b"<html>\n<title> - DEPARTMENT OF HOMELAND SECURITY APPROPRIATIONS FOR FISCAL YEAR 2016</title>\n<body><pre>[Senate Hearing 114-]\n[From the U.S. Government Publishing Office]\n\n\n \n  DEPARTMENT OF HOMELAND SECURITY APPROPRIATIONS FOR FISCAL YEAR 2016\n\n                              ----------                              \n\n\n                       WEDNESDAY, APRIL 15, 2015\n\n                                       U.S. Senate,\n           Subcommittee of the Committee on Appropriations,\n                                                    Washington, DC.\n    The subcommittee met at 2:15 p.m., in room SD-138, Dirksen \nSenate Office Building, Hon. John Hoeven (chairman) presiding.\n    Present: Senators Hoeven, Cochran, and Shaheen.\n\n                    DEPARTMENT OF HOMELAND SECURITY\n\nSTATEMENT OF HON. ANDY OZMENT, ASSISTANT SECRETARY, \n            OFFICE OF CYBERSECURITY AND COMMUNICATION, \n            NATIONAL PROTECTION AND PROGRAMS \n            DIRECTORATE\n\n\n                opening statement of senator john hoeven\n\n\n    Senator Hoeven. I would like to call this meeting of the \nDepartment of Homeland Security Appropriations Subcommittee to \norder. I would like to welcome Ranking Member Senator Shaheen \nand also our full committee Appropriations Chairman, Senator \nCochran. I appreciate very much you being here, as well as our \nthree witnesses.\n    This hearing, of course, is on cybersecurity. Cybersecurity \nis one of the most complex and challenging threats currently \nfacing our Nation. 
Today, we will examine the role of the \nDepartment of Homeland Security (DHS) in our Nation's \ncybersecurity efforts, specifically its responsibilities for \nsecuring the dot-gov domain, protecting critical \ninfrastructure, and facilitating and conducting robust \ninformation sharing.\n    I'm pleased to welcome our witnesses Andy Ozment, the \nAssistant Secretary of the Office of Cybersecurity and \nCommunications from the National Protection and Programs \nDirectorate (NPPD) within DHS; Luke McCormack, the DHS Chief \nInformation Officer (CIO); and Greg Garcia, Executive Director \nof the Financial Services Sector Coordinating Council.\n    The focus of today's hearing, as I noted, is DHS's role in \ncybersecurity. First and foremost, DHS is responsible for \nprotecting the dot-gov domain. Through NPPD, DHS secures dot-\ngov by providing overarching services and capabilities and best \npractices that agencies are required to deploy to protect their \nagencies' information technology (IT) infrastructure and \nsystems.\n    While there is a roadmap to accomplish this mission, I \nunderstand DHS still has work to do to fully deploy \ncapabilities to ensure each agency is protecting its data.\n    At the same time, we must ensure departments and agencies \nacross government are appropriately funded to operate and \nsupport their own IT infrastructure and systems. Each Chief \nInformation Officer (CIO) bears responsibility to their \ncustomers and data. That includes the DHS CIO with us today.\n    We will discuss in detail programs such as Einstein for \nintrusion detection and prevention, continuous diagnostics for \nmonitoring activity within systems, and incident reporting \nthrough US-CERT's online system.\n    Cybersecurity efforts are substantial and growing. In \nfiscal year 2015, Congress provided $12.4 billion for \ncybersecurity across the government. 
DHS is responsible for 11 \npercent or $1.4 billion of that funding, largely due to its \nresponsibility for securing dot-gov.\n    DHS's second cybersecurity mission is supporting critical \ninfrastructure protection. DHS leverages its experience in \ndeploying capabilities for dot-gov in supporting protection of \ncritical infrastructure. At the same time, the role is very \ndifferent, as 85 percent of U.S. critical infrastructure is \nprivately held. Robust public-private partnerships are the \ncornerstone of this responsibility.\n    No discussion of cybersecurity would be complete, however, \nwithout mentioning the Department's third mission area, the \ndissemination of cyber threat and incident information. Yet \nagain, this is not a mission that DHS can own exclusively and \nexecute alone. The intelligence community and national defense \napparatus has access to information significant to detecting \nU.S. cyber-interests broadly. They struggle with how to best \nshare that information while protecting sources and methods.\n    Conversely, private sector entities are often the first to \nrealize something wrong is happening in cyberspace and can \nalert the government and their peers.\n    For those reasons, both the government and the private \nsector need the right information sharing mechanisms and \ncapabilities. Timely, actionable information needs to flow in \nall directions. There is no silver bullet. Responding to the \nthreat will require visionary leadership on the part of the \nDepartment; the government as a whole; and State, local, and \nprivate sector partners. Parochial interests and bureaucratic \nprocess should not be allowed to stand in the way of progress.\n    With strong detection, prevention, mitigation, and \ninformation sharing efforts, we can address evolving threats \nhead on and work toward a more robust cybersecurity \nenvironment. 
And I look forward to your recommendations, to \nthat end.\n    This is a complicated area, but it is one of great priority \nright now.\n    Let me also note that this date marks a solemn anniversary. \nTwo years ago today, the city of Boston suffered a terrible \nterrorist attack. The Senate will be observing a moment of \nsilence at 2:49, the time of the attack. With the indulgence of \nSenator Shaheen and our witnesses, we will do the same during \nthis hearing. So we will notify you at that time, 2:49, and \nthere will be a moment of silence.\n    With that, I would like to turn to the ranking member of \nthe committee. She and I just returned from a visit of the \nsouthern border, including Houston, McAllen, Laredo, and San \nAntonio. I appreciate very much your going. I think it was very \ninformative.\n    There is a lot going on when it comes to DHS. Whether it is \nborder security or cybersecurity, this is complicated stuff. \nAnd we need good people doing a good job, so we want to do \neverything we can to help and support, in terms of doing the \nbest possible job of funding that effort.\n    With that, I will turn to Ranking Member Shaheen.\n\n\n                  statement of senator jeanne shaheen\n\n\n    Senator Shaheen. Thank you very much, Mr. Chairman. As you \npoint out, we had a fascinating and informative trip to the \nsouthern border. And while border security, obviously, was a \ntopic of conversation throughout the trip, cybersecurity didn't \ncome up much, so we look forward to hearing from each of our \npanelists today.\n    I also, like you, Mr. Chairman, say how much I appreciate \nChairman Cochran being here for this hearing. It is always nice \nto have the full committee represented when we are having a \nsubcommittee hearing.\n    And I also very much appreciate your mentioning that this \nis the 2-year anniversary of the Boston Marathon bombing. 
We \nhad a number of New Hampshire folks who were injured in that \nbombing, so it is something that we feel very personally \nthroughout New England, and I know through the rest of the \ncountry. So I am very appreciative that we will all be pausing \nto remember and acknowledge the bombing and its victims.\n    As the Chairman pointed out, the Department of Homeland \nSecurity's role in cybersecurity is very complex and \nmultifaceted, and the agency's effort should be carefully \ncoordinated with other Federal agencies, with all government \norganizations, and, of course, with the private sector.\n    Cybersecurity is at the forefront of our national \nconsciousness, and we hear every day about another \ncybersecurity challenge.\n    On the news this morning, there was a report about the \npotential vulnerability of cockpits because of the ability to \nhack into security networks. So this is an issue that, as all \nof you know, is on the front pages every day. Anybody who has \nseen the news knows that the Federal Government, private \ncompanies, academic institutions, individuals, no one is free \nfrom the potential of a cyberattack.\n    Now, through this hearing, we hope to focus on DHS's role \nin protecting the Nation from cyberattacks, and I look forward \nto discussing the National Protection and Programs Directorate \n(NPPD) activities and how partners such as Federal agencies and \nthe private sector use their programs. 
In addition, we will \nhear from DHS's chief information officer on how his office \npartners with the NPPD to stay ahead of cyber threats.\n    The Department is also helping secure our Nation by the \nwork of its various law enforcement agencies tasked with \ntracking down cybercriminals, and the Science and Technology \nDirectorate, which is working to develop and improve \ntechnologies that protect our information systems.\n    And I have to say, I had a fascinating briefing earlier \nthis week on our efforts internationally to work with other \ngovernments on securing cyber networks.\n    The Office of Management and Budget (OMB) reports that the \nPresident's cybersecurity request for fiscal year 2016 is $13.9 \nbillion, an 11-percent increase. Of this total, $1.4 billion is \nrequested for DHS programs, including protection, \ninvestigations, and science and technology. And much of the \nrequested funding will be dedicated to programs that help us \nboth catch up and keep up with the daily threat from \ncyberattacks.\n    Now, since the Internet was developed with an open \narchitecture, we are retroactively addressing security \nvulnerabilities through major programs, such as intrusion \ndetection and continuing diagnostics, and these efforts are \nimportant. Investments that mitigate future risks are equally \nimportant. We should focus on future workforce needs and \nsupport businesses by ensuring the development of quality \ncybersecurity products and encouraging the use of best \npractices.\n    It is concerning that budget pressures are forcing us to \nfocus more on immediate needs rather than also making the \nnecessary investments that will save us money and prevent \nattacks in the future.\n    So again, thank you all for being here today. I look \nforward to hearing what you have to say and to an exchange, \nfollowing your remarks.\n    Thank you, Mr. Chairman.\n    Senator Cochran. Mr. Chairman.\n    Senator Hoeven. 
I would now like to recognize the chairman \nof the full Appropriations Committee and thank Senator Cochran \nfor joining us.\n    Senator Cochran.\n\n\n                   statement of senator thad cochran\n\n\n    Senator Cochran. Mr. Chairman, thank you. I am very pleased \nto join you and other members of this panel to discuss with the \nDepartment of Homeland Security experts here what we should \nknow about cybersecurity, what we should appreciate the \nopportunity to learn, what Congress as a principal part of the \ndecision-making process should be considering in terms of \nfunding, in terms of legal authority to act on behalf of our \nNation's interests in cybersecurity, and exactly what we should \ndo about the challenges that we face.\n    Senator Hoeven. Thank you, Mr. Chairman. And again, thanks \nfor joining us.\n    We will go with 5-minute rounds for the questions, but, \nfirst, of course, we will start with your prepared statements.\n    So Mr. Ozment, if you would like to proceed?\n\n\n                 summary statement of hon. andy ozment\n\n\n    Mr. Ozment. Thank you. Chairman Cochran, Chairman Hoeven, \nRanking Member Shaheen, thank you for your unwavering support \nfor the Department of Homeland Security and the National \nProtection and Programs Directorate, or NPPD. We look forward \nto continuing this cooperation as we work to secure and enhance \nthe resilience of our Nation's cyber and physical \ninfrastructure.\n    Speaking to our cyber mission, we view ourselves as a \ncustomer service organization with three customers: the Federal \nGovernment civilian and executive branch; State, local, tribal, \nand territorial governments; and the private sector. In helping \nthese three customers manage their cybersecurity risks, we \nfocus on three areas.\n    The first is to implement best practices, particularly \nthrough the cybersecurity framework. 
