WEBVTT 00:00.330 --> 00:02.497 Thank you , Vice Admiral Whitworth and 00:02.497 --> 00:04.719 Mr Casa for that wonderful discussion . 00:04.719 --> 00:06.941 Next , we'll have a cio panel featuring 00:06.941 --> 00:08.941 the chief information officers from 00:08.941 --> 00:11.052 across the intelligence community and 00:11.052 --> 00:13.219 Department of Defense . The panel will 00:13.219 --> 00:15.108 be moderated by the acting Deputy 00:15.108 --> 00:16.719 Intelligence Community chief 00:16.719 --> 00:18.552 Information Officer , Mr Michael 00:18.552 --> 00:20.719 Castelli . Please welcome the panel to 00:20.719 --> 00:21.719 the stage . 00:52.819 --> 00:54.986 Good morning . Thank you , Captain for 00:54.986 --> 00:57.152 the introduction and thank you all for 00:57.152 --> 00:59.319 joining us this early in the morning . 00:59.319 --> 00:59.279 As you can see , we have a really great 00:59.290 --> 01:02.680 panel here today . Um So we're gonna um 01:03.139 --> 01:05.083 it's an honor to be here . It's an 01:05.083 --> 01:07.250 honor to be with these folks . Um It's 01:07.250 --> 01:09.472 an honor to be with all of our partners 01:09.472 --> 01:11.472 from across the IC dod and the five 01:11.472 --> 01:13.639 eyes and of course , the public sector 01:13.639 --> 01:15.583 um with this panel , I think we're 01:15.583 --> 01:17.750 gonna get a broad perspective of their 01:17.750 --> 01:19.917 thoughts on a few different things and 01:19.917 --> 01:22.028 we'll kind of reach them back to what 01:22.028 --> 01:21.889 things you heard yesterday and , and 01:21.900 --> 01:24.122 the admiral said this morning , right ? 01:24.122 --> 01:26.122 For instance , how does the IC work 01:26.122 --> 01:28.233 with the private sector ? I'm sorry , 01:28.233 --> 01:30.456 with um state and local authorities for 01:30.456 --> 01:32.511 national disasters , right ? And how 01:32.511 --> 01:34.567 does that relate to the mission . 
Um 01:34.567 --> 01:36.844 How do we secure the it infrastructure ? 01:36.844 --> 01:38.956 Right ? As , as , as um , the senator 01:38.956 --> 01:40.844 mentioned yesterday , we're under 01:40.844 --> 01:42.844 constant threat . So how do we work 01:42.844 --> 01:45.011 towards , you know , um combating that 01:45.011 --> 01:45.010 threat ? And then , um things that 01:45.019 --> 01:47.075 Doctor Merritt mentioned yesterday , 01:47.075 --> 01:49.241 how do we ensure that the workforce is 01:49.241 --> 01:51.352 prepared and positioned to succeed as 01:51.352 --> 01:53.408 we move forward ? So , before we get 01:53.408 --> 01:55.519 started with the questions , I'm just 01:55.519 --> 01:55.440 gonna ask the panel if they would just 01:55.449 --> 01:57.449 introduce themselves and what their 01:57.449 --> 01:59.671 position is . Uh and which organization 01:59.671 --> 01:59.610 they're in this way ? When they're 01:59.620 --> 02:01.676 speaking , we know we can understand 02:01.676 --> 02:03.731 their perspective . Doug Doug Casa , 02:03.731 --> 02:07.330 Dia Cio , I Mark Shale NGA Cio , 02:07.599 --> 02:10.630 Sue do OD and I Cio uh Ryan Klotz , the 02:10.639 --> 02:13.320 Deputy Cio at CIA Jennifer Crone from 02:13.330 --> 02:15.330 NSA . I'm here under a bit of false 02:15.330 --> 02:17.552 pretenses . I was originally invited to 02:17.552 --> 02:19.663 be on the panel when I was the deputy 02:19.663 --> 02:21.830 Cio at NSA . But I've since moved over 02:21.830 --> 02:24.052 to the CFO side . Uh Good morning , Ben 02:24.052 --> 02:26.163 Davis , the Cio for Treasury's Office 02:26.163 --> 02:28.163 of Intelligence and Analysis . Good 02:28.163 --> 02:30.219 morning to Roger Greenwell . I'm the 02:30.219 --> 02:32.163 CIO for Duo . So good morning . 
So 02:32.163 --> 02:33.886 Jimmy Hall and the CIO for the 02:33.886 --> 02:35.941 Intelligence and Research Bureau and 02:35.941 --> 02:37.997 State Department plus uh Director of 02:37.997 --> 02:40.108 Technology and Innovation . So as you 02:40.108 --> 02:42.219 can see , we have a broad perspective 02:42.219 --> 02:44.330 from Dod the IC . Uh So this would be 02:44.330 --> 02:46.497 great . I'm really looking forward and 02:46.497 --> 02:46.259 even now a little bit of the CFO so may 02:46.270 --> 02:48.492 maybe we hear how , how many plays into 02:48.492 --> 02:50.659 things . So this morning , the , the , 02:50.659 --> 02:52.770 the admiral and yesterday , Brigadier 02:52.770 --> 02:55.740 Mc mc Baron mentioned um how the 02:55.750 --> 02:57.583 intelligence community , how the 02:57.583 --> 02:59.528 infrastructure , how the community 02:59.528 --> 03:01.639 respon helps the state and locals and 03:01.639 --> 03:03.806 their national and responsive national 03:03.806 --> 03:06.979 natural disasters . Um So that got me 03:06.990 --> 03:09.046 thinking right . Similarly , we have 03:09.046 --> 03:11.101 the same issues here and the admiral 03:11.101 --> 03:13.157 made it very clear , right ? We have 03:13.157 --> 03:15.323 nat natural disasters here . Um recent 03:15.323 --> 03:17.546 hurricanes , forest fires in the past . 03:17.546 --> 03:19.601 So um I'd like to start with uh Mark 03:19.601 --> 03:21.639 and Doug . Um how is it that your 03:21.649 --> 03:23.816 agencies help support that , that kind 03:23.816 --> 03:25.816 of response as it from the national 03:25.816 --> 03:27.871 security perspective and , and , and 03:27.871 --> 03:29.427 working with , with your uh 03:29.427 --> 03:31.850 organizations ? What ? Absolutely thank 03:31.860 --> 03:33.804 you for the question , Michael . I 03:33.804 --> 03:35.804 appreciate it . 
Um NGA has a unique 03:35.804 --> 03:38.027 position when requested and when tasked 03:38.027 --> 03:40.139 as our admiral mentioned , uh we 03:40.149 --> 03:42.830 respond , we help out FEMA associated 03:42.839 --> 03:45.690 with responding to any kind of natural 03:45.699 --> 03:47.699 disasters uh pretty much around the 03:47.699 --> 03:50.399 world , uh NGS products such as our IC 03:50.410 --> 03:52.299 or our intelligence community GIS 03:52.299 --> 03:54.243 portal , as well as our map of the 03:54.243 --> 03:55.910 world are highly effective in 03:55.910 --> 03:58.077 supporting disaster relief and pushing 03:58.077 --> 04:00.149 that information as requested out to 04:00.160 --> 04:02.104 the furthest reaches within the um 04:02.110 --> 04:04.429 within the United States , with FEMA 04:04.440 --> 04:06.607 and any other organization , state and 04:06.607 --> 04:08.718 local governments that are requesting 04:08.718 --> 04:11.020 the information . The IC GIS report 04:11.259 --> 04:13.315 portal actually provides a hurricane 04:13.315 --> 04:15.509 tracker that uh first responders can 04:15.520 --> 04:17.631 use to understand where the hurricane 04:17.631 --> 04:19.742 is going to come into . It's a little 04:19.742 --> 04:21.798 bit more , much higher fidelity than 04:21.798 --> 04:24.020 the one you actually see on accuweather 04:24.020 --> 04:26.242 or on some of the newscasts so that the 04:26.242 --> 04:28.298 first responders can actually target 04:28.298 --> 04:30.242 exactly where to respond . We also 04:30.242 --> 04:32.720 manage , uh T , uh T levels and things 04:32.730 --> 04:35.519 like that so that the first responders 04:35.529 --> 04:37.418 can know where those T surges are 04:37.418 --> 04:39.529 actually going to happen . 
Uh Again , 04:39.529 --> 04:41.307 map of the world helps disaster 04:41.307 --> 04:43.829 responders create custom maps that they 04:43.839 --> 04:46.260 can actually use to , to generate where 04:46.269 --> 04:48.380 they're going to be going to actually 04:48.380 --> 04:50.269 do search and rescue and to do uh 04:50.269 --> 04:52.325 response and uh disaster clean up as 04:52.325 --> 04:55.190 well . Um For Hurricane Helene as well 04:55.200 --> 04:57.311 as Hurricane Milton , NGA worked very 04:57.311 --> 05:00.019 closely with uh FEMA and uh as well as 05:00.029 --> 05:01.807 local authorities to be able to 05:01.807 --> 05:04.339 understand uh where people are . Uh 05:04.359 --> 05:06.303 again , uh Admiral Whitworth ca uh 05:06.303 --> 05:08.500 captured it very well . We actually 05:08.510 --> 05:12.309 actually provided some um uh unmanned 05:12.320 --> 05:14.320 aerial vehicles to actually go into 05:14.320 --> 05:16.487 these areas at FEMA's request in order 05:16.487 --> 05:18.264 to be able to go where no first 05:18.264 --> 05:20.320 responder could go to determine . Is 05:20.320 --> 05:22.376 there somebody in that car that fell 05:22.376 --> 05:24.598 down that cliff ? Is a bridge out ? Can 05:24.598 --> 05:26.598 we actually reach these points ? So 05:26.598 --> 05:28.598 those are some of the ways that NGA 05:28.598 --> 05:30.709 responds to some of those disasters . 05:30.709 --> 05:32.764 Uh And then they answer the question 05:32.764 --> 05:34.820 from a DIA perspective really in two 05:34.820 --> 05:36.820 ways . One of course , is through 05:36.820 --> 05:38.542 JWICS . So providing top secret 05:38.542 --> 05:38.279 connectivity under any scenario , 05:38.290 --> 05:41.609 whether that um is natural disasters or 05:41.619 --> 05:43.675 anything else . 
Uh And , and I think 05:43.675 --> 05:45.508 the most recent hurricane was an 05:45.508 --> 05:47.619 example of that of the COOP functions 05:47.619 --> 05:49.730 that we had the support of relocating 05:49.730 --> 05:51.675 intelligence operation centers and 05:51.675 --> 05:53.897 continue to provide that connectivity . 05:53.897 --> 05:53.579 The second way is actually in 05:53.589 --> 05:55.645 partnership with NGA . So we jointly 05:55.645 --> 05:57.811 run the common operating environment . 05:57.811 --> 05:59.756 And so it's not just providing the 05:59.756 --> 06:01.645 network comms , it's providing the 06:01.645 --> 06:03.867 desktop environment that users log into 06:03.867 --> 06:06.089 to do their day to day jobs . So that's 06:06.089 --> 06:08.422 voice video and then data and operating . 06:08.422 --> 06:10.920 That common operating function uh is 06:10.929 --> 06:13.040 something that we do in partnership , 06:13.040 --> 06:15.040 but also a requirement for any COOP 06:15.040 --> 06:17.040 scenario that we support across the 06:17.040 --> 06:19.207 combatant commands or any other senior 06:19.207 --> 06:21.207 leader um through flyway kits as an 06:21.207 --> 06:23.318 example that we support across the IC 06:23.318 --> 06:25.540 and DoD . Great . Thank you very much . 06:25.540 --> 06:27.651 Um I'm going to now shift to a little 06:27.651 --> 06:29.707 bit more of a traditional role of um 06:29.707 --> 06:32.119 how the CIOs work with their partners , 06:32.309 --> 06:34.531 the CIOs for instance , with regard to 06:34.531 --> 06:36.640 cybersecurity . 
Um I'm going to uh 06:36.660 --> 06:38.827 direct the question to Doug and Mark , 06:38.827 --> 06:40.993 but of course , with this question and 06:40.993 --> 06:42.771 all others , I generally invite 06:42.771 --> 06:44.882 everyone to just kind of chime in and 06:44.882 --> 06:44.489 you know , can riff off each other and 06:44.500 --> 06:46.222 make it a little bit more of a 06:46.222 --> 06:48.222 conversation , I think . Um So , so 06:48.222 --> 06:50.989 Doug and , and Mark um where do you see 06:51.000 --> 06:53.230 the IC and DoD uh working to add 06:53.239 --> 06:55.072 address , uh working together to 06:55.072 --> 06:57.128 address this constant cyber security 06:57.128 --> 06:59.350 threat . Right . It's , it's constant . 06:59.350 --> 07:01.683 So how are you doing , working together ? 07:01.683 --> 07:03.906 So I'll just start with that two ways . 07:03.906 --> 07:06.128 One , in partnership with ODNI , we 07:06.128 --> 07:08.350 run the Security Coordinations Center . 07:08.350 --> 07:10.017 So the SCC is responsible for 07:10.017 --> 07:12.183 communicating cyber threats , but then 07:12.183 --> 07:14.239 also the patching and the migrations 07:14.239 --> 07:16.350 towards those cyber threats . So that 07:16.350 --> 07:18.461 is one certainly big area where we're 07:18.461 --> 07:18.380 helping integrate the community . The 07:18.390 --> 07:21.250 second uh which is what we recently 07:21.260 --> 07:23.538 stood up over the past couple of years . 07:23.538 --> 07:25.649 As part of JWICS's modernization are 07:25.649 --> 07:27.816 cyber security inspections and this is 07:27.816 --> 07:29.927 a partnership with DoD , specifically 07:29.927 --> 07:32.038 JFHQ-DODIN . 
Um But then also other 07:32.038 --> 07:34.739 IC elements such as NSA um to where we 07:34.750 --> 07:36.970 look at the health of the cyber 07:36.980 --> 07:39.147 security environment that agencies are 07:39.147 --> 07:41.250 connecting to JWICS that goes through 07:41.260 --> 07:43.540 everything from uh as deep as red 07:43.549 --> 07:46.119 teaming to looking at just the current 07:46.130 --> 07:48.929 state of infrastructure of end of life , 07:48.940 --> 07:51.162 whether it's patched and STIG et cetera 07:51.162 --> 07:53.739 and providing a risk assessment based 07:53.750 --> 07:55.583 on those findings . And then the 07:55.583 --> 07:57.809 opportunity to identify what are the 07:57.820 --> 07:59.931 advancements we need to make in cyber 07:59.931 --> 08:02.153 security health that's done directly in 08:02.153 --> 08:04.880 partnership with DoD uh through DoD CIO 08:04.890 --> 08:06.834 as and as I mentioned , JFHQ-DODIN . 08:08.140 --> 08:10.670 Thanks Mark from an NGA standpoint . 08:10.679 --> 08:12.735 Our cyber security operation cell or 08:12.735 --> 08:16.670 CSO produces frequent uh cyber threat 08:16.679 --> 08:18.679 alerts . It actually transmits this 08:18.690 --> 08:21.619 information on a daily basis across the 08:21.630 --> 08:24.000 community like Doug mentioned . Uh We 08:24.010 --> 08:25.954 share these with the DoD and IC 08:25.954 --> 08:28.066 communities for situational awareness 08:28.066 --> 08:30.049 and coordinate countermeasure 08:30.059 --> 08:32.710 implementation . If you see something , 08:32.719 --> 08:34.886 you have to say something . So we have 08:34.886 --> 08:37.108 got to get this information out . So we 08:37.108 --> 08:39.219 collectively as a community can begin 08:39.219 --> 08:41.330 to respond to whatever the threat may 08:41.330 --> 08:43.386 be . 
