernize our networks and cyber defenses.
    The National Cybersecurity Strategy and the subsequent 
implementation plan lay out an impressive vision for how to 
approach cybersecurity for the threats of tomorrow. Under 
Director Easterly's leadership, CISA has continued to look 
forward, including the proposed Cyber Analytics and Data System 
to improve CISA's ability to process and analyze its vast 
amount of cybersecurity data.
    I hope to hear today more about CISA's plans for cyber data 
analytics and continuous diagnostics and monitoring going 
forward and how OMB and ONCD will help coordinate the 
improvement of Federal network security across the Federal 
Civilian Executive branch.
    Finally, I want to emphasize the importance of continued 
support for CISA and its mission. The programs we discuss today 
are essential to our national security, and the progress we 
have made by standing up and resourcing CISA has been the 
result of bipartisan cooperation in this committee and 
throughout the Congress.
    Unfortunately, last month, half of the Republican 
Conference, including the Chairman of our committee and the 
newly-elected Speaker, voted to cut CISA's budget by 25 
percent. Such a cut would devastate CISA's ability to operate 
key programs, to detect and respond to cyber incidents across 
the Federal Civilian Executive branch, leaving us more 
vulnerable to espionage and destructive attacks from our 
adversaries like Russia, China, Iran, and North Korea. At a 
time when there are conflicts in multiple parts of the world, I 
cannot comprehend how we would do anything to reduce our 
ability to defend against cyber attacks.
    Again, I appreciate my colleague, Chairman Garbarino, his 
outspoken support for CISA, and I hope that today's hearing 
will build awareness in Congress about the importance of 
sustained investments in cybersecurity.
    I thank the witnesses for being here and I yield back. 
Thank you.
    [The statement of Ranking Member Swalwell follows:] 
    
               Statement of Ranking Member Eric Swalwell 
               
                            October 25, 2023 
                            
    Federal agency networks house our most sensitive information. It is 
no surprise that our most formidable adversaries, like Russia, China, 
and Iran, routinely try to gain access to them. As global dynamics 
shift and technology evolves, we must continuously work to stay ahead 
of our adversaries. The good news is we have made tremendous progress 
in recent years. The Federal Government is now in a position to both 
lead by example and transform how vendors and consumers approach 
security.
    President Biden's Executive Order 14028 finally set the Federal 
Government on the path toward adopting modern cybersecurity best 
practices, including the implementation of Zero Trust Architectures, 
improving software supply chain security, and the deployment of 
endpoint detection and response technology. By setting new security 
standards for the Federal Government, we will drive security 
improvements throughout the marketplace and that means better security 
for everyone.
    For its part, Congress has empowered agencies across Government to 
better execute their network security missions. Nearly 3 years ago, 
Congress authorized the Office of the National Cyber Director to 
develop and implement a National Cyber Strategy and ensure agency 
budgets are consistent with the goals of the Strategy.
    Additionally, Congress has expanded CISA's authorities beyond 
issuing Binding Operational Directives and Emergency Directives to 
include persistent hunting authorities. With additional resources from 
Congress, CISA and Federal agencies have moved the Continuous 
Diagnostic and Mitigation program forward, bringing to fruition long-
standing goals of increased visibility into agency networks, enabling 
better detection of and response to cyber incidents.
    I look forward to hearing more from our witnesses on how these 
investments and initiatives have achieved tangible results. The bad 
news is we cannot wait for another crisis to spring into action.
    Our adversaries are constantly evolving their capabilities, and new 
technologies pose both challenges and opportunities. Emerging 
technologies like AI and quantum computing will continue to transform 
the cyber capabilities of our adversaries and the ability to defend our 
networks. The on-going migration to cloud computing has also shifted 
how we approach cybersecurity. To combat these risks, we must continue 
to modernize our networks and cyber defenses.
    President Biden's National Cybersecurity Strategy and the 
subsequent implementation plan have laid out an impressive vision for 
how to approach cybersecurity for the threats of tomorrow. Under 
Director Easterly's leadership, CISA has continued to look forward, 
including the proposed Cyber Analytics and Data System to improve 
CISA's ability to process and analyze its vast amount of cybersecurity 
data. I hope to hear more about CISA's plans for Cyber Data Analytics 
and continuous diagnostics and monitoring going forward and how OMB and 
ONCD will help coordinate the improvement of Federal network security 
across the Federal Civilian Executive branch.
    Finally, I want to emphasize the importance of continued support 
for CISA and its mission. The programs we will discuss today are 
essential to our national security, and the progress we have made by 
standing up and resourcing CISA has been the result of bipartisan 
cooperation in this committee and throughout Congress. Unfortunately, 
last month, half of the House Republican Conference, including Chairman 
Green and the new Speaker, voted to cut CISA's budget by 25 percent. 
Such a draconian cut would devastate CISA's ability to operate key 
programs to detect and respond to cyber incidents across the Federal 
Civilian Executive branch, leaving us more vulnerable to espionage and 
destructive attacks from our adversaries like Russia, China, and Iran.
    At a time when there are conflicts in multiple parts of the world, 
I cannot comprehend how anyone could think it is a good idea to reduce 
our support for cyber defense. I appreciate Chairman Garbarino's 
outspoken support for CISA and hope that this hearing today will help 
build awareness in Congress about the importance of sustained 
investments in cybersecurity.

    Mr. Garbarino. Thank you, Ranking Member Swalwell. It was 
the Chair of the full committee, not me.
    Mr. Swalwell. Sorry. The Chairman of the full committee. 
Yes. I wasn't clear.
    Mr. Garbarino. But I think a majority of the conference did 
vote to support CISA, and we're going to make sure our 
colleagues continue to be educated on what a great agency CISA 
is.
    Other Members of the committee are reminded that opening 
statements may be submitted for the record.
    [The statement of Ranking Member Thompson follows:] 
    
             Statement of Ranking Member Bennie G. Thompson 
             
                            October 25, 2023 
                            
    At the start of last Congress, the SolarWinds Supply Chain 
compromise laid bare unacceptable gaps in our approach to securing 
Federal networks.
    The capabilities of our adversaries and the technology we relied on 
had evolved, but our approach to security had not. We failed to 
appreciate the challenges associated with securing--and maintaining 
visibility--in cloud environments; we did not have policies in place to 
ensure the security of software that underpins our information systems; 
and we tolerated a sluggish rate of maturation for our Federal network 
security programs. The SolarWinds compromise jolted Congress and our 
partners in the administration into action, and as a result we have 
made historic progress modernizing the Federal Government's approach to 
cybersecurity.
    The ambitious goals President Biden set out in Executive Order 
14028, Improving the Nation's Cybersecurity, and the National 
Cybersecurity Strategy, coupled with a long-overdue injection of 
resources and authorities from Congress, have put the Federal 
Government's networks on a more secure path. But I am concerned that 
the politicization of the Cybersecurity and Infrastructure Security 
Agency (CISA) by some of my colleagues could jeopardize the progress we 
have made over the past 3½ years.
    Last month, a concerning number of Republicans, including some on 
this panel and the new Speaker, voted to cut CISA's funding by 25 
percent. To further complicate matters, the Continuing Resolution--
which is sustaining existing Federal cybersecurity efforts--will expire 
in less than 25 days. Right now, there is no clear path for providing 
full-year funding. We already know that the world's most sophisticated 
hackers are interested in and capable of compromising Federal networks, 
and they won't take a break just because Republicans can't figure out 
how to fund the Government.
    Particularly in light of escalating global conflicts, we must 
remain vigilant in our commitment to providing the funding necessary to 
fully implement President Biden's Federal network security goals. 
Beyond the issue of resources, I want to emphasize the importance of 
clear, transparent, and deliberate communication with the private 
sector as the administration executes the directives under the 
Executive Order and the National Cyber Strategy.
    By demanding better security practices from those who sell 
information technology to the Government, the administration can drive 
critical changes in the market that will benefit everyone--but only if 
its private-sector partners understand and are prepared to meet these 
new requirements.
    This administration is advancing cyber policy at unprecedented 
speed--and I support these efforts. But we must be careful not to 
sacrifice sound policy for speed. Toward that end, I will be interested 
in understanding how the administration has gathered feedback from its 
private-sector partners to refine and adjust new security policies.
    Finally, I look forward to learning how recent investments 
modernizing Federal network security programs and expanding endpoint 
detection tools are driving down risk and improving our ability to 
rapidly detect malicious activity on Federal networks.

    Mr. Garbarino. I am pleased to have two witnesses before us 
today to discuss this very important topic. I ask that our 
witnesses please rise and raise their right hand.
    [Witnesses sworn.]
    Mr. Garbarino. Let the record reflect that the witnesses 
have answered in the affirmative.
    Thank you and please be seated.
    I would now like to formally introduce our witnesses.
    Eric Goldstein serves as executive assistant director of 
CISA's Cybersecurity Division. In this role, he leads CISA's 
mission to strengthen Federal networks against cyber threats. 
Prior to his time at CISA, Mr. Goldstein was the global head of 
cybersecurity policy, strategy, and regulation at Goldman 
Sachs. He also served at CISA's precursor agency, the National 
Protection and Programs Directorate.
    Chris DeRusha serves in a unique, dual-hatted role as 
federal chief information security officer, or CISO, at OMB, 
and is deputy national cyber director for federal cyber at 
ONCD. DeRusha has experience managing cybersecurity programs in 
both the public and private sectors, including as the chief 
security officer for the State of Michigan, the lead of 
vulnerability management at Ford Motor Company, and in multiple 
roles at OMB and DHS.
    Thank you both for being here today.
    Mr. Goldstein, I now recognize you for 5 minutes to 
summarize your opening statement.

       STATEMENT OF ERIC GOLDSTEIN, EXECUTIVE ASSISTANT DIRECTOR, 
         CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY, 
                  U.S. DEPARTMENT OF HOMELAND SECURITY

    Mr. Goldstein. Thank you. Chairman Garbarino, Ranking 
Member Swalwell, Members of the subcommittee, it is a privilege 
to rejoin you again to talk about the criticality of CISA's 
Federal cybersecurity mission and the challenges that we face 
going forward.
    As the Ranking Member noted, every American depends every 
day on services provided by 102 Federal civilian agencies. Our 
adversaries recognize this criticality as well, attempting to 
execute damaging intrusions against our Federal agencies every 
single day.
    In this environment, CISA serves a critical role as the 
operational lead for Federal cybersecurity. It bears noting 
that nearly 3 years ago we were collectively engaged in 
responding to an intrusion campaign undertaken by Russian 
intelligence targeting Federal agencies. On the back of that 
intrusion campaign, we recognized collectively areas for 
improvement in resources, authorities, centralization, and 
accountability. We've made real progress over the past several 
years in advancing both CISA's role and, in partnership with 
entities like OMB and ONCD, raising the collective bar across 
the Federal enterprise.
    Now, CISA has three key roles as we execute our role as the 
operational lead for Federal cybersecurity. First, we provide a 
common baseline of security across those 102 Federal civilian 
agencies. We issue directives that drive requirements and 
prioritization to address the most urgent risk and, through our 
CDM program, we provide a common baseline of visibility across 
every agency.
    Second, we use our increasing visibility to drive urgent 
response to those vulnerabilities and threats that pose urgent 
risk to agencies so that they can be addressed, ideally, before 
harm occurs.
    Third, we work with each individual agency to assess their 
gaps and provide shared services and direct support as needed 
to ensure that we are raising the baseline across every agency, 
particularly those that might need the most help.
    Now, with the support of Congress and this committee, we've 
made some remarkable improvements over the past few years. A 
few years ago, our visibility into risks facing the Federal 
enterprise was limited. Today, we can see real-time data on 
vulnerability, other exploitable conditions and threats across 
millions of Federal IT assets across every Federal civilian 
agency. As the Ranking Member noted, we can persistently hunt 
for threats and vulnerabilities nearly automatically in real 
time.
    So that when there is a new, what we call a zero-day 
vulnerability, we don't need to ask agencies to send us a 
spreadsheet. We can look in the CDM system. We can undertake 
persistent hunts, and we can figure out quickly what's going 
on, and how do we need to drive change?
    Now, core to this visibility is our CDM program, which has 
become the default approach across the Federal enterprise to 
get that centralized visibility into risks and drive urgent 
change. As the CDM program has matured and grown, we need to 
ensure a sustainable funding approach where this program can 
maintain the gains that we've achieved while modernizing for 
the future.
    A few years ago, we didn't have the ability or the roadmap 
to integrate disparate data from across Government and the 
private sector. Today, we are urgently building the Cyber 
Analytics and Data System, or CADS, which is a modern scalable 
environment where we can bring data from CDM, from threat 
hunting, from the private sector, and use it to identify risks 
that previously would have been invisible to us.
    Finally, a few years ago most agencies were on their own in 
providing these cybersecurity solutions that they need to 
address threats. Today, we are deploying scalable, cost-
effective shared services, such as our Protective Domain Name 
System Resolver, which has blocked 330 million connections to 
malicious domains, our vulnerability disclosure platform, that 
has enabled remediation of over 1,500 vulnerabilities in 
Federal websites, and we continue to expand our portfolio in 
this area, including through our Attack Surface Management 
program that's going to provide unprecedented visibility into 
internet-exposed risks across the Federal enterprise.
    But all that being said, we know that we're on a midpoint 
in our journey. Working with our fellow agencies, with OMB and 
ONCD and the private sector, we are going to keep advancing and 
maturing to keep pace with the adversary. We look forward to 
continued support of Congress so we can sustain the progress 
we've made and make sure that we are modernizing in a way that 
creates the security environment that Americans expect of their 
Federal Government.
    Thank you again for the privilege of being here, and I look 
forward to your questions.
    [The prepared statement of Mr. Goldstein follows:] 
    