And these best practices, \nwe believe that companies and agencies should invest at least \n70 percent of their effort in the space. The second is robust \ninformation-sharing in near real-time whenever possible, and we \nbelieve that companies and agencies should be investing about \n25 percent of their effort in this space. And the final area is \neffective incident response, where companies should invest the \nfinal 5 percent or so of their effort.\n    These are ballpark figures, but my idea here is to give you \na sense of the magnitude and relative effort that should be \nexpended. We know that best practices alone can defeat the vast \nmajority of cyber threats and force our adversaries to pay \nmore, frankly, for the benefits that they are hoping to obtain.\n    I will focus my remarks today on two of our three \ncustomers, the Federal civilian executive branch and the \nprivate sector. And, of course, two of my customers are, in \nfact, testifying with me here today.\n    Regarding our Federal agency customers, I would like to \nhighlight three key initiatives. First, we measure and motivate \nagency cybersecurity. Second, we provide tools and services to \nidentify network security issues. And third, we provide a \nbaseline of security across the Federal civilian executive \nbranch through the Einstein program. I will explain each of \nthese a bit further.\n    Last year, Congress gave us new authorities to help measure \nand motivate agency cybersecurity through the Federal \nInformation Security Modernization Act, or the modernization of \nFISMA. 
We are now working closely with the Office of Management \nand Budget, the National Institute for Standards and \nTechnology, and the Federal CIO Council to implement these \nauthorities and to help Federal agencies better understand and \nmanage their own risks.\n    To the second point, our Continuous Diagnostics and \nMitigation program, or CDM, serves Federal executive branch \ncivilian agencies with tools and services to identify network \nsecurity issues and prioritize their mitigation.\n    I am delighted to announce that, just yesterday, we awarded \na new task order to seven large agencies that cover 47 percent \nof the Federal civilian government by personnel. So in total, \n55 percent of the Federal civilian government has now received \nawards for CDM tools and services.\n    This is the award. The actual deployment of these tools and \nservices will take some months yet, but this is a major \nmilestone to have achieved.\n    We are requesting $103 million for CDM in fiscal year 2016.\n    Finally, in the best practices realm for Federal \ndepartments and agencies, I would like to highlight our \nEinstein program, otherwise known as the National Cybersecurity \nProtection System. Einstein 1 and 2 provide intrusion detection \nservices, so that is where we identify the bad guys and set off \nan alarm. Einstein 3 provides an intrusion protection service, \nwhere it actually blocks malicious actors from intruding upon \nor attacking the Federal Government.\n    The Einstein program provides a first line of defense \nagainst cyber threats. Einstein 3 uses classified and \nunclassified information to block cyber espionage and attacks. 
\nIt is also a platform upon which we can build future security \ncapabilities that adapt to emerging cybersecurity risks and \nthat help us take advantage of the innovation the private \nsector can provide.\n    We look forward to working with Congress to further clarify \nDHS authority to deploy Einstein 3A across Federal executive \nbranch civilian departments and agencies.\n    Now let me switch my focus to the private sector. For the \nFederal Government, our mission includes directly protecting \ndepartments and agencies. For the private sector, our mission \nis to help companies better secure themselves. Through our C-\nCubed Voluntary Program, we encourage organizations to adopt \nthe cybersecurity framework as part of an enterprise risk \nmanagement approach.\n    We also perform risk assessments with and for companies. \nThese risk assessments give us data on the state of industry \nand help individual parts of our infrastructure understand and \nmanage cyber risks. We have invested an additional $4 million \nin fiscal year 2016 to double the number of cybersecurity risk \nassessments this program can help to provide our private-sector \npartners.\n    I now would like to highlight three information-sharing \nprograms that we offer to help the private sector. The first, \nthe cyber information-sharing and collaboration program, allows \nDHS to share cybersecurity formation in near real-time with \ncritical infrastructure partners. 
In this program, we built a \npilot automated information-sharing program with the FS-ISAC, \nand I expect that my partner up here, Greg Garcia, may also \nspeak to that.\n    We also offer Enhanced Cybersecurity Services, or ECS, \nwhich allows us to share classified and unclassified threat \nindicators with cybersecurity companies, who then use that \ninformation to protect their private-sector customers.\n    We have requested nearly $17 million in additional funds \nfor fiscal year 2016 to expand the ECS program.\n    Finally, we are working to foster Information-Sharing and \nAnalysis Organizations to address the private sector's request \nfor more flexible information-sharing organizations and clear \nbest practices for those organizations. And we are requesting \n$2 million in fiscal year 2016 for the program.\n\n\n                           prepared statement\n\n\n    I would like to close by thanking members of the \nsubcommittee for your help in passing five pieces of historic \ncybersecurity legislation this past year. In the interest of \ntime, I will leave additional description of our efforts and of \nthe NCCIC, our National Cybersecurity and Communications \nIntegration Center, for your questions.\n    Thank you.\n    [The statement follows:]\n\n                 Prepared Statement of Hon. Andy Ozment\n                              introduction\n    Chairman Hoeven, Ranking Member Shaheen, and distinguished Members \nof the Subcommittee, let me begin by thanking you for the unwavering \nsupport that you provide to the Department of Homeland Security (DHS) \nand the National Protection and Programs Directorate (NPPD). 
We look \nforward to continuing to work with you in the coming year to ensure a \nhomeland that is safe, secure, and resilient against terrorism, cyber \nattacks, natural disasters, and other risks.\n    NPPD undertakes its cybersecurity activities within its overarching \nmission to secure and enhance the resilience of the Nation's cyber and \nphysical infrastructure. We view ourselves as a customer service \norganization, and our customers are Federal Executive Branch civilian \ndepartments and agencies, private sector infrastructure owners and \noperators, and State, local, tribal, and territorial (SLTT) \ngovernments.\n    In serving these customers, our guiding principles are: prioritize \nour customers' needs to build and retain their trust; ensure privacy \nand civil rights across the depth and breadth of our cyber and \ncommunications activities; and enable continuous improvement in \nemergency communications and cybersecurity to stay ahead of malicious \nactors.\n    I will focus my remarks today on the Office of Cybersecurity and \nCommunications (CS&C's) approach to service and capabilities. This \nincludes the technical tools we use in protecting our Federal agency \ncustomers; CS&C's incident response capabilities that we deploy to both \npublic and private entities to ensure critical infrastructure \nresilience; and how we help entities protect themselves, in particular \nour work to ensure that we help private sector and SLTT customers \nbetter manage their risks.\n                   protecting the federal government\n    Across the Federal Government, each department and agency is \nresponsible for managing its own cybersecurity. However, under the \nFederal Information Security Modernization Act (FISMA) of 2014, DHS is \nprovided with the authority to administer the implementation of Federal \ncybersecurity policies. 
In order to carry out this important \nresponsibility, DHS is authorized to issue binding operational \ndirectives, monitor agency cybersecurity practices, and provide \noperational and technical assistance. NPPD's strategy to implement its \nFISMA authorities is to measure and motivate improved cybersecurity \namong Federal agencies through partnerships with the Office of \nManagement and Budget, the National Institute of Standards and \nTechnology, and the Federal CIO Council, and to build technical systems \nthat provide a baseline of cybersecurity across the Government.\nCDM: Helping Federal Agencies Understand and Manage Cyber Risk\n    Through the Continuous Diagnostics and Mitigation (CDM) program, \nDHS provides Federal Executive Branch civilian agencies with tools and \nservices to identify network security issues, including unauthorized \nand unmanaged hardware and software; known vulnerabilities; weak \nconfiguration settings; and potential insider attacks. Agencies can \nthen prioritize mitigation of these issues based upon potential \nconsequences or likelihood of exploitation. In this way, CDM helps \nagencies understand and manage their own cyber risks.\n    DHS is moving aggressively to implement CDM across all Federal \nExecutive Branch civilian agencies, and Memoranda of Agreement (MOA) \nwith the CDM program cover over 97 percent of all Federal civilian \npersonnel. Delivery Order 1, the first award under the CDM/Continuous \nMonitoring as a Service (CMaaS) blanket purchase agreement was for \n$59.5 million to purchase CDM tools for 21 agencies; this procurement \ndemonstrated a 30 percent cost reduction over General Services \nAdministration (GSA) pricing and resulted in $26 million in cost \navoidance. A subsequent award was made for license maintenance of the \ntools procured in Delivery Order 1 that reflected a 50 percent cost \nreduction over GSA pricing. 
The first of six awards for Task Order 2 \nwas made in February 2015 and will provide CDM tools and services to \nDHS itself. Additional awards will be issued through fiscal year (FY) \n2015 and fiscal year 2016, and ultimately will cover over 60 additional \nFederal agencies including 23 of the 24 Chief Financial Officer Act \nagencies. Department of Defense, the 24th CFO Act agency, does not \nparticipate in the CDM-funded solicitation activities.\n    The CDM Federal Dashboard will provide DHS with summary data to \nunderstand relative and system risk across the Executive Branch. Local \nagency dashboards will provide each agency with detailed information \ninto its specific, prioritized risks. Both dashboards will use \ncommercial off-the-shelf technology. The agency-level dashboards will \nbegin deployment in fiscal year 2015, and the Federal dashboard is \nexpected to fully deploy by fiscal year 2017.\n    These dashboards will receive automated feeds from the CDM tools \nand will provide a new level of rigor and timeliness to our \nunderstanding of Federal agency cyber risk.\nE \\3\\A: Detecting and Blocking Threats Against Federal Networks\n    Another tool utilized by NPPD to fulfill its mission is EINSTEIN 3 \nAccelerated (E \\3\\A). E \\3\\A is a perimeter defense tool: a first line \nof defense against cyber threats for Federal civilian Departments and \nAgencies. E \\3\\A can be considered a set of security gates on the \nFederal Government's traffic, located at the handful of Internet \nService Providers (ISPs) that are used by almost every Federal civilian \nagency to access the Internet. DHS has completed building E3A \ncheckpoints at two ISPs: therefore, agencies that currently use these \ntwo ISPs to connect to the Internet are now able to obtain E \\3\\A \nprotection. These security gates only apply to traffic transiting to \nand from Federal civilian executive branch agencies. 