Uh Again , some of our products 08:43.386 --> 08:45.052 have highlighted scanning and 08:45.052 --> 08:47.275 exploitation of uh attempts against our 08:47.275 --> 08:49.386 vulnerabilities within our networks . 08:49.386 --> 08:51.663 As soon as you know about these things , 08:51.663 --> 08:53.775 you need to share that information so 08:53.775 --> 08:55.830 that you can begin to fix it again . 08:55.830 --> 08:57.997 It's a collective action to defend our 08:57.997 --> 09:00.163 critical infrastructure . And yet , if 09:00.163 --> 09:02.330 we know something that's going on , we 09:02.330 --> 09:04.441 have to be there . We also need to be 09:04.441 --> 09:06.663 able to take advantage of the knowledge 09:06.663 --> 09:08.441 of emerging trends . As we as a 09:08.441 --> 09:10.608 community see things that are going to 09:10.608 --> 09:12.830 happen , we have to be able to be aware 09:12.830 --> 09:14.997 of those things so we can develop some 09:14.997 --> 09:17.163 of the countermeasures associated with 09:17.163 --> 09:19.275 addressing those issues . Some of the 09:19.275 --> 09:21.441 way that NGA is furthering our ability 09:21.441 --> 09:23.552 to respond to the cyber threats is we 09:23.552 --> 09:23.000 provide joint training for our 09:23.010 --> 09:25.010 workforce so that they can begin to 09:25.010 --> 09:27.121 understand the criticality associated 09:27.121 --> 09:29.219 with cyber security and cyber 09:29.229 --> 09:31.451 protection of our networks . We're also 09:31.451 --> 09:33.507 implementing a zero trust capability 09:33.507 --> 09:35.820 within our networks to provide further 09:35.830 --> 09:38.840 protections of our networks . Again , 09:38.849 --> 09:41.071 if you assume that the network has been 09:41.071 --> 09:43.182 compromised . 
You're in a much better 09:43.182 --> 09:45.293 position to be able to detect threats 09:45.293 --> 09:47.349 than if you just think everything is 09:47.349 --> 09:49.405 going to be ok as far as the network 09:49.405 --> 09:52.210 goes . And from the NSA perspective , 09:52.219 --> 09:54.163 the zero trust journey is one that 09:54.163 --> 09:56.275 we've been on for quite a long time . 09:56.275 --> 09:58.789 NSA has two missions . SIGINT and cyber 09:58.799 --> 10:01.289 security . We produce and collect 10:01.299 --> 10:03.719 SIGINT and we ensure cyber security for 10:03.729 --> 10:05.880 not only NSA itself but for all 10:05.890 --> 10:07.890 national security systems , whether 10:07.890 --> 10:09.779 they're owned and operated by the 10:09.779 --> 10:11.834 government or contractors , whatever 10:11.834 --> 10:14.001 classification level , whether they're 10:14.001 --> 10:15.946 in or out of the IC or DoD , if it 10:15.946 --> 10:18.001 touches national security , it's the 10:18.001 --> 10:20.112 responsibility of the NSA director in 10:20.112 --> 10:22.168 his capacity as National manager for 10:22.168 --> 10:24.390 national security systems . And then of 10:24.390 --> 10:26.279 course , we have within NSA , the 10:26.279 --> 10:28.279 responsibility for securing our own 10:28.279 --> 10:30.334 enterprise and networks . So when we 10:30.334 --> 10:32.501 think about uh cyber security at NSA , 10:32.501 --> 10:34.668 we're thinking about from those , both 10:34.668 --> 10:36.890 of those perspectives . So when I think 10:36.890 --> 10:39.223 about the things that worry me the most , 10:39.223 --> 10:41.168 I think about the fact that to get 10:41.168 --> 10:43.168 anywhere in cyber security requires 10:43.168 --> 10:45.057 constant , constant vigilance and 10:45.057 --> 10:47.469 continuous investment . Um It can't be 10:47.479 --> 10:49.701 something that , yeah , we took care of 10:49.701 --> 10:51.757 that last year . You're never done . 
10:51.757 --> 10:53.757 You're never good enough . What you 10:53.757 --> 10:55.812 thought was good enough today is not 10:55.812 --> 10:55.590 going to be good enough and tomorrow 10:56.065 --> 10:59.125 and what you do today is going to have 10:59.135 --> 11:01.534 ramifications for not only yourself but 11:01.544 --> 11:03.955 for other agencies going forward . And 11:03.965 --> 11:05.854 if you do a terrific job , if you 11:05.854 --> 11:07.965 succeed beyond all expectations , the 11:07.965 --> 11:10.187 result is that nothing happens . Uh And 11:10.187 --> 11:12.354 then you get up in the morning and you 11:12.354 --> 11:14.465 have to do it again . So this worries 11:14.465 --> 11:16.576 me for a number of reasons . Um , the 11:16.576 --> 11:18.687 political cycle is sometimes fickle . 11:18.687 --> 11:18.440 People wanna know . What's the cool new 11:18.450 --> 11:20.783 thing ? What are we doing this year now ? 11:20.783 --> 11:23.006 Cyber security was last year . We can't 11:23.006 --> 11:25.117 do that . We need the moment you take 11:25.117 --> 11:27.394 your eye off the ball , you lose focus , 11:27.394 --> 11:29.339 you open up a , a possible area of 11:29.339 --> 11:31.450 vulnerability or risk and then a risk 11:31.450 --> 11:33.780 to one is a risk to all at NSA uh 11:33.789 --> 11:36.429 internally to ourselves . We had as , 11:36.440 --> 11:38.329 as much as we had worked on Cyber 11:38.329 --> 11:40.551 security . It's been part of what we've 11:40.551 --> 11:42.773 done for 70 years uh back before it was 11:42.773 --> 11:44.884 even called Cyber Security was called 11:44.884 --> 11:47.107 Information assurance or communications 11:47.107 --> 11:49.273 Security . Um Even though that was all 11:49.273 --> 11:51.496 in place , uh we had a bit of a wake up 11:51.496 --> 11:51.159 call about 11 years ago . There were 11:51.169 --> 11:53.469 some um undisclosed uh unauthorized 11:53.479 --> 11:55.812 disclosures you may have heard about it . 
11:55.812 --> 11:58.419 Um So as a result of that , uh NSA had 11:58.429 --> 12:00.540 to take a good hard look at ourselves 12:00.540 --> 12:03.000 and made a tremendous investment , not 12:03.010 --> 12:05.090 only in funding and moving a lot of 12:05.099 --> 12:07.321 money over but also in people . We took 12:07.321 --> 12:09.377 some of our very best folks at NSA , 12:09.377 --> 12:11.377 some of whom were working the , the 12:11.377 --> 12:13.488 mission , operational things and said 12:13.488 --> 12:15.377 we need to lock down on our cyber 12:15.377 --> 12:17.543 security and we implemented secure the 12:17.543 --> 12:19.766 enterprise , secure the network , which 12:19.766 --> 12:21.877 are essentially what we talk about as 12:21.877 --> 12:23.989 zero trust today . So I know what it 12:24.000 --> 12:26.239 took for us to do that , having watched 12:26.250 --> 12:28.472 it from uh different roles and now from 12:28.472 --> 12:31.729 within NSA the enormous um intensity 12:31.739 --> 12:33.799 and the uh investment and the 12:33.809 --> 12:36.010 continuous focus year after year . And 12:36.020 --> 12:37.964 that was just to get us to what we 12:37.964 --> 12:40.450 think is good enough . So one of the 12:40.460 --> 12:42.516 things that really worries me is how 12:42.516 --> 12:44.682 can we keep up that focus ? How can we 12:44.682 --> 12:46.738 keep up that level of investment now 12:46.738 --> 12:48.793 that I'm on the CFO side , I see how 12:48.793 --> 12:50.516 much is competing for the same 12:50.516 --> 12:52.627 resources and knowing how we're going 12:52.627 --> 12:54.849 to have to be able to make sure that we 12:54.849 --> 12:54.820 make room for that . And then I think 12:54.830 --> 12:58.169 about it was that hard for NSA . And 12:58.179 --> 13:00.401 security is literally our middle name . 13:00.401 --> 13:02.623 This is what we're , this is one of our 13:02.623 --> 13:04.512 primary missions . 
It's something 13:04.512 --> 13:06.623 that's a top priority and we had this 13:06.623 --> 13:08.790 huge wake up call . How much harder is 13:08.790 --> 13:10.623 it for other agencies ? And it's 13:10.623 --> 13:12.901 wonderful . We're , we're all partners , 13:12.901 --> 13:15.123 we all work together . That's what Doda 13:15.123 --> 13:17.346 and JW is all about . But it also means 13:17.346 --> 13:17.330 that we're only as strong as our 13:17.340 --> 13:20.002 weakest link . So that's why NSA invest 13:20.013 --> 13:22.442 so much in not only continually upping 13:22.453 --> 13:24.509 our own game , but sharing that with 13:24.509 --> 13:26.564 our partners , not only on the stage 13:26.564 --> 13:28.843 but in the audience . Um we have within 13:28.853 --> 13:30.982 so our , our ciso and our team within 13:30.992 --> 13:33.132 works really closely with the rest of 13:33.143 --> 13:35.143 the IC and dod to share our best 13:35.153 --> 13:37.264 practices , our lessons learned , our 13:37.264 --> 13:39.320 maturity models so that we can all a 13:39.320 --> 13:41.320 rising tide lifts , all boats . And 13:41.320 --> 13:43.375 then also through our cyber security 13:43.375 --> 13:45.431 division , we do tremendous outreach 13:45.431 --> 13:47.653 and we've established such a high level 13:47.653 --> 13:49.542 of partnership across the defense 13:49.542 --> 13:51.709 industrial base , issuing guidance and 13:51.709 --> 13:53.846 direction and issuing warnings and um 13:53.966 --> 13:56.705 uh threat intelligence . And then in 13:56.716 --> 13:58.716 some cases , actually providing NSA 13:58.716 --> 14:01.176 services free of charge to um industry 14:01.185 --> 14:03.575 because uh the good thing is we , the 14:03.585 --> 14:05.918 bad thing is we're all in this together . 14:05.918 --> 14:07.974 A risk to one is a risk to all . But 14:07.974 --> 14:09.974 the good thing is we're all in this 14:09.974 --> 14:12.196 together . 
And um since a lot of what I 14:12.196 --> 14:14.307 know about cyber security , I learned 14:14.307 --> 14:16.363 from Sue do , um I'll see if she has 14:16.363 --> 14:18.529 any comments . Um So I'm gonna take it 14:18.529 --> 14:20.474 from the perspective of a small IC 14:20.474 --> 14:22.929 element . Um It is a team sport , the 14:22.940 --> 14:26.900 value that us working together and 14:27.010 --> 14:29.729 see something , say something . The SCC 14:29.739 --> 14:32.080 is a , one of the seven Federal Cyber 14:32.090 --> 14:35.900 Centers is profound and we have to 14:35.909 --> 14:38.169 remember that that there , there should 14:38.179 --> 14:41.159 be no ego in this game . We have to 14:41.169 --> 14:43.336 make the phone calls , we have to look 14:43.336 --> 14:45.447 for the signatures , we have to go to 14:45.447 --> 14:47.613 the patch servers , we don't build our 14:47.613 --> 14:49.725 own , we need to go to the places and 14:49.725 --> 14:51.836 so the humans can work on the hardest 14:51.836 --> 14:54.058 things we have instead of reinventing . 14:54.058 --> 14:56.260 So for a small IC element , it's this 14:56.270 --> 14:58.539 partnership , it's this community that 14:58.549 --> 15:02.159 makes 100% of the difference . So Mike 15:02.169 --> 15:04.336 uh just capitalizing on from the state 15:04.336 --> 15:06.502 department's perspective . Uh when sue 15:06.502 --> 15:08.169 talked about a small uh state 15:08.169 --> 15:10.336 departments are small for sure . But I 15:10.336 --> 15:10.169 also like to and I've heard the senior 15:10.179 --> 15:12.179 leaders in the state Department say 15:12.179 --> 15:14.346 this and it's important for me to just 15:14.346 --> 15:16.401 note , you know , uh di diplomacy is 15:16.401 --> 15:18.568 our business , right ? And so clicking 15:18.568 --> 15:20.735 on those links uh is something that we 15:20.735 --> 15:22.901 must do , right ? 
State departments in 15:22.901 --> 15:25.123 270 locations , 190 countries , 100 and 15:25.123 --> 15:27.346 50 languages . And so we don't have the 15:27.346 --> 15:29.512 luxury of not communicating with our , 15:29.512 --> 15:31.623 our diplomatic partners , right ? And 15:31.623 --> 15:33.846 so when you talk about cyber security , 15:33.846 --> 15:33.609 it is important for us to see something , 15:33.619 --> 15:35.841 say something . But it's also important 15:35.841 --> 15:38.063 for me partnering with the folks on the 15:38.063 --> 15:39.841 stage , but also for you all to 15:39.841 --> 15:42.063 understand that the very dynamic of our 15:42.063 --> 15:44.230 our business is diplomacy and clicking 15:44.230 --> 15:46.341 on those links . And so we're only as 15:46.341 --> 15:48.508 weak as our uh we're only as strong as 15:48.508 --> 15:48.349 our weakest link for sure . But 15:48.359 --> 15:50.192 understanding our dynamic in our 15:50.192 --> 15:52.137 landscape will help us continue to 15:52.137 --> 15:54.303 protect uh our environment . We we too 15:54.303 --> 15:56.470 had our own um espionage case in State 15:56.470 --> 15:58.303 Department . So we , we too were 15:58.303 --> 16:00.359 struggling with things that we would 16:00.359 --> 16:02.581 think are easy . We've learned and I'll 16:02.581 --> 16:04.803 be honest with you . Part of what we've 16:04.803 --> 16:04.000 learned is just to follow our own 16:04.010 --> 16:06.121 processes . Right ? There are sops in 16:06.121 --> 16:08.232 place , their standards in place that 16:08.232 --> 16:10.454 we need to follow . And so just from my 16:10.454 --> 16:12.566 seat in the State Department is Intel 16:12.566 --> 16:14.732 Cio s that cyber security is important 16:14.732 --> 16:17.066 for what we do . 