                  Prepared Statement of Eric Goldstein 
                  
                            October 25, 2023 
                            
    Chairman Garbarino, Ranking Member Swalwell, and Members of the 
subcommittee, thank you for the opportunity to testify today on behalf 
of the Cybersecurity and Infrastructure Security Agency (CISA) 
regarding our Federal cybersecurity mission.
    In January 2021, as the U.S. Government responded to a wide-spread 
intrusion campaign exploiting a malicious software supply chain 
compromise of SolarWinds software to gain access to Microsoft cloud 
environments in 2020, CISA and our partners noted material gaps in 
Federal cybersecurity: A lack of resources, direction, centralization, 
and prioritization. With the support of Congress over nearly 3 years, 
we have made remarkable progress. We have used our Directive 
authorities to drive wide-spread measurable risk reduction across 
Federal Civilian Executive branch (FCEB) agencies. We have gained 
unprecedented visibility into threats and vulnerabilities targeting 
FCEB networks, including through our Continuous Diagnostics and 
Mitigation (CDM) Federal dashboard and wide-spread deployment of 
Endpoint Detection and Response (EDR) tools. We have provided 
effective, centralized shared services that save taxpayer resources and 
enable coordinated management of significant risks. We have partnered 
closely with the Office of Management and Budget (OMB) to increasingly 
manage the FCEB as a single enterprise and drive toward quantifiable 
performance measurement to show that our collective efforts are keeping 
FCEB agencies, and Americans' sensitive information, safe. Most 
notably:
   For the first time, we have real-time visibility into 
        vulnerabilities and misconfigurations across 102 agencies, 
        allowing timely remediation before intrusions occur--including 
        directing the remediation of over 12 million Known Exploited 
        Vulnerabilities (KEV) over the past 2 years.
   We have deployed EDR tools across 52 agencies, allowing our 
        analysts to actively hunt for intrusions and enable eviction 
        before adversaries are able to cause harm.
   We have provided new shared services that measurably reduce 
        risks, including by blocking millions of communications with 
        malicious websites and enabling researchers to find over 1,000 
        vulnerabilities in Federal websites before they are exploited 
        by adversaries.
   We have issued directives that have fundamentally 
        transformed how Federal agencies prioritize and fix 
        vulnerabilities, continuously monitor for security risks, and 
        harden frequently-exploited technology assets.
   We have taken proactive steps to transform vulnerability 
        management by publishing our Industrial Control Systems (ICS), 
        Operational Technology (OT), and Medical Device vulnerability 
        disclosure information in the Common Security Advisory 
        Framework (CSAF), a machine-readable format that enables 
        greater automation and better tooling across the vulnerability 
        management ecosystem.
   We launched a Federal Zero Trust Management Community of 
        Practice (CoP), which now has over 130 members and 31 unique 
        agencies including the 23 civilian CFO Act agencies and 8 
        critical small agencies. The CoP has advanced interagency Zero 
        Trust collaboration, increased agency expertise and readiness, 
        and built a community of value for our Federal partners.
    Even as we reflect on our accomplishments, we recognize that we are 
at a midpoint on our journey. Recent intrusions into cloud-based email 
environments demonstrate our continued need to drive strong 
accountability across Federal vendors, further advance our visibility 
into cloud and mobile environments, and advance adoption of zero-trust 
principles for agency environments and secure-by-design practices for 
all technology providers. 

            cisa's mission and role in federal cybersecurity 
            
    CISA leads the National effort to understand, manage, and reduce 
risk to the cyber and physical infrastructure on which Americans rely 
every hour of every day. One of CISA's core missions is to serve as the 
operational lead for Federal cybersecurity, charged with protecting and 
defending FCEB networks, in close partnership with OMB, the Office of 
the National Cyber Director (ONCD), and agency chief information 
officers and chief information security officers. In this role, we 
provide a common baseline of security across the FCEB and defend and 
secure the Federal enterprise through proactive, collaborative cyber 
defense and risk management. While agencies remain ultimately 
accountable for their own risk, CISA is responsible for ensuring that 
the most significant cyber risks to the Federal enterprise--the network 
of all Federal systems--are being addressed effectively and driving 
progress based upon accurate and timely data.
    As part of this mission, we serve as the lead for Federal 
cybersecurity shared services. We have learned that many cybersecurity 
capabilities can be provided more effectively, affordably, and in a 
scalable manner through a centralized model rather than having over 100 
individual FCEB agencies manage cybersecurity risk independently. 
Through our Cybersecurity Shared Services Office (CSSO), we provide 
high-quality services to advance and centralize cybersecurity 
capabilities across the FCEB and help agencies manage cyber risk. For 
example, our Protective Domain Name System service has blocked over 300 
million communications with malicious websites and our Vulnerability 
Disclosure Platform service has enabled remediation of over 1,000 
vulnerabilities in Federal websites over the past year alone. We 
continue to explore investments in modern shared services, whether 
provided by CISA or by contracted third parties, that will further make 
the best use of Federal cybersecurity resources and show clear return 
on investment. 

    hardening the terrain: driving risk reduction before harm occurs 
    
    Our work begins by making it harder for adversaries to exploit FCEB 
networks. Core to this priority is the CDM program, which is our 
foundational effort to enable real-time, continuous visibility into 
risks affecting Federal agencies to drive timely risk reduction.
    Within the last 3 years, the CDM program's scope, scale, and impact 
on Federal cybersecurity have grown significantly. Previously, FCEB 
operators and CISA counterparts lacked sufficient operational 
visibility--insight into what devices, software, and users were 
operating within the environment--to effectively mitigate risks prior 
to a breach. Operators had no automated way to share valuable 
intelligence with other Federal agencies; it was all manual data calls. 
Now, because of the CDM program, agencies and CISA can respond to cyber 
threats in a coordinated and expedited fashion by sharing data between 
dedicated CDM Agency Dashboards and CISA's CDM Federal Dashboard. The 
frequency, precision, and level of detail of this information sharing 
has been a key enabler of CISA's operational visibility throughout the 
FCEB. CISA's cyber defense operators are increasingly turning to the 
Federal Dashboard to aid in incident response while agency cyber 
leaders and practitioners alike are shaping operational and strategic 
activities based on the evolving ``current state'' data provided by 
CDM. As a result, our relationships across the FCEB have progressed to 
much more effective, valued, and collaborative partnerships that 
promote identifying, understanding, and reducing risks across the 
Federal enterprise.
    As an example, in early summer 2023, CISA leveraged CDM 
capabilities as part of a broader response to two concerning cyber 
events. CISA operators analyzed near-real-time agency dashboard reports 
to coordinate targeted notifications for the MOVEit Transfer 
vulnerability and understand prevalence within minutes. Additionally, 
in response to the recent wide-spread email security gateway exploit, 
CISA threat hunters utilized the CDM EDR platform in collaboration with 
the impacted agency to directly access the agency's environment to 
search for instances of threat activity, working shoulder-to-shoulder 
with agency staff. This demonstrates what the Federal enterprise gains 
by evolving our collective, interactive cyber defense posture.
    The expansion of CDM's operational visibility capabilities, enabled 
through enhanced authorities in Executive Order (EO) 14028 and the 
National Defense Authorization Act (NDAA) for fiscal year 2021, has 
greatly increased the value of the CDM investment through newly-
accessible use cases that enhance threat hunting and vulnerability 
management. CISA now utilizes the CDM Federal Dashboard, a tool of 
operational first resort, to assess and coordinate effective response 
to cyber threats. We're proud of the progress we've made over the last 
decade and are looking forward to continuing to advance CDM's 
capabilities in the future.
    As we look to evolve the CDM program, we will extend the portfolio 
of deployable cyber defense capabilities while updating our operating 
model to protect the critical investments made to date. Over the next 
several years, CDM will incorporate mobile devices, cloud services, and 
the internet of things (IoT) into CISA's operational visibility. We 
will deploy new protections for Federal agency data repositories; 
provide rich, host-based insight into High-Value Assets (HVAs); and 
integrate modern network sensor capabilities. Additionally, we will 
ensure operationalization of our CDM investments to drive risk-based 
decisions, respond to threats, and contribute to agencies' efforts to 
implement Zero Trust architecture principles.
    While CDM is a foundation of FCEB cybersecurity, it is not our only 
mechanism to drive change. Through our Automated Testing program 
(formerly known as Cyber Hygiene), we assess internet-facing assets 
across every FCEB agency. This program provides near-continuous 
vulnerability scanning across all types of internet-facing assets as 
well as bi-weekly, deep-dive scanning for internet-facing web 
applications.
    We also conduct penetration tests, red team assessments, and 
vulnerability assessments to identify exploitable conditions internal 
to Federal agencies. The Federal Attack Surface Testing (FAST) program 
leverages new legal authorities granted by the fiscal year 2021 NDAA to 
conduct ``no notice'' continuous penetration testing, including across 
seven FCEB agencies in the past fiscal year. This led us to 
successfully identify critical and high findings on several agencies' 
internet-facing web applications. In collaboration with the agencies, 
CISA re-tested the findings to validate agency remediation actions to 
ensure proper fixes were deployed. The SILENTSHIELD program also 
exercises fiscal year 2021 NDAA authorities. The long-term, no-notice 
approach afforded by these authorities enabled CISA to get an accurate 
depiction of an agency's true security posture. Within its first 
program year, SILENTSHIELD successfully targeted, compromised, 
escalated, and maintained access to an agency's network and is enabling 
long-term FCEB cybersecurity and architecture investments.
    Recognizing that every agency must prioritize their finite 
cybersecurity resources, we maintain the KEV catalog as the 
authoritative source of vulnerabilities that have been exploited in the 
wild, sending a clear message to all organizations to prioritize 
remediation efforts on the subset of vulnerabilities that are causing 
immediate harm based on adversary activity. CISA's efforts are enabling 
FCEB agencies to deny threat actors opportunities to gain access to 
Federal networks and reduce risk of compromise due to internet-
accessible KEVs that frequently compromise public and private entities. 
These activities are yielding clear results:
   Since the creation of the KEV catalog in November 2021, FCEB 
        agencies have remediated more than 12 million KEV findings 
        including over 7 million this calendar year alone.
   FCEB agencies have demonstrated a 72 percent decrease in the 
        percentage of KEVs exposed for 45 or more days.
   The mean-time-to-remediate KEVs is an average of 9 days 
        faster than for non-KEVs, and 36 days faster for internet-
        facing KEVs.
   From fiscal year 2022 to fiscal year 2023, CISA observed a 
        79 percent reduction in the FCEB's attack surface due to 
        internet-accessible KEVs, based on analysis of Automated 
        Testing capability data, despite an increase in KEV catalog 
        entries during this time frame. 
        
                   leveraging our directive authority 
                   
    Effectively securing the FCEB requires a coordinated action to 
address urgent risks. While our directive authorities have proven 
highly beneficial in emergency situations, we have derived even greater 
value in mandating common steps to mature key cybersecurity 
capabilities that yield enduring benefit. CISA works in consultation 
with NIST and in conjunction with OMB and FCEB agencies to develop 
these directives, and this collaboration has proven invaluable to 
managing cyber incidents and driving collective action.
    For example, in fiscal year 2022 CISA issued two Emergency 
Directives (EDs) requiring agencies to enumerate and remediate all 
instances of VMware and Log4j, critical vulnerabilities that pose grave 
risk to the Federal enterprise, and report all findings to CISA. Through 
issuance of these directives, agencies remediated 56,400 Log4j findings 
and nearly 2,000 vulnerable VMware instances. CISA's efforts 
significantly reduced the risk that threat actors could exploit these 
existing vulnerabilities, protecting Federal information and enhancing 
enterprise network security. In fiscal year 2023 CISA issued two 
Binding Operational Directives (BODs). BOD 23-01: Improving Asset 
Visibility and Vulnerability Detection on Federal Networks drove 
significant visibility improvements for agencies and CISA and vastly 
improved Federal cyber defense. BOD 23-02: Mitigating the Risk from 
Internet-Exposed Management Interfaces directed agencies to better 
secure Networked Management Interfaces in response to threat activity 
targeting network devices supporting underlying network infrastructure. 
CISA has been identifying these interfaces across Federal agencies and 
working with them to reduce their attack surface in compliance with the 
directive requirements.
    CISA is prioritizing development of additional directives to 
address operational risk and drive action to reduce overall attack 
surface and ensure better coordination across the Federal enterprise. 
In fiscal year 2024, CISA is focused on directive requirements to 
improve threat detection, incident response, and secure cloud 
management. Furthermore, CISA plans to address gaps and redundancies in 
legacy directives as a part of a broader strategic approach. Going 
forward, CISA will remain committed to analyzing ways to leverage its 
Directive Authority to address foundational cybersecurity challenges 
and ultimately reduce the likelihood of a future cybersecurity 
incident. 

expanding our operational collaboration model: increased participation 
                         and value for partners 
                         
    Our Joint Cyber Defense Collaborative (JCDC) continues to cultivate 
multi-directional information sharing, operational collaboration, and 
strong working relationships with members of the FCEB to counter 
persistent, emerging cyber threats and comprehensively strengthen the 
evolving Federal cyber domain.
    In fiscal year 2023, JCDC established a portfolio-based approach to 
FCEB engagements, enabling more focused operational engagements with 
individual FCEB agencies and improving on-going collaboration and 
multi-directional information exchange across the FCEB. This approach 
organizes our FCEB engagements into 7 portfolios, each with dedicated 
CISA portfolio managers and cyber experts. The seven portfolios are 
Energy and Science, Financial and Business, Interior Services, Security 
and Foreign Affairs, Medicine and Agriculture, Infrastructure and 
Government Administration, and Education and Labor. Each portfolio 
includes CFO Act Agencies as well as smaller and micro agencies. In 
fiscal year 2023, CISA held 68 kickoff meetings (including meetings 
with 21 CFO Act agencies).
    To further drive focused and impactful information exchange and 
joint collaborative action, CISA also established critically important 
communications pathways through Slack, including channels built around 
FCEB cybersecurity news, FCEB indicators of interest, cybersecurity 
vulnerabilities impacting the FCEB, a channel specific to agency CISOs, 
and a dedicated channel for micro agencies. 

  achieving persistent visibility: real-time analysis of fceb networks 
  
    The authorities granted to CISA to enable persistent access and 
proactive hunting have fundamentally changed the way we work with 
agencies to identify, assess, and remediate malicious activity on 
Federal networks. Since 2021, CISA has procured over 1.2 million EDR 
licenses to assist agencies in deploying advanced, host-based 
protections that provide advanced monitoring, detection, and 
remediation capabilities on Government laptops, workstations, and 
servers. EDR supports threat-hunting and deep visibility in behaviors 
and activity on covered endpoints, making it one of the most effective 
cyber defense technologies available. Each of these EDR tools includes 
the ability for CISA threat hunters to have direct and persistent 
access to agencies' EDR platforms. With this access, our threat hunters 
can easily conduct hunt operations across Federal agency organizational 
boundaries, greatly enhancing CISA's ability to rapidly identify and 
correlate malicious behavior in accordance with fiscal year 2021 NDAA 
authorities and EO 14028 requirements.
    This translates to a paradigm shift in CISA's Threat Hunting 
services. Coupled with the operational visibility afforded through the 
CDM Federal Dashboard, CISA acts as a force multiplier to assist agency 
cyber operators in the investigation and remediation of cyber threats. 
In the past, providing this level of support to agencies required CISA 
to send fly-away teams with their own equipment to embed with agencies 
on-site, often in a process that took days or weeks to complete. Now, 
CISA can provide this support in near-real time. Throughout fiscal year 
2024, CISA will be executing proactive hunts of agencies continually 
targeted by malicious actors and baselining the FCEB enterprise to 
inform strategic initiatives, modernization, and optimization. 