A Privacy Impact \nAssessment (PIA) for E \\3\\A was published by DHS in 2013 to publicly \ndocument how privacy protections have been integrated into the E \\3\\A \nprocess. This PIA is available through the Department's publicly-facing \nwebsite.\n    E \\3\\A uses classified and unclassified information to block cyber \nespionage and attacks, including by our most sophisticated adversaries. \nE \\3\\A currently provides two protection capabilities (Domain Name \nServer (DNS) Sinkholing and Email Filtering) that have been found to be \nhighly effective in detecting and blocking known threats, thereby \nprotecting against those adversaries about whom the Government has \nidentified telltale attributes. The Domain Name Server (DNS) Sinkholing \ncapability allows DHS to prevent malware installed on .gov networks \nfrom communicating with known or suspected malicious Internet domains \n(sinkhole information) by redirecting the network connection away from \nthe malicious domain to ``safe servers'' or ``sinkhole servers,'' thus \npreventing further malicious activity by the installed malware. The \nEmail Filtering capability allows DHS to scan email destined for .gov \nnetworks for malicious attachments, Uniform Resource Locators (URL), \nand other forms of malware, before being delivered to .gov end-users.\n    Currently, approximately 26 percent of Federal civilian personnel \nare protected by at least one of E \\3\\A's capabilities. Recently, a \nsecond ISP completed its build-out of E \\3\\A, so now the capacity \nexists to protect almost 50 percent of Federal civilian personnel. To \ntake advantage of that new capacity, the newly covered agencies must \nsign an MOA and restructure their networks to ensure they can receive \nthe full suite of E \\3\\A capabilities. Agencies will be onboarded in \nstages, and each onboarding is expected to take several weeks. 
As of \nApril 3, 2015, 51 agencies have signed MOAs to participate in E \\3\\A \nservices, and those agencies include approximately 96 percent of all \nFederal civilian personnel. We are continuing to work with the other \nmajor ISPs used by the Federal Government to build E \\3\\A capabilities \nat those ISPs as well.\n    E \\3\\A also provides a platform on which DHS can build future \nprotection capabilities that adapt to emerging security risks, allowing \nfuture innovation from both government and industry. It is a unique \nsystem that utilizes classified information to protect unclassified \nnetwork traffic for Federal Civilian Executive Branch networks and \nallows DHS to better detect, respond to, and appropriately counter \nknown or suspected cyber threats identified within the Federal network \ntraffic it monitors.\n    Moreover, E \\3\\A is allowing DHS to create situational awareness of \ncyber threats by screening Federal agency Internet traffic for cyber \nthreats across multiple agencies, enabling strong correlation of events \nand the ability to provide early warning and greater context about \nemerging risks. As the Department detects and stops adversaries' \nattacks with E \\3\\A, we will take the knowledge we gain and share it \nwith the private sector and SLTT governments, meeting their information \nneeds in a manner that is consistent with the protection of privacy and \ncivil liberties. They will be able to use this information to better \nprotect themselves.\n    Obtaining the MOAs necessary to deploy E \\3\\A services has been \ntime consuming, and not all agencies are ready to sign them. Some \nagencies, in some cases, have questioned how deployment of EINSTEIN \nunder DHS authority interplays with their existing statutory \nrestrictions on the use and disclosure of agency data. 
As a result of \nthis uncertainty, DHS has not been able to achieve 100 percent \ncommitment from agencies to enter into authorizing the deployment of \nEINSTEIN capabilities to protect their systems. DHS and the \nAdministration have sought statutory changes to clarify this \nuncertainty and to enable agencies to disclose their network traffic to \nDHS for narrowly tailored purposes to protect agency networks, while \nmaking clear that privacy protections for the data would remain in \nplace. Moreover, as E \\3\\A's capabilities evolve, the MOAs will need to \nbe updated. We look forward to working with Congress to further clarify \nDHS's authority to deploy this protective technology to Federal \nExecutive Branch civilian systems.\n    Looking toward the future, NPPD is advancing its protective \ncapabilities to detect not only known cyber threats, but also recognize \npotential threats that have not been previously observed. Just as the \nhuman body achieves resilience by fighting new viruses with biological \nmechanisms that recognize when the body is under attack, DHS seeks to \nbuild similar mechanisms for networks using mathematical trend analysis \nof cyber events. We will collect the data needed for this from the \ngovernment agencies that we protect, following the privacy protections \ndetailed in our publicly available PIAs. The concept comprises the \nability to view the current state of cybersecurity, just as a \ntraditional weather map provides a view of current weather. Our long-\nterm goal is for networks and connected devices to know when to reject \nincoming traffic or even refuse to execute specific computer \ninstructions because they are recognized as harmful due to their \ncurrent behavior, even if the exact computer ``disease'' has not been \nseen before. 
This will help to create the resilience to deter many \ncyber threat actors by increasing the costs of individual cyber \nattacks.\n  enhancing information sharing to reduce the frequency and impact of \n                            cyber incidents\n    The National Cybersecurity & Communications Integration Center \n(NCCIC) serves as a 24x7 centralized location for cybersecurity \ninformation sharing, incident response, and incident coordination. \nNCCIC partners include all Federal departments and agencies, including \nlaw enforcement, the Department of Defense, the Intelligence Community; \nSLTT governments; the private sector; and international entities. The \nNCCIC provides its partners with enhanced situational awareness of \ncybersecurity and communications incidents and risks, and it provides \ntimely information to manage vulnerabilities, threats, and incidents. \nIn 2014, the NCCIC received over 97,000 incident reports, and issued \nnearly 12,000 actionable cyber-alerts or warnings. NCCIC teams also \ndetected over 64,000 vulnerabilities on Federal and non-Federal systems \nand directly responded to 115 significant cyber incidents.\n    An example of the NCCIC's support to and collaboration with the \nprivate sector was the effort to mitigate Distributed Denial of Service \n(DDoS) incidents impacting U.S. banking institutions in 2012 and 2013. \nDuring the DDoS attacks, the NCCIC disseminated technical data and \nassistance--including 600,000 DDoS-related Internet Protocol (IP) \naddresses and supporting contextual information--to Federal agencies, \ncritical infrastructure partners, international partners, and US-based \nISPs. This information helped financial institutions and cybersecurity \nservice providers improve their defensive capabilities and detect or \nblock threats before financial services were impacted. 
In addition to
sharing with relevant private sector entities, the NCCIC shared
information with over 120 international partners, many of whom
contributed to our mitigation efforts. The NCCIC, along with the U.S.
Secret Service, FBI and other interagency partners, also deployed to
affected entities to offer on-site technical assistance.
    For fiscal year 2016, NPPD requested an additional $10.412 million
and 35 FTP/19 FTE to develop situational awareness and infrastructure
analysis. This increased funding will support 24/7 operations for an
Integrated Analysis Cell, increased software and tool support for
forensic analysis, increased resources for incident response, and
improved architecture to drive cybersecurity solutions.
      helping the private sector and sltt governments manage risk
    NPPD helps the Nation's infrastructure owners and operators protect
themselves by offering our customers risk assessments and assistance
via the Critical Infrastructure Cyber Community (C3) Voluntary Program.
NPPD assists all 16 critical infrastructure sectors with risk
management activities, including supporting the use of the NIST
Cybersecurity Framework for Critical Infrastructure (the Framework).
NPPD is requesting additional resources in support of the Framework to
allow the C3 Voluntary Program to double the number of cybersecurity
risk assessments provided to critical infrastructure owners and
operators. These assessments provide critical infrastructure owners and
operators with invaluable information about their cybersecurity posture
in relation to the Framework, and they offer concrete areas for
improvement. This budget request will extend the reach of the C3
Voluntary Program, promote adoption of the Framework, and build the
security and resilience of the nation's critical infrastructure.
    Separately, NPPD is requesting $16.901 million for the Enhanced
Cybersecurity Services (ECS) program.
ECS has similar capabilities to E3A. However, unlike E3A, it is
available to validated critical infrastructure companies and SLTT
customers. ECS shares sensitive unclassified and classified cyber
threat indicators with qualified Commercial Service Providers (CSPs)
that then use that data to protect their ECS customers. All payment
and contractual relationships occur between an ECS customer and their
service provider devoid of any DHS involvement. The Federal Government
deals directly with the CSPs and not their end customers. The Federal
Government's role is limited to ensuring CSPs meet the program security
requirements for receiving sensitive unclassified and classified
Government Furnished Information, providing timely and vetted cyber
threat information to the qualified service providers, and receiving
anonymous, aggregated data back from the service providers about the
number of malicious activities detected by their ECS systems. Through
their respective CSPs, ECS customers can decide whether any data is
shared back to the Department. The privacy and civil liberties
considerations for the program are detailed in the ECS PIA available on
DHS's publicly-facing website and in a Privacy and Civil Liberties
assessment mandated by Executive Order 13636 and made publicly
available on the DHS Privacy Office website. This budget request will
fund additional cybersecurity analysts to provide new threat and
network analysis, and it will expand the ECS program to an increased
number of CSPs.
                         congressional support
    I would like to take this opportunity to thank the members of this
Committee, and Congress as a whole, for the passage of five pieces of
legislation this past year that have significant implications for
cybersecurity. The passage of these bills represents a historic and
momentous accomplishment for our Directorate.
These bills contribute to
the safety, security, and resilience of our Nation's digital networks
and critical infrastructure. Simply put, they will make our nation
safer. They include:
  --The National Cybersecurity Protection Act of 2014, which provides
        explicit authority for DHS to provide assistance to the private
        sector in identifying vulnerabilities and restoring their
        networks following an attack, and establishes in law the NCCIC
        as a Federal civilian interface with the private sector.
  --The Federal Information Security Modernization Act of 2014, which
        statutorily establishes DHS authority to administer the
        implementation of Federal information security policies,
        develop and oversee implementation of binding cybersecurity
        directives, provide technical assistance to other agencies
        through US-CERT, and deploy cybersecurity technology to other
        agencies upon their request.
  --Two bills that help DHS continue to recruit, hire, and retain the
        best and brightest cybersecurity workforce. In fiscal year
        2016, NPPD is requesting $16.238 million to support
        cybersecurity pay reform as part of DHS' efforts to improve its
        cybersecurity workforce.
  --Separately, apart from our cybersecurity authorities, a four-year
        authorization for the Chemical Facility Anti-Terrorism
        Standards (CFATS) program, which significantly improves our
        ability to work with the private sector on security at high-risk
        chemical facilities.
    Thank you for the opportunity to appear before you today. I look
forward to answering any questions you may have about my testimony or
NPPD's cyber activities. Additionally, before I conclude, I'd like to
encourage those members who have not yet been able to visit the NCCIC
or who have not been by recently to contact us to arrange a tour.
A
visit to the facility is a great way to better understand how NPPD
works to secure our customers and respond to incidents across the
Nation.

    Senator Hoeven. Thank you.
    Mr. McCormack.
STATEMENT OF LUKE McCORMACK, CHIEF INFORMATION OFFICER
    Mr. McCormack. Thank you, Chairman Cochran, Chairman
Hoeven, Ranking Member Shaheen, and members of the
subcommittee. Thank you for this opportunity to speak to you
about cybersecurity at the Department of Homeland Security.
    In the following remarks, I will focus on the role and
responsibility of the DHS chief information officer to defend
the Department's information systems from cyberattacks and how
the Nation's cybersecurity is strengthened through ongoing
collaboration with our components, with NPPD, and across the
Federal Government.