Ju just to add to that , 16:17.066 --> 16:19.232 I think , you know , it's important to 16:19.232 --> 16:21.343 recognize this is not an IC problem , 16:21.343 --> 16:23.566 this is a whole of government problem . 16:23.566 --> 16:25.677 And so again , when you look at , you 16:25.677 --> 16:27.677 know , the interaction , you know , 16:27.677 --> 16:29.732 with the fact of everybody that's up 16:29.732 --> 16:31.399 here , represent IC DoD State 16:31.399 --> 16:33.621 Department , et cetera , we all have to 16:33.621 --> 16:35.843 work together and we're facing a lot of 16:35.843 --> 16:37.954 the same challenges , you know , Doug 16:37.954 --> 16:40.066 talked a lot about the JC inspections 16:40.080 --> 16:42.024 and the work that goes on with the 16:42.024 --> 16:43.969 Department of Defense , you know , 16:43.969 --> 16:45.636 Joint Force Headquarters , uh 16:45.636 --> 16:48.000 Information Network . Um you know , 16:48.075 --> 16:50.205 there's a strong partnership there in 16:50.215 --> 16:52.974 terms of what DoD , you know , drives 16:52.984 --> 16:55.234 responsibility for and what the IC 16:55.244 --> 16:57.934 drives responsibility for . And again , 16:57.945 --> 17:00.215 everything is a really uh it has to be 17:00.224 --> 17:02.455 about a partnership when we think about 17:02.465 --> 17:05.214 a lot of the , you know , controls that 17:05.224 --> 17:08.155 get put in place with various programs , 17:08.165 --> 17:10.974 whether it's N A or , you know , that's 17:10.984 --> 17:13.520 ran by NSA or , you know , the fact 17:13.530 --> 17:15.252 that the Department of Defense 17:15.252 --> 17:16.863 publishes security technical 17:16.863 --> 17:19.030 implementation guides . 
All of this is 17:19.030 --> 17:21.819 driven around a partnership between our 17:21.829 --> 17:24.430 organizations to make sure that every 17:24.439 --> 17:28.209 capability we put in place is , is 17:28.219 --> 17:30.579 secured to the extent that it needs to 17:30.589 --> 17:33.569 be . And security isn't always equal 17:33.579 --> 17:35.635 between all the systems , you know , 17:35.704 --> 17:37.760 and we recognize the investment that 17:37.760 --> 17:39.982 we're going to make in certain national 17:39.982 --> 17:42.093 security systems to protect that data 17:42.093 --> 17:44.148 may be different than the investment 17:44.148 --> 17:46.037 that we may place on , you know , 17:46.037 --> 17:48.260 certain other systems . So again , it's 17:48.260 --> 17:51.285 truly a partnership in recognizing how 17:51.295 --> 17:53.295 some of those differences come into 17:53.295 --> 17:55.324 play and what type of controls that 17:55.334 --> 17:57.390 need to be put into play and again , 17:57.390 --> 17:59.612 sharing information amongst all of us . 18:00.930 --> 18:02.874 Yeah , I I think I'm excited about 18:02.874 --> 18:05.041 where the community has gone . Um from 18:05.041 --> 18:06.819 a zero trust steering committee 18:06.819 --> 18:08.708 perspective , developing a common 18:08.708 --> 18:10.930 understanding of baseline of of a basic 18:10.939 --> 18:13.540 maturity model for zero trust allows us 18:13.550 --> 18:16.180 to uh commonly evaluate where we are on 18:16.189 --> 18:18.300 the various pillars of zero trust and 18:18.300 --> 18:20.411 then target investments to to enhance 18:20.411 --> 18:22.522 the maturity across that . I think at 18:22.522 --> 18:24.745 CIA we focus on not only implementation 18:24.745 --> 18:26.916 of zero trust but in the online and 18:26.926 --> 18:29.148 active systems that we have . How do we 18:29.148 --> 18:31.315 operationalize cyber defense ? 
I think 18:31.315 --> 18:33.315 that cyber security has long been a 18:33.315 --> 18:35.537 compliance action and activity and it's 18:35.537 --> 18:37.704 still necessary to ensure that sort of 18:37.704 --> 18:39.537 day one , the necessary security 18:39.537 --> 18:41.704 controls are implemented appropriately 18:41.704 --> 18:43.926 and that is through assessment and sort 18:43.926 --> 18:43.755 of the compliance effort . But once 18:43.765 --> 18:45.654 online , how do we operationalize 18:45.654 --> 18:47.765 cybersecurity ? How do I make it real 18:47.765 --> 18:49.821 time ? How do I collect and evaluate 18:49.821 --> 18:51.821 the telemetry that I collect off of 18:51.821 --> 18:53.821 systems to allow cyber defenders to 18:53.821 --> 18:56.043 quickly take action to find the needles 18:56.043 --> 18:58.265 of anomalous behavior . Uh in that sort 18:58.265 --> 19:00.432 of vast amount of data that we collect 19:00.432 --> 19:02.765 on systems um using modern technologies , 19:02.765 --> 19:04.932 A I and machine learning in particular 19:04.932 --> 19:04.682 to sort of model what is normal and 19:04.692 --> 19:06.859 then act when it's abnormal . Uh We've 19:06.859 --> 19:08.970 really put a lot of effort in sort of 19:08.970 --> 19:11.192 operational cyber security against sort 19:11.192 --> 19:13.661 of that shift from a compliance focused 19:13.671 --> 19:15.462 activity to one that is uh an 19:15.472 --> 19:18.949 operational imperative . And the o the 19:18.959 --> 19:21.070 only thing I would add as a now a cio 19:21.070 --> 19:23.292 of a small and a former director of the 19:23.292 --> 19:25.459 I CS EC is I wholeheartedly agree with 19:25.459 --> 19:27.792 everything that was stated on the stage . 
19:27.792 --> 19:27.670 Um You know , as we , we need to 19:27.680 --> 19:29.847 continue to sew the seams to make sure 19:29.847 --> 19:31.989 we're sharing um relevant tactical 19:32.000 --> 19:33.778 cyber threat intelligence and 19:33.778 --> 19:35.889 information at the speed of mission . 19:35.889 --> 19:37.889 So , you know , as you share with , 19:37.889 --> 19:39.778 with CISA and , you know , CISA 19:39.778 --> 19:41.944 shares with JFHQ-DODIN and the IC SCC . 19:41.944 --> 19:41.900 And we need to make sure we bring in 19:41.910 --> 19:44.077 another element of this and that's our 19:44.077 --> 19:46.132 international partners . So as I was 19:46.132 --> 19:48.410 walking out of the door of the IC SCC , 19:48.410 --> 19:48.339 we had a lot of focus and attention on 19:48.349 --> 19:50.489 making sure that we could share um at 19:50.500 --> 19:52.556 the speed of mission with our Five Eyes 19:52.556 --> 19:54.778 partners . So I hopefully will continue 19:54.778 --> 19:56.889 to uh grease the skids there and make 19:56.889 --> 19:59.030 sure that happens . Great . Thank you 19:59.040 --> 20:01.010 very much . That's great , great 20:01.020 --> 20:03.076 interaction . I love it now . So I'm 20:03.076 --> 20:05.076 gonna keep on this uh cybersecurity 20:05.076 --> 20:07.187 theme , but I'm also gonna change the 20:07.187 --> 20:09.353 focus a little bit . Um Yesterday , um 20:09.353 --> 20:11.520 Some of the folks were up here talking 20:11.520 --> 20:13.687 kind of directly talk to , to the part 20:13.687 --> 20:15.909 the private sector partners out there , 20:15.909 --> 20:18.020 right ? Using this , this as a , as a 20:18.020 --> 20:20.131 uh as a telephone to say how we can , 20:20.131 --> 20:22.409 how we can use them to help us , right ? 20:22.409 --> 20:24.631 Or how they um so I'd like to know what 20:24.631 --> 20:24.589 and I'm gonna ask this for Jennifer , Sue 20:24.599 --> 20:26.819 and Roger , right ?
Um How do you see 20:26.829 --> 20:28.829 the cyber threat evolving ? Right ? 20:28.829 --> 20:30.940 That's what's facing us . How is that 20:30.940 --> 20:33.107 evolving ? And then how can we use the 20:33.107 --> 20:35.107 private sector solutions to address 20:35.107 --> 20:37.329 those evolving threats ? So we'll start 20:37.329 --> 20:39.273 with Roger if that's OK . So I , I 20:39.273 --> 20:41.385 think if , you know , again , we look 20:41.385 --> 20:43.496 at the challenges that we're facing , 20:43.496 --> 20:45.718 you know , in the DoD world . I think , 20:45.718 --> 20:47.829 you know , a couple of things come to 20:47.829 --> 20:49.829 mind , we could probably all sit up 20:49.829 --> 20:52.051 here and talk the rest of the afternoon 20:52.051 --> 20:52.010 on some of this that's going on in the 20:52.020 --> 20:54.329 cyber world . But , you know , to me , 20:54.339 --> 20:56.510 there's the element of risk management 20:56.520 --> 20:58.687 and authorization . Somebody yesterday 20:58.687 --> 21:00.520 mentioned about , you know , the 21:00.520 --> 21:02.609 challenges with the ATO process and 21:02.619 --> 21:05.810 being able to uh work through those 21:05.819 --> 21:07.986 processes . And then , you know , Ryan 21:07.986 --> 21:10.041 mentioned the whole element of cyber 21:10.041 --> 21:12.152 defense . And really , when you think 21:12.152 --> 21:14.263 about it , from my perspective , it's 21:14.263 --> 21:16.097 how do we actually get those two 21:16.097 --> 21:18.979 elements actually working together as 21:18.989 --> 21:20.989 we think about , you know , the the 21:21.000 --> 21:23.339 risk management processes and making 21:23.349 --> 21:25.650 sure that the systems are actually 21:25.780 --> 21:28.479 built securely up front designed 21:28.489 --> 21:32.329 securely , um Are the cyber 21:32.339 --> 21:35.880 defenses actually in play ?
Are we 21:35.890 --> 21:39.839 ensuring that the relevant data uh that 21:39.849 --> 21:42.270 needs to come from those systems is 21:42.280 --> 21:45.050 feeding in to our cyber defenders ? Is 21:45.060 --> 21:48.010 that data moving at real time ? Uh I 21:48.020 --> 21:50.131 will tell you , you know , we , we've 21:50.131 --> 21:52.353 had some lessons learned in this a very 21:52.353 --> 21:54.520 recently , things that we know we need 21:54.520 --> 21:56.400 to make improvements on . And so 21:56.410 --> 21:58.479 sometimes you real , you think that 21:58.770 --> 22:01.250 you've gone through , you've done all 22:01.260 --> 22:03.920 of the , the efforts that you need to 22:03.930 --> 22:05.986 do to secure data and you find out , 22:05.986 --> 22:08.208 well , somebody made a change somewhere 22:08.208 --> 22:10.208 in the environment and things don't 22:10.208 --> 22:12.263 necessarily operate the way that you 22:12.270 --> 22:15.000 would expect them to . So how do we 22:15.010 --> 22:17.560 again put those controls in place that 22:17.569 --> 22:19.939 actually help us to be able to 22:19.949 --> 22:22.930 recognize that a change occurred in the 22:22.939 --> 22:25.280 environment and give us that true 22:25.290 --> 22:28.119 continuous monitoring , not just from 22:28.130 --> 22:30.369 the patching of a system or a 22:30.380 --> 22:32.439 configuration vulnerability , but 22:32.449 --> 22:34.560 actually as it relates to our ability 22:34.560 --> 22:37.219 to monitor , defend all of the 22:37.229 --> 22:39.900 different systems . Again , we're faced 22:39.910 --> 22:42.243 with numerous challenges whether that's , 22:42.243 --> 22:44.410 you know , an external adversary or an 22:44.410 --> 22:47.530 insider threat . Uh Again , recognizing 22:47.540 --> 22:50.800 how are we pulling that data and 22:50.810 --> 22:53.410 getting it to the right people at the 22:53.420 --> 22:56.189 right speed at the right time that the 22:56.199 --> 22:59.920 data is good . 
Um You know , yesterday 22:59.930 --> 23:02.041 General Henry talked , you know about 23:02.041 --> 23:04.479 the principles of VATI and again , 23:04.489 --> 23:07.119 making sure that as we think about that 23:07.130 --> 23:10.069 cyber defense data , does everyone 23:10.079 --> 23:13.800 actually uh follow to that principle ? 23:13.810 --> 23:16.032 And are we making sure again , the data 23:16.032 --> 23:18.088 is getting to the hands of our cyber 23:18.088 --> 23:20.143 defenders and again , factoring that 23:20.143 --> 23:23.050 into the risk decision process . So 23:23.060 --> 23:24.949 again , it's really a fundamental 23:24.949 --> 23:28.410 change . I think in how we uh look at 23:28.420 --> 23:30.642 where we're going from a cyber security 23:30.642 --> 23:33.060 perspective . The other piece of course 23:33.069 --> 23:36.250 is zero trust and again , zero trust is 23:36.569 --> 23:38.736 uh a very important initiative . And I 23:38.736 --> 23:40.847 think this is gonna really have a , a 23:40.847 --> 23:43.319 major effect also on the way that we do 23:43.329 --> 23:45.670 cyber defense because we recognize that 23:45.680 --> 23:47.680 we're moving from , you know , more 23:47.680 --> 23:50.069 network centric defenses to data 23:50.079 --> 23:52.439 centric defenses . How do we actually 23:52.449 --> 23:54.569 train and ensure that our cyber 23:54.579 --> 23:56.589 defenders have the skills that are 23:56.599 --> 24:00.520 necessary in order to protect uh all of 24:00.530 --> 24:03.390 our information systems . And again , 24:03.400 --> 24:05.511 the other thing we have to realize we 24:05.511 --> 24:07.511 cannot people our way out of this . 24:07.511 --> 24:09.456 I've mentioned this at conferences 24:09.456 --> 24:12.719 before the volume of data that we are 24:12.729 --> 24:15.560 all faced with . We can't just add 24:15.569 --> 24:17.569 people to look at this . 
We have to 24:17.569 --> 24:20.060 drive , you know , uh A I and ML to 24:20.069 --> 24:23.219 actually help uh analyze that 24:23.229 --> 24:26.140 information and actually enable us to 24:26.150 --> 24:28.140 make faster decisions . It's not 24:28.150 --> 24:30.206 necessarily to take the human out of 24:30.206 --> 24:32.680 the loop , but enable the human to make 24:32.689 --> 24:35.459 a much better , more informed decision 24:35.579 --> 24:37.357 and take advantage of automated 24:37.357 --> 24:39.709 responses where we can . So those are 24:39.719 --> 24:41.719 some of the big challenges that I'm 24:41.719 --> 24:44.329 seeing on the horizon . Something you 24:44.339 --> 24:45.950 said sounds very much like a 24:45.950 --> 24:48.006 conversation . We are just having at 24:48.006 --> 24:50.228 breakfast about how a lot of what we're 24:50.228 --> 24:52.172 doing on cyber security and really 24:52.172 --> 24:54.283 across everything we do doesn't scale 24:54.283 --> 24:56.450 manually . And we need to look at A IL 24:56.450 --> 24:58.506 I was actually remembering something 24:58.506 --> 25:00.617 Robert Cardillo had said that I think 25:00.617 --> 25:00.599 it may have been go and symposium where 25:00.609 --> 25:02.949 he said , if we just scaled how we used 25:02.959 --> 25:05.219 to look at imagery , we we would need 8 25:05.229 --> 25:07.540 million new analysts . And so maybe we 25:07.550 --> 25:09.494 need to look at a different way of 25:09.494 --> 25:11.494 doing it in the same way with cyber 25:11.494 --> 25:13.550 security . We are talking about tech 25:13.550 --> 25:15.772 debt and how so much of our systems are 25:15.772 --> 25:17.828 still in our sensors . 