creating a modern cyber defense agency: toward integrated data analysis 

    Through years of managing the National Cybersecurity Protection 
System (NCPS), CISA gained a first-hand view of evolving adversary 
techniques and changes in the technology environment, including 
previously unseen tactics, tools, and techniques, increased 
sophistication, and persistence with highly advanced evasion 
capabilities. As our adversaries and technology change, we are adapting 
accordingly.
    The legacy NCPS program, to include the EINSTEIN sensor suite, was 
built to provide intrusion detection and prevention capabilities, 
advanced analytics, and information-sharing capabilities to mitigate 
cyber threats to Federal civilian networks. Looking ahead, CISA has 
proposed several program and activity changes reflected in the 
President's fiscal year 2024 budget, focused particularly on the 
transition of certain legacy NCPS systems into the proposed Cyber 
Analytics and Data System (CADS) program.
    To understand the transition to CADS, one must begin by 
understanding a fundamental transition within CISA. For much of CISA's 
history, including as our precursor organization, we had minimal access 
to relevant and actionable cybersecurity information. The past 2 years 
have seen a fundamental shift: as described throughout this testimony, 
our analysts now have unprecedented access to ever-increasing amounts 
of operational data from our sensors and EDR tools deployed across 
agency networks, from our shared services, and from our partners. To 
make best use of this data, we need an operating environment that is 
highly interoperable with many systems and their highly diverse input 
and output requirements, capable of consuming massive data amounts, 
including multiple sources of threat intelligence and information and 
rapidly-growing data volumes, and is reliable, adaptable, and includes 
the most robust security measures to protect all systems, data, and 
users. CADS will ingest data from myriad sources, apply robust 
automation and analytics, and provide CISA's full suite of 
cybersecurity teams with access to analytical results, threat insights, 
and detailed visualization with capabilities to share results and 
mitigations in real time.
    NCPS intrusion detection capabilities, specifically EINSTEIN 1 and 
EINSTEIN 2, will continue to be sustained under the legacy NCPS program 
and will undergo sensor suite upgrades and modernization. EINSTEIN 3A 
(E3A) Domain Name Service (DNS) intrusion prevention services will be 
sunset after fiscal year 2024. To protect the Federal enterprise 
against the latest threats and support emerging technologies, CISA is 
actively working on upgrading these intrusion detection and prevention 
capabilities. The latest example is the Protective DNS resolver, a 
state-of-the art recursive DNS resolver service that replaces the 
sunset E3A DNS services and prevents Government internet traffic from 
reaching known malicious destinations.
    CADS is designed to provide a critical capability as CISA continues 
to evolve: A modern, scalable, unclassified analytic infrastructure for 
CISA's cyber operators. CADS will serve as the cornerstone of CISA's 
Joint Collaborative Environment (JCE), the central technology ecosystem 
by which CISA and its partners will integrate, analyze, collaborate, 
and act on cybersecurity information to conduct cyber defense 
operations. A key recommendation of the 2020 U.S. Cyberspace Solarium 
Commission Report, the JCE will support real-time data and information 
sharing and operational collaboration by integrating internal and 
external information sources, including CADS, threat intelligence 
platform feeds, and various-source inputs. 

            the future of cisa's federal cybersecurity role 
            
    A strong operational lead agency is essential for the rapid 
identification and mitigation of near-term urgent threats and 
vulnerabilities as well as ensuring a consistent baseline for long-term 
capability investments and risk management decisions. To achieve this 
vision, CISA is focused on growing in several key areas.
    First, we will further define and strengthen CISA's role as the 
operational lead for FCEB cybersecurity. Specifically, we are taking 
steps to strengthen CISA's ability to lead operational collaboration 
across the FCEB, including by providing collaboration tools, 
facilitating information exchange, and planning for operational risk 
reduction. Going forward, we will continue to evolve governance 
processes and capabilities for communications mechanisms such as Slack 
to enable joint action, foster transparency, and increase visibility 
across the FCEB. CISA is also exploring potential technology solutions 
for a threat intelligence platform that allows us to on-board partners 
into trusted enclaves to openly exchange threat information, as well as 
building out a cyber playbook to enhance mutually-supportive FCEB 
response and coordination during cyber events.
    Second, to further ensure unity of effort, shared visibility, and 
consistently effective security capabilities--and in line with the 
National Cybersecurity Strategy and its Implementation Plan--we will 
strengthen CISA's role as the shared service provider where there are 
clear gaps or requirements to do so. This includes assessing the 
expansion of our shared services to FCEB agencies to provide scalable, 
cost-effective capabilities that drive down known security risks, while 
growing into our role as the lead for providing and setting benchmarks 
for cybersecurity shared services.
    Third, we will strengthen our ability to gain operational 
visibility across FCEB agencies, through capabilities such as our CDM 
program, and using this visibility to more quickly address potential 
intrusions and drive remediation. CISA looks forward to working with 
Congress, OMB, and ONCD to optimize CISA's ability to build and sustain 
the operational visibility required to achieve this vision, such as 
through the development of a plan for centralized services as outlined 
in the National Cybersecurity Strategy Implementation Plan.
    Fourth, we will further drive and support adoption of modern 
security practices, such as Zero Trust principles and secure cloud 
implementations. We will partner closely with OMB and ONCD to ensure 
agencies' long-term plans will align with and enable our operational 
needs like defensible networks, operational visibility, and expedited 
response. We will further build on newly-proposed procurement clauses 
to help agencies incorporate cybersecurity and transparency 
requirements into each of their contract relationships.
    Fifth, we will bolster our ability and capacity to provide agencies 
with hands-on support, including through our Federal Enterprise 
Improvement Teams, to help agencies accelerate progress toward 
implementing Zero Trust architectures and implement our directives.
    Finally, at a strategic level, we will continue working to defend 
the FCEB enterprise as a cohesive, interdependent organization, where 
agencies maintain their responsibility and authority to manage their 
own systems while centralized investments effectively address cross-
agency risks. 

                               conclusion 
                               
    As described in our Cybersecurity Strategic Plan, ``we must be 
clear-eyed about the future we seek, one in which damaging cyber 
intrusions are a shocking anomaly, in which organizations are secure 
and resilient, in which technology products are safe and secure by 
design and default.'' We must first build this future within and across 
our own Federal agencies--the American people expect and deserve 
nothing less.
    We will continue to take swift action to make the FCEB a hard 
target for our adversaries. This work will continue to take 
investment--in technology, in people, in partnerships. The past several 
years have shown the progress we can make with the support of Congress 
and our inter-agency partners, while leveraging insights and expertise 
from industry. Now is the time for us to take the next steps forward--
and we must take them together.
    Thank you again for the opportunity to be to appear [sic] before 
the subcommittee. I look forward to your questions.

    Mr. Garbarino. Thank you, Mr. Goldstein. It's always 
impressive to me how you memorize that entire statement. 
Sometimes I have to look at my own name before I say it out 
loud.
    Mr. Swalwell. Garbarino.
    Mr. Garbarino. Thank you.
    Mr. DeRusha, I now recognize you for 5 minutes to summarize 
your opening statement.

       STATEMENT OF CHRISTOPHER J. DE RUSHA, FEDERAL CHIEF 
         INFORMATION SECURITY OFFICER, OFFICE OF MANAGEMENT 
         AND BUDGET; DEPUTY NATIONAL CYBER DIRECTOR FOR 
         FEDERAL CYBERSECURITY, OFFICE OF THE NATIONAL 
         CYBER DIRECTOR

    Mr. DeRusha. Thank you, Chairman Garbarino, Ranking Member 
Swalwell, and Members of the subcommittee. I really appreciate 
you holding this important hearing today to discuss Federal 
cybersecurity governance.
    I'm always pleased to testify in front of you with my good 
friend and colleague Eric Goldstein from CISA, and we look 
forward to updating you on the progress we're making on 
governance efforts, in particular where we've made good strides 
in implementing Executive Order 14028, which we colloquially 
refer to as the cyber EO, OMB's national--or, sorry, Zero Trust 
Strategy for the Federal civilian government, and then the 
President's recently-released National Cybersecurity Strategy.
    As was mentioned, I am both the Federal chief information 
security officer and deputy national cyber director in ONCD, 
and in both of these roles I'm focused on ensuring that the 
Federal enterprise is taking a holistic view and approach to 
confronting threats. We often refer to this as collective 
defense.
    That unity of effort enables us to align this National 
Cybersecurity Strategy, which was developed by the Office of 
the National Cyber Director and issued by the President, with 
the policy guidance that's coming from OMB and all the 
operational assistance programs just outlined by Eric from 
CISA.
    It's all in the name of ensuring that departments and 
agencies have the direction, the resources, the information, 
but most importantly the support that they need to be able to 
protect the Federal systems and data.
    I'll tell you we're making meaningful progress toward 
achieving our goals of collective defense. Honestly, the 
importance of strong governance to that end cannot be 
overstated.
    So in May 2021, President Biden's Executive Order 14028 set 
us on the path to aggressively and ambitiously shift our 
mindset to one that is very clear-eyed about the adversaries' 
capabilities and intent.
    Over the last 2 years, the evidence is clear. The Federal 
enterprise is better defended when we employ modern Zero Trust 
architecture and principles. Agencies are implementing higher 
levels of encryption and leveraging common toolsets that 
establish vigilance within our Federal systems. We've also seen 
deployment of phishing-resistant multifactor authentication as 
a proven way to combat an adversary's ability to gain a 
foothold in any system.
    We must continue to aggressively invest in making our 
systems more defensible by employing widely-accepted Zero Trust 
principles to better detect and contain our adversaries who are 
seeking to disrupt us from achieving our goals.
    With the President's issuance of the National Cybersecurity 
Strategy in March of this year, we're building on this progress 
by setting an affirmative vision for managing risk in the 
digital age.
    The strategy outlines two fundamental shifts to achieving 
that goal: First, we need to rebalance responsibility for 
managing cyber risk by expecting more of the most capable and 
best-positioned actors--that includes the Federal Government--
to make our digital ecosystem secure and resilient rather than 
placing this burden on individuals, small businesses, local 
governments, and critical infrastructure operators, who often 
do not have sufficient expertise and resources to do it on 
their own.
    Second, our economy and society must incentivize activity 
and make cyberspace more reliable over the long term. The 
strategy outlines how the Federal Government will use all 
available tools to reshape incentives and achieve unity of 
effort in a collaborative, equitable, and mutually-beneficial 
manner.
    The Federal Government's taking a data-driven approach to 
measuring the investments and progress that we're making toward 
achieving the actions that are set out in the strategy. In 
July, we released a transparent roadmap to achieve these goals, 
the National Cybersecurity Strategy Implementation Plan. The 
plan details high-impact Federal initiatives, from protecting 
American jobs by combating cyber crime to building a skilled 
cyber work force equipped to excel in our increasingly digital 
economy.
    Each initiative is assigned a responsible agency and has a 
time line for completion. In fact, 18 agencies are leading 
initiatives, and ONCD is coordinating the activities of this 
whole-of-Government plan, which will include an annual report 
to the President and Congress on the status of the 
implementation.
    To ensure funding proposals are aligned to the President's 
budget request, ONCD and OMB have issued a joint cybersecurity 
priorities memo to inform the fiscal year 2025 budget bill. The 
Federal Government's ability to deliver services to the 
American people while providing the confidence that their data 
is protected is contingent upon a strong foundation of 
cybersecurity. The strategic path set by this administration is 
enhancing collective defense to ensure our Federal systems are 
safe, secure, and resilient.
    Thank you for the opportunity to testify today, and I look 
forward to your questions.
    [The prepared statement of Mr. DeRusha follows:] 
    
              Prepared Statement of Christopher J. DeRusha 
              
                            October 25, 2023 
                            
    Chairman Garbarino, Ranking Member Swalwell, and Members of the 
subcommittee, thank you for holding this important hearing to highlight 
Federal cybersecurity governance efforts. I am pleased to testify 
before you today with the Cybersecurity and Infrastructure Security 
Agency's (CISA) Executive Assistant Director for Cybersecurity Eric 
Goldstein, a key partner in this effort.
    I will use this opportunity to update you on progress the Federal 
Government has made in implementing the President's Executive Order on 
Improving the Nation's Cybersecurity (E.O. 14028), the Office of 
Management and Budget's (OMB) Zero Trust Strategy, and the President's 
National Cybersecurity Strategy (NCS). These efforts, and many others, 
have shifted the Federal enterprise toward achieving greater collective 
defense.
    As I stated in my testimony before this subcommittee last year, 
E.O. 14028 recognizes a hard truth: ``The United States faces 
persistent and increasingly sophisticated malicious cyber campaigns 
that threaten the public sector, the private sector, and ultimately the 
American people's security and privacy.'' The E.O. outlines a bold 
cybersecurity modernization agenda and serves as our roadmap for 
securing the Federal enterprise. Following publication of the E.O., OMB 
released the Federal Zero Trust Strategy (M-22-09) in January 2022 and 
six additional implementation memos to guide agencies in meeting the 
goals of E.O. 14028.
    Released in March of this year, the President's NCS builds on these 
foundational initiatives and provides an affirmative vision for cyber 
space. The NCS calls for changes to the underlying dynamics of the 
digital ecosystem, to shift the advantage to its defenders, and 
persistently frustrate the forces that threaten it. The President's 
vision is a defensible, resilient digital ecosystem where it is 
costlier to attack systems than defend them; where sensitive or private 
information is secure and protected; and where neither incidents nor 
errors cascade into catastrophic, systemic consequences. In creating 
these conditions, we can and must seize the opportunity to take full 
advantage of technological advances while instilling America's values.
    A key objective of the NCS is achieving public-private 
collaboration at scale to reduce cyber risk at a systemic level. I 
appreciate the subcommittee's approach to tackling hard cybersecurity 
problems and was encouraged to see the subcommittee seeking feedback 
from our private-sector partners last month. The private sector owns 
and operates the majority of our critical infrastructure and develops 
the leading digital technologies we use in our own environments, so 
their feedback and participation in incident response exercises, 
roundtable discussions, and other forums like this are critical to 
strengthening the entire ecosystem.
    As Federal chief information security officer and deputy national 
cyber director for Federal cybersecurity, I am focused on Government-
wide improvement and ensuring the Federal enterprise is taking a 
holistic approach to confronting evolving cyber threats. My role 
encompasses the oversight, governance, and accountability of Federal 
cybersecurity efforts, as well as aligning budgetary resources to 
policy guidance through our annual priorities memo and working with our 
resource management colleagues in OMB to assess agency funding needs.
    CISA plays many critical roles as the operational lead for Federal 
cybersecurity, most importantly as Federal agencies' security 
coordinator. A model where hundreds of Federal agencies are left on 
their own to defend themselves is not sustainable. CISA programs and 
services provide an enterprise-view of risk across Federal agencies, 
enabling a collective approach to defense, and often free up agencies' 
scarce dollars and resources to be allocated elsewhere.
    My testimony here today alongside CISA's executive assistant 
director for cybersecurity, Eric Goldstein, illustrates the constant 
coordination occurring between the Office of the National Cyber 
Director (ONCD), OMB, and CISA. This collaboration is essential as it 
enables us to align the NCS published by ONCD on behalf of the 
President with the policy guidance issued by OMB and the operational 
cybersecurity assistance and programs CISA offers to departments and 
agencies. 