    The Office of the Chief Information Officer implements
information security programs at the Department level. It
provides oversight to more than 90 major IT (information
technology) programs across the Department's seven operational
components and headquarters offices. Because of our size and
mission diversity, we have some unique challenges and
opportunities for success.
    The Department's leadership is strengthening a
collaborative environment and culture within DHS, especially
across planning, budgeting, and acquisition oversight processes
through the Secretary's signature Unity of Effort initiative.
    With this as our foundation, the CFO (Chief Financial
Officer) and CIO councils work together to clearly define
budgetary needs for cybersecurity efforts in 2016 and into the
near future. Just as NPPD coordinates the Federal response to
cyber incidents, we collaborate with them on many Federal
cybersecurity programs, oftentimes while they are still in
development.
Through early adoption, we provide feedback to
NPPD on products and programs before they are more widely
implemented across the Federal Government.
    Our organization also collaborates prominently across the
Federal IT community to address challenges and share our cyber
experience.
    I would like to share a few of the highlights of some of
our critical cyber programs and initiatives.
    DHS is a major partner in the Federal Risk and
Authorization Management Program, commonly referred to as
FedRAMP. FedRAMP provides a standardized approach for assessing
and monitoring the security capability of cloud service
providers. It then certifies those capabilities. Using this
``do once, use many times'' framework, departments and agencies
can then leverage the certification, reducing their cost and
reducing their time-to-market for service delivery.
    Along with the Department of Defense (DOD) and the General
Services Administration (GSA), DHS serves as one of the
tri-chairs of the FedRAMP Joint Authorization Board, the primary
governance and decisionmaking body for this program. We have
requested a program increase of $2.6 million in fiscal year
2016 to support FedRAMP as cloud computing expands and our
engagement intensifies.
    Again, as an early adopter partnering with NPPD, the
Department was the first agency to contract for Continuous
Diagnostic and Mitigation. CDM uses real-time data to provide
stakeholders with tools to detect and counteract day-to-day
cyber threats. This real-time information will be available on
an agency-level dashboard that will alert us to critical cyber
risks, providing situational awareness across the Department.
    Our CDM capabilities are complemented by ongoing
authorization. Ongoing authorization allows us to focus our
attention on the most critical system security controls, so we
can make data-driven and timely risk management decisions.
With
CDM and ongoing authorization, DHS is leveraging technology and
risk-based decisionmaking to strengthen our security posture
and target our resource capabilities.
    Another important initiative to strengthen our security is
the Intrusion Defense Chain, or IDC. Cyberattacks are more than
isolated activities. They often occur in phases that are
repeated and reused. The DHS IDC methodology uses lessons from
past attacks to anticipate the direction of future attacks.

                           PREPARED STATEMENT

    We continue to enhance our remediation of known
vulnerabilities across the Department. It is because of these
efforts that the President's fiscal year 2016 budget includes
$31.7 million for mission-essential cybersecurity remediation.
We also requested $16.2 million to implement an enterprise
single sign-on ability. This will strengthen our ability to
prevent unwarranted access to mission-critical systems.
    Cyber-defense is not purely technical. Attracting,
training, and retaining quality IT professionals is critical to
the long-term success of our mission. DHS has developed and
implemented a number of initiatives, beginning with the hiring
process and extending throughout an employee's career.
    I appreciate your time and attention, and I look forward to
addressing your questions and concerns.
    [The statement follows:]
                  Prepared Statement of Luke McCormack
                              introduction
    Chairman Hoeven, Ranking Member Shaheen, and Members of the
Subcommittee: Thank you for this opportunity to speak to you about
cybersecurity at the Department of Homeland Security. As you are aware,
it is vital for our Department and the Federal Government to defend our
systems against cyber-attacks.
The Office of the Chief Information
Officer (CIO), in close coordination with the National Protection and
Programs Directorate (NPPD), ensures that our Nation is secure and able
to stay ahead of cyber threats.
    In the following remarks, I will focus on the roles and
responsibilities of the Office of the Chief Information Officer to
ensure the Department's information is safe from cyber-attacks, and how
the nation's cybersecurity is strengthened through ongoing
collaboration with our components, with NPPD, and across government. I
will also highlight some of the Department's ongoing and future
cybersecurity initiatives.
                         the role of cio at dhs
    As the DHS Chief Information Officer, my role is to implement
information security programs at the Department level. My office's
mission is to develop and maintain a single, Department-wide
information technology (IT) infrastructure that is reliable, scalable,
flexible, maintainable, accessible, and secure. I provide oversight to
over 90 major IT programs across the Department's seven operational
components and Headquarters offices. Because of our size and mission
diversity, we have some unique challenges and opportunities for
success.
                        dhs ocio and components
    The Department's leadership recognizes the importance of
strengthening a collaborative environment and culture within DHS,
especially across programming, budgeting, and acquisition oversight
processes. On April 22, 2014, the Secretary signed a memo entitled
Strengthening Departmental Unity of Effort.
Through this Unity of
Effort initiative, we are:
  --Actively supporting the Joint Requirements Council (JRC)--a body
        that develops recommendations for investment, as well as
        changes to training, organization, legislation, and operational
        processes and procedures;
  --Enhancing the Department's programming and budgeting process; and
  --Actively collaborating with our component counterparts to drive
        efficiencies and improve effectiveness.
    Using Unity of Effort as our foundation, the Councils of the CFO
and CIO--bodies comprised of the chief financial and chief information
officers from across DHS--worked collaboratively to clearly define
budgetary needs for cybersecurity efforts in 2016 and into the near
future. It is because of these efforts that the President's budget
includes $31.7 million for essential cybersecurity remediation
initiatives in fiscal year 2016.
    The Unity of Effort also resulted in updating the DHS IT Strategic
Plan. It is a focused, mission-driven, achievable plan that positions
our technology environment to address the critical areas of people and
culture, innovative technologies, cybersecurity, and governance and
accountability. As part of that IT Strategic Plan, the CIO Council
developed a specific cybersecurity goal: to ``Empower DHS and its
partners to operate secure IT systems and networks, keeping ahead of
evolving cyber threats.'' Additionally, the CIO Council is supported on
all matters of cybersecurity by another cross-Department council
comprised of the Chief Information Security Officers from Headquarters
and our components.
                          partnering with nppd
    NPPD's role is to enhance the security, resilience, and reliability
of the nation's cyber and communications infrastructure.
NPPD
coordinates the Federal response to cyber incidents, and leads efforts
to protect the Federal ``.gov'' domain, and collaborates with the
``.com'' domain to increase the security of critical networks. Due to
our partnership with NPPD, we are able to internally implement and
collaborate on many Federal cybersecurity programs, sometimes while
they are still in development. By taking on the role of an early
adopting agency, we provide valuable feedback to NPPD on products and
programs before they are more widely implemented across government. For
example, we are currently working with NPPD to test the Continuous
Diagnostics and Mitigation (CDM) dashboard. Through collaboration of
this nature, DHS strengthens its cybersecurity posture across
government to serve as an initiator and leader in Federal
cybersecurity efforts.
              cross-government expertise and collaboration
    In addition, my office contributes cybersecurity expertise to the
Federal IT community. Two of the areas where we are working with
colleagues across government are enhancing the security of mobile
applications and standardizing the approach for assessing and
monitoring the security of cloud products and services.
Secure Mobility
    Directly related to the Presidential memorandum issued on May 23,
2012, entitled, Building a 21st Century Digital Government, the Federal
CIO Council has been charged with identifying solutions to challenges
that prevent progress in IT delivery. One such challenge is ensuring
the rapid adoption of mobile technologies while maintaining a security
posture appropriate to the agency's mission. To address this, the
Federal CIO Council established a Mobile Technology Tiger Team. DHS
co-chairs the tiger team, which recently unveiled a set of criteria to
be used in validating security for mobile applications.
This effort
provides consistency across the Federal Government and allows industry
to better meet the needs of Federal customers. As additional Federal
agencies adopt the criteria, mobile application development will be
more secure and predictable.
The Federal Risk and Authorization Management Program (FedRAMP)
    DHS is a major partner in the Federal Risk and Authorization
Management Program (FedRAMP). FedRAMP provides a standardized approach
for assessing and monitoring the security of cloud products and
services and will significantly reduce the time-to-market for
Departments and Agencies as they implement cloud computing. Testing and
authorizing a cloud provider is performed once and is shared multiple
times across the government. This reduces both time and cost by reusing
the authorization of a cloud provider, and introduces competition in
the cloud market.
    DHS was engaged in FedRAMP from its inception, contributing to the
development of its security standards. Along with the Department of
Defense and the General Services Administration, DHS serves as one of
the tri-chairs of the FedRAMP Joint Authorization Board, the primary
governance and decisionmaking body for the program. DHS provides
technical reviews of cloud service provider proposals for the board. As
more of government moves to cloud services and our engagement
intensifies, we see an expected program increase of $2.6 million in
fiscal year 2016 to support FedRAMP.
                     dhs cybersecurity initiatives
    As you know, Congress passed two key pieces of legislation that
greatly enhance our ability to shape and resource cybersecurity
initiatives.
Both the 2014 Federal Information Security Modernization
Act (FISMA) and the Federal Information Technology Acquisition Reform
Act (FITARA) will strengthen our ability, as a Department, to respond
and establish stronger guidance and controls.
  --The 2014 Federal Information Security Modernization Act allows for
        more nimble and risk-based security assessments and compliance.
        It defines roles and responsibilities for cybersecurity within
        the Federal Government. FISMA frames information security in a
        more modern and efficient fashion.
  --FITARA strengthens the role of Departmental CIOs. It ensures that
        all IT investments are reviewed by the CIO prior to
        acquisition. This is vital to reduce duplication of IT systems,
        provide high-value services, and ensure the continued ability
        to proactively combat cyber-attacks.
Continuous Diagnostics and Mitigation Program
    The Department was the first agency to contract Continuous
Diagnostics and Mitigation. As an early adopter, the Department expects
to see positive impacts to how we detect and counteract cyber threats.
CDM uses real-time data to provide stakeholders with the tools needed
to protect their networks and enhance their ability to detect and
counteract day-to-day cyber threats. The CDM capabilities feed into
agency-level dashboards that alert us to critical cyber risks in near
real time.
    DHS is currently testing the CDM dashboard in two operational
instances. This enables the system stakeholders to readily identify
which network security issues to address first, enhancing the overall
security posture of agency networks in hours instead of days. The CDM
dashboard will provide extensive visibility across the DHS enterprise.
Ongoing Authorization
    Originally, a system's Authority to Operate was granted every 3
years after a large paper-based security controls review.
This
triennial paper-based process will evolve to the Ongoing Authorization
(OA) program. OA uses real-time event-driven data from CDM sensors to
alert on dynamic, risk-based events. OA delivers effective, timely,
event-driven security services to Federal IT systems.