Everything is 25:17.828 --> 25:20.050 still done manually and we're not going 25:20.050 --> 25:22.050 to be able to scale that because uh 25:22.050 --> 25:21.859 Michael , you had asked about um 25:21.869 --> 25:23.869 emerging trends and then how we can 25:23.869 --> 25:25.813 partner with what we need from the 25:25.813 --> 25:27.869 private sector , emerging trends , I 25:27.869 --> 25:30.036 don't know if it's emerging , but it's 25:30.036 --> 25:29.959 a continuing trend . Uh The cyber 25:29.969 --> 25:32.250 security uh challenge is going to get 25:32.260 --> 25:35.119 more complex and more expensive every 25:35.130 --> 25:37.969 day and uh funding is not going up uh 25:37.979 --> 25:39.979 commensurately . So we have to find 25:39.979 --> 25:42.880 smarter ways of doing more . Um of 25:42.890 --> 25:45.112 course , quantum resistant cryptography 25:45.112 --> 25:46.723 is something that's uh we're 25:46.723 --> 25:48.890 increasingly aware that uh there could 25:48.890 --> 25:51.112 be a clock ticking somewhere . 
And then 25:51.112 --> 25:53.334 one of the things I wanted to highlight 25:53.334 --> 25:55.390 is that as we and the government are 25:55.390 --> 25:57.557 shifting more to cloud and to hardware 25:57.557 --> 25:59.334 and platform as a service , the 25:59.334 --> 26:01.920 security uh profile and the security 26:01.930 --> 26:03.874 risk becomes even more of a shared 26:03.874 --> 26:06.060 responsibility between government and 26:06.069 --> 26:08.420 industry because it's we , we need to 26:08.430 --> 26:09.986 think about exactly who has 26:09.986 --> 26:11.763 responsibility for which layers 26:11.763 --> 26:13.819 ensuring that we all are on the same 26:13.819 --> 26:16.041 page and that everything is meeting the 26:16.041 --> 26:17.986 same standards and that requires a 26:17.986 --> 26:20.097 whole another level of , of trust and 26:20.097 --> 26:22.041 partnership and that's going to be 26:22.041 --> 26:24.152 really critical moving forward . If I 26:24.152 --> 26:26.263 could add to what you said , Jennifer 26:26.263 --> 26:28.152 on finding more efficient ways to 26:28.152 --> 26:30.319 figure out how to achieve what we need 26:30.319 --> 26:32.541 to do . Um There's been more planning , 26:32.541 --> 26:34.652 joint planning between the IC and Dod 26:34.652 --> 26:36.930 JWCC and C two E is an example of that , 26:36.930 --> 26:38.874 which I'm sure we're going to talk 26:38.874 --> 26:40.930 about . But that does also require a 26:40.930 --> 26:43.239 mindset shift on both sides to where 26:43.400 --> 26:45.622 just as an example , Roger , you know , 26:45.622 --> 26:47.844 you guys are , are the executive agents 26:47.844 --> 26:49.789 for nipper net , right ? So on the 26:49.789 --> 26:51.289 unclassified side , you're 26:51.289 --> 26:53.067 traditionally worried about the 26:53.067 --> 26:55.122 external actors and the threats that 26:55.122 --> 26:54.630 those pose . 
And then as Jennifer 26:54.640 --> 26:57.359 mentioned , uh in the IC and NSA 26:57.369 --> 26:59.819 insider threats is , is a big challenge 26:59.829 --> 27:01.885 for us , right ? And that's where we 27:01.885 --> 27:03.940 placed emphasis and the reality is , 27:03.940 --> 27:06.162 it's not more one than the other . It's 27:06.162 --> 27:08.107 both , we have to , we have to put 27:08.107 --> 27:10.218 equal emphasis on both internally and 27:10.218 --> 27:13.310 externally to those cyber threats . So 27:13.319 --> 27:15.541 I wanna just kind of riff off of some of 27:15.541 --> 27:17.597 the others . So we'll do can't human 27:17.597 --> 27:19.375 our way out . I was at the same 27:19.375 --> 27:21.541 conference secure by design was secure 27:21.541 --> 27:23.949 by design . Um So FedRAMP is just a 27:23.959 --> 27:26.910 starting point . So for industry , um 27:26.920 --> 27:29.087 as I've walked the floor , there'll be 27:29.087 --> 27:31.087 the I'm FedRAMP and I'm like , and 27:31.087 --> 27:34.900 then what um you have to also recognize , 27:34.910 --> 27:37.077 you're gonna need to figure out how to 27:37.077 --> 27:40.630 work in a disconnected cloud . So if 27:40.640 --> 27:42.751 the thought is that we're going to be 27:42.751 --> 27:45.280 doing something in on , on a classified 27:45.290 --> 27:47.457 network and we're gonna be calling out 27:47.457 --> 27:49.401 to your commercial cloud something 27:49.401 --> 27:51.179 somewhere . That's not what our 27:51.179 --> 27:53.401 architecture is . Um So please please , 27:53.401 --> 27:55.457 please be aware now if it's your own 27:55.457 --> 27:55.250 class stuff , we can have that 27:55.260 --> 27:56.927 conversation about where that 27:56.927 --> 27:59.239 partnership is , but FedRAMP is the 27:59.250 --> 28:02.000 starting point , disconnected cloud .
28:02.010 --> 28:04.969 Um So make sure you understand kind of 28:04.979 --> 28:07.319 what the expectations are for your 28:07.329 --> 28:10.819 customer base as well . Um This is one 28:10.829 --> 28:13.170 I'm gonna probably toss back over to 28:13.180 --> 28:15.410 Jennifer , but it's the recognition 28:15.780 --> 28:18.650 that with this partnership of industry , 28:18.699 --> 28:21.060 you're seeing worldwide threats at the 28:21.069 --> 28:24.589 scale of private industry , we expect 28:24.599 --> 28:27.930 the um response at the , at the pace . 28:27.939 --> 28:30.161 But we also need to understand a degree 28:30.161 --> 28:33.260 of sharing of that information when you 28:33.270 --> 28:35.492 see something and we need to understand 28:35.492 --> 28:37.729 it to help protect our disconnected 28:37.739 --> 28:40.260 cloud space and that interaction . So 28:40.270 --> 28:42.579 it's that private , public partnership 28:42.589 --> 28:44.859 and understanding the state of cyber . 28:44.869 --> 28:47.910 So I know NSA does that a lot more . I 28:47.920 --> 28:49.864 just watch it from the outside and 28:49.864 --> 28:52.198 really hope that it's going very , very , 28:52.198 --> 28:55.599 very well . Um And then the as a small , 28:55.609 --> 28:57.442 it's the usage of the enterprise 28:57.442 --> 28:59.553 contracts that allowed us to bring to 28:59.553 --> 29:01.831 speed for our cybersecurity activities . 29:01.831 --> 29:04.053 That's profound . But please , please , 29:04.053 --> 29:06.220 please remember if you see something , 29:06.220 --> 29:08.890 say something to us too . It's a two 29:08.900 --> 29:12.280 way conversation . Great . Thank you . 29:12.810 --> 29:15.290 Excuse me . Thank you . So I'm keeping 29:15.300 --> 29:17.356 with the theme of partnering with uh 29:17.569 --> 29:19.569 the private sector . We just talked 29:19.569 --> 29:21.236 about how they can help us in 29:21.236 --> 29:23.458 cybersecurity . 
And more generally , if 29:23.458 --> 29:26.040 I could uh switch to um Jimmy Jennifer 29:26.050 --> 29:29.920 and Ben , right ? Um How can we partner 29:30.079 --> 29:32.135 with the private sector to help them 29:32.135 --> 29:34.135 address the technology gaps that we 29:34.135 --> 29:36.190 might be seeing ? How can we work on 29:36.190 --> 29:38.357 that partnership ? I think we'll start 29:38.357 --> 29:40.301 with benches if that's um as I was 29:40.301 --> 29:42.301 rethinking this question last night 29:42.301 --> 29:44.246 after yesterday's session , I kept 29:44.246 --> 29:46.468 coming back to a statement that ended , 29:46.468 --> 29:48.635 ended the five I panel yesterday where 29:48.635 --> 29:48.420 it was said , you know , partnerships 29:48.430 --> 29:50.486 are a way of life . I mean , I think 29:50.486 --> 29:52.486 you've heard that through the early 29:52.486 --> 29:54.430 discussions here . I think that is 29:54.430 --> 29:56.597 wholeheartedly true for the Department 29:56.597 --> 29:58.819 of Treasury and specifically , oi A , I 29:58.819 --> 29:58.359 think we do it really well on the 29:58.369 --> 30:00.313 mission side , you know , from the 30:00.313 --> 30:02.480 cyber security side , I think we don't 30:02.480 --> 30:04.480 do it as well as we should from a , 30:04.480 --> 30:07.239 from a cio engagement with industry 30:07.250 --> 30:09.194 perspective . So it's definitely a 30:09.194 --> 30:11.306 growth area and a priority focus area 30:11.306 --> 30:13.417 for fy 25 for Treasury specifically . 30:13.417 --> 30:16.380 Um I think I do it well here . Um but 30:16.390 --> 30:19.300 I'm too small and the threats are too 30:19.310 --> 30:21.366 high and the risk is too high for me 30:21.366 --> 30:23.421 not to expand on that partnership at 30:23.421 --> 30:25.588 pace with you all in the audience . Um 30:25.588 --> 30:27.754 So , so how can you help ? 
I think the 30:27.754 --> 30:29.199 first thing is I , I need 30:29.199 --> 30:30.977 transformational partners , not 30:30.977 --> 30:33.143 transactional partners . So understand 30:33.143 --> 30:34.921 my environment , understand the 30:34.921 --> 30:37.032 limitations of my environment where I 30:37.032 --> 30:40.290 am where I'm going um help me get there 30:40.300 --> 30:42.869 quickly . Um I , I essentially operate 30:42.880 --> 30:44.658 in a , in a nearly 200 year old 30:44.658 --> 30:46.324 building . It comes with some 30:46.324 --> 30:48.380 challenges inside that building that 30:48.380 --> 30:50.213 are unique to me that may not be 30:50.213 --> 30:52.491 present across the , the stage up here . 30:52.491 --> 30:54.602 So , so come , come in and help me um 30:54.602 --> 30:57.280 be a , be a um a change agent and uh um 30:57.290 --> 30:59.579 something that helps me maximize my 30:59.589 --> 31:02.739 solutions at pace . Um The , the second 31:02.750 --> 31:04.917 thing is , you know , I need the right 31:04.917 --> 31:07.060 solutions at the right time . My , my 31:07.069 --> 31:09.291 staff is small , we're focused down and 31:09.291 --> 31:11.530 in help me be the up and out and help 31:11.540 --> 31:13.707 me look over the horizon and make sure 31:13.707 --> 31:15.818 I'm looking at the right technologies 31:15.818 --> 31:18.040 and it may not be your technology . But 31:18.040 --> 31:20.151 help me look to where I need to be to 31:20.151 --> 31:22.484 get the right solution in place on time . 31:22.484 --> 31:24.373 Um I think I would be a little um 31:24.373 --> 31:26.707 remiss if I also said that part of that , 31:26.707 --> 31:28.762 the first step of that is on me , we 31:28.762 --> 31:30.818 need to outreach and engage with you 31:30.818 --> 31:32.873 more . 
Um We have a target of effort 31:32.873 --> 31:35.040 inside Treasury right now to make sure 31:35.040 --> 31:34.819 that we adopt some of the methods that 31:34.829 --> 31:36.940 my partners here on the stage have at 31:36.940 --> 31:38.773 their dispos to partner with you 31:38.773 --> 31:40.718 quickly with academia to , to test 31:40.718 --> 31:42.773 solutions , get them in the door and 31:42.773 --> 31:44.885 and get them deployed at pace instead 31:44.885 --> 31:47.051 of relying on a burdensome acquisition 31:47.051 --> 31:48.996 process that can take years to get 31:48.996 --> 31:50.551 solutions , the the rate of 31:50.551 --> 31:52.329 technological change , it isn't 31:52.329 --> 31:54.496 sufficient for that anymore . And then 31:54.496 --> 31:56.718 last but not least , um we're here , my 31:56.718 --> 31:58.718 team's here . Um We have needs , we 31:58.718 --> 32:00.940 wanna chat so please grab us , please , 32:00.940 --> 32:03.162 please start that partnership . Now , I 32:03.162 --> 32:05.051 don't wanna leave Omaha without , 32:05.051 --> 32:04.739 without meeting with you and making 32:04.750 --> 32:06.917 sure that you are helping me tackle my 32:06.917 --> 32:09.760 most pressing needs . Thanks Ben Jimmy . 32:09.790 --> 32:11.957 Yeah . Yeah , sure . So just , just to 32:11.957 --> 32:14.179 uh follow up from what Ben said . But , 32:14.179 --> 32:16.401 but before I do that , let me just talk 32:16.401 --> 32:18.457 a little bit about inr . So we we've 32:18.457 --> 32:20.623 been proudly uh providing intelligence 32:20.623 --> 32:20.369 support to State Department for 79 32:20.380 --> 32:22.491 years , right ? And that's all source 32:22.491 --> 32:24.547 intelligence . And so our mission is 32:24.547 --> 32:26.713 pretty simple uh to provide the timely 32:26.713 --> 32:28.602 and objective intelligence and to 32:28.602 --> 32:30.658 support the secretary support senior 32:30.658 --> 32:32.824 policy makers and also diplomats . 