                     Setting the Strategic Direction

    The President's NCS calls for two fundamental shifts in how the 
United States allocates roles, responsibilities, and resources in cyber 
space.
    First, the most capable and best-positioned actors in cyber space 
must be better stewards of the digital ecosystem. Today, end-users, 
like your constituents, bear too great a burden for mitigating 
cybersecurity risks. Individuals, small businesses, local governments, 
and many critical infrastructure operators have limited cyber expertise 
and resources. Yet, these users' choices--even when well-intentioned--
can have a significant impact on our National cybersecurity. Across 
both the public and private sectors, we must expect more of the most 
capable and best-positioned actors--including the Federal Government--
to make our digital ecosystem secure and resilient.
    In a free and interconnected society, protecting data and assuring 
the reliability of critical systems must be the responsibility not only 
of the owners and operators of the systems holding our data and 
enabling our daily lives, but also of the technology providers building 
and servicing these systems.
    Second, our economy and society must incentivize activity that 
makes cyber space more reliable over the long term. Protecting the 
systems we have now, while investing in and building toward a future 
digital ecosystem that is more inherently defensible and resilient are 
both priorities. The strategy outlines how the Federal Government will 
use all available tools to reshape incentives and achieve unity of 
effort in a collaborative, equitable, and mutually beneficial manner. 
We must ensure that market forces and public programs alike reward 
security and resilience, build a robust cyber workforce that draws from 
all parts of our society, embrace security and resilience by design, 
strategically coordinate research and development investments in 
cybersecurity, and promote the collaborative stewardship of our digital 
ecosystem with our allies and partners.
    Our approach to Federal cybersecurity governance embodies these two 
major shifts. The Federal Government can better support the defense of 
critical infrastructure by making its own systems more defensible and 
resilient. This administration is committed to improving Federal 
cybersecurity through near-term efforts like multi-factor 
authentication, endpoint detection and response, encryption, logging, 
and establishing skilled security teams. We are also committed to 
longer-term efforts to implement Zero Trust architectures and modernize 
both information technology and operational technology infrastructure. 
This includes the annual release of a cybersecurity budget priorities 
memorandum to Federal departments and agencies. This annual guidance, 
issued jointly by ONCD and OMB, outlines the administration's cross-
agency cyber investment priorities and directs agencies to prioritize 
cybersecurity efforts that will bolster key initiatives laid out by the 
NCS. By aligning our budget requests with our priorities, we will 
ensure that agencies are investing in durable, long-term solutions that 
are secure by design. 

                       Implementation and Outcomes

    The strategic objectives outlined in the NCS require a strong focus 
on implementation. The Federal Government is taking a data-driven 
approach and will measure investments and progress toward meeting the 
goals of the strategy. The Federal Government is leading by example, 
ensuring its own networks and systems are adopting best-in-class 
security measures.
    Additionally, over the last 2½ years, we have seen departments 
and agencies across the Executive branch drive forward in implementing 
E.O. 14028 and the Federal Zero Trust Strategy (M-22-09). Across the 
Federal enterprise, agencies submitted Zero Trust plans that align to 
the vision and goals laid out in M-22-09 (Moving the U.S. Government 
Toward Zero Trust Cybersecurity Principles). Agencies have made 
meaningful progress paying down technical debt and modernizing security 
practices and tooling. Agencies are implementing higher levels of 
encryption, using proven methods, and leveraging common toolsets that 
establish constant vigilance within our Federal systems. Additionally, 
the deployment of strong, industry-leading phishing-resistant multi-
factor authentication makes it harder for an adversary to gain a 
foothold in any system.
    In furtherance of E.O. 14028's goals, OMB has issued several 
guidance documents to better protect Federal networks and minimize the 
Government's risk exposure. M-21-30 (Protecting Critical Software 
Through Enhanced Security Measures) is intended to: (1) Protect 
critical software and critical software platforms from unauthorized 
access and usage; (2) protect the confidentiality, integrity, and 
availability of data used by these software and software platforms; and 
(3) allow agencies to quickly detect, respond to, and recover from 
threats and incidents involving critical software and critical software 
platforms. Additionally, M-21-31 (Improving the Federal Government's 
Investigative and Remediation Capabilities Related to Cybersecurity 
Incidents) established requirements for logging, log retention, and log 
management across Federal Civilian Executive branch agencies. This will 
ultimately increase information sharing, empowering both accelerated 
incident response and more effective information system defense. Work 
continues on implementation of Section 4, Enhancing Software Supply 
Chain Security, of E.O. 14028. M-22-18 (Enhancing the Security of the 
Software Supply Chain through Secure Software Development Practices) 
and M-23-16 (Update to Memorandum M-22-18) seek to minimize the risks 
associated with running unvetted technologies on agency networks. OMB 
and CISA have worked in partnership to release the Self-Attestation 
Common Form, which directs software producers to provide Government 
users with assurances that they have taken specific measures to secure 
the development of their software products.
    Implementing the bold changes within E.O. 14028 requires 
partnership with the private sector. On October 3, the Federal 
Acquisition Regulation Council published two proposed rules for public 
comment that implement Section 2, Removing Barriers to Sharing Threat 
Information, of E.O. 14028: (1) Cyber Threat and Incident Reporting and 
Information Sharing, and (2) Standardizing Cybersecurity Requirements 
for Unclassified Federal Information Systems. These proposed rules 
would require establishing minimum, consistent cybersecurity standards 
that apply to contracts for Federal information systems; incident 
reporting and CISA and Federal Bureau of Investigation access to 
contractor facilities and systems for forensic analysis; and implementing 
IPv6 capability requirements, among others. In addition to implementing 
the requirements of Section 2 of E.O. 14028, these rules also propose 
changes necessary to implement the Internet of Things Cybersecurity 
Improvement Act of 2020. These proposed rules open the dialog with the 
public and our industry partners on the steps necessary to remove 
barriers to information sharing, provide consistent processes for 
threat reporting, and implement consistent cybersecurity standards. We 
will continue to work with our industry partners to ensure the vision 
of E.O. 14028 is fully realized.
    The Federal Government is also leading the way in transitioning to 
Post-Quantum Cryptography (PQC). Per National Security Memorandum-10, 
``the United States must prioritize the timely and equitable transition 
of cryptographic systems to quantum-resistant cryptography, with the 
goal of mitigating as much of the quantum risk as is feasible by 
2035.'' Federal agencies were asked to conduct an initial inventory of 
their cryptographic systems vulnerable to a Cryptanalytically Relevant 
Quantum Computer (CRQC) and the initial cost estimates to transition 
those systems. Agencies delivered on this request this summer. This is 
the first time an inventory such as this has been collected, and as 
such there is continued work that will be needed with agencies to 
refine the inventories and cost estimates. Agencies will be updating 
this inventory annually and initial analysis indicates agencies are 
already thinking through the costs of the upgrades and transition to 
PQC. Next year, OMB will be delivering a more in-depth report to 
Congress on the status of agency transition to PQC, to include a risk 
analysis and initial cost estimates.
    Long-term and large-scale change requires continued and consistent 
investment, complemented by innovative funding mechanisms, such as the 
Technology Modernization Fund (TMF). The TMF has played a critical role 
in supporting agencies on their journey to more modern cybersecurity 
practices, serving as a catalyst to show what's possible across 
Government and scale lessons learned while maintaining rigorous project 
vetting and sustained oversight. With the $1 billion investment from 
Congress through the American Rescue Plan Act, the TMF Board has 
invested over $600 million in 29 projects across 23 agencies to help 
address immediate security gaps and elevate the foundational security 
of Federal agencies, with an emphasis on Zero Trust, multi-factor 
authentication, and standardizing secure data and information sharing. 

                                Conclusion

    This administration, both through Executive action and by working 
with Congress, has made cybersecurity an immediate priority. Together, 
we have been extremely active in laying the strategic groundwork for 
the future of Federal cybersecurity to enable the U.S. Government to 
deliver the services on which the American public depends. Building 
upon the work that has been accomplished through E.O. 14028 and the 
Federal Zero Trust Strategy, we will continue to help departments and 
agencies implement the priorities laid out in the NCS with the 
diligence this work requires and the urgency the moment demands.
    Realizing our vision of a defensible and resilient digital economy 
requires both whole-of-Nation collaboration to rebalance the 
responsibility of securing cyber space and realigning our incentive 
structure to favor long-term investments. I appreciate this 
subcommittee's interest and support and I am confident that through 
partnership and frank discussions about where we need additional 
improvement, we will build a more defensible Federal enterprise.
    Thank you for the opportunity to testify today, and I look forward 
to your questions.