    DHS is a role model for the implementation of OA across the Federal
government. Our OA program continues to expand. Seventy systems were
enrolled in the program before the end of fiscal year 2014, exceeding
the goal of 50. Currently, 82 systems are enrolled.
Security Operations Center
    Like other Departments, DHS uses a federated architecture that
relies on mission-focused components leveraging their intimate
knowledge of their missions to police their networks. The DHS Security
Operations Center (SOC) aggregates these data feeds to create a
holistic view of the DHS enterprise. The Department's SOC monitors the
enterprise network and reports all cyber incidents to the United States
Computer Emergency Readiness Team (US-CERT) under NPPD. Additionally,
the DHS Chief Information Security Officer provides advanced threat
investigation services.
    As our adversaries continue to evolve and become more
sophisticated, we must evolve as well. To do this, we anticipate
additional investment in cyber counterintelligence services like
Focused Operations.
Intrusion Defense Chain
    Cyber attacks are more than isolated activities. They often occur
in phases, in a chain of offensive events that are repeated, reused,
and predictable. In 2013, we began implementing and refining the
Intrusion Defense Chain (IDC) into our security operations. The DHS IDC
methodology uses the attackers' tactics against them.
It hardens the
Department's defenses based on what we learn from evaluating all the
links of their previous attacks.
    The IDC allows us to use what we learn from past attacks to bolster
our defenses and identify areas that might need future investment.
Defending the Department is a full-time effort and the IDC helps to
provide us with an advantage tactically and financially.
Strengthening the IT Workforce
    Workforce planning at DHS is an inclusive process involving top
management support with input from human resources, program management,
budget, acquisition, and legal partners. It is the responsibility of
every DHS component to support and ensure that effective workforce
plans are prepared, implemented with action plans, monitored, and
evaluated.
    Attracting, training, and retaining quality IT professionals is
critical to the long-term success of our mission. To attract IT
professionals with cutting-edge skills in emerging technologies
necessary to address cybersecurity future needs, DHS has developed and
implemented a number of initiatives:
  --The CyberSkills Management Support Initiative develops and executes
        Department-wide human capital strategies, policies, and
        programs that will create, enhance, and support a top-notch DHS
        cyber workforce.
  --The DHS IT Human Capital Strategy outlines IT career paths and
        enables DHS to more formally address how new workers can
        progress along a technical or managerial career track. As part
        of this strategy, DHS is leveraging developmental, mentoring,
        and rotational programs.
  --The DHS IT Immersion Program provides newly-hired employees with a
        formal path to learning about IT across DHS components, and to
        engage with senior leadership and colleagues about career
        management, component activities, and working in DHS IT.
This
        supports a true IT culture, including mentoring and educational
        opportunities.
    The Department continues to explore possibilities to collaborate on
ways to create a community of high-performing IT professionals.
                               conclusion
    I appreciate your time and attention, and I look forward to
addressing your questions and concerns.

    Senator Hoeven. Mr. Garcia.
STATEMENT OF GREG GARCIA, EXECUTIVE DIRECTOR, FINANCIAL
            SERVICES SECTOR COORDINATING COUNCIL
    Mr. Garcia. Thank you, Chairman Hoeven, Chairman Cochran,
Ranking Member Shaheen. Thanks for inviting me to testify.
Today, I will discuss the DHS role in cybersecurity and its
partnership with the private sector. But first, I will just
take a few minutes to describe how the financial sector deals
with threats and vulnerabilities to our critical financial
infrastructure.
    The Financial Services Sector Coordinating Council, or
FSSCC, was established in 2002 and includes 65 of the largest
financial firms and associations. It was formed under the
critical infrastructure protection framework first developed by
Presidential Directive 63 in 1998. That directive was since
amended in 2003 and again in 2013.
    The FSSCC mission is to coordinate the sector-wide efforts
to strengthen the resiliency of our critical financial
infrastructure against threats and vulnerabilities. In
practice, this means that we work with government and other
partners on information-sharing content and procedures,
incident response, cyber and operational risk management best
practices, and policy options to support the above objectives.
    To achieve these objectives, the FSSCC focuses on the
longer term policy and strategy options. And the tactical and
operational engagement is performed by the Financial Services
Information-Sharing and Analysis Center, or the FS-ISAC.
This
is one of our member organizations under the FSSCC umbrella.
    The FS-ISAC manages a formal structure for collecting,
analyzing, and sharing actionable intelligence and best
practices. This sharing is done within the sector and with our
industry, government, and law enforcement partners.
    Indeed, we have learned over the years that strong risk
management includes participating in communities of trust that
share information on cyber and physical threats, on
vulnerabilities and incidents. And this is based on the simple
concept of strength in numbers. Call it a neighborhood watch or
common situational awareness.
    So now on DHS programs, our financial institutions, whether
they are companies or industry associations, participate in a
variety of strategic and information-sharing programs operated
by DHS. For example, we have a physical presence in the
National Cybersecurity and Communications Integration Center,
or NCCIC, which Andy Ozment described in his statement.
Supplementing our NCCIC presence is the DHS Cyber
Information-Sharing and Collaboration Program, or CISCP. Our sector
participants consider the CISCP program valuable for fusing and
accelerating threat analysis and our time to respond. This is a
good tool.
    Also useful is the Critical Infrastructure Cyber Community,
C-Cubed Voluntary Program, again, which Dr. Ozment described.
This supplements the NIST cybersecurity framework and assists
our industry stakeholders with risk assessments.
    The Office of Cyber and Infrastructure Analysis helps
critical sectors evaluate those cross-sector interdependencies,
and they are currently doing an assessment between financial
services and the telecommunications infrastructure in the
Chicago area.
    The FSSCC also has developed a research and development
agenda that is highlighting the priority R&D initiatives that
we believe will enhance the protection of our critical
financial infrastructure. I am happy to submit the agenda for
the record.
    Referencing this agenda, we have consulted with the DHS
Science and Technology Directorate over time to help inform
their funding priorities.
    In the area of physical resiliency, the sector works
closely with the National Infrastructure Coordinating Center,
the NICC.
    Most recently, the financial sector has been planning and
executing a series of sector-wide cyber-exercises that test our
ability to share information and respond to critical incidents
with our government partners. The DHS NCCIC management and
operations team has been an important partner in this process.
They have helped develop scenarios, supported the actual
exercise, and contributed to the after-action reports.
    DHS also funded development of an open specification for
automated threat information sharing that Dr. Ozment referred
to. It is called STIX and TAXII.
    The financial sector leveraged that tool to develop a
capability known as Soltra Edge. It automates threat sharing
and analysis, and it speeds our time to decision and mitigation
from days to hours and minutes.
    This tool is extremely powerful and getting more so, and it
is available to anyone in the financial sector and in other
sectors.
There has already been a substantial amount of uptake
since its formal launch in December of last year.
    Now I will wrap up with some concluding observations.
    First, if Congress were to pass legislation facilitating
information sharing, DHS could receive a new influx of
cyber-threat information from the private sector. A lot of these
liabilities go away in incentives for more information sharing.
But this in turn would intensify the already pressing need for
DHS to be able to process and act on that intelligence. That is
going to require more personnel who are well-trained in
cybersecurity and in the critical infrastructure sectors that
they serve. And it requires robust, well-managed programs to
develop analytical and best practices guidance for the
community, particularly at the unclassified level. I believe
these requirements apply not only to senior DHS management, but
to thoughtful congressional oversight as well.
    Overall, our assessment is that the financial sector's
relationship with DHS is productive and directionally positive.
We are showing tangible successes that are improving the
protection and resilience of our critical financial
infrastructure. Where there are programmatic gaps or
implementation deficiencies in the partnership, they are
mutually acknowledged and addressed.
    On a personal note, I will just say as the first person to
hold the position of Assistant Secretary at the Department of
Homeland Security that Andy Ozment now occupies, I just want to
congratulate Assistant Secretary Ozment for continuing the
momentum that we had begun in a previous administration. They
have improved on the initiatives that we started and have
embarked on new initiatives and new innovations in customer
service, as Andy put it.
    And I also thank Congress for recognizing the critical
importance of this issue and funding it accordingly.
If only I
had the money in 2008 that Andy has in 2015.
    Ultimately, we recognize that, as our joint effort matures
over time, we are never done, we are only better. And we are
getting better.
    Mr. Chairman, that concludes my oral remarks, and I will be
happy to answer questions.
    [The statement follows:]
                Prepared Statement of Gregory T. Garcia
    Chairman Hoeven, Ranking Member Shaheen, and Members of the
Subcommittee, thank you for this opportunity to address the
Subcommittee about funding the DHS role in cybersecurity and its
partnership with the private sector.
    My name is Gregory T. Garcia. I am the Executive Director of the
Financial Services Sector Coordinating Council (FSSCC), which was
established in 2002 and involves 65 of the largest financial services
providers and industry associations representing clearinghouses,
commercial banks, credit card networks and credit rating agencies,
exchanges/electronic communication networks, financial advisory
services, insurance companies, financial utilities,
government-sponsored enterprises, investment banks, merchants, retail
banks, and electronic payment firms.
    The FSSCC was established in accordance with the critical
infrastructure protection framework promulgated first in Presidential
Decision Directive 63 in 1998, which was superseded in 2003 by Homeland
Security Presidential Directive 7 and in 2013 by Presidential Policy
Directive 21.
    FSSCC membership includes critical financial enterprises and their
industry associations whose responsibility and commitment to the
protection of our sector is commensurate with their substantial
importance to the resilience of the national and global economy.
    As with many industry associations, its governing structure
includes a rotating chairmanship and an executive committee, with
numerous outcome-oriented working groups focused on specific
deliverables to achieve the
organization's objectives.\n    The current chairman, serving the first year of his 2-year term, is \nRussell Fitzgibbons, the Chief Risk Officer and Executive Vice President \nof The Clearing House.\n    What I will cover today is an overview of the financial sector's \ntactical and strategic components, and how we manage cyber risk with \nthe Department of Homeland Security, the Treasury Department, and other \nkey government and industry partners.\n                             fsscc mission\n    The mission of the FSSCC is to strengthen the resiliency of the \nfinancial services sector against attacks and other threats to the \nnation's critical infrastructure by proactively identifying threats and \npromoting protection, driving preparedness, collaborating with the \nFederal government, and coordinating crisis response for the benefit of \nthe financial services sector, consumers and the nation. During the \npast decade, this strategic partnership has continued to grow, in terms \nof the size and commitment of its membership and the breadth of issues \nit addresses.\n    In simplest terms, members of the FSSCC assess security and \nresiliency trends and policy developments affecting our critical \nfinancial infrastructure, and coordinate among ourselves and with our \npartners in government and other sectors to develop a consolidated \npoint of view and coherent strategy for dealing with those issues.\n    Accordingly, our sector's primary objectives are to:\n    1. Implement and maintain structured routines for sharing timely \nand actionable information related to cyber and physical threats and \nvulnerabilities among firms, across sectors of industry, and between \nthe private sector and government.\n    2. Improve risk management capabilities and the security posture of \nfirms across the financial sector and the service providers they rely \non by encouraging the development and use of common approaches and best \npractices.\n    3. 