And 32:32.824 --> 32:34.991 that's a global uh outreach and global 32:34.991 --> 32:37.047 mission aspect . And then the CIO of 32:37.047 --> 32:39.050 INR um I just oversee the TS/SCI 32:39.060 --> 32:41.171 network globally for the department . 32:41.171 --> 32:43.540 And so I can't do that alone . Uh Many 32:43.550 --> 32:45.717 of you who met with me know that I , I 32:45.717 --> 32:47.717 say that and I say that honestly is 32:47.717 --> 32:49.883 that we , we can't get it done alone . 32:49.883 --> 32:52.050 Uh My colleagues up here would , would 32:52.050 --> 32:53.994 agree . Uh And so uh I think we'll 32:53.994 --> 32:55.883 start first with the resource 32:55.883 --> 32:57.994 augmentation we're doing that today . 32:57.994 --> 33:00.106 And so we've agreed to outsource some 33:00.106 --> 33:02.161 aspects of our work and that's gonna 33:02.161 --> 33:04.161 continue . Um In fact , uh I have a 33:04.161 --> 33:03.890 couple of contracts in place now that 33:03.900 --> 33:06.390 is just extension of my staff and it 33:06.400 --> 33:08.122 works well . I mean , the only 33:08.122 --> 33:10.289 difference between uh a government and 33:10.289 --> 33:12.456 contractors of color , a badge , their 33:12.456 --> 33:14.733 badges . And so it works . Uh secondly , 33:14.733 --> 33:16.789 the training and development piece , 33:16.789 --> 33:18.900 right ? And , and helping with um tho 33:18.900 --> 33:21.067 those training opportunities sometimes 33:21.067 --> 33:20.880 that we don't take advantage of that 33:20.890 --> 33:22.946 you are all aware of . And I , and I 33:22.946 --> 33:25.168 know from an industry perspective , you 33:25.168 --> 33:27.390 offer the expertise and innovation that 33:27.390 --> 33:29.612 we need . And so continue to bring that 33:29.612 --> 33:31.612 to the table and continue to engage 33:31.612 --> 33:33.779 with us .
And then , uh lastly , I , I 33:33.779 --> 33:33.584 would like to see more uh across 33:33.594 --> 33:35.816 partnership where we either do training 33:35.816 --> 33:38.038 exercises together or we take advantage 33:38.038 --> 33:40.244 of your labs , uh or your facilities 33:40.255 --> 33:42.422 that you have that is skipped out that 33:42.422 --> 33:44.644 we can uh partner and train and develop 33:44.644 --> 33:46.922 and , and , and walk this dog together . 33:46.922 --> 33:49.144 And so from a partnership perspective , 33:49.144 --> 33:51.366 again , we can't get it done alone . Uh 33:51.366 --> 33:53.311 I try and have uh several industry 33:53.311 --> 33:55.477 engagement meetings a month and that's 33:55.477 --> 33:55.369 working out well . And so if you're on 33:55.380 --> 33:57.869 my , my list , uh be patient , uh and 33:57.880 --> 34:00.489 I'll get to you . So thanks from a dia 34:00.670 --> 34:03.400 perspective , you know , industry is 34:03.410 --> 34:05.819 such a key partner with everything that 34:05.829 --> 34:08.370 we do . Again , we can't do it alone 34:08.479 --> 34:10.535 either . In fact , one of the things 34:10.535 --> 34:12.716 that dissa does every year is what's 34:12.726 --> 34:15.085 referred to as our forecast to industry , 34:15.095 --> 34:17.275 which happened to actually occur just 34:17.285 --> 34:20.055 yesterday , uh back at near the Fort 34:20.065 --> 34:22.865 Mead , uh where we bring together all 34:22.875 --> 34:24.931 of our , you know , senior leaders , 34:24.931 --> 34:26.986 minus myself who's out here with you 34:26.986 --> 34:29.208 all . Uh but bring together most of our 34:29.208 --> 34:31.436 senior leaders , a lot of our program 34:31.446 --> 34:33.779 managers to actually meet with industry , 34:33.779 --> 34:36.812 to talk about what are upcoming needs , 34:36.822 --> 34:38.933 what are the areas that we're looking 34:38.933 --> 34:40.981 for opportunities ? 
Uh There are 34:40.991 --> 34:43.652 opportunities for industry to be able 34:43.662 --> 34:45.718 to support us . And then of course , 34:45.718 --> 34:47.718 you know , again , that interaction 34:47.718 --> 34:50.461 with our partners in play , you know , 34:50.471 --> 34:52.415 they're working with us today . We 34:52.415 --> 34:54.822 always have to figure out more , you 34:54.832 --> 34:57.191 know , our adversaries are evolving , 34:57.201 --> 34:58.923 our threats are changing , the 34:58.923 --> 35:01.729 landscape is changing . So how are we 35:01.739 --> 35:04.520 actually having those dialogues so that 35:04.610 --> 35:06.777 those things that you're supporting us 35:06.777 --> 35:09.600 on today ? We're actually conversing 35:09.610 --> 35:12.250 and recognizing what those changes are , 35:12.260 --> 35:14.149 what we may need to change from a 35:14.149 --> 35:16.600 government perspective , what we may 35:16.610 --> 35:20.000 need you as a provider to actually 35:20.090 --> 35:22.620 change in a system . And sometimes it 35:22.629 --> 35:24.407 seems like we , we don't always 35:24.407 --> 35:26.462 communicate that way . You know , we 35:26.462 --> 35:29.429 get very focused in terms of , well , 35:29.439 --> 35:32.239 the scope of the contract says this , 35:32.540 --> 35:36.114 that that's valid , but we also need to 35:36.125 --> 35:38.347 be able to make sure we're having those 35:38.347 --> 35:40.347 open conversations about threats so 35:40.347 --> 35:43.155 that if we need to change our contracts 35:43.165 --> 35:45.655 or we need to change our relationship , 35:45.844 --> 35:48.415 we have to make sure that our systems 35:48.425 --> 35:50.592 and our capabilities are continuing to 35:50.592 --> 35:52.203 evolve . So that's a two way 35:52.203 --> 35:54.495 partnership that we really need to work 35:54.504 --> 35:56.282 better with industry on from my 35:56.284 --> 35:58.340 perspective . Thank you , Jennifer . 
35:59.679 --> 36:01.901 I'll , I'll jump in if you don't mind . 36:01.901 --> 36:04.123 Um I , yeah , I , I think I would offer 36:04.123 --> 36:06.068 kind of a response in , in sort of 36:06.068 --> 36:08.012 three ways I think for the systems 36:08.012 --> 36:10.123 integrator community , um we need and 36:10.123 --> 36:12.235 in fact , demand sort of diversity of 36:12.235 --> 36:14.457 solutions that you present to us in the 36:14.457 --> 36:16.457 context of cloud . For example , we 36:16.457 --> 36:18.401 have been on a journey uh as noted 36:18.401 --> 36:20.457 yesterday for 10 years . Uh with one 36:20.457 --> 36:22.568 provider , we now have access to four 36:22.568 --> 36:24.679 on the high side . Uh We need sort of 36:24.679 --> 36:26.901 diversity of solutions taking advantage 36:26.901 --> 36:26.429 of the investments that we're making in 36:26.439 --> 36:28.429 this multi cloud uh world . As an 36:28.439 --> 36:30.590 example for the technology service 36:30.600 --> 36:33.610 providers . Um we need uh relationship 36:33.620 --> 36:36.060 and partnership beyond the point of 36:36.070 --> 36:39.070 sale . What we find is that we , we 36:39.080 --> 36:41.169 identify a techno a need . We fill a 36:41.179 --> 36:43.401 gap with the technology . And two years 36:43.401 --> 36:45.623 later , we've 10% implemented and we're 36:45.623 --> 36:47.735 not optimized , we're not taking of , 36:47.735 --> 36:49.901 of the investments made and then we're 36:49.901 --> 36:51.735 ripping and replacing and almost 36:51.735 --> 36:53.901 starting over . So like engagement and 36:53.901 --> 36:56.123 partnership beyond the point of sale is 36:56.123 --> 36:58.123 super critical so that we can fully 36:58.123 --> 36:57.949 optimize and leverage the tools and 36:57.959 --> 37:00.015 technologies that are uh implemented 37:00.015 --> 37:02.181 across our networks . 
And third , it's 37:02.181 --> 37:03.848 really a call to arms for our 37:03.848 --> 37:05.848 government employees here uh in the 37:05.848 --> 37:08.070 room to hold the vendors accountable um 37:08.070 --> 37:10.181 to hold them accountable for offering 37:10.181 --> 37:12.292 the diverse solutions uh that we , we 37:12.292 --> 37:14.292 need to solve uh new and unique and 37:14.292 --> 37:16.515 emerging problems . The things that got 37:16.515 --> 37:18.681 us here are not necessarily the things 37:18.681 --> 37:20.792 that will get us there uh challenging 37:20.792 --> 37:22.959 the status quo . Uh Many of us rely on 37:22.959 --> 37:24.903 these vendors uh within our um our 37:24.903 --> 37:27.219 infrastructures um uh to support key uh 37:27.229 --> 37:29.909 activities . Uh But at the same time , 37:29.919 --> 37:31.808 they have a financial interest in 37:31.808 --> 37:33.919 maintaining status quo and we need to 37:33.919 --> 37:35.919 be bold enough to challenge it when 37:35.919 --> 37:37.586 necessary uh and disrupt when 37:37.586 --> 37:39.586 appropriate um to deliver those new 37:39.586 --> 37:41.808 technologies that we need to solve kind 37:41.808 --> 37:43.586 of tomorrow's problems . Yeah , 37:43.586 --> 37:45.475 actually , I'd like to make a few 37:45.475 --> 37:48.129 points on that note . Um One in , in 37:48.139 --> 37:50.361 terms of working with industry , as you 37:50.361 --> 37:52.472 know , as cio S , we offer enterprise 37:52.472 --> 37:54.639 services such as cross domain identity 37:54.639 --> 37:56.800 management , et cetera where it , it 37:56.810 --> 37:59.000 hurts us in our collaboration , not 37:59.010 --> 38:01.121 only within our own agency and across 38:01.121 --> 38:03.066 the community is when we replicate 38:03.070 --> 38:04.959 those services within our mission 38:04.959 --> 38:07.080 elements . 
I see that a lot , I I see 38:07.090 --> 38:09.209 us standing up redundant capabilities 38:09.219 --> 38:11.108 and not leverage , leveraging the 38:11.108 --> 38:13.219 enterprise vehicles that we've put in 38:13.219 --> 38:15.219 place . That's where we really need 38:15.219 --> 38:17.441 your help is that that partnership ? Um 38:17.441 --> 38:19.552 We've , we've certainly grown in that 38:19.552 --> 38:21.719 area , but it's also an opportunity um 38:21.719 --> 38:23.719 that we need to focus on . Second , 38:23.719 --> 38:25.663 where I've seen a lot of help from 38:25.663 --> 38:27.886 industry in the past year is helping us 38:27.886 --> 38:29.780 solve our acquisition problem of 38:29.790 --> 38:31.512 looking at . Where can we take 38:31.512 --> 38:33.679 opportunities of leveraging enterprise 38:33.679 --> 38:35.790 licensing . IC CIO has been a great 38:35.790 --> 38:37.901 partner in this and helping lead that 38:37.901 --> 38:40.068 across the IC . Um but then also DISA 38:40.068 --> 38:42.068 has as well in terms of identifying 38:42.068 --> 38:44.290 acquisition vehicles that we could take 38:44.290 --> 38:45.957 advantage of to get after our 38:45.957 --> 38:48.179 priorities uh without releasing our own 38:48.179 --> 38:47.760 contracts , right ? Things that are 38:47.770 --> 38:49.881 already within scope that are open to 38:49.881 --> 38:51.937 us that we could take advantage of a 38:51.937 --> 38:54.214 lot of that is recommended by industry . 38:54.214 --> 38:56.214 And so I continue to emphasize that 38:56.729 --> 38:59.120 thank you , um Ryan , you just started 38:59.129 --> 39:01.110 to mention uh cloud . So I like to 39:01.120 --> 39:03.342 shift to that a little bit , right ? Um 39:04.209 --> 39:06.431 Great potential , right ? It's a , it's 39:06.431 --> 39:08.209 a wonderful tool if we can take 39:08.209 --> 39:10.376 advantage of it .
How , how do you see 39:10.376 --> 39:12.153 that being utilized and the the 39:12.153 --> 39:14.320 community using ? Yeah , thanks Mike . 39:14.320 --> 39:16.431 Uh I have great fortune of um jumping 39:16.431 --> 39:18.653 on that train in 2014 as it was leaving 39:18.653 --> 39:20.653 the station . Um I think people see 39:20.653 --> 39:22.376 where cloud is today and don't 39:22.376 --> 39:24.459 recognize um how hard it was to get 39:24.469 --> 39:26.959 here . Um uh In the early days uh 39:26.969 --> 39:29.060 credit to NGA was first in , I think 39:29.070 --> 39:30.959 with map of the world if I recall 39:30.959 --> 39:32.959 correctly soon after uh a launch in 39:32.959 --> 39:36.139 2014 . Um I think we viewed cloud as 39:36.149 --> 39:38.038 data center replacement , right ? 39:38.038 --> 39:40.093 Infrastructure as a service . I have 39:40.093 --> 39:42.149 got , you know , hardware or virtual 39:42.149 --> 39:44.205 machines in my data center . I moved 39:44.205 --> 39:46.482 them to cloud sort of didn't re factor , 39:46.482 --> 39:48.649 it was just sort of a lift and shift . 39:48.649 --> 39:50.593 I think what we've seen is a great 39:50.593 --> 39:52.260 maturity . Uh not only within 39:52.260 --> 39:54.093 government but within our vendor 39:54.093 --> 39:56.316 community as well to figure out ways to 39:56.316 --> 39:55.995 help us take advantage of the 39:56.004 --> 39:59.750 opportunity of this um this perceived 39:59.760 --> 40:03.030 uh infinite capacity um the access 40:03.040 --> 40:05.780 to um you know , a variety of it , 40:05.790 --> 40:08.550 services , democratizing access to 40:08.560 --> 40:10.782 infrastructure and services . And we've 40:10.782 --> 40:13.004 seen it grow to a point . 
We said , you 40:13.004 --> 40:15.227 know what , I think we've done a lot of 40:15.227 --> 40:17.282 the digital transformation work as a 40:17.282 --> 40:19.393 community And now we're ready to sort 40:19.393 --> 40:21.504 of uh take the next step into sort of 40:21.504 --> 40:23.338 this multi cloud . So in 2020 we 40:23.338 --> 40:25.560 awarded the commercial cloud enterprise 40:25.560 --> 40:27.560 or C2E uh with five vendors for 40:27.560 --> 40:29.504 that uh now operate within the top 40:29.504 --> 40:31.671 secret network fabric . Uh We're super 40:31.671 --> 40:33.782 excited to see um uh the evolution uh 40:33.782 --> 40:36.134 to come . Uh our imperative is to 40:36.144 --> 40:38.255 deliver the multi cloud foundation to 40:38.255 --> 40:40.563 allow the community to take advantage 40:40.573 --> 40:42.406 of those higher order services , 40:42.406 --> 40:44.204 whether they're AI uh services 40:44.214 --> 40:46.325 natively provided by those vendors or 40:46.325 --> 40:48.513 third party or open source um to have 40:48.523 --> 40:50.412 the compute capacity to run those 40:50.412 --> 40:52.778 models to , to , to do inference on 40:52.788 --> 40:54.899 like cyber security data as we talked 40:54.899 --> 40:57.066 about , but a variety of other sort of 40:57.066 --> 40:59.177 mission imperatives . Um but also the 40:59.177 --> 41:01.066 broad , the access to the broader 41:01.066 --> 41:03.121 ecosystems of technologies that have 41:03.121 --> 41:04.955 natively been grown in the cloud 41:04.955 --> 41:07.177 environment . Uh If you're a startup , 41:07.177 --> 41:09.344 um The last thing you'll ever do is is 41:09.344 --> 41:11.455 is acquire a data center and buy some 41:11.455 --> 41:10.897 servers , right ? 