    Mr. Garbarino. Thank you, Mr. DeRusha.
    Members will be recognized by order of seniority for their 
5 minutes of questioning. An additional round of questioning 
may be called after all Members have been recognized. I now 
recognize myself for 5 minutes for questioning.
    Mr. Goldstein, as I said in my opening statement, we 
gathered input from private-sector witnesses in our last 
hearing evaluating CISA's Flagship Federal Cybersecurity 
Programs, the CDM program and the National Cybersecurity 
Protection System Program. There are a few outstanding 
questions directly from our witnesses that I have about these 
programs specifically.
    I want to start with how is CISA modernizing CDM to 
consider newer technologies like cloud-based services to 
complement legacy providers?
    Mr. Goldstein. This is absolutely foundational to our 
success. We know that the traditional model where we focus on 
securing on-premises infrastructure and assets doesn't scale to 
meet the--how agencies actually use technology today or how 
adversaries are targeting us.
    So even in fiscal year 2024, we are making significant 
investments in expanding CDM's visibility into mobile assets 
and cloud assets. We work closely with industry both through, 
for example, industry days, requests for information, and going 
to, for example, events where industry is presenting on the 
latest technology to make sure that we are adapting those 
innovations into the program accordingly.
    Now, certainly where there are innovative companies that 
have solutions that can help with our enterprise, we want to 
hear from them. So my ask would be, if there are companies that 
are not part of the program today that think they have a 
solution that could help to reach out to us, because we want to 
understand the state-of-the-art and apply it quickly to our 
shared goals.
    Mr. Garbarino. What's the best way to reach out to you?
    Mr. Goldstein. So we have a vendor engagement. So you can 
just go to the website and look at vendor engagement. We have a 
single portal where any vendor can reach out to CISA and be 
part of our programs.
    Mr. Garbarino. The response is pretty quick?
    Mr. Goldstein. Yes, sir.
    Mr. Garbarino. OK. Great. Now I have another one: How does 
CISA measure the success of its Federal cyber programs, 
considering it spends almost one-third of its budget on 
strengthening FCEB networks?
    Mr. Goldstein. Yes, sir. We were really excited a few 
months ago to issue our first-ever Cyber Strategic Plan that 
for the first time actually had measures of effectiveness for 
security outcomes.
    So we are really focused now on actually measuring very 
specific security outcomes. For example, the mean time to fix 
vulnerabilities, how many of what we call known exploited 
vulnerabilities are actually present on Federal networks, how 
quickly can we detect intrusions. So we are focused on 
measuring security outcomes that then we can show are a result 
of the investments that we're making.
    On some of these measures, like mean time to reduce 
vulnerabilities, we're making a lot of progress. Other measures 
we know are more forward-leaning and will take more time to 
collect data to measure against.
    Mr. Garbarino. Have the results been getting better?
    Mr. Goldstein. They have been. I will offer one example. 
For the known exploited vulnerabilities that are visible from 
the internet across Federal networks, we have seen a 79 percent 
reduction over the past year, based upon our Attack Surface 
Management efforts and driving agencies to adhere to BOD 22-01. 
So we are seeing major progress in really key areas, but 
certainly more work to do.
    Mr. Garbarino. I just want to ask this one also: Has CISA 
seen incidents on Federal networks that could have been 
prevented through the use of technologies in CDM? Where was the 
disconnect?
    Mr. Goldstein. Certainly, it is still the case that every 
organization experiences malicious cyber activity, and there 
are certainly control gaps that may enable an intrusion to 
progress further than we would like it to. I think where we are 
today is we have the visibility that we need to identify 
conditions that adversaries can exploit, and we have the 
visibility we need in most cases to identify adversary 
activity.
    The work we are doing now is to make sure that we can drive 
action against that information. So we know that, for example, 
there are still exploitable vulnerabilities across Federal 
networks. The more that we can work with agencies to make sure 
that they also have the resources that they need to fix 
vulnerabilities and make sure they have the right controls in 
place, consistent with a Zero Trust Strategy, that's going to 
help us to help take us to the next level in our maturation.
    Mr. Garbarino. Does CISA believe CDM could benefit from a 
true shared services model like EINSTEIN?
    Mr. Goldstein. We are absolutely looking at the right mix 
of delivery models across our portfolio. So, of course, right 
now we do offer several services via a shared service model. 
For example, I mentioned our Protective DNS program.
    You know, as we evaluate the next generation of 
technologies that will be delivered through CDM, we are 
absolutely going to be flexible in the delivery model that will 
add the most value at the best use of taxpayer dollars.
    Mr. Garbarino. Thank you very much. I don't have time for 
another question. I'll probably get you on the second round.
    I now recognize Ranking Member Swalwell for 5 minutes for 
any questions he may have.
    Mr. Swalwell. Thank you, Chairman.
    Earlier this month, the Federal Acquisition Regulatory 
Council, also known as FAR, issued a proposed rule requiring 
Federal contractors to report cyber incidents to CISA within 8 
hours of discovery.
    This time line is not consistent with other Federal cyber 
incident reporting mandates, including the 72-hour reporting 
time line authorized in the Cyber Incident Reporting for 
Critical Infrastructure Act, CIRCIA.
    As the proposed rule acknowledges, inconsistent reporting 
requirements can result in the regulatory community shifting 
focus away from security and toward compliance, which could 
ultimately jeopardize the security of Federal networks.
    Mr. Goldstein, public comments for the FAR Council's 
proposed rule are due in December, as I understand it. The 
proposed rule for CIRCIA should be released in March. To what 
extent was CISA able to engage with the FAR Council in advance 
of the proposed rule released on October 3 to ensure that time 
lines and definitions are harmonized to the greatest extent 
possible?
    Mr. Goldstein. Yes, sir. We engage significantly with the 
FAR Council, including our partners at OMB, in development of 
these proposed rules, and we very much look forward to 
understanding feedback from industry on the proposal.
    I will note, as a general matter, Federal contractors are 
equally stewards of Americans' data, as are Federal agencies, 
and it is absolutely of the utmost importance that we have 
significant visibility into cybersecurity incidents and risks 
affecting Federal contractors.
    Just as we expect Federal agencies to report incidents to 
CISA on an urgent time frame, we certainly anticipate expecting 
similar requirements from Federal contractors who we trust with 
so much of the work of the Federal Government.
    Mr. Swalwell. Mr. DeRusha, how is the administration 
ensuring that any AI-related Executive Orders and policy 
guidance will support continued expansion of AI use for cyber 
defense?
    Mr. DeRusha. Yes. Thank you for the question. So AI policy 
is a top topic for us at the White House right now, and the 
President will be issuing some Executive action on that soon. 
In close follow to that will be a draft memorandum released by 
the Office of Management and Budget which will talk about our 
proposal for Government use and safe use of AI.
    You know, I think the key thing here is we need to use this 
technology. We need, as you mentioned, for defensive purposes. 
Our adversaries are going to use it, so that would be one 
reason, but also to stay apace with, you know, where technology 
is moving and global economic competitiveness.
    So I think you'll see very shortly from the administration 
proposal, which very much embraces the technology for all of 
its positive aspects, but also is going to propose some 
significant, you know, methods of finding safeguards and 
security throughout.
    Mr. Swalwell. Thank you. Mr. Goldstein, we are approaching 
a potential Government shutdown on November 17. Can you lay out 
for me what would the effect be on CISA if there were a 
Government shutdown?
    Then also, could you lay out for me what would the effect 
be on CISA if a 25 percent cut was actually imposed, as has 
been voted on in the past here in the House?
    Mr. Goldstein. Yes, sir, absolutely. On the first question, 
a lapse in appropriation, while we will rigorously interpret 
our legal requirements in determining excepted personnel, you 
know, our core operational functions will be able to remain 
functional, but all of our strategic or more systematic work to 
engage with agencies, to deploy technology, to advance 
technology, to the Chairman's question, all of that work will 
be on hold.
    So we will be in a period of stasis where even as our 
adversaries evolve, we will not be able to advance our mission 
in the least, including in our critical interactions with 
Federal agencies outside of urgent----
    Mr. Swalwell. So, for example, like, would JCDC meet in a 
Government shutdown?
    Mr. Goldstein. So the urgent work that JCDC does to manage 
imminent incidents and vulnerabilities would continue. The 
critical planning work and publication work that JCDC does 
would not.
    Mr. Swalwell. Can you speak to the 25 percent cut?
    Mr. Goldstein. Absolutely. A significant cut to our budget 
would be catastrophic. We would not be able to continue even 
sustaining some of the core functions across programs like CDM, 
like our shared services.
    You know, right now we are at the point where we have 
reasonable confidence in our visibility into risks facing 
Federal agencies. We would not be able to sustain that 
visibility with that significant of a budget cut, and our 
adversaries would unequivocally exploit those gaps.
    Mr. Swalwell. Thanks. I yield back.
    Mr. Garbarino. The gentleman yields back.
    I now recognize my friend from Florida, Mr. Gimenez, for 5 
minutes of questioning.
    Mr. Gimenez. Thank you. Now, being that I've been in public 
service for a long time, let me tell you that I have never ever 
heard somebody in a bureaucracy tell me that a cut to their 
budget would not be catastrophic. So I didn't think you were 
going to say anything differently.
    I'm not saying it's not, I'm just saying I've never heard 
it--``Yeah, we can sustain a 25 percent cut or a 5 percent cut 
or 2 percent cut, or any kind of cut''--'cause it's always 
going to be catastrophic. I always can tell you, being that I 
was a head of bureaucracies, sometimes you can sustain some 
cuts if you look deep enough. I'll let that go for now.
    All right. Reduce vulnerabilities, what does that mean?
    Mr. Goldstein. Yes, sir. So when a malicious actor--Russia, 
China, Iran, North Korea--wants to break into a network, the 
way that they will usually do it is they will find a technology 
product that was designed in a way that they can run a piece of 
software on it and gain access.
    Most technology products at some point in time have these 
vulnerabilities. Technology is designed by humans. Humans make 
mistakes. A vulnerability is just a mistake in how a technology 
product was designed. So when--if I'm the Chinese government, 
the first thing that I do to break into a Federal network is 
I'm going to look at all the technology products, I can see 
they're running. I'm going to find one that has a known mistake 
and I'm going to use that mistake to gain access into the 
network.
    So what we do at CISA is we prioritize those products that 
have those mistakes that are most important that are being used 
by the most severe adversaries. We then use our visibility to 
find them, and then we go out to agencies and say, ``You've got 
to fix this right away'', and then we can see when they do it. 
If they don't do it, then we escalate to senior leadership of 
the agency to make sure that the problem is fixed before the 
adversary gets there.
    Mr. Gimenez. Can I be as bold to say that ``reduce 
vulnerabilities'' goes beyond that or should go beyond that? It 
seems to me that whatever you do, how secure you think you're 
going to be, somebody is always going to crack you. Am I off on 
that? Somebody is always going to find a way, if they really 
want to, to get through the system.
    Is that true or not true?
    Mr. Goldstein. So what I'd say, sir, is we know that many 
adversaries are opportunistic and adversaries want to find a 
network to break into. If we can make the Federal Government 
and the agencies and systems we care most about as hard as 
possible, many agencies are going to shift their focus 
somewhere else.
    Mr. Gimenez. I'm not saying that you shouldn't, but I'm 
also now maybe laying the predicate for something else, which 
is resiliency.
    So once a system is cracked and it's tied to some vital 
infrastructure, how do we make sure that that infrastructure, 
once we know that that system has been penetrated, that we 
somehow can decouple that infrastructure so that it continues 
to work?
    Mr. Goldstein. Yes, sir. We couldn't agree more. This is 
foundational to the principles of Zero Trust that my co-witness 
mentioned. The idea behind Zero Trust is, even if an adversary 
breaks into a system, they shouldn't be able to achieve an 
objective that harms the services upon which Americans depend.
    So by making sure that we understand where the most 
important data and systems are that we harden those systems, 
specifically. To your point, sir, absolutely. If an adversary 
breaks into a network, you know, that's bad, but the real harm 
we're trying to prevent is those most critical systems and 
making sure that those are maximally secure and resilient under 
all conditions. That absolutely is the core goal that we're 
trying to achieve.
    Mr. Gimenez. Where do you think we--where are we on that? 
How far along are we on that?
    Mr. Goldstein. So we have made tremendous progress. So we 
made tremendous progress in identifying the systems that are 
most critical. As my co-witness noted, pursuant to the 
President's cyber Executive Order, we have made significant 
progress in driving adoption of the Zero Trust security 
measures to reduce the likelihood of a truly damaging 
intrusion.
    Now, to your point, Congressman, you know, adversaries 
invest significant time, significant money, and we know better 
than to say that security is perfect in any event, but 
certainly that is exactly our focus and where we are driving 
meaningful change.
    Mr. Gimenez. In infrastructure, that's vital. Let's say 
pipelines, et cetera, electricity and all that is. Have we 
worked on a way to decouple from technology, go back and have 
the redundancy of, say, back-up systems, the old way of doing 
things all manual? Yes, it's not going to be as efficient, but 
at least they'll work. Have we tried to strengthen America in 
that way?
    Mr. Goldstein. Yes, sir. We spend tremendous time outside 
of our Federal cybersecurity mission working with the private 
sector and with the Sector Risk Management Agencies.
    I will note, for example, this country's major energy 
companies have really focused on what they call a black start, 
which is their ability to maintain resilience of some 
transmission and distribution under all conditions. Similarly, 
our major pipeline companies have invested significantly in 
being able to revert to manual operations, and that's useful 
for a cyber attack or for a national disaster. So certainly, 
companies are investing in just that need, sir.
    Mr. Gimenez. Thank you. My time is up. I yield back.
    Mr. Garbarino. The gentleman yields back.
    I now recognize Mr. Carter from Louisiana for 5 minutes of 
questioning.
    Mr. Carter. Mr. Chairman, thank you.
    Mr. DeRusha and Mr. Goldstein, thank you both. Technology 
is moving fast. So the technology modernization fund is helping 
Federal agencies improve their cybersecurity. How effective has 
it been?
    Mr. DeRusha. Congressman, I am a board member on the TMF. 
I've found it to be extremely effective. We received a billion-
dollar appropriation under the American Rescue Plan. You know, 
over the past couple of years we've made over $600 million of 
investments just targeted at cybersecurity alone.
    That's almost 30 different projects across 23 agencies, 
where there's a significant portion of that project just 
focused on enhancing the security----
    Mr. Carter. Given the nature of the threats that are out 
there with cybersecurity, if you had to sustain a 25 percent, a 
10 percent, a 5 percent cut, would that not--wouldn't that 
decrease your ability to protect our cyber space?
    Mr. DeRusha. It would and meaningfully so.
    Mr. Carter. I mention it because my colleague said a moment 
ago that no one has ever said that they can sustain cuts. I 
understand no one likes to have cuts. But in an area of 
cybersecurity, one of the major threats to the security of 
America, to talk about cutting those areas is very, very 
dangerous.
    Mr. DeRusha. Congressman, it would simply mean we would 
manage less risk. So----
    Mr. Carter. Said differently, we would have more risk to----
    Mr. DeRusha. That is correct.
    Mr. Carter [continuing]. Come at us.
    Mr. DeRusha. That is correct.
    Mr. Carter. Mr. Goldstein.
    Mr. Goldstein. Yes, sir. Fully agree. You know, as I 
mentioned, one of the critical areas of maturation for Federal 
security is not just advancing CISA's resources and authorities 
in the years to come, but also making sure that the Federal 
agencies have the ability to deploy modern technology and 
infrastructure that is, in fact, securable. The TMF has been 
absolutely a critical resource in that regard, and certainly 
any cuts to it would set us dramatically back on the progress 
that we're trying to achieve.
    Mr. Carter. In staying ahead of the bad actors who are 
moving at rapid pace, not only are you maintaining, but you're 
constantly having to adjust as you find new threats that I 
imagine are coming on every single day.
    Mr. DeRusha. Congressman, specific to the TMF, what's 
really helpful about it is if you have an incident, you need 
restoration, you need remediation immediately, those are funds 
if you put the project forward that you can get fairly fast.
    Or if you're working on a Zero Trust migration or 
modernization at your agency, maybe you can fast-forward that 
by a year, a year-and-a-half by leveraging TMF funds. So, I 
mean, you are literally managing more exigent risk faster with 
the TMF as a resource.
    Mr. Carter. Pay me now or pay me later, and the risk later 
is far, far, far greater in our National security.
    One of the major shifts we've seen across the Federal 
Government has been increased cloud adoption, which has 
numerous benefits but also requires a shift in the approach to 
securing Federal networks.
    Mr. DeRusha, how is the administration ensuring that 
Federal cloud migration includes cloud-native security?
    Mr. DeRusha. Well, it's a top priority since EO 14028 and 
then strongly reinforced in the President's National Cyber 
Strategy. This is what we're talking about, that those are the 
most resources, the most skill and capability which, in large 
part, the cloud service providers all fall in that bucket.
    They really need to be ensuring that they are doing 
everything they can to protect their own platforms, their own 
resources. We may need to make sure that they're doing 
everything we would expect them to do. That is, in part, 
subject of the new Cyber Review Board effort that we've taken 
on.
    Also, as they provision products and services to their 
customers, which often include Federal agencies, we want to 
make sure that they're making it easy for their customers, that 
they're putting their configuration settings and giving that 
environment with the most secure settings in place, not saying, 
here you can have the optionality to put security in place but 
as a default turned on. That's been a big part of CISA Secure-
by-Design and Secure-by-Default, which are different things, 
efforts and push which are closely aligned between Office of 
National Cyber Director and CISA's implementation.
    Mr. Carter. Thank you very much.
    Very quickly--I've just got about 53 seconds left--Mr. 
Goldstein, what is CISA doing to increase the use of cloud-
native security solutions in the CDM program?
    Mr. Goldstein. Yes, sir. So we are deeply focused on both 
ensuring that as we leverage CDM tools to gain visibility 
across agencies, we, for example, are deploying cloud security 
posture management, or CSPM, solutions as part of that 
approach.
    Separately from the CDM program, I mentioned that we are 
rolling out this calendar year our Attack Surface Management 
program that is going to give us extraordinary advances in our 
visibility of Federal assets that are operating both on 
premises and in the cloud.
    I'll offer one more note, sir, which is, working with 
individual agencies and our partners at OMB and ONCD to ensure 
that agencies are deploying the right security tools in their 
cloud infrastructure and that they are driving the cloud 
providers to make those tools on by default without added 
charge.
    Mr. Carter. Would you agree--real quickly, would you agree 
that the bad actors out there could care less if we're 
Republicans or Democrats?
    Mr. Goldstein. Of course, sir.
    Mr. Carter. They want to attack Americans. They want to 
take our industry. They want to attack our infrastructure. They 
don't care about what party battles we may have. Is that 
correct?
    Mr. Goldstein. Yes, sir.
    Mr. Carter. So we have to make sure that we keep you fully 
funded that you can defend us against those threats. Thank you. 
I yield back.
    Mr. Garbarino. The gentleman yields back.
    I think I'd like to just say that I'm very proud that this 
entire subcommittee, both sides, bipartisanly voted against 
those cuts in the appropriations bill.
    I'd even go on to further say, Mr. Carter, that I think 
even a CR is not good for what we're doing here with 
cybersecurity. We have to do a fully funded appropriations 
package to make sure we keep up with technology. I think the 
rest of--all of our colleagues understand that. I think this is 
probably one of the most bipartisan committees in Congress.
    So, with that, I now yield to my friend from Mississippi, 
Mr. Ezell, for 5 minutes.
    Mr. Ezell. Thank you, Mr. Chairman.
    Our Nation's adversaries continue to find new ways to 
undermine our national security. We see this in the increased 
cyber attacks. For example, in 2020 Russian hackers altered 
code in the software SolarWinds to compromise secured data of 
several Federal agencies and critical infrastructure providers. 
This attack was one of the most widespread hacking campaigns 
ever launched, from what I understand.
    In 2021, the Biden administration released an Executive 
Order to improve the Nation's cybersecurity. Since it has been 
2½ years since the Executive Order, I hope that agencies 
have made progress in implementing the requirements outlined. 
However, lately there have been some reports that the National 
Security Advisor sent a memo to agencies reinforcing the need 
to follow these requirements.
    Mr. DeRusha, which requirements of the Executive Order are 
agencies finding the hardest to follow and why is that?
    Mr. DeRusha. Well, Congressman, as you highlight, Executive 
Order 14028 laid out a bunch of aggressive actions in removing 
barriers to information sharing, modernizing our cybersecurity 
practices--we've talked about Zero Trust--improving software 
security supply chain--we've done a lot of work around that--
and also ensuring that we are as prepared as we can possibly be 
for managing incidents as they will continue to occur.
    You know, look, we've taken an approach of having a large 
strategy, multi-year, with the Zero Trust Strategy, but we've 
also focused on a few areas like multifactor and encryption. 
You know, traditionally implementing phishing-resistant 
multifactor authentication has been hard for agencies and there 