Collaborate with homeland security, law enforcement and \nintelligence communities, financial regulatory authorities, other \nindustry sectors, and international partners to respond to and recover \nfrom significant incidents.\n    4. Discuss policy and regulatory initiatives that advance \ninfrastructure resiliency and security priorities through robust \ncoordination between government and industry.\n    We have learned over the years that a strong risk management \nstrategy for cyber and physical protection involves participating in \ncommunities of trust that share information related to threats, \nvulnerabilities, and incidents affecting those communities. That \nfoundation is based on the simple concepts of strength in numbers, the \nneighborhood watch, and shared situational awareness.\n    Accordingly, we partner with the Department of Treasury as our \nsector-specific agency, the Department of Homeland Security, law \nenforcement, the intelligence community, other critical sectors, and \nfinancial regulatory agencies forming our Government Coordinating \nCouncil counterpart--called the Financial and Banking Information \nInfrastructure Committee (FBIIC).\n    Together we are undertaking numerous initiatives to:\n  --Improve information sharing content and procedures between \n        government and the sector;\n  --Conduct joint exercises to test our resiliency and information \n        sharing procedures under differing scenarios;\n  --Prioritize critical infrastructure protection research and \n        development funding needs;\n  --Engage with other critical sectors and international partners to \n        better understand and leverage our interdependencies;\n  --Advocate broad adoption of the NIST Cybersecurity Framework, \n        including among small and mid-sized financial institutions \n        across the country; and\n  --Develop best practices guidance for operational risk issues \n        involving third-party risk, supply chain, and cyber 
insurance \n        strategies.\n financial sector partnership with the department of homeland security\n    Of particular relevance to the topic of this hearing, financial \nsector stakeholders participate in a variety of strategic and \ninformation sharing programs operated by the Department of Homeland \nSecurity. For example:\n  --The financial sector and Treasury Department maintain a physical \n        presence within the DHS National Cybersecurity and \n        Communications Integration Center (NCCIC), which serves as a \n        hub for sharing information related to cybersecurity and \n        communications incidents across sectors, among other roles and \n        responsibilities.\n  --Supplementing our information sharing engagement within NCCIC is \n        the DHS Cyber Information Sharing and Collaboration Program \n        (CISCP) which enables collaborative threat analysis between \n        industry and government in an operational environment that \n        speeds time to response.\n  --Also useful to the financial sector, particularly smaller community \n        institutions, is the Critical Infrastructure Cyber Community \n        (C3, or ``C-Cubed'') Voluntary Program, which supplements the \n        NIST Cybersecurity Framework, and provides guidance on how \n        institutions can improve their cyber risk management programs, \n        regardless of size and sophistication.\n  --The Office of Cyber & Infrastructure Analysis helps critical \n        sectors evaluate cross-sector interdependencies with risk and \n        threat assessments, and is currently undertaking an \n        interdependency assessment between financial services and \n        telecommunications infrastructure in the Chicago area.\n  --The financial sector has developed a research and development (R&D) \n        agenda highlighting the priority R&D initiatives we believe \n        will enhance protection of our critical financial \n        infrastructure, and we have 
consulted with the DHS Science and \n        Technology Directorate to help inform their funding priorities.\n  --The sector also works closely with the National Infrastructure \n        Coordinating Center (NICC), the dedicated 24/7 coordination and \n        information sharing operations center that maintains \n        situational awareness of the nation's critical infrastructure \n        for the Federal government.\n  --Most recently, the financial sector has begun planning and \n        executing a series of sector-wide cyber exercises that test our \n        ability to share information and respond to critical incidents \n        collaboratively with our government partners. The DHS NCCIC \n        management and operations team has been an important partner in \n        this process, as have the Treasury Department and other key \n        government stakeholders, lending their expertise and resources \n        toward developing the scenarios and supporting the execution \n        and after-action reports of the exercises.\n  --Through the promulgation of DHS-funded open specifications for \n        automated threat information sharing, the Financial Services \n        Information Sharing and Analysis Center (FS-ISAC) has developed \n        a capability that is widely used by the financial sector and \n        other sectors. Known as Soltra Edge, this tool automates threat \n        sharing and analysis and speeds time to decision and mitigation \n        from days to hours and minutes. 
I will discuss FS-ISAC \n        activities in more detail below.\n    In sum, the financial sector has been able to benefit substantially \nfrom its close information sharing relationship with DHS.\n          fs-isac information sharing programs and operations\n    For the financial sector, the primary community of trust for \ncritical financial infrastructure protection is the Financial Services \nInformation Sharing and Analysis Center, or FS-ISAC, which is the \ntactical and operational organization that informs the FSSCC's \nstrategic policy mission.\n    The FS-ISAC was formed in 1999 in response to the 1998 Presidential \nDecision Directive 63 (PDD 63), which called for the public and private \nsectors to work together to address physical and cyber threats to the \nnation's critical infrastructures. This role was reinforced after 9/11, \nand in response to Homeland Security Presidential Directive 7 (and its \n2013 successor, Presidential Policy Directive 21) and the Homeland \nSecurity Act.\n    The FS-ISAC is a 501(c)(6) nonprofit organization and is funded \nentirely by its member firms and sponsors. In 2004, there were 68 \nmembers, mostly larger financial services firms. Since that time, the \nmembership has expanded to more than 5,000 organizations including \ncommercial banks and credit unions of all sizes, brokerage firms, \ninsurance companies, data security payments processors, and 24 trade \nassociations representing virtually all of the U.S. financial services \nsector.\n    Since its founding, the FS-ISAC's operations and culture of trusted \ncollaboration have evolved into what we believe is a successful model \nfor how other industry sectors can organize themselves around this \nsecurity imperative. The overall objective of the FS-ISAC is to protect \nthe financial services sector against cyber and physical threats and \nrisk. 
It acts as a trusted third party that provides anonymity to allow \nmembers to share threat, vulnerability and incident information in a \nnon-attributable and trusted manner. The FS-ISAC provides a formal \nstructure for valuable and actionable information to be shared among \nmembers, the sector, and its industry and government partners, which \nultimately benefits the nation. FS-ISAC information sharing activities \ninclude:\n  --Delivery of timely, relevant and actionable cyber and physical \n        email alerts from various sources distributed through the FS-\n        ISAC Security Operations Center (SOC);\n  --An anonymous online submission capability to facilitate member \n        sharing of threat, vulnerability, incident information and best \n        practices in a non-attributable and trusted manner;\n  --Support for attributable information exchange by various special \n        interest groups including the FSSCC, the FS-ISAC Threat \n        Intelligence Committee, threat intelligence sharing open to the \n        membership, the Payment Processors Information Sharing Council \n        (PPISC), the Clearing House and Exchange Forum (CHEF), the \n        Business Resilience Committee, and the Payments Risk Council;\n  --Bi-weekly threat information sharing calls for members and invited \n        security/risk experts to discuss the latest threats, \n        vulnerabilities and incidents affecting the sector;\n  --Emergency threat or incident notifications to all members using the \n        Critical Infrastructure Notification System (CINS); and\n  --Participation in various cyber exercises such as those conducted by \n        DHS (Cyber Storm I, II, and III) and support for FSSCC \n        exercises such as the Hamilton series, CyberFIRE and Quantum \n        Dawn.\n                          fs-isac partnerships\n    The FS-ISAC works closely with various government agencies \nincluding the Department of Treasury, DHS, Federal Reserve, Federal 
\nFinancial Institutions Examination Council (FFIEC) regulatory agencies, \nUnited States Secret Service, Federal Bureau of Investigation (FBI), \nthe intelligence community, and state and local governments.\n    In partnership with DHS, FS-ISAC 2 years ago became the third ISAC \nto have representation on the NCCIC watch floor. FS-ISAC \nrepresentatives, cleared at the Top Secret/Sensitive Compartmented \nInformation (TS/SCI) level, attend the daily briefs and other NCCIC \nmeetings to share information on threats, vulnerabilities, incidents, \nand potential or known impacts to the financial services sector. Our \npresence on the NCCIC floor has enhanced situational awareness and \ninformation sharing between the financial services sector and the \ngovernment, as well as other critical sectors, and there are numerous \nexamples of success to illustrate this.\n    As part of this partnership, the FS-ISAC set up an email listserv \nwith US-CERT where actionable incident, threat and vulnerability \ninformation is shared in near real-time. This listserv allows FS-ISAC \nmembers to share directly with US-CERT and further facilitates the \ninformation sharing that is already occurring between FS-ISAC members \nand with the NCCIC watch floor or with other government organizations.\n    In addition, FS-ISAC representatives sit on the Cyber Unified \nCoordination Group (Cyber UCG) and the group has been actively engaged \nin incident response. The Cyber UCG's handling and communications with \nvarious sectors following the distributed denial of service (DDOS) \nattacks on the financial sector in late 2012 and early 2013 is one \nexample of how this group is effective in facilitating relevant and \nactionable information sharing.\n    Finally, the FS-ISAC and FSSCC have worked closely with their \ngovernment partners to obtain security clearances for key financial \nservices sector personnel. 
These clearances have been used to brief the \nsector on new information security threats and have provided useful \ninformation for the sector to implement effective risk controls to \ncombat these threats.\n                  automated threat information sharing\n    The sector continues to make significant progress toward increasing \nthe speed and reliability of its information sharing efforts through \nexpanded use of DHS-funded open specifications, including Structured \nThreat Information eXchange (STIX<SUP>TM</SUP>) and Trusted Automated \neXchange of Indicator Information (TAXII<SUP>TM</SUP>).\n    Late last year, the financial sector announced a new automated \nthreat capability it created called ``Soltra Edge'', which is the \nresult of a joint venture of the FS-ISAC and the Depository Trust and \nClearing Corporation (DTCC). This capability addresses a fundamental \nchallenge in our information sharing environment: typically the time \nassociated with chasing down any specific threat indicator is \nsubstantial. The challenge has been to help our industry increase the \nspeed, scale and accuracy of information sharing and accelerate time to \nresolution.\n    The Soltra Edge capability developed by the sector removes a huge \nburden of work for both large and small financial organizations, \nincluding those that rely on third parties for monitoring and incident \nresponse. 