You start in the 41:10.907 --> 41:12.740 cloud , you natively built those 41:12.740 --> 41:14.963 capabilities in the cloud , you build a 41:14.963 --> 41:17.129 business model around consumption that 41:17.129 --> 41:18.851 is that is metered uh based on 41:18.851 --> 41:21.491 utilization . Uh Those are the things 41:21.501 --> 41:23.852 that we think we can now uh gain access 41:23.862 --> 41:25.751 to by delivering this multi cloud 41:25.751 --> 41:27.584 foundation . So I think where we 41:27.584 --> 41:29.912 started um and , and I think great work 41:29.922 --> 41:32.144 been done over the last , you know , 10 41:32.144 --> 41:34.255 years or so . I think the opportunity 41:34.255 --> 41:36.200 is even greater now um through our 41:36.200 --> 41:38.366 partnerships with these uh these great 41:38.366 --> 41:40.366 vendors . Um but then to access the 41:40.366 --> 41:42.931 broader ecosystem of solutions , um uh 41:42.941 --> 41:45.163 you know , to put those in the hands of 41:45.163 --> 41:46.941 our , our various mission , our 41:46.941 --> 41:49.108 partners to solve kind of those unique 41:49.108 --> 41:51.496 problems . Ryan , your reference to 41:51.506 --> 41:53.506 2014 takes me back , I'm in the way 41:53.506 --> 41:55.728 back . Machine thinking back to you , I 41:55.728 --> 41:57.895 remember Sue Gordon saying NGA was all 41:57.895 --> 42:00.006 in on the cloud and I remember having 42:00.006 --> 42:01.950 to assure people that going to the 42:01.950 --> 42:04.117 cloud didn't mean things were going to 42:04.117 --> 42:05.895 be on the open internet . So it 42:05.895 --> 42:05.885 shouldn't have called it commercial 42:05.895 --> 42:08.062 cloud . That was , that was one of our 42:08.062 --> 42:10.275 first market , same for us with GOV 42:10.416 --> 42:12.472 cloud , which was not in the cloud . 42:13.340 --> 42:16.110 Yeah . 
So it took me way back and um it 42:16.120 --> 42:18.231 made me also appreciate how far we've 42:18.231 --> 42:20.398 come . And this year , especially from 42:20.398 --> 42:22.064 the NSA perspective is really 42:22.064 --> 42:24.520 monumental in our , in our shift . It's 42:24.530 --> 42:27.050 uh a once in a generation change in how 42:27.060 --> 42:30.020 we um how we build and how we deploy 42:30.030 --> 42:32.479 our it . Because historically , our 42:32.489 --> 42:34.899 default has been , we build it in house 42:34.909 --> 42:37.020 and we deploy it on and that's how we 42:37.020 --> 42:39.791 do our it and starting with the journey 42:39.802 --> 42:42.501 started about 10 years ago . Um But 42:42.511 --> 42:44.678 what it's about for NSA and I know for 42:44.678 --> 42:46.789 many of my colleagues here , it's all 42:46.789 --> 42:48.567 about finding the right compute 42:48.567 --> 42:50.678 solution for each mission , the right 42:50.678 --> 42:53.382 option for every distinct problem and 42:53.392 --> 42:56.302 for every distinct uh purpose . So that 42:56.312 --> 42:58.612 might be commercial cloud . It could be 42:58.694 --> 43:01.793 C2E , it could be an instance of A 43:01.803 --> 43:03.944 TS cloud . It could be hardware as a 43:03.954 --> 43:05.954 service for things that don't quite 43:05.954 --> 43:08.121 work on commercial cloud . It could be 43:08.121 --> 43:09.954 on prem there's a whole range of 43:09.954 --> 43:12.121 options . And so we've kind of evolved 43:12.121 --> 43:14.214 from saying no , we can't do cloud , 43:14.283 --> 43:16.339 that's too open to everything out on 43:16.339 --> 43:18.073 the cloud , to really having a 43:18.083 --> 43:20.864 discernment as to what missions and 43:20.874 --> 43:23.216 what purpose should go into which 43:23.226 --> 43:25.976 platform ? 
And that's been all about 43:25.986 --> 43:28.097 how we partner with industry , how do 43:28.097 --> 43:30.365 we leverage the best that industry as a 43:30.375 --> 43:33.035 whole and that individual companies 43:33.045 --> 43:35.555 have to offer so that we can save the 43:35.565 --> 43:37.787 human capital for the things that truly 43:37.787 --> 43:39.843 only government can do . And that is 43:39.843 --> 43:42.065 not building data centers , that is not 43:42.065 --> 43:44.121 something that we have the corner on 43:44.121 --> 43:46.065 the market on . So that's what our 43:46.065 --> 43:48.232 hybrid compute initiative is all about 43:48.330 --> 43:50.386 and uh it's exciting because this is 43:50.386 --> 43:52.497 the first year at do I can talk about 43:52.497 --> 43:56.320 HC I is , is real um at multiple doses 43:56.330 --> 43:58.959 do die is that the pearl of do do at 43:59.110 --> 44:01.370 multiple ? Do I have talked about a 44:01.379 --> 44:03.800 hybrid compute initiative in the future 44:03.810 --> 44:06.030 of these amazing partnerships that NSA 44:06.040 --> 44:09.090 had for , with industry for commercial 44:09.100 --> 44:12.944 cloud on the TS side um for NSA as 44:12.954 --> 44:15.543 well as hardware as a service and this 44:15.553 --> 44:18.233 year it went live and we are deploying 44:18.243 --> 44:21.083 mission with our partner and that's our 44:21.093 --> 44:23.644 core mission services . Our IC R in 44:23.674 --> 44:26.293 Aptly named IC GOV cloud , um which 44:26.303 --> 44:28.924 provides hundreds of programs and uh 44:28.934 --> 44:31.184 systems that are used not only by NSA 44:31.194 --> 44:34.614 but across the IC and Dod and uh sort 44:34.624 --> 44:36.846 of like what I said with cyber security 44:36.846 --> 44:38.791 when we switched it over , nothing 44:38.791 --> 44:41.068 happened . 
And that was wonderful news , 44:41.068 --> 44:43.180 of course , the long term reasons why 44:43.180 --> 44:45.124 we made the shift is the increased 44:45.124 --> 44:47.235 reliability , increased performance , 44:47.235 --> 44:49.346 ultimate scalability and modularity , 44:49.346 --> 44:51.577 the efficiency . So there was no way we 44:51.587 --> 44:53.754 could get where we needed to go in sin 44:53.754 --> 44:55.920 and Cyber without those partnerships . 44:55.920 --> 44:58.087 So it's a really exciting time to be a 44:58.087 --> 45:00.142 as our hybrid compute initiative is 45:00.152 --> 45:02.319 live . And it's not only about mission 45:02.319 --> 45:04.430 systems , we're also looking at those 45:04.430 --> 45:06.622 partnerships and using uh various uh 45:06.632 --> 45:08.521 cloud service providers and other 45:08.521 --> 45:10.743 providers for our business systems . Uh 45:10.743 --> 45:13.701 We talk a lot about um innovation and 45:13.711 --> 45:15.600 we tend to talk about in terms of 45:15.600 --> 45:17.267 mission , but we need to have 45:17.267 --> 45:19.378 innovation in our business systems as 45:19.378 --> 45:21.544 well to keep up when you talk to folks 45:21.544 --> 45:23.711 about their long poles in the tent . A 45:23.711 --> 45:25.767 lot of the time . It's budget . It's 45:25.767 --> 45:27.989 the , it , it's some , those underlying 45:27.989 --> 45:27.696 things that , you know , it , it's , 45:27.706 --> 45:29.928 it's how , how much trouble did we have 45:29.928 --> 45:32.039 with our RT A S to , in order to , to 45:32.039 --> 45:34.206 fly out here ? Right . Um So those are 45:34.206 --> 45:36.373 some of the things that we're focusing 45:36.373 --> 45:38.484 on . Um But it's a , it's a milestone 45:38.484 --> 45:40.375 year for us and it's been a long 45:40.385 --> 45:42.607 journey with uh many of us on the stage 45:42.607 --> 45:44.663 wearing different hats over those 10 45:44.663 --> 45:46.774 years . 
I'd say we're all dis is also 45:46.774 --> 45:48.941 in that same perspective , Jennifer as 45:48.941 --> 45:50.941 we think about , you know , again , 45:50.941 --> 45:52.941 it's not just about , I call it the 45:52.941 --> 45:55.540 commercial cloud offerings , but things 45:55.550 --> 45:57.717 that we're , you know , trying to take 45:57.717 --> 45:59.550 advantage of with like our joint 45:59.550 --> 46:01.661 operational edge where we're actually 46:01.661 --> 46:04.189 deploying small clouds out closer to 46:04.199 --> 46:06.629 the edge where again , our war fighters 46:06.639 --> 46:08.583 are essentially working around the 46:08.583 --> 46:11.659 world or in some cases more on prem 46:11.669 --> 46:14.055 offerings or again , taking advantage 46:14.065 --> 46:16.926 of commercial cloud capabilities at all 46:16.936 --> 46:19.345 classifications , uh things that we're 46:19.355 --> 46:21.926 doing through the JWCC program . I 46:21.936 --> 46:24.103 think one of the things I'm most proud 46:24.103 --> 46:26.158 of is actually the work that Dod and 46:26.158 --> 46:28.785 the IC are doing together as we think 46:28.795 --> 46:31.936 about how we actually assess the risk 46:31.956 --> 46:34.666 and , and look at , you know , again 46:34.676 --> 46:36.843 how we take advantage of the cloud and 46:36.852 --> 46:39.771 working with industry . Um you know , 46:39.781 --> 46:42.711 the cloud works portfolio that's that 46:42.721 --> 46:45.531 Ryan is involved with . Um you know , 46:45.541 --> 46:47.771 they are really taking the lead with 46:47.781 --> 46:51.412 the top secret platforms , with dod in 46:51.422 --> 46:53.644 support of that . And we're looking for 46:53.644 --> 46:55.866 dod to take more of the leadership role 46:55.866 --> 46:58.570 when it comes to the secret cloud . But 46:58.580 --> 47:00.747 you know , what we're really trying to 47:00.747 --> 47:02.524 do is do what I would call good 47:02.524 --> 47:04.691 government , right ? 
We don't wanna go 47:04.691 --> 47:06.802 through and have to actually , well , 47:06.802 --> 47:08.989 let's go have one team assess this and 47:09.000 --> 47:10.989 then another team assess that same 47:11.000 --> 47:13.040 cloud . How do we actually work 47:13.050 --> 47:15.729 cooperatively understand those shared 47:15.739 --> 47:18.754 risk and then be able to make the risk 47:18.764 --> 47:21.125 decisions that are appropriate for each 47:21.135 --> 47:23.191 of us , right ? You know , the DoD's 47:23.191 --> 47:25.413 risk tolerance is gonna be a little bit 47:25.413 --> 47:27.635 different than the IC's risk tolerance 47:27.645 --> 47:29.945 in certain cases . And , and that's ok . 47:30.264 --> 47:32.320 The biggest thing is we're trying to 47:32.320 --> 47:34.264 create those efficiencies and that 47:34.264 --> 47:36.431 shared knowledge by bringing again the 47:36.431 --> 47:38.919 power of the two teams . I think the 47:38.929 --> 47:41.096 other thing that we're trying to do in 47:41.096 --> 47:43.151 commercial cloud , especially in the 47:43.151 --> 47:45.429 classified areas , you know , is recon , 47:45.429 --> 47:47.651 right ? Recognized yesterday , we don't 47:47.651 --> 47:50.110 fight wars alone . We we depend upon 47:50.120 --> 47:52.560 our five eyes partners , we depend upon 47:52.570 --> 47:55.639 other coalition partners . How do we , 47:55.649 --> 47:57.705 you know , look to take advantage of 47:57.705 --> 48:00.209 those capabilities that , you know , 48:00.219 --> 48:03.120 commercial cloud at all classifications 48:03.129 --> 48:05.979 offer us and how can we actually and 48:05.989 --> 48:08.780 they that true war fighting mission 48:08.989 --> 48:11.620 with our five eyes partners , et cetera . 
48:11.830 --> 48:14.110 Um Things like collaboration , it was 48:14.120 --> 48:16.231 mentioned yesterday that , you know , 48:16.231 --> 48:18.560 we are faced with challenges in the 48:18.570 --> 48:20.969 collaboration space with our five eyes 48:20.979 --> 48:23.146 partners . So again , there's a lot of 48:23.146 --> 48:25.035 initiatives that we have underway 48:25.035 --> 48:28.199 working again very closely between Dod 48:28.209 --> 48:30.659 and the IC in order to improve the 48:30.669 --> 48:32.889 capabilities for our war fighters . 48:34.739 --> 48:36.770 So again , thank you for the 48:36.780 --> 48:38.836 recognition that NGA jumped into the 48:38.836 --> 48:41.909 cloud first . Um We are a real risk 48:41.919 --> 48:44.141 averse organization and that was a real 48:44.141 --> 48:46.419 risky thing to be doing , but uh it has 48:46.429 --> 48:50.010 paid off um moving our instances to the 48:50.020 --> 48:52.290 cloud . Our former deputy director Sue 48:52.300 --> 48:54.522 Gordon said everything will go into the 48:54.522 --> 48:57.179 cloud , you will be there by 2017 . We 48:57.189 --> 48:59.133 quickly found out that that really 48:59.133 --> 49:01.110 wasn't the right thing to do some 49:01.120 --> 49:04.010 workloads , just don't operate well for 49:04.020 --> 49:07.080 our mission of warning safety and 49:07.090 --> 49:09.949 targeting in the cloud . So we had to 49:09.959 --> 49:12.126 pull some things and leave them in our 49:12.126 --> 49:14.229 on premises data centers . Uh We 49:14.239 --> 49:16.239 eventually found out though that uh 49:16.310 --> 49:18.199 even our on premises data centers 49:18.199 --> 49:20.770 wouldn't handle delivering capabilities 49:20.780 --> 49:22.613 to our war fighters . 