was a lot of work, but it is something that can really stop one 
of the most common types of attacks dead in its tracks. So 
there have been lots of challenges around that.
    At times, you could find that it's a contractor-operated 
system and it's not in the contract that they have to have MFA, 
and it's more expensive and they won't implement it. You can 
find work force and capacity constraints around it, 
modernization challenges where the tech needs to be modernized 
before it can employ modern encryption and authentication.
    So I think those are some of the areas that we've been 
really focused on but have also, you know, shown where there's 
lots of gaps and challenges across.
    Mr. Ezell. Thank you.
    Mr. Goldstein, what can CISA do to improve an agency's 
ability to follow these requirements?
    Mr. Goldstein. Thank you, sir. There's a few areas. The 
first is, as I mentioned in my opening, we are focused on 
working with individual agencies through a team that we 
maintain called the Federal Enterprise Improvement Team. This 
was actually created with the help of Congress through the 
American Rescue Plan Act several years ago.
    What this team does is actually deploys to Federal 
civilian agencies, sits down with the chief security officer 
and his or her team, and walks through their gaps and actually 
helps them figure out how they can make progress. So one way is 
just by providing that direct almost consultative support to 
agencies to help them address constraints and progress on their 
journey.
    We are also evaluating additional tools, technologies, 
services that in the future might be able to help agencies on 
this journey. But also just to tie it back, sir, to Mr. 
Carter's point, which is one real constraint here is agencies 
using old technology that actually isn't able to adapt to these 
modern security controls. The more that collectively we can 
invest not only in security but also modernization, that will 
smooth the path for adoption.
    Mr. Ezell. Thank you very much. You know, we're here to do 
as much as we can because we understand. I've spent my entire 
life as a law enforcement officer, and this is new to me and to 
the country if you look at it.
    So we want to do everything we can to help you and work 
with this committee to get it done.
    Thank you, Mr. Chairman. I yield back.
    Mr. Garbarino. The gentleman yields back.
    I now recognize my friend, and happy he's here. He got a 
little late, but if you ever have the opportunity he has a 
lovely singing voice. My friend from New Jersey, Mr. Menendez. 
I recognize him for 5 minutes.
    Mr. Menendez. Thank you, Chairman. Sometimes I do wonder 
why I show up for your committee, which it's a pleasure to see 
the witnesses and the Ranking Member, my friends across the 
aisle, my friends here, the staff, everyone except the 
Chairman.
    Currently, the CDM program is designed to monitor IT assets 
across Federal agencies. However, as technology evolves, risk 
of internet of things, devices, and operational technology 
continue to increase. We must ensure Federal network security 
programs reflect the current attack structure.
    Mr. Goldstein, how does CISA plan to ensure CDM can better 
monitor the full range of technology assets that pose a risk to 
Federal agencies?
    Mr. Goldstein. Yes, sir. We actually issued a binding 
operational directive a few months ago, Binding Operational 
Directive 23-01, that required agencies to conduct scanning of 
their assets at specific intervals and then provide automated 
results of those scans back to CISA.
    That directive specifically included IoT and OT assets for 
just that reason, because we know, as articulated in the IC's 
Annual Threat Assessment, that there are adversaries who seek 
not only to steal information but to cause destructive impacts. 
If you seek destructive impacts, you are going to seek to 
compromise likely operational technology, and we need to drive 
risk reduction in that space as well.
    So certainly as we continue to modernize and refresh 
technologies as part of CDM, we will make sure that the 
technology therein is capable of scanning for vulnerabilities 
in IoT and OT assets, but that is already a mandate for 
agencies to be doing today.
    Mr. Menendez. And you have a status following the issuance 
of that directive, in terms of how Federal agencies have been 
responding?
    Mr. Goldstein. Yes, sir. So at this point now all CFO Act 
agencies, who are the largest agencies, are compliant and 
reporting automated data to CISA. There are several dozen other 
agencies who are also doing so, and we are working with the 
residual agencies to make sure that they have the technology 
and resources they need to do the scanning and reporting at the 
right intervals. But thus far, sir, agencies are meeting the 
time lines as prescribed in the directive.
    Mr. Menendez. Great. It's good to hear. In April, CISA 
released an updated version of Zero Trust Maturity Model. This 
version is aligned with OMB Zero Trust Strategy, which seeks to 
bring Federal agencies in line with Zero Trust security goals 
by the end of fiscal year 2024.
    Mr. DeRusha, with less than a year until that deadline, 
what is your assessment of the status of Federal agency efforts 
to achieve OMB's Zero Trust security goals?
    Mr. DeRusha. We have made a lot of progress. You know, the 
key thing here--and you mentioned Capability Maturity Model, 
which we did align the strategy to--is that we have to make 
progress not in just one area.
    We have to make progress in identity management, in 
understanding where our sensitive data is and tracking that in 
an automated way, device management, you know, network 
segmentation and applications, right? It's across all of that. 
Then below all of those pillars, we need to make sure that we 
have the appropriate governance in place.
    So we've seen investments in all of these things. We asked 
each agency for a specific implementation plan. In some 
instances we set specific deadlines, and they've been meeting 
those. But we also gave some flexibility over that 3-year 
period for them to tell us sort-of what order of events they 
wanted to achieve the actions that we laid out.
    You know, we do a lot of governance and oversight of that. 
We use our FISMA metrics to track progress as well. So, you 
know, we have the data to show as well that we're making 
meaningful progress. But it will also, to get to the optimal 
state of Zero Trust, take some time. You know, I just want to 
be clear that that strategy was really an action plan to get 
onto this road map, and that we've got to move up that stack of 
Capability Maturity Model with continued investment.
    Mr. Menendez. So you mentioned a lot of progress, 
meaningful progress. You also mentioned flexibility. The 
deadline is approaching. Do you think that they will meet the 
goals by the end of fiscal year 2024?
    Mr. DeRusha. Yes. I believe we will meet the goals that we 
set out in that strategy by 2024. You know, in some instances 
there will be opportunities for improvement, but I think it's--
you know, we're going to keep going, right? Like, there's going 
to be another iteration.
    But technology moves so fast. That's part of why we set the 
3-year target. Like, we want to learn from these first 3 years. 
We've got communities of action. Agencies are learning from 
each other. We're going to take their input and feedback and 
then build that next layer of the strategy.
    Mr. Menendez. I would just encourage you to just keep 
moving as quickly as possible because, as you alluded to, the 
technology is quickly evolving. So we can't rest on sort-of the 
plans from a year ago, 3 years ago. We have to continuously be 
monitoring and implementing.
    But just one quick question for Mr. Goldstein before my 
time runs out: How is CISA supporting Federal agencies as they 
seek to implement the Zero Trust Maturity Model?
    Mr. Goldstein. Yes, sir. As my co-witness mentioned, we've 
created a Zero Trust community of practice where we have 
hundreds of participants across agencies who meet to discuss 
best practices, constraints, and the way ahead.
    Then additionally, through our Federal Enterprise 
Improvement Team, we provide agencies with direct support and 
guidance on their concrete issues.
    Then finally, it is also the case that there are aspects of 
the Zero Trust Maturity Model that can actually be addressed by 
CISA services. So where that's the case, we just want to make 
sure that we are offering those services to any agency that 
requires it.
    Mr. Menendez. Thank you so much. Mr. Chairman, I yield 
back.
    Mr. Swalwell. Actually, would the gentleman from New Jersey 
yield for a song request?
    Mr. Menendez. My time is up.
    Mr. Swalwell. Oh, that's too bad.
    Mr. Garbarino. The gentleman yields back.
    I now recognize the gentlelady from Florida, Ms. Lee, for 5 
minutes.
    Ms. Lee. Thank you, Mr. Chairman.
    I'd like to return to the discussion of Attack Surface 
Management. As we know, our sophisticated adversaries, like 
Russia and China, are constantly probing our Nation's Federal, 
State, and local critical infrastructure to try to identify 
vulnerabilities. It's very important that we be able--our 
network defenders must be able to identify where those 
vulnerabilities are before they are exploited by those 
adversaries. So they need to be able to view that network 
attack surface through the eyes of the adversary, continuously 
evolve to be prepared to defend those internet-facing assets.
    As we've discussed today, Congress invested in an Attack 
Surface Management program at CISA so that CISA can provide 
Federal and non-Federal stakeholders visibility into those 
vulnerabilities. I'd like to hear an update from you about how 
that is working. We're hearing good things back, but we'd like 
to know more about how that's working and where you see it 
going from here, how we can continue to expand that work.
    Mr. Goldstein. Yes, ma'am. It's a great question. So, you 
know, as you noted, there are going to be really two game-
changing advances as we fully deploy our Attack Surface 
Management capability.
    The first is getting better visibility into the assets 
across all of the entities who we want to support, whether 
Federal or non-Federal; and the second is to increase the 
number of organizations participating in our visibility 
programs by several multiples.
    So at this point, over the past year we did a series of 
technology evaluations. We have obligated the resources that 
Congress so helpfully provided, and we are now at the point 
where we are rolling out this capability with the full rollout 
to be completed by the end of this calendar year.
    I will already say that the visibility that we gain through 
this capability has proven invaluable in many of the recent 
significant vulnerabilities that we've seen reported in the 
cybersecurity space. Already our ability to understand 
prevalence and drive reduction has been absolutely critical. So 
we think this is going to be a tremendous value both for our 
Federal partners and for partners across the country.
    Ms. Lee. Then going back to the Chairman earlier talked 
about the subject, he asked questions about the subject of 
shared services. There too, I know this is a really important 
concept. It allows us to provide more services while also 
saving money because of those efficiencies.
    Is CISA at this point equipped, from an administrative and 
a resource perspective, to grow its shared services offerings 
for agencies?
    Second to that, do you envision a world where CISA might be 
actually providing, taking on the security responsibilities for 
some of the smaller agencies?
    Mr. Goldstein. Yes, ma'am. We are--we have provided a 
series of extraordinarily impactful shared services across 
Federal agencies. I mentioned Protective DNS and vulnerability 
disclosure as being only two examples.
    We also take a disciplined approach to thinking through 
which security abilities are appropriate for CISA to provide. 
Do they offer cost savings? Are they filling a gap that 
agencies aren't providing at scale? Is there benefit in CISA 
having some centralized visibility into the risks?
    I think vulnerability disclosure platforms is a great 
example, where we are providing a service that is required by a 
binding operational directive, and CISA having visibility into 
the vulnerabilities that are being identified in Federal 
websites then lets us drive broader improvements at scale.
    So where we identify additional services that can be 
provided that meet those criteria, we absolutely have the 
authorities to do so and look forward to working with Congress 
to ensure that the resources match.
    You know, to your second question, Congresswoman, it's a 
fantastic question. You know, we know today that there are many 
agencies who are so small that they are equivalently small and 
medium businesses for their IT infrastructure and security 
function. Those are agencies that really need significant help.
    So we are leaning forward with those agencies. For example, 
there is a designated CDM group where we provide almost CDM as 
a service with a cloud-based dashboard to help those agencies, 
but that certainly is a group that we are really focused on 
working with OMB and ONCD to understand where can we go next to 
make sure that as those agencies do provide critical functions 
we can support them in their security journey.
    Ms. Lee. Then the last thing, I'd like to go back to the 
topic of agency participation and agencies' voluntary 
participation, compliance, cooperation with CISA. I know that 
has been a challenge and you all have been working very hard to 
bring them in and get them to provide the information and take 
the steps that CISA is recommending.
    What is--what other things do you think you can do to be 
overcoming that challenge?
    Then, Mr. DeRusha, I'll also take that one to you on what 
OMB's role can be in ensuring that agencies cooperate with CISA 
and its efforts.
    Mr. Goldstein. I would really say it's a new day in that 
area. I think Congress has provided really impactful 
authorities to help CISA, for example, conduct threat hunting 
without prior authorization.
    Executive Order 14028 required agencies to enter into 
memoranda of agreement with us to provide granular data through 
CDM, and then certainly funding from Congress that enabled us 
to deploy these EDR tools also really helped. But, most 
importantly, we are now really showing reciprocal value to 
agencies, which ultimately is what matters most.
    So, you know, just this morning, actually, Chris and I 
spoke at a session with 30-some Federal CISOs, including the 
CISOs from every large agency. The goal was really to embark on 
a shared planning process together for fiscal 2024 so that we 
are not imposing burdens on agencies. We are working together 
on a shared journey, and we think that is going to be the most 
important piece here.
    I will just add that a key part of that is, of course, 
CISA's funding profile and making sure that as we are offering 
services those services are sustained. The last thing we want 
to do is get to a point where we have reasonable confidence and 
visibility and security measures and then have that be pulled 
back or degraded in a way that our adversaries, of course, will 
exploit.
    Ms. Lee. Thank you, Mr. Chairman. I'm out of time. I yield 
back.
    Mr. Garbarino. The gentlelady yields back.
    Now we're going to start our second round of questions. I'm 
going to yield to myself for 5 minutes.
    DHS and CISA have the authority to require agencies to take 
certain actions through BODs and EDs. Mr. Goldstein, in your 
testimony you discuss the Known Exploited Vulnerabilities BOD 
and its successes in getting agencies to patch vulnerabilities.
    Mr. DeRusha, OMB and ONCD are responsible for overseeing 
agency compliance with such directives. How does OMB enforce 
compliance with these directives? What tools are at your 
disposal?
    Mr. DeRusha. Yes. So one of the tools we have are the 
Federal Information Security Modernization Act 2014 metrics 
that we jointly work with CISA, but they are OMB-driven 
metrics.
    You know, where we've put a lot of our emphasis are 
ensuring that we're both measuring agency performance in key EO 
14028 goals, but also some of these directives.
    So, for example, you mentioned the CADS. You know, we've 
got metrics in there that are measuring performance of 
implementation of that binding operational directive.
    Also for every BOD and binding operational directive and 
emergency directive, we work closely with CISA to ensure that 
we're getting all the data on agency implementation, like that 
is a full partnership. So we're employing our oversight and 
governance role there every day.
    Mr. Garbarino. Thank you. A recent CSIS report says there 
is a role for CISA in advocating for cyber investments on 
behalf of FCEB agencies, but CISA's role is not necessarily to 
help agencies strategize their cyber budgets.
    Mr. Goldstein, I'll start with you. How can CISA best 
strike that balance?
    Mr. Goldstein. Yes, sir. Our goal is really to understand 
(A), what is the appropriate baseline of security that every 
agency should adopt, what are the risk-based deviations from 
that baseline that agencies should adopt based upon their 
unique risk profile, where can we help, and then where do 
agencies have to invest?
    By working that process, we can then help agencies work 
with OMB, work with their CFO to advocate for the specific 
investments to meet the gaps that they see. So certainly 
agencies remain accountable for managing their networks, remain 
accountable for their investments, but we can help them ask the 
right questions about where to focus.
    Mr. Garbarino. Thank you.
    Mr. DeRusha, where does OMB and ONCD fit into this equation 
in addition to the joint memos that you issue?
    Mr. DeRusha. Yes, well, it's a core role of both, and, you 
know, again, with the dual-hat role, what's great is that we're 
really doing that together as a team. We analyze every agency 
submission. We do data calls to ensure that those investments 
that they're proposing align to our priorities.
    We actually can put and tag numbers now on Zero Trust 
investments, because we're saying, all the way from the 
capability, down to the tool set, the service, the contracts 
being let, human resources being put behind it, we're mapping 
all of that to ensure that the money being requested is really 
being spent on the right thing.
    Then we're--the second role is advocacy. You know, the 
resource management officer of an OMB is a tough job, 
especially in a year like this. They're trying to balance out a 
lot of priorities, and when we're working collectively using 
data, as I talked about before, just data-driven advocacy, to 
ensure that cyber budgets remain high.
    Mr. Garbarino. One more question.
    You both are responsible for two different aspects of 
Federal cybersecurity. CISA is the operational lead for Federal 
cybersecurity. OMB is responsible for overseeing compliance and 
requirements.
    Mr. DeRusha, you now wear two hats between your OMB and 
ONCD role. A recent CISA report entitled ``CISA's Evolving .gov 
Mission'' highlighted the concern that Federal cyber governance 
organization and bureaucracy would negatively impact our cyber 
posture.
    Considering this, how do you distinguish between your two 
roles at OMB and ONCD; how much overlap is there between the 
two, and what is the benefit of having one single person fill 
both of these roles as opposed to consolidating into one 
entity?
    Mr. DeRusha. Well, look, I mean, I think what a future 
confirmed national cyber director does, you know, will be very 
important to answer that question. I'd say, for the past 2 
years, it's worked quite well.
    As you mentioned, ONCD was stood up and has some 
overlapping authorities with OMB, and the way we answered the 
question in the interim is, we fused, and it has worked really 
well and, I would say, has brought benefits that we really 
couldn't even anticipate at the time.
    You know, I sit in the leadership meetings every day of 
both organizations and can kind-of translate back-and-forth 
priorities, be a bridge between organizations just naturally, 
and to also really understand everything that ONCD is doing to, 
you know, implement the National Strategy and get success 
across the Nation and internationally, and bring those best 
practices, lessons learned, into the OMB side.
    So, you know, it's possible one day someone will say, 
``Hey, there's a better model'', but, you know, currently I 
don't see one. This is working pretty well.
    Mr. Garbarino. Thank you very much. I had a second one for 
Mr. Goldstein, but I'm out of time, so I'll now yield to my--
I'll send it to you so you can answer in writing.
    Mr. Swalwell. I'll yield----
    Mr. Garbarino. No, no, no, it's all good, it's good.
    I now yield to the Ranking Member, Mr. Swalwell, for 5 
minutes for his second round.
    Mr. Swalwell. Thanks.
    Mr. Goldstein, I had asked Mr. DeRusha about AI, and I just 
wanted to give you the opportunity to answer. How does CISA 
plan to utilize AI to improve its cybersecurity defense?
    Mr. Goldstein. Yes, sir. Thank you. Although we are, of 
course, focused on managing the risks of AI, particularly as it 
applies to Federal agencies and critical infrastructure, as a 
cybersecurity agency, we are also really bullish on the 
benefits that it can provide.
    So we are certainly working within CISA and working with 
appropriate prudence, given the very valid security trust and 
safety risks that AI systems may have, to make sure that we are 
benefiting from that work as well. So certainly as we develop 
advanced analytics that detect adversary activity, as we work 
to detect vulnerabilities more at scale, we will certainly be 
working to benefit from the latest advances in AI.
    In addition, we want to make sure that our operators, our 
analysts, can leverage AI tools so that they can do less of the 
work that machines can do, and more of the work that only 
humans can do.
    So we are urgently embarking on that road, even while doing 
it with all due prudence.
    Mr. Swalwell. Mr. DeRusha, this year's breach of multiple 
high-ranking Government officials' emails highlighted that a 
single vulnerability in a software vendor could create risks 
across the Federal enterprise.
    What are you doing to make sure that we're not overly 
reliant on a small number of software vendors, and what more 
can we do to ensure that one critical vulnerability in a single 
vendor's software does not create risk across the entire board 
of Federal Government networks?
    Mr. DeRusha. Yes, Congressman, so the way I would describe 
what you're laying out is concentration risk. It's something 
that we talk about quite often and something we take very 
seriously.
    One direct action that we're taking, again, as I mentioned, 
the Cyber Safety Review Board, of which both Eric and I are 
board members--we're taking this on, and we're going to really 
look at how back-end authentication and identity management are 
occurring at these large cloud-service providers.
    That breach occurred at one, and there are many others 
we're not going to single out. We're going to look at this as 
what it was. It is a broad risk held by many. We're going to 
really ask hard questions of, is there anything else that we 
need to be doing, is there any other support that they need 
from us, and we're going to ensure that we interrogate that.
    Mr. Swalwell. Great. I don't have any further questions. 
Again, I just want to thank you all for engaging with us. I 
agree with the Chairman that a CR also is a nightmare, that you 
all need long-term certainty in planning, because the threat 
actors, they don't operate by CR, and they need us, you know, 
to be well-thought-out and prepared as we meet the threat 
environment. I'll yield back.
    Mr. Garbarino. I thank the gentleman. Yields back.
    I thank you all for your valuable testimony, especially on 
a dense topic like this--you made it very exciting--and for the 
Members, who have all left me, for their questions.
    The Members of the subcommittee may have some additional 
questions for the witnesses, and we would ask the witnesses to 
respond to these in writing. Pursuant to committee rule VII(D), 
the hearing record will be open for 7 days.
    Without objection, this subcommittee stands adjourned.
    [Whereupon, at 4:10 p.m., the subcommittee was adjourned.]