It is designed for use by many parts of the critical \ninfrastructure ecosystem, including the financial services sector, the \nhealthcare sector, the energy sectors, transportation sectors, other \nISACs, national and regional CERTs (Computer Emergency Response Teams) \nand vendors and services providers that serve these sectors.\n    Key goals of Soltra Edge are to:\n  --Deliver an industry-created utility to automate threat intelligence \n        sharing\n  --Reduce response time from days/weeks/months to seconds/minutes\n  --Deliver 10 times reduction in effort and cost to respond\n  --Operate on the tenets of an at-cost model and open standards (STIX, \n        TAXII)\n  --Leverage DTCC scalability; FS-ISAC community & best practices\n  --Provide a platform that can be extended to all sizes of financial \n        services firms, other ISACs and industries\n  --Enable integration with vendor solutions (firewalls, intrusion \n        detection, anti-virus, threat intelligence, etc.)\n    With these advancements, one organization's incident becomes \neveryone's defense at machine speed. We expect this automated solution \nto be a 'go to' resource to speed incident response across thousands of \norganizations in many countries within the next few years.\nimportance of dhs funding and strong oversight for improved partnership\n    DHS is currently responsible for enhancing the security, \nresilience, and reliability of the Nation's cyber and communications \ninfrastructure--a critical and expansive mission. In the realm of \ninformation sharing, DHS's role could expand further with increased \ninformation sharing following the implementation of the President's \nFebruary 13, 2015 Executive Order to promote private sector information \nsharing. Should Congress enact legislation establishing a streamlined \nvoluntary information sharing legal framework, DHS will likely receive \nadditional information from private sector partners on cyber threats. 
\nThis will increase the already existing need for a robust analytic \ncapability at DHS to develop products, particularly at the unclassified \nlevel, that will be useful and actionable to its domestic and \ninternational stakeholder community, both inside and outside the \ngovernment.\n    It is critical that DHS have the necessary personnel and technical \ntools to enable them to complete their mission. Last year, Congress \npassed additional personnel authorities for DHS to hire trained, \nqualified personnel to work in cybersecurity positions, which will \nhopefully make the recruitment and retention of qualified personnel \nmore successful.\n    In this era of fiscal restraint, we also appreciate the need to \nensure that appropriated funds are being spent in the most effective \nand efficient manner. We believe this is a role not only for senior DHS \nmanagement, but Congress as well, as the ultimate appropriators of \nfunding. This can strengthen DHS's cyber programs and provide sector \nstakeholders better information with which to defend their own networks \nand ultimately strengthen the security of our nation's infrastructure.\n    Overall, our assessment is that the financial sector's relationship \nwith DHS is productive and directionally positive, with tangible \nsuccesses that we believe are improving the protection and resilience \nof our critical financial infrastructure. Where there are programmatic \ngaps or implementation inefficiencies in the partnership, they are \nmutually acknowledged and addressed. Ultimately, we recognize that as \nour joint effort matures over time, we are never done, only better.\n    Mr. Chairman and Members of the Committee, this concludes my \ntestimony.\n\n           EINSTEIN AND CONTINUOUS DIAGNOSTICS AND MITIGATION\n\n    Senator Hoeven. Thanks to all three of the witnesses, and \nwe will start the rounds of questions. We will be pausing at \n2:49. 
So I will start, but we may have to pause, in terms of \nyour response.\n    I want to start with Mr. Ozment. My first question goes to \nthe rollout of both Einstein and CDM. Where are you in terms of \nthe rollout? There has been obviously some concern about the \npace at which these are being deployed across all government \nagencies, and also the state of the technology.\n    So in terms of the dot-gov domain, talk about the rollout \nabout CDM and Einstein. Do we have it across all agencies? If \nnot, why not? And when will it happen? And is the technology \nahead of the attacks that are coming our way? And you have 2 \nminutes, so you can just get started. I may interrupt you, but \nif you want to start?\n    Mr. Ozment. Thank you, Mr. Chairman. I am happy to do it, \nand I, certainly, understand and am very happy to be \ninterrupted when the time comes.\n    If you don't mind, I would like to start by giving an \noverview of what the Einstein and CDM programs do and how they \ntie together and where they are, to your question.\n    They are complementary elements of our strategy to secure \nthe Federal civilian executive branch. Einstein 1 provides \nboundary or perimeter-based protection services--I'm sorry, \nEinstein 1, 2, and 3 do.\n    So a useful analogy is that of a military base. If you are \ndefending a military base, first you limit the number of roads \ncoming in and out of it. Then you put security where those \nroads enter the base.\n    Einstein 1 is like providing a license plate reader at the \nroads into and out of the military base. So think about that \nbase as a single department or agency. Einstein 1 is tracking \nwho is entering and leaving the base.\n    Einstein 2 adds, if you will, a watchlist function. This \ncar is not allowed to enter the base. It doesn't stop the car, \nbut it sets off an alert, a bad guy came into the base. 
And, of \ncourse, it is more complicated than just looking for specific \nlicense plates, but it gives you a sense of the program.\n    Einstein 3 is a different approach. Einstein 1 and 2, those \nintrusion detection systems, are built on unclassified \ninformation. Einstein 3 also takes advantage of classified \ninformation. And so to make that work effectively, rather than \nbuild this classified capability at every agency, at every \nmilitary base, if you will, we pulled it back to the highway.\n    Senator Hoeven. Mr. Ozment, I am sorry. I am going to have \nto stop you now. It is 2:49.\n    At this time, I would like to observe a moment of silence. \nLet this time serve as an opportunity to reflect on the \nsurvivors, those who were loved and lost, and our resilience as \na peaceful Nation.\n    So please, a moment of silence.\n    Senator Hoeven. Thank you.\n    Again, to all the victims and their families in Boston and \nthose from around the country who were affected, and even \nbeyond our shores, our hearts and prayers go out to them once \nagain. And we are reminded that we do face real threats in this \ncountry.\n    And, of course, that is a very important part of our \nmission, to help protect against those threats. We are also \nreminded of the strength and resiliency of our country and the \nresolve of our people.\n    Senator Shaheen, any thoughts you might have before we \nproceed?\n    Senator Shaheen. I think you said it very well, Mr. \nChairman.\n    Senator Hoeven. Chairman Cochran.\n    Senator Cochran. I have nothing further now.\n    Senator Hoeven. Thank you, Mr. Ozment. Proceed. You were \njust using your military base analogy, which I thought was \nexcellent, so please continue.\n    Mr. Ozment. Thank you, chairman.\n    So with our analogy here, we have Einstein 1 and 2 set up \nat the boundaries of the military base, essentially reading the \nlicense plates of the cars entering the base, setting off an \nalert if a bad guy drives in. 
Einstein 3 is pulled back to the \nhighways, the highways that serve multiple bases--in this case, \nthe Internet service providers (ISPs).\n    Now, Einstein 3 will be built at a handful of Internet \nservice providers that serve the vast majority of Federal \nGovernment traffic. It only applies to the traffic to and from \nthe Federal Government at those Internet service providers.\n    Einstein 3, think about it as a guardhouse. At that \nhighway, as we have cars heading toward the bases, the \nguardhouse can actually stop. It checks the license plates. It \nlooks for anomalous behavior of the cars and can actually stop \ncars that it believes to be malicious.\n    It is also a platform, if you will. So you have built a \nguardhouse. You can put up a gate. You can put up security \ncameras. You can have guards there. You can, in fact, do \ndifferent things at this guardhouse to adapt to an adopting \nthreat. That is exactly the case with Einstein 3.\n    With Einstein 3, we have started with two security \ncapabilities at this guardhouse, but it is also a critical \nplatform that we can use to work with the private sector and \nincorporate new and innovative security technologies at the \nguardhouse itself.\n    Now, that is great. That is security at the perimeter for \nthese bases that are our departments and agencies. But, of \ncourse, anytime you are working in security, whether physical \nor cyber, you want a layered defense. You don't want to defend \njust at the perimeter. You also want to worry about security \ninside the base.\n    CDM, Continuous Diagnostics and Mitigation, is part of our \ninterior defense for the departments and agencies. In our \nanalogy of a base, this program, CDM, is essentially the tools \nof the guards that go around the inside of the base for \nsecurity purposes. 
CDM also has multiple phases.\n    The first phase is the equivalent of going around and \nmaking sure that the doors on buildings are closed and locked, \nwindows are locked, the basic security of the infrastructure is \nthere. Phase two will focus on identity management and will \nessentially be going inside each building and saying, are the \npeople inside this building, which is inside this base, are \nthey people who are authorized to be here? With additional \ncapabilities, we will add different security technologies to \nthis interior guard, if you will.\n    So where are we on these two programs right now? Einstein 1 \nand 2 have broad perimeter coverage across Federal civilian \ndepartments and agencies.\n    I say that specifically to exclude the Department of \nDefense and the intelligence agencies. Those are excluded from \nthis program.\n    But for civilian departments and agencies, Einstein 1 and 2 \nreach between 80 percent and 90 percent coverage. Now the \nreason for not having full coverage there is every department \nand agency has more Internet connections. Most departments and \nagencies have more Internet connections than they want. So they \nare trying to consolidate down to a small number of connections \nwhere the security is. So as departments and agencies further \nnarrow their extra Internet connections, our coverage will go \nup.\n    For Einstein 3, we are in the middle of building out that \ncapability. We have built it with two Internet service \nproviders, Verizon and CenturyLink. Those two service providers \ngive us coverage for about half of the Federal civilian \ndepartments and agencies by personnel.\n    Now, there are two parts to Einstein 3, which is we build \nthe capability and then we work with departments and agencies \nto route their traffic through the capability. 
So we can build \nthe guardhouse, but if they are not sending their traffic to \nthe guardhouse, it doesn't work.\n    So with Einstein 3, about a quarter of the government is \nrouting some or all of their traffic to our guardhouses. So a \nquarter of the government is receiving at least one protection.\n    We have just put the second ISP online, so we have really \njust expanded the capacity from a quarter of the government to \nhalf. Now we are working with departments and agencies to take \nadvantage of that new capacity that we just rolled out. Then we \nare continuing to work with ISPs to build out this capability \nat other ISPs.\n    Switching to CDM, that inside-the-perimeter program, as I \nmentioned in my opening statement, just yesterday we announced \nthe second of a set of awards for this program. We now have \nawarded to departments and agencies that constitute more than \nhalf of the departments and agencies.\n    Now this is announcing the award. Now that we have the \ntools and services, we need to deploy them. That will take some \nmonths yet, but that is a particularly important milestone that \nI am very proud that we have achieved.\n    So with that, hopefully, I have answered the question, \nchairman. If there is anything else I can add, I am happy to \ndo so.\n    Senator Hoeven. That was really well done, in terms of \nactually explaining how this stuff works to someone who doesn't \nwork in your field. Certainly, far from an expert. I didn't \neven want to use the term ``expert.'' But this is complicated \nstuff. That was a good job of explaining how it works, and I \nappreciate that.\n    I am going to follow up on that question, because I think \nyou went a long way down the trail, but you did it in an \nunderstandable way, and I appreciate that.\n    At this point, I will turn to Senator Shaheen.\n\n                            INCIDENT REPORT\n\n    Senator Shaheen. 