So we have 49:22.613 --> 49:24.780 established something called our joint 49:24.780 --> 49:26.891 regional edge nodes which pushes data 49:26.891 --> 49:29.030 pushes applications out to the edge 49:29.159 --> 49:31.659 where analysts sitting at the edge , 49:31.669 --> 49:33.725 war fighters sitting at the edge can 49:33.725 --> 49:35.836 actually access this information . So 49:35.836 --> 49:37.669 it truly is . Like you mentioned 49:37.669 --> 49:39.836 Jennifer , that hybrid situation where 49:39.836 --> 49:42.002 you've got things at the edge , you've 49:42.002 --> 49:41.919 got things in our data center , you've 49:41.929 --> 49:43.985 got things in the cloud , you've got 49:43.985 --> 49:46.151 things in multiple clouds . And so I'm 49:46.151 --> 49:48.096 glad we're able to learn from each 49:48.096 --> 49:51.010 other . Thank you , 49:52.090 --> 49:54.330 Mark and Doug yesterday , Doctor 49:54.340 --> 49:56.451 Merritt was talking about the IC road 49:56.451 --> 49:58.507 map and one of the things she talked 49:58.507 --> 50:00.507 about was priming the workforce and 50:00.507 --> 50:02.673 making sure the workforce is ready for 50:02.673 --> 50:04.840 the future . So my question for you is 50:04.840 --> 50:06.673 um how are how are your agencies 50:06.673 --> 50:08.896 working to ensure that the it workforce 50:08.896 --> 50:11.639 is remaining current ? So ho how are 50:11.649 --> 50:13.760 you keeping your , your folks current 50:13.760 --> 50:15.982 so they can , can you continue to excel 50:15.982 --> 50:18.010 and advance the mission ? Um I just 50:18.020 --> 50:20.242 start with that . Uh So really two ways 50:20.242 --> 50:22.409 we've emphasized in the past year , in 50:22.409 --> 50:26.370 particular one , we've opened up um 50:26.379 --> 50:28.435 or implemented stem pay , right ? 
So 50:28.435 --> 50:30.435 this is not just been unique to dia 50:30.435 --> 50:32.323 this has been all the agencies uh 50:32.323 --> 50:34.435 across the IC and dod part of that is 50:34.435 --> 50:36.212 upskilling the workforce for the 50:36.212 --> 50:38.379 qualifications to qualify for stem pay 50:38.379 --> 50:40.601 in certain positions that they might be 50:40.601 --> 50:42.823 filling that uh they don't have the the 50:42.823 --> 50:45.046 necessary certification . So we have uh 50:45.046 --> 50:47.439 expanded uh an online training portal 50:47.449 --> 50:49.616 which actually was , was not that much 50:49.620 --> 50:52.100 of a cost um but did expand course 50:52.110 --> 50:54.500 offerings to the entire it career field 50:54.510 --> 50:57.719 within dia and surprisingly , it has 50:57.729 --> 51:00.459 increased um not only obviously the 51:00.469 --> 51:03.199 qualifications but the diversification 51:03.209 --> 51:05.919 of how many courses and disciplines uh 51:05.929 --> 51:08.096 individuals within the it career field 51:08.096 --> 51:10.207 are getting engaged in . Our training 51:10.207 --> 51:13.199 went up within the past year by 4000% 51:13.290 --> 51:15.840 which is crazy to think uh at a very 51:15.850 --> 51:18.570 cheap cost and that's important to us . 51:18.790 --> 51:20.846 Uh mainly because as you look at our 51:20.846 --> 51:23.379 own workforce engagement survey , what 51:23.389 --> 51:25.611 I find especially in the comments is is 51:25.611 --> 51:27.722 that those that are most satisfied in 51:27.722 --> 51:29.778 their roles and engaged are the ones 51:29.778 --> 51:31.945 that are continuously learning . 
And , 51:31.945 --> 51:34.000 and I've done surveys in the past um 51:34.000 --> 51:36.056 where I've led the analytics of that 51:36.056 --> 51:38.111 and , and that has been the trend of 51:38.111 --> 51:40.167 everyone wants training and everyone 51:40.167 --> 51:42.167 wants to feel engaged and those two 51:42.167 --> 51:44.222 elements are tightly coupled . Uh So 51:44.222 --> 51:46.389 that's been a big success for us . The 51:46.389 --> 51:48.056 second is how , so we provide 51:48.060 --> 51:50.171 opportunities not just for joint duty 51:50.171 --> 51:52.750 assignments within agencies , but also 51:52.760 --> 51:55.139 with industry . So we run what's known 51:55.149 --> 51:57.629 as education , with industry . EWI um 51:57.639 --> 52:00.830 within our it career field providing JDA 52:00.840 --> 52:03.379 credit to those that are embedded 52:03.389 --> 52:06.270 within our industry partners . That's 52:06.280 --> 52:08.447 been a big success , not only in terms 52:08.447 --> 52:10.669 of understanding business practices and 52:10.669 --> 52:12.836 how we can uh become more efficient in 52:12.836 --> 52:14.724 the way we operate , but also the 52:14.724 --> 52:16.780 implementation of tools that we have 52:16.780 --> 52:18.891 already purchased . And oftentimes we 52:18.891 --> 52:20.724 take advantage of only one small 52:20.724 --> 52:23.280 element capability of uh whether it's 52:23.290 --> 52:25.234 application or infrastructure that 52:25.234 --> 52:27.512 we've integrated within our enterprise . 52:27.512 --> 52:29.346 Um And haven't realized the full 52:29.346 --> 52:31.512 potential of it . 
And by embedding our 52:31.512 --> 52:33.623 workforce and with industry , we've , 52:33.623 --> 52:35.790 we've really gotten a holistic picture 52:35.790 --> 52:35.600 of what we can do with what we have 52:35.610 --> 52:39.300 more efficiently . Doug , I have the exact 52:39.310 --> 52:41.429 same situation . 
Um with our employee 52:41.439 --> 52:44.080 climate survey , the people who respond 52:44.090 --> 52:46.570 to that survey indicate that training 52:46.580 --> 52:48.691 is actually one of the most important 52:48.691 --> 52:52.350 things uh pay , not so much um uh 52:52.360 --> 52:54.939 work place , location , things like 52:54.949 --> 52:57.171 that , not so much . It's that training 52:57.171 --> 52:59.005 the ability for people to better 52:59.005 --> 53:01.005 themselves , not only for the short 53:01.005 --> 53:03.227 term , but actually for the long term , 53:03.227 --> 53:05.005 either in upskilling them to be 53:05.005 --> 53:06.838 qualified for different types of 53:06.838 --> 53:08.671 positions in our organization or 53:08.671 --> 53:10.671 actually learn additional skills to 53:10.671 --> 53:13.005 better themselves within their location . 53:13.005 --> 53:14.949 It creates that sense of belonging 53:14.949 --> 53:17.171 within our agency and that creates that 53:17.171 --> 53:19.116 job satisfaction . So it's not all 53:19.116 --> 53:20.949 about just training our existing 53:20.949 --> 53:20.850 workforce , but also we are looking to 53:20.860 --> 53:24.840 bring in new and um exciting talent 53:24.850 --> 53:27.270 into our organization . So coupled with 53:27.280 --> 53:29.502 training our existing workforce looking 53:29.502 --> 53:31.224 for that new capability or new 53:31.224 --> 53:33.419 technology uh mindset coming into our 53:33.429 --> 53:35.760 organization . That is what basically 53:35.770 --> 53:37.992 uplifts our workforce from an education 53:37.992 --> 53:41.939 standpoint . Great . Thank you . Um 53:41.959 --> 53:45.439 Similarly to the training and keeping 53:45.449 --> 53:47.393 folks current , the other thing is 53:47.393 --> 53:49.505 accessibility , right ? 
We wanna make 53:49.505 --> 53:51.560 sure that the workforce can actually 53:51.560 --> 53:53.338 has access to the tools and can 53:53.870 --> 53:56.092 optimize their ability to do their jobs 53:56.092 --> 53:58.540 and to support the mission . So um 53:58.669 --> 54:00.836 Jennifer , I think I'll start with you 54:00.836 --> 54:03.070 if that's ok . I would ask um what are 54:03.080 --> 54:05.191 some of the key strategic initiatives 54:05.191 --> 54:07.136 uh at your agency that you have in 54:07.136 --> 54:09.459 place to advance um IT 54:09.469 --> 54:12.610 accessibility ? Thanks so much . IT 54:12.620 --> 54:15.580 accessibility is a top priority for NSA . 54:15.590 --> 54:17.812 And I know for many of my colleagues up 54:17.812 --> 54:20.500 here , it is a true priority . It is 54:20.510 --> 54:22.732 mission the same way Roger had referred 54:22.732 --> 54:25.000 to Secure by design . We need all of 54:25.010 --> 54:27.189 our capabilities to be accessible by 54:27.199 --> 54:30.750 design . So section 508 of the 54:30.760 --> 54:32.780 Rehabilitation Act , which requires 54:32.790 --> 54:34.870 federal Services and systems to be 54:34.879 --> 54:36.601 accessible to individuals with 54:36.601 --> 54:38.657 disabilities has a national security 54:38.657 --> 54:41.310 exemption . We could under the law just 54:41.320 --> 54:43.560 say it's national security , it doesn't 54:43.570 --> 54:46.189 need to be accessible . NSA determined 54:46.199 --> 54:48.421 years ago that that was not good enough 54:48.421 --> 54:50.532 for us and it's not just about what's 54:50.532 --> 54:52.699 the right thing to do . 
It's about the 54:52.699 --> 54:54.921 fact that in the battle for talent , we 54:54.921 --> 54:57.088 were just talking about workforce , we 54:57.088 --> 54:59.199 can't afford to say there's a sizable 54:59.199 --> 55:00.921 proportion of our employees or 55:00.921 --> 55:03.032 potential employees who won't be able 55:03.032 --> 55:04.755 to fully participate and fully 55:04.755 --> 55:06.810 contribute because we have failed to 55:06.810 --> 55:09.032 make everything accessible to them . So 55:09.032 --> 55:11.143 it's a question of not only the right 55:11.143 --> 55:13.310 thing to do and of being right for the 55:13.310 --> 55:15.366 people who work for us , but also of 55:15.366 --> 55:17.588 mission criticality . So NSA said we're 55:17.588 --> 55:19.699 going to create a policy that says we 55:19.699 --> 55:21.866 have to be accessible . It's the , the 55:21.866 --> 55:24.088 assumption is every system should be in 55:24.088 --> 55:25.921 program should be accessible for 55:25.921 --> 55:28.032 individuals with disabilities . So we 55:28.032 --> 55:30.032 put in place the policy , we put in 55:30.032 --> 55:32.366 place standards , we have a score sheet . 55:32.366 --> 55:34.421 We created a PMO which I was really 55:34.421 --> 55:36.643 proud to have as part of the deputy cio 55:36.643 --> 55:39.469 position . Um And this was all very uh 55:39.479 --> 55:42.129 thoughtful and nuanced and laid out 55:42.139 --> 55:44.959 exactly what the expectations were and 55:44.969 --> 55:47.025 what it was that it would require in 55:47.025 --> 55:49.129 order to , in some cases , it really 55:49.139 --> 55:51.570 isn't uh possible or practicable to 55:51.580 --> 55:53.699 make something accessible . But nine 55:53.709 --> 55:56.540 times out of 10 , we can get there . So 55:56.550 --> 55:58.606 what I really wanted to emphasize in 55:58.606 --> 56:00.772 response to your question is what made 56:00.772 --> 56:02.883 the difference . 
So having the policy 56:02.883 --> 56:04.939 and the standards and the score card 56:04.939 --> 56:07.050 and the PMO and the maturity model , 56:07.050 --> 56:09.383 that's all necessary but not sufficient . 56:09.383 --> 56:11.439 What I feel like has really made the 56:11.439 --> 56:13.439 difference at NSA is leadership and 56:13.439 --> 56:15.439 partnership , leadership . It's all 56:15.439 --> 56:17.661 about our leadership and especially our 56:17.661 --> 56:20.290 cio saying this is no kidding a 56:20.300 --> 56:22.411 priority . This is not something that 56:22.411 --> 56:24.520 you do if you have money left over 56:24.530 --> 56:27.159 after a mission , this is our mission . 56:27.449 --> 56:29.616 Um Also at breakfast this morning , we 56:29.616 --> 56:31.393 are talking about the Baltimore 56:31.393 --> 56:33.505 Washington Parkway and uh in a way it 56:33.505 --> 56:35.505 is like that the speed limit on the 56:35.505 --> 56:37.616 Baltimore Washington Parkway when you 56:37.616 --> 56:39.782 have a policy , yes , we're aware that 56:39.782 --> 56:42.005 it exists and that notionally there's a 56:42.005 --> 56:43.949 rule . But if there's nobody there 56:43.949 --> 56:46.171 telling you it's important in enforcing 56:46.171 --> 56:48.227 it , people are gonna continue to go 56:48.227 --> 56:50.005 100 and 10 MPH sometimes in the 56:50.005 --> 56:52.116 shoulder . So it was really important 56:52.116 --> 56:54.282 despite having all of the policies and 56:54.282 --> 56:56.227 standards in place to have someone 56:56.227 --> 56:58.449 saying , yeah , no kidding . This isn't 56:58.449 --> 57:00.505 just a paper exercise . You can have 57:00.505 --> 57:02.449 the slide in your required program 57:02.449 --> 57:04.671 management review deck . 
But unless the 57:04.671 --> 57:06.782 person who's reviewing says , no stop 57:06.782 --> 57:09.005 here , I want to ask you some questions 57:09.005 --> 57:11.060 and why you haven't made progress on 57:11.060 --> 57:11.060 this . It's just going to be another 57:11.070 --> 57:13.620 reporting exercise . So that's made a 57:13.629 --> 57:15.796 huge difference from the top on down . 57:15.796 --> 57:18.129 Having leadership say this is important , 57:18.129 --> 57:20.481 this is critical and this is about our 57:20.491 --> 57:22.931 workforce . And another aspect that's 57:22.941 --> 57:25.163 been really important is approaching it 57:25.163 --> 57:27.108 a partnership . It's a partnership 57:27.108 --> 57:28.997 among the advocates , the program 57:28.997 --> 57:30.774 management office , the program 57:30.774 --> 57:32.719 managers and developers within the 57:32.719 --> 57:35.191 agency as well as with industry . Um to 57:35.201 --> 57:37.257 make sure we're all trying to get to 57:37.257 --> 57:39.257 the same place . Um And it's really 57:39.257 --> 57:41.201 difficult . It's not . So I talked 57:41.201 --> 57:43.257 about the importance of having it be 57:43.257 --> 57:45.257 prioritized by our leadership , but 57:45.257 --> 57:47.479 that's not the only obstacle . It's not 57:47.479 --> 57:47.261 just , oh if only everyone understood , 57:47.733 --> 57:49.733 it would be easy to make everything 57:49.733 --> 57:52.283 accessible . There are major challenges . 57:52.293 --> 57:54.884 Um Sometimes , uh for example , a lot 57:54.894 --> 57:57.005 of developers , they didn't learn how 57:57.005 --> 57:59.061 to build accessibility and it wasn't 57:59.061 --> 58:01.227 part of the curriculum . So one of the 58:01.227 --> 58:03.394 things that our program manager office 58:03.394 --> 58:05.616 did , working with our uh university is 58:05.616 --> 58:07.838 to start offering um services and , and 58:07.838 --> 58:09.672 training to developers . 