                            A P P E N D I X

                              ----------                              

     Questions From Chairman Andrew R. Garbarino for Eric Goldstein 
     
    Question 1a. The President's Fiscal Year 2024 Budget Request 
outlined CISA's transition from the legacy National Cybersecurity 
Protection System (NCPS), which includes the capability known as 
EINSTEIN, to the new Joint Collaborative Environment (JCE) and the 
Cyber Analytics and Data System (CADS). While we understand CISA is 
currently undertaking this transition, there is a concern about the 
lack of clarity about how these programs will work and how they will be 
funded through the transition.
    What is your time line for CADS implementation? Are you on track to 
meet your time line's goals?
    Question 1b. What is your time line for JCE implementation? Are you 
on track to meet your time line's goals?
    Question 1c. How much money do you need to build out the JCE and 
CADS in the out-years?
    Answer. Response was not received at the time of publication.
    Question 2a. What efforts is the Federal Government undertaking to 
prepare for quantum computing?
    Are Federal agencies making sufficient progress in the migration of 
post-quantum readiness?
    Question 2b. What is CISA doing to aid this transition?
    Answer. Response was not received at the time of publication.
    Question 3. Threat actors are increasingly targeting mobile 
devices, like smartphones, and they're using increasingly sophisticated 
methods to do so.
    What actions are under way to protect Federal mobile devices from 
attack?
    Answer. Response was not received at the time of publication.
    Question 4. How does CISA help agencies comply with reporting the 
full inventory of assets on their network as required by BOD 23-01?
    Answer. Response was not received at the time of publication.
     Questions From Ranking Member Eric Swalwell for Eric Goldstein
    Question 1. On October 3, the FAR Council issued a proposed rule 
that would require Federal contractors to develop and maintain a 
software bill of materials (SBOM) for ``each piece of computer software 
used in the performance of a contract.'' SBOMs have the potential to 
expedite cyber incident response and make mitigation more efficient, 
but only if agencies are positioned to action SBOM information 
effectively.
    What efforts are under way to ensure that Federal agencies are able 
to make use of SBOM information once they begin receiving it?
    Answer. Response was not received at the time of publication.
    Question 2. As part of the implementation of Executive Order 14028, 
software vendors will need to self-attest their compliance with new 
secure software development requirements. Earlier this year, CISA 
released a draft self-attestation form and OMB established time lines 
for agencies to collect self-attestations.
    How is CISA incorporating feedback from industry to ensure that the 
self-attestation form's instructions and requirements are clear and 
accessible for vendors, large and small?
    Answer. Response was not received at the time of publication.
    Question 3. In response to the breach of several high-ranking 
Government officials' emails earlier this year, CISA and Microsoft 
announced that Microsoft would provide additional logging information 
to customers at no additional cost. I am pleased to see that Federal 
agencies will have access to more logging information as this kind of 
security is not a luxury but instead the kind of security-by-default 
all software customers need.
    How do you expect increased access to Microsoft logging will 
improve the security of Federal agency networks?
    Answer. Response was not received at the time of publication.
    Question 4. CISA is proposing to establish the new Cyber Analytics 
and Data System to improve its ability to integrate and analyze the 
data it receives. As we engage in oversight of this new program, it is 
important to understand how investments in CADS will be an improvement 
over existing efforts.
    How is CADS different from CISA's existing programs to integrate 
and analyze data? What is your time line for implementation?
    Answer. Response was not received at the time of publication.
    Question 5. A major goal of the CADS program is to have increased 
automation in the intake and analysis of the data CISA receives. 
Considering the constantly-evolving cyber threats our Nation faces, 
improving automation will be essential to staying ahead of our 
adversaries.
    What tools and capabilities are you seeking to have as part of CADS 
and what new technology acquisitions will be necessary to implement the 
program? What do you anticipate being the relationship between CADS and 
the technologies CISA currently acquires through CDM?
    Answer. Response was not received at the time of publication. 
    