So they 58:09.672 --> 58:11.838 understand how to build it in from the 58:11.838 --> 58:13.561 beginning , that's made a huge 58:13.561 --> 58:15.616 difference . Um And then approaching 58:15.616 --> 58:17.672 this as a , a partner and how can we 58:17.672 --> 58:19.616 all get there together ? Sometimes 58:19.616 --> 58:21.672 there are serious technical issues . 58:21.672 --> 58:23.838 Sometimes it simply doesn't make sense 58:23.838 --> 58:26.061 if you have a system that's on a remote 58:26.061 --> 58:28.283 mountain top somewhere , maybe it's not 58:28.283 --> 58:30.283 worth not deploying it until we can 58:30.283 --> 58:32.505 make it fully accessible to everybody . 58:32.505 --> 58:34.283 But we have clear standards and 58:34.283 --> 58:36.450 expectations for what it takes to meet 58:36.450 --> 58:38.616 those criteria . And then sometimes so 58:38.616 --> 58:40.838 we really struggled with trying to find 58:40.838 --> 58:43.061 a way to do multi factor authentication 58:43.061 --> 58:44.950 in a SCIF that is accessible for 58:44.968 --> 58:47.190 people with visual disabilities . So it 58:47.190 --> 58:49.357 takes everybody working together . The 58:49.357 --> 58:51.357 folks on the acquisition side , the 58:51.357 --> 58:53.798 folks on uh the industry side are 58:53.808 --> 58:56.097 advocates and the program managers and 58:56.107 --> 58:58.329 that's made the , the real difference . 58:58.329 --> 59:00.468 Um And that's why it's been so 59:00.478 --> 59:02.818 important to us and that's how we've 59:02.827 --> 59:04.907 tried to , to make a real difference 59:04.917 --> 59:07.447 and we're not good enough , but I'm 59:07.458 --> 59:09.625 really proud of how far NSA has come , 59:09.637 --> 59:11.693 Michael . 
I , I'd like to talk about 59:11.693 --> 59:13.804 the GW Parkway um because there are a 59:13.804 --> 59:16.026 lot of , there are a lot of barriers on 59:16.026 --> 59:18.026 that both man-made and natural that 59:18.026 --> 59:20.081 slow traffic down . Um In some cases 59:20.081 --> 59:22.248 that's good because there are uh areas 59:22.248 --> 59:24.248 that are under construction that go 59:24.248 --> 59:26.081 into one lane . It would be very 59:26.081 --> 59:25.840 dangerous to go to 100 and 10 miles an 59:25.850 --> 59:28.183 hour . But others are quite frustrating . 59:28.183 --> 59:30.183 A a and I think that relates to 508 59:30.183 --> 59:32.183 because in a sense what gets graded 59:32.183 --> 59:34.294 gets done , right ? So we have thrown 59:34.294 --> 59:36.794 up some barriers um to aid in the 59:36.804 --> 59:39.026 accessibility of technology and support 59:39.026 --> 59:40.971 reasonable accommodations . One of 59:40.971 --> 59:43.764 those is contracts . So we now evaluate 59:43.774 --> 59:45.895 every contract that we put out in DIA 59:46.014 --> 59:48.705 under the standards of section 508 of 59:48.715 --> 59:50.882 the Rehabilitation Act . Um That is an 59:50.882 --> 59:53.104 opportunity for industry as well , even 59:53.104 --> 59:55.159 though , you know , the contract may 59:55.159 --> 59:57.215 not specify it . Um making sure that 59:57.215 --> 59:59.382 you're helping in that area that helps 59:59.382 --> 01:00:01.493 obviously um our workforce at the end 01:00:01.493 --> 01:00:03.659 of the day , the second is , and , and 01:00:03.659 --> 01:00:05.937 we did this a couple of years ago with , 01:00:05.937 --> 01:00:07.826 with IC CIO is actually grading , 01:00:07.826 --> 01:00:09.937 holding ourselves accountable like we 01:00:09.937 --> 01:00:12.159 do for analytic integrity and standards 01:00:12.159 --> 01:00:14.159 where agencies are evaluated on how 01:00:14.159 --> 01:00:16.104 effective they are on tradecraft . 
01:00:16.104 --> 01:00:17.993 We've done the same in 508 at the 01:00:17.993 --> 01:00:19.937 community level . And in DIA we're 01:00:19.937 --> 01:00:22.090 continuing to do that . We do audits 01:00:22.100 --> 01:00:23.820 inspections uh of ourselves , 01:00:23.830 --> 01:00:26.179 especially our websites and how uh 01:00:26.189 --> 01:00:27.967 accessible those are to the 01:00:27.969 --> 01:00:30.025 community that we provide reasonable 01:00:30.025 --> 01:00:32.247 accommodations for . Um And we're gonna 01:00:32.247 --> 01:00:34.358 continue to do that and you know , in 01:00:34.358 --> 01:00:36.469 that sense , those those barriers are 01:00:36.469 --> 01:00:38.636 helpful , but also to Jennifer's point 01:00:38.636 --> 01:00:37.899 of lifting some of those barriers , 01:00:37.909 --> 01:00:40.131 changing the policies uh to make things 01:00:40.131 --> 01:00:41.909 easier for our employees in the 01:00:41.909 --> 01:00:45.580 workforce . Um In addition to what Doug 01:00:45.590 --> 01:00:48.139 and Jennifer has talked about when I 01:00:48.149 --> 01:00:50.482 was the associate CIO several years ago , 01:00:50.520 --> 01:00:52.520 I started to basically get involved 01:00:52.520 --> 01:00:54.870 with our accessibility programs and 01:00:54.879 --> 01:00:57.899 realizing that a accessibility required 01:00:58.169 --> 01:01:00.113 uh someone when they came into our 01:01:00.113 --> 01:01:01.891 agency to fill out a reasonable 01:01:01.891 --> 01:01:04.225 accommodation . And 45 to 60 days later , 01:01:04.225 --> 01:01:06.280 they might have something that would 01:01:06.280 --> 01:01:08.391 enable them to do their job . They're 01:01:08.391 --> 01:01:10.502 wasting two months worth of time just 01:01:10.502 --> 01:01:12.669 sitting , they're not able to do their 01:01:12.669 --> 01:01:12.409 job because the systems are not 01:01:12.419 --> 01:01:14.750 accessible . 
So we started a policy and 01:01:14.760 --> 01:01:17.919 it is our policy that everybody is able 01:01:17.929 --> 01:01:20.129 to perform on day one , we understand 01:01:20.139 --> 01:01:22.472 what special needs might be . But again , 01:01:22.472 --> 01:01:24.417 most of our systems are accessible 01:01:24.417 --> 01:01:26.417 across the board and we create them 01:01:26.417 --> 01:01:28.306 that way from day one . So that's 01:01:28.306 --> 01:01:30.250 something that we have got to do . 01:01:30.250 --> 01:01:32.669 Another quick story is that um I was 01:01:32.679 --> 01:01:34.901 part of our deaf and hard of hearing uh 01:01:34.901 --> 01:01:37.169 advisory uh group , uh taking care of 01:01:37.179 --> 01:01:39.439 our deaf and hard of hearing folks . Um 01:01:39.610 --> 01:01:42.919 I , I learned the term see with deaf 01:01:42.929 --> 01:01:45.889 eyes . Uh Basically what you do is you 01:01:45.899 --> 01:01:48.229 see things differently if you don't 01:01:48.239 --> 01:01:51.419 have that hearing sense . Um Most of 01:01:51.429 --> 01:01:53.207 our deaf and hard of hearing uh 01:01:53.207 --> 01:01:55.500 individuals work in a SCIF , they 01:01:55.510 --> 01:01:58.429 don't have the ability to phone home to 01:01:58.439 --> 01:02:00.661 receive messages from home like you and 01:02:00.661 --> 01:02:02.606 I do sitting in our offices , they 01:02:02.606 --> 01:02:04.661 don't have the ability to call their 01:02:04.661 --> 01:02:06.883 doctor and talk about a serious medical 01:02:06.883 --> 01:02:08.828 condition without going through an 01:02:08.828 --> 01:02:11.050 interpreter . And I don't think anybody 01:02:11.050 --> 01:02:13.106 here wants to share that information 01:02:13.106 --> 01:02:15.106 with somebody that is somewhat of a 01:02:15.106 --> 01:02:17.272 stranger . 
So what we've done is we've 01:02:17.272 --> 01:02:19.383 actually created and we've got policy 01:02:19.383 --> 01:02:21.161 changes made to implement uh uh 01:02:21.370 --> 01:02:24.330 basically unclassified video phones for 01:02:24.340 --> 01:02:26.639 our deaf and hard of hearing community 01:02:26.840 --> 01:02:28.951 at our agency . So within the SCIF , 01:02:28.951 --> 01:02:30.840 we actually have cameras which is 01:02:30.840 --> 01:02:32.951 almost unheard of to be able to allow 01:02:32.951 --> 01:02:35.173 these individuals to be able to contact 01:02:35.173 --> 01:02:36.840 loved ones , to contact their 01:02:36.840 --> 01:02:38.673 physicians and be able to use uh 01:02:38.673 --> 01:02:40.729 American sign language or some other 01:02:40.729 --> 01:02:42.951 type of means of communication . And so 01:02:42.951 --> 01:02:42.860 again , it's important that we take 01:02:42.870 --> 01:02:44.481 care of everybody within our 01:02:44.481 --> 01:02:46.648 organization and all of our agencies I 01:02:46.648 --> 01:02:48.759 think are learning from each other on 01:02:48.759 --> 01:02:50.870 this . I didn't know you had had that 01:02:50.870 --> 01:02:50.520 experience . I'm one of the senior 01:02:50.530 --> 01:02:52.474 champions for the deaf and hard of 01:02:52.474 --> 01:02:54.641 hearing IC affinity network . And 01:02:54.641 --> 01:02:56.919 so we've been learning from each other , 01:02:56.919 --> 01:02:58.919 all of the agencies in terms of the 01:02:58.919 --> 01:03:01.141 pilots we've done um for especially for 01:03:01.141 --> 01:03:03.197 the deaf and hard of hearing . And I 01:03:03.197 --> 01:03:05.419 did want to point out one area where we 01:03:05.419 --> 01:03:07.474 made great progress . 
And I see this 01:03:07.474 --> 01:03:10.016 year was a medical device policy , a 01:03:10.025 --> 01:03:12.095 huge issue for the deaf and hard of 01:03:12.105 --> 01:03:13.883 hearing and also for folks with 01:03:13.883 --> 01:03:15.994 pacemakers and other problems is that 01:03:15.994 --> 01:03:18.135 every agency had its own criteria for 01:03:18.145 --> 01:03:20.256 what you were allowed to bring into a 01:03:20.256 --> 01:03:24.006 SCIF and with hearing aids , it's very , 01:03:24.016 --> 01:03:26.072 very difficult these days to get one 01:03:26.072 --> 01:03:28.294 that is not Bluetooth enabled , that is 01:03:28.294 --> 01:03:30.885 not um basically uh internet of things . 01:03:31.122 --> 01:03:34.011 Um And so it was really difficult even 01:03:34.021 --> 01:03:36.188 if someone was just going to a meeting 01:03:36.188 --> 01:03:38.299 in another building to have to figure 01:03:38.299 --> 01:03:40.521 out , am I going to be able to attend ? 01:03:40.521 --> 01:03:42.577 Am I going to be able to hear , do I 01:03:42.577 --> 01:03:44.688 have to use a suboptimal solution in 01:03:44.688 --> 01:03:46.854 order to be there ? And uh the IC came 01:03:46.854 --> 01:03:48.965 together and wrote a policy to try to 01:03:48.965 --> 01:03:51.132 standardize expectations and standards 01:03:51.132 --> 01:03:53.741 for medical devices , including but not 01:03:53.751 --> 01:03:55.973 limited to hearing aids across the IC . 01:03:56.322 --> 01:03:58.544 And as someone who wears hearing aids , 01:03:58.544 --> 01:04:02.540 I appreciate . Hm . Well , thank 01:04:02.550 --> 01:04:04.717 you very much . I think this was a , I 01:04:04.717 --> 01:04:06.828 enjoyed the conversation watching you 01:04:06.828 --> 01:04:08.828 all kind of riff off each other and 01:04:08.828 --> 01:04:10.661 kind of expand on the thoughts . 01:04:10.661 --> 01:04:10.590 Hopefully , that was as enlightening 01:04:10.600 --> 01:04:13.629 for the audience as it was for me . 
Um 01:04:13.639 --> 01:04:15.806 But before we uh walk off and here , I 01:04:15.806 --> 01:04:17.806 think we hear the walk off music uh 01:04:17.806 --> 01:04:20.560 again , um I just would like to turn uh 01:04:20.719 --> 01:04:22.909 the podium or the microphone over to 01:04:22.919 --> 01:04:25.141 sue do if I could . Thank you so much . 01:04:25.141 --> 01:04:28.080 Um So as I sit here with my partners 01:04:28.090 --> 01:04:30.699 and peers and , and I say my family in 01:04:30.709 --> 01:04:33.590 the audience . Um This is my last CIO 01:04:33.600 --> 01:04:36.080 panel , I'll be retiring in February . 01:04:36.320 --> 01:04:39.020 Um So I have been blessed in uh to be 01:04:39.030 --> 01:04:41.610 able to come back up one more time . Um 01:04:41.620 --> 01:04:43.899 But it really is a , a homecoming to me 01:04:43.909 --> 01:04:47.620 to , to watch my um um all my 01:04:47.629 --> 01:04:49.929 people I worked with over the years at 01:04:49.939 --> 01:04:52.389 DIA where I really grew up has been 01:04:52.399 --> 01:04:55.110 profound uh where I can't see anything . 01:04:55.120 --> 01:04:57.453 So I'm like , where are the comms people ? 01:04:57.453 --> 01:04:59.453 Where are the comms , you guys over 01:04:59.453 --> 01:05:01.564 there ? That's where you were sitting 01:05:01.564 --> 01:05:03.787 yesterday . It was just profound to see 01:05:03.787 --> 01:05:05.842 how everyone has grown and the roles 01:05:05.842 --> 01:05:08.176 they're playing now . It's just amazing . 01:05:08.176 --> 01:05:10.342 So , thank you , thank you so much for 01:05:10.342 --> 01:05:12.639 uh all my time at DIA . Thank you for 01:05:12.649 --> 01:05:16.120 keeping dous , do I New Word ? 01:05:16.179 --> 01:05:18.750 Um uh um So exciting to see it come 01:05:18.760 --> 01:05:21.239 back out of COVID . 
I , I know I have 01:05:21.250 --> 01:05:23.250 been to some of the early ones that 01:05:23.250 --> 01:05:25.139 used to be in the DC area in a uh 01:05:25.139 --> 01:05:28.209 DoubleTree over by Tysons um to what 01:05:28.219 --> 01:05:30.719 it has grown to has been amazing . But 01:05:30.729 --> 01:05:32.896 uh thank you for , for letting me come 01:05:32.896 --> 01:05:35.062 home one more time . I appreciate it . 01:05:36.040 --> 01:05:38.590 Thank you . Thank you , Sue go . 01:05:40.120 --> 01:05:42.739 This is great . My family . 01:05:44.729 --> 01:05:47.120 He's a cat this way . All right . All 01:05:47.189 --> 01:05:48.149 right . Where do we go ? Thank you .