 Questions From Chairman Andrew R. Garbarino for Christopher J. DeRusha 
 
    Question 1a. The timely and accurate reporting of cyber-centric 
Federal Information Security Modernization Act (FISMA) metrics provides 
valuable data points for the Office of Management and Budget (OMB), 
Office of the National Cyber Director (ONCD), the Cybersecurity and 
Infrastructure Security Agency (CISA) and Congress to analyze the 
overall cybersecurity health of Federal agencies.
    What metrics do you think are most important when it comes to 
evaluating the security of Federal networks? Does OMB give guidance to 
agencies on how to prioritize these metrics?
    Answer. OMB works with agency chief information officers (CIOs) and 
chief information security officers (CISOs), as well as CISA, to ensure 
that agency metrics align with critical security outcomes. To that end, 
in 2022, OMB established a FISMA Metrics Subcommittee under the CISO 
Council tasked with automating and refining metrics to make them clear 
and actionable for agencies.
    While OMB does not directly instruct agencies to prioritize 
specific metrics, this administration has put significant emphasis on 
completion of the cybersecurity practices outlined and required in 
Executive Order (EO) 14028, Improving the Nation's Cybersecurity, as 
well as the subsequent Federal Zero Trust Strategy (M-22-09).
    As a result, the Executive Office of the President continues to 
hold an on-going dialog with agencies on their adoption of multifactor 
authentication, encryption of data, the deployment of Endpoint 
Detection and Response (EDR) solutions, and several other key metrics.
    Question 1b. How confident are you in the FISMA metrics data 
reported by agencies?
    Answer. OMB collects hundreds of key data points from agencies 
through the FISMA CIO metrics.\1\ We expect agencies to thoroughly 
review and assess their data for accuracy. Upon submission, OMB and 
CISA analyze agency data to identify anomalies that may indicate an 
error or misunderstanding of the metrics, and then work with agencies 
as needed to affirm or correct the data in question. That said, we are 
committed to continuous improvement, and consistently review and refine 
metrics to ensure accuracy and relevance.
---------------------------------------------------------------------------
    \1\ Fiscal year CIO FISMA Metrics v 1.0 (cisa.gov).
---------------------------------------------------------------------------
    We continue to improve FISMA metrics each year by refining and 
updating metrics and working toward automated reporting wherever 
possible. Automating metrics provides more consistent data across the 
interagency, creating clear comparisons while reducing agency time 
spent on collecting and reporting data. We also engage with agency 
experts and CISA to refine the metrics annually based on lessons 
learned.
    Question 1c. How is the administration leveraging this data to 
prioritize investments and drive meaningful cybersecurity improvements?
    Answer. To accelerate progress in shifting to a zero-trust posture 
and improving security across the Federal Government, we will continue 
to align resources to these priorities. By continuously analyzing 
quarterly FISMA metrics and engaging agencies, OMB and ONCD have made 
meaningful steps to utilize agency cyber data to inform resource 
decisions throughout the annual budget process.
    The fiscal year 2024 Cybersecurity Priorities Memo (M-22-16) was a 
first-of-its-kind document, jointly developed by OMB and ONCD, that 
outlined the administration's cross-agency cyber investment priorities 
for formulating fiscal year 2024 budget submissions to OMB. The fiscal 
year 2025 Cybersecurity Priorities Memo (M-23-18) built on this 
foundation with an investment focus on durable, long-term solutions 
that are secure by design. By providing agencies with clear guidance on 
key areas to be resourced--and utilizing FISMA metrics as a means to 
contextualize budget requests and areas requiring particular emphasis--
OMB is able to make targeted investments to drive specific security 
outcomes that maximize risk reduction and make efficient use of 
funding.
    Question 2. Metrics around mean-time-to-detect and mean-time-to-
respond to cyber incidents provide a clear and transparent way to judge 
the effectiveness of our network defenses and justify the significant 
amount of money requested each year for Federal cybersecurity and IT 
modernization investments.
    What is the average mean-time-to-detect and mean-time-to-respond to 
cyber attacks for Federal agencies? Do certain agencies struggle more 
than others to improve them? If so, what are the challenges?
    Answer. Metrics around incident response time provide key insights 
into the effectiveness of our network defenses, and we generally seek 
to benchmark the Federal Government's responsiveness against industry 
averages. OMB has partnered with CISA and agencies to improve metrics 
on incident responsiveness, refining expectations regarding agency 
measurement, and working toward automation to improve data accuracy.
    Currently agency self-reported data around mean-time-to-detect and 
mean-time-to-respond to cyber incidents fluctuates greatly from agency-
to-agency, and therefore, the mean is not necessarily the best 
indicator of Government-wide responsiveness. Federal agencies vary in 
terms of the organization and maturity of Security Operation Centers 
(SOCs) that manage the detection and response to incidents, the risk 
and threat profile that agencies face, and the resources available for 
cybersecurity. These are just a few of the factors that contribute to 
the differences in response time to cybersecurity incidents.
    Question 3. The May 2021 Executive Order required Federal agencies 
to implement Endpoint Detection and Response (EDR) solutions to better 
protect the Federal Civilian Executive branch (FCEB) from cyber 
attacks. This requirement is overseen and funded through CISA's 
Continuous Diagnostics and Mitigation (CDM) program for up to 2 years, 
then each agency must pick up the funding for it.
    Do OMB and ONCD have the authority to clarify funding 
responsibilities and expectations for programs like CDM and EDR at 
individual FCEB agencies? Or is this a problem CISA must solve?
    Answer. The CDM and EDR programs are critical for tracking risk 
across the Federal enterprise. OMB and ONCD work with CISA to help 
prioritize deployment, and ensure the appropriate level of funding is 
requested through the President's budget. Additionally, through annual 
FISMA guidance, OMB outlines requirements for agencies to allocate 
resources for the CDM program.\2\ Specifically, CFO Act agencies are 
responsible for covering the operations and maintenance costs of their 
CDM-related tools and capabilities. FISMA guidance also calls on all 
agencies to work with OMB to build CDM requirements into outyear budget 
plans. OMB collaborates on these requirements with CISA in drafting the 
policy. In the case of EDR, OMB is working with CISA to help prioritize 
deployment and move agencies to enterprise-wide platforms that unify 
visibility across all components, which enables more rapid detection of 
and coordinated response to threats.
---------------------------------------------------------------------------
    \2\ M-23-03-FY23FISMA-Guidance-2.pdf (whitehouse.gov).
---------------------------------------------------------------------------
    Question 4a. In October 2021, OMB issued a memo on ``Improving 
Detection of Cybersecurity Vulnerabilities and Incidents on Federal 
Government Systems through Endpoint Detection and Response'' which 
required Federal agencies to work with CISA to identify EDR 
capabilities and gaps. OMB later issued a Federal Zero Trust Strategy 
in January 2022, which required all Federal agencies to implement EDR 
by 2024.
    What is the status of implementation of this directive?
    Answer. We are seeing wide-spread deployment of EDR capabilities 
across the Federal enterprise since the issuance of OMB's policy 
outlining requirements in using EDR.
    Question 4b. How many agencies have implemented it?
    Answer. As of the end of fiscal year 2023, 60 Federal agencies 
reported having 80 percent or more of their endpoints covered by EDR.
    Question 4c. If agencies haven't implemented it, what are the main 
challenges in doing so?
    Answer. We are actively working with CISA and agencies that have 
not fully deployed EDR across their environment. There are minimal 
barriers to deploy EDR across the vast majority of Federal devices with 
the support available to agencies through CISA. However, agencies may 
have systems that are not able to implement EDR, including certain 
research environments, operational technology, internet of things 
devices, and other unique instances.
    As CISA continues to expand its Continuous Diagnostics and 
Mitigation (CDM) program to encompass more of these devices that may 
not be able to leverage EDR, we are increasingly ensuring a 
comprehensive protective suite providing visibility and defense across 
agencies.
    Question 5. Can you please provide an update on the status of 
planned requirements for software vendors to submit security 
attestations for their products when selling to the Federal Government?
    Can you provide an update on the timing for implementation, and any 
new developments on how these requirements will be implemented?
    Answer. Ensuring software integrity is key to protecting Federal 
systems from threats and vulnerabilities and reducing overall risk from 
cyber attacks. In September 2022, OMB released M-22-18, which outlines 
a series of actions that will give the Federal Government confidence 
that the software we use is, indeed, securely designed.
    Throughout the process, we have worked with experts--both within 
Government and beyond--to hold public workshops to discuss best 
practices for implementing the National Institute of Standards and 
Technology's Secure Software Development Framework (SSDF), engage with 
industry groups, and solicit public comment on approaches for attesting 
to secure software development practices.
    Based on public engagement efforts, OMB released M-23-16 in June 
2023; this guidance reaffirmed the importance of secure software 
development practices and provided additional clarity for agencies and 
industry to ensure a smooth and effective process.
    OMB worked with CISA on finalizing a common form for these 
attestations to ensure a common approach, and--on November 16, 2023--
published a 30-day notice in the Federal Register. Once published, this 
will allow industry to sign an attestation one time, with the potential 
to be used many times by agencies across the Federal Government. 
Additionally, OMB is collaborating with CISA on the development of a 
central repository that will not only allow software producers and 
agencies to efficiently share these attestations, but provide our 
Federal cyber defenders additional visibility when determining cyber 
risk.
    An additional step in the process will involve the Federal 
Acquisition Regulatory (FAR) Council issuing a proposed rule to 
implement the self-attestation form in contracts. The intent is to 
ensure software leveraged by Federal agencies is developed with 
underlying secure software development practices in place. Over time, 
our hope is that utilization of the SSDF begins to become commonplace 
for the industry. 

 Questions From Ranking Member Eric Swalwell for Christopher J. DeRusha 
 
    Question 1. On October 3, the FAR Council issued a proposed rule 
that would require Federal contractors to develop and maintain a 
software bill of materials (SBOM) for ``each piece of computer software 
used in the performance of a contract.'' SBOMs have the potential to 
expedite cyber incident response and make mitigation more efficient, 
but only if agencies are positioned to action SBOM information 
effectively.
    What efforts are under way to ensure that Federal agencies are able 
to make use of SBOM information once they begin receiving it?
    Answer. The FAR Council proposed rule requires contractors to 
provide these SBOMs upon request. These tools are new to both industry 
and Government, and the use of them will mature over time. That said, 
CISA is leading the way in ensuring agencies and their partners are 
collaborating to build best practices around their development and use.
    Experts from the security field are creating best practices and 
ensuring there is a clear path for maturation. More information on 
these efforts can be found at cisa.gov/sbom.
    Question 2. As part of the implementation of Executive Order 14028, 
software vendors will need to self-attest their compliance with new 
secure software development requirements. Earlier this year, CISA 
released a draft self-attestation form and OMB established time lines 
for agencies to collect self-attestations.
    Is OMB considering additional guidance to Federal agencies on when 
to impose additional requirements beyond what is provided for in the 
self-attestation form in order to maximize consistency across the 
Federal Civilian Executive branch?
    Answer. OMB has engaged with both Federal agencies and software 
producers to ensure a productive and seamless rollout of the 
attestation process over the past 2 years. Additionally, OMB 
continuously reviews its policies and guidance to determine if agencies 
would benefit from additional guidance in the implementation of EO 
14028 requirements.
    Question 3. Over the course of the Republican Speaker fight, we 
have heard proposals for a long-term continuing resolution, which would 
lock in last year's budget and prevent starting new programs. The 
President's budget request proposed a 13 percent increase in civilian 
cybersecurity funding, yet with a long-term CR, Federal agencies would 
lack these critical resources.
    How would a long-term CR inhibit Federal agencies' ability to 
improve their cyber defenses?
    Answer. Investing in modern cybersecurity practices at Federal 
agencies is paramount to the successful implementation of the Executive 
Order on Improving the Nation's Cybersecurity. Agency CIOs frequently 
voice high implementation costs as one of the biggest barriers in 
implementing advanced cybersecurity measures such as multifactor 
authentication and logging. The fiscal year 2024 President's Budget 
reflected a critical increase to cybersecurity funding for many Federal 
agencies. We encourage Congress to appropriate resources to address 
critical cybersecurity needs.
    Question 4. Thanks to President Biden's Executive Order 14028 and 
American Rescue Plan Act funding, Federal agencies have enhanced their 
cybersecurity through the deployment of Endpoint Detection and Response 
technology, bringing Federal agencies in line with private-sector best 
practices. In January 2022, as part of its Zero Trust Strategy, OMB 
directed all Federal agencies to implement EDR by 2024.
    What is the status of EDR deployment across Federal agencies? What 
is OMB doing to ensure all agencies are in compliance? Has there been 
any consideration to changing the funding structure so that agencies 
are not on the hook for funding EDR systems going forward and instead 
providing EDR as a shared service operated by CISA?
    Answer. As of the end of fiscal year 2023, 60 Federal agencies 
reported having 80 percent or more of their endpoints covered by EDR. 
OMB is working with CISA to help prioritize EDR implementation and move 
agencies to enterprise-wide platforms that unify visibility across all 
components and enable more rapid future capability enhancement.
    Question 5. In response to the breach of several high-ranking 
Government officials' emails earlier this year, CISA and Microsoft 
announced that Microsoft would provide additional logging information 
to customers at no additional cost. I am pleased to see that Federal 
agencies will have access to more logging information as this kind of 
security is not a luxury but instead the kind of security-by-default 
all software customers need.
    Microsoft indicated that it would begin deploying enhanced logging 
in September. Can you update the subcommittee on the status of 
implementation at Federal agencies? How are you ensuring that Federal 
agencies are prepared to utilize access to this additional information?
    Answer. Adding logging into the suite of Microsoft products already 
procured by the Federal Government--and many private entities--enhances 
and creates consistent visibility during cybersecurity incidents and 
reduces our cybersecurity risk. Following their work with Microsoft to 
identify key logging activities to include in their offerings, CISA, 
with support from OMB and ONCD, is working directly with agencies to 
conduct a phased roll-out of additional logging capabilities.
    In addition, CISA is engaging with agencies to identify proven 
practices and lessons learned, so that all agencies can benefit from 
enhanced capabilities and additional information as the deployment 
process progresses.
    Question 6. National Security Memorandum-10, on Promoting United 
States Leadership in Quantum Computing While Mitigating Risks to 
Vulnerable Cryptographic Systems, directed OMB and ONCD to ``establish 
requirements for inventorying all currently deployed cryptographic 
systems'' to enable a prioritized transition to quantum-resistant 
cryptography. Federal agencies were then charged to create an inventory 
and submit it to ONCD and CISA. The first submissions were due in the 
spring, and must be submitted annually thereafter.
    How is ONCD working with agencies to improve the quality of agency 
inventories to ensure the Federal Government is on track to mitigate 
quantum risk and achieve the goals set out in NSM-10?
    Answer. Per NSM-10, to mitigate quantum risk, Federal departments 
and agencies were instructed to inventory their cryptographic systems 
within their High-Value Assets, high-impact information systems, and 
any other system that an agency determines is likely to be particularly 
vulnerable to a Cryptanalytically Relevant Quantum Computer. Agencies 
provided their submissions over the summer of 2023. Since that time, 
ONCD, in collaboration with OMB and CISA, evaluated the inventory 
submissions and engaged agencies to provide technical assistance to 
improve the data quality and information submitted. OMB, in 
coordination with ONCD and in collaboration with CISA, will provide to 
Congress a report on this inventory in 2024. This report will include: 
a strategy to address the risk posed by the vulnerabilities of 
information technology of agencies to weakened encryption due to the 
potential and possible capability of a quantum computer to breach that 
encryption; an estimate of the amount of funding needed by agencies to 
secure the information technology from the risk posed by an adversary 
of the United States using a quantum computer to breach the encryption 
of the information technology; and a description of Federal Civilian 
Executive branch coordination efforts led by NIST, including time 
lines, to develop standards for post-quantum cryptography.

                                 [all]