Thank you.\n    One of the challenges, and I think we talked a little bit \nabout this when I visited the NCCIC, where the NPPD operates \nand where you all are working, is how to quantify what the \nchallenge is and how to track what is happening in a way so \nthat we can prioritize resources and help explain what the \nthreat is to the Nation.\n    So I was interested to see that DHS received over 97,000 \nincident reports, and I am going to ask you to explain what \nthose are, and issued 12,000 actionable alerts, and detected \n64,000 vulnerabilities, responding to 115 incidents in 2014.\n    So those are numbers that I think show, to some degree, the \nextent of the challenge, but it is hard to understand exactly \nwhat that means out of context. So can you try to put those \nnumbers into some context and explain what that means and what \nwe should be looking at to prioritize our response to those?\n    Mr. Ozment. Absolutely. Thank you, Ranking Member Shaheen.\n    Regardless of where you get your data on cybersecurity, \nwhether it is the statistics that we report on our activity, \nwhether it is from a private-sector security company and their \nreports, or the academic reports in this field, almost every \nreport you look at will indicate that the problem is \nextraordinarily large in scale and growing. Now, no single \nentity has a lens on the entire problem, so there is nowhere \nyou can go to see everything at once. Although, certainly, we \nview that as part of the problem that we have to tackle, to \nimprove that lens.\n    You mentioned some of the statistics. Let me, I think, \nprovide some of the context within which to frame them.\n    Senator Shaheen. Great.\n    Mr. Ozment. One of them is, I started in cybersecurity \naround 1998 and originally worked as a network operator. When I \nworked as a network operator, when we had an incident, it was a \nbig deal. We pulled out all the stops. It was momentous in my \nlife. 
I got no sleep.\n    Unfortunately, the world is such today that if you are a \nFortune 1,000 company, this is no longer a noted or notable \nincident, just because somebody has intruded upon your company. \nIn fact, quite the contrary. Every CIO or CISO (Chief \nInformation Security Officer) I know operates under the \nassumption that somebody has already broken into their network \nand is, in fact, living and working on their network from \nabroad.\n    So we have moved from this understanding that mostly we are \nsecure and sometimes people break in, to a world where we, by \nand large, now believe that mostly we are insecure and there is \nalways somebody who has broken it. The challenge for us is how \nrapidly we can detect them and remove them.\n\n       CYBERSECURITY: GOVERNMENT AND PRIVATE-SECTOR UNDERSTANDING\n\n    Senator Shaheen. Can I just ask, how much of the rest of \ngovernment do you think understands that reality?\n    Mr. Ozment. I think, in the CIO community, and I will defer \nto my colleague Mr. McCormack on this, but I think it is very \nwidely understood. I think even in the past 6 or 8 years, I \nhave seen a dramatic increase in understanding and senior \nleadership. Now for the first time since I entered government, \nI would say that it is widely understood across senior \nleadership.\n    Senator Shaheen. Mr. Garcia, how widely do you think that \nis understood in the private sector?\n    Mr. Garcia. The private sector, writ large, is not where it \nshould be. For the financial sector, I think we have a fairly \nsophisticated understanding of, number one, the problem, and, \nnumber two, the business proposition for addressing ourselves, \nfor investing in cybersecurity.\n    Just to give you one example, after DHS, I was an executive \nat a major bank. One of the things we tried to do was actually \nmeasure the value of our cybersecurity investment. 
So we just \ntake one example where, are we getting our money's worth from \nall this information-sharing that we are doing and the \nresources that we are deploying toward it and the people as \nwell? Let's take an example of having gotten one piece of data, \none threat intelligence that we didn't know about.\n    We understood that that particular malware attack has the \ncapacity to disable computers or to wipe the data clean or \ncorrupt the data in some way. And if we did not have that \ninformation, we could not have stopped it from happening. If it \nhad just infected one division within the bank, maybe that is \n1,000 computers, you are going to have to go back and wipe all \nof those thousand computers clean and reimage them. $500, $750 \nper computer and multiply that by 1,000 computers, 10,000 \ncomputers, and suddenly you have a real number associated with \ncatching just one threat.\n    So when you build that out over time and you think of all \nthe other ways that we can be investing in security, it isn't \neasy. It is sometimes an art. It is hard to prove the negative, \nthat because we didn't see anything, nothing happened. But \nthose methods for measuring progress are improving and at \nincreasingly higher levels within corporate America. So we are \nmaking progress.\n    Senator Shaheen. I will get back to you.\n    Can I get Mr. Ozment to finish answering that question, \nputting numbers into some context?\n    Mr. Ozment. So I think a key thing to emphasize from us is, \nas we sit within my organization, we do not believe that we \nhave scaled to the level commensurate with the risk we are \nfacing.\n\n                               RESOURCES\n\n    Senator Shaheen. And is that a function of resources?\n    Mr. Ozment. We are receiving the resources right now that \nwe need, assuming that we receive, of course, the President's \nbudget request. We think we are in good shape. Part of it is, \nyou can only scale and grow so fast. 
It is a new field in the \nsort of national perspective.\n    Senator Shaheen. We can only grow so fast because we don't \nhave the personnel, the technology?\n    Mr. Ozment. Personnel is probably the biggest single \nholdup, and then just by the nature of organizations. If you \ngrow organizations too rapidly, it is difficult.\n    The only other thing I would add is when you look across \nthese, one of the things that can be confusing about the scale \nof numbers, and particularly people often report on attempted \nintrusions, that number has become, by and large, meaningless \nbecause attempting to break in is free. An adversary can try 1 \nmillion times per day against one victim and largely there is \nno punitive action that would deter them from doing it.\n    So adversaries automate their attempted break-ins and just \ngo across broad swaths of the Internet. So we have stopped \npaying attention to a number that used to be an important \nsignifier to us in this community, because, essentially, it is \ninfinite now.\n    That being said, sometimes people hear these broad numbers \nand largely give up. They say that this problem is intractable. \nThe flip side of this is we look at intrusions that we know \nabout. And again, whether it is our data or a private-sector \ncompany's data, the vast majority, 80 percent to 90 percent of \nthe incidents that you learn about, could have been prevented \nby basic best practices.\n    That is one of the reasons we focus so much of our efforts \non best practices. It is not the most exciting topic in the \nworld, and it often receives less attention than incident \nresponse or even information-sharing, which can be more \ndynamic. But it is the basic thing that we need organizations, \nwhether government agencies or companies, to take those actions \nand sort of raise the bar for our attackers.\n    Senator Shaheen. Thank you.\n    Thank you, Mr. 
Chairman.\n\n EINSTEIN AND CONTINUOUS DIAGNOSTICS AND MITIGATION: LEVEL OF SECURITY\n\n    Senator Hoeven. Mr. Ozment, go back to the analogy you were \ntalking about before, or basically the rollout of CDM and \nEinstein in terms of deploying them across all agencies, before \nwe get into the private sector aspect.\n    Will these technologies put us ahead of the technologies \nthat attackers use to try to infiltrate our systems? Are you \nahead now? Are you staying ahead? Because obviously hackers are \nconstantly improving their ability to undertake these attacks.\n    Mr. Ozment. Certainly. One of the things you will observe \nfrom me is that I am a former computer scientist and \nprogrammer, so I think in lists. So I have three answers for \nyou on this question.\n    The first is, for Einstein itself, the technology of \nintrusion detection and intrusion prevention is not a new \ntechnology. In no way would I call it innovative or cutting-\nedge. Neither is a fence. But it is still a core component of a \nlayered protection for protecting a physical installation.\n    That being said, these technologies depend upon the \ninformation that is fed them. So first, it is a necessary but \nnot sufficient technology. Second, what is innovative about \nwhat we are doing is the information we are putting into these \nsystems, particularly for Einstein 3, the classified \ninformation that we derive from our partners in law enforcement \nand the intelligence community. That information helps us stay \nahead of our adversaries and keep them out of our networks, \neven if we haven't seen them before.\n    The final aspect of it is that it's necessary to have a \nfence, and it is great that our fence uses classified \ninformation that makes it a cutting-edge fence. It is still not \nsufficient. 
So the final aspect of Einstein 3 is that it is a \nplatform that we have made this guardhouse at the highway that \nserves multiple bases, and we can install new technologies on \nthe guardhouse as we go.\n    We are even now exploring what are the next technologies to \nput into the system to continue to build out its capabilities. \nThat is for the Einstein program.\n    For the CDM program, it is a similar evolution. First, \nbuild the basics that every organization should have, but, \nunfortunately, not every organization does have, and then add \nthe more sophisticated technologies on top of it. That first \ncomponent of CDM, which is that guard inside the base checking \ndoors to make sure they're locked, a big part of that is \nascertaining whether or not computers are vulnerable, meaning \nwhether they have been patched.\n    Again, there are numerous private-sector reports on this: \nthat 80 percent to 90 percent of intrusions take advantage of \na vulnerability that we have known about for at least a year, \nand that there is a patch, a fix for it, widely available.\n    So this is the basic blocking and tackling of security. And \nif we haven't rolled out the tools that let us do it \nsystematically, measurably at scale, then we can't build \nanything more sophisticated on top of that.\n    So that is what the first phase of CDM tackles. The second \nphase, as we start looking at who is in the building and should \nthey be there, starts to be more cutting-edge.\n    Senator Hoeven. Again, going back, agencies have their own \nsecurity, and then you come along and provide CDM and Einstein \nacross all agencies. But to the extent that some of these \nagencies aren't yet fully using both of those programs, as you \nmentioned in your testimony, they still have taken some steps \nfor security. 
Maybe some aspects of their software, their \nnumber of access points and so forth which don't fully comply \nwith some of the best practices that you talked about and some \nof your security protocols, but some steps. So, how secure are \nthey?\n    In other words, first, how secure are the ones where you \nhave Einstein and CDM deployed? What is your opinion in terms \nof how good their security is? Are they secure, and are you \ncomfortable? And then what is the state of security for those \nagencies that haven't deployed them yet?\n    Mr. Ozment. Unfortunately, it is not quite as simple as \nsaying that agencies that have CDM and Einstein are secure and \nthose that lack them are insecure. It varies widely, depending \non an agency's capability and investment in cybersecurity.\n    One of the purposes of Einstein and CDM, though, is to \nprovide a basic level of security, so that we can be \ncomfortable that we have that baseline of security across the \nFederal Government, regardless of the agency's skill or \nresources at a given moment.\n    With respect to the Einstein program, another key advantage \nreally that both programs provide us is agencies can and should \nbe effective at seeing what is happening to them on their \nnetwork, but we believe that we will be able to identify \nattacks that are not visible within one agency because it is a \nsmall anomaly within one agency, but when you see it across \nseven agencies, you recognize that it is something bigger. It \nis putting together the pieces of the mosaic and understanding \nthe broader picture of what you see.\n    And then the only thing additionally I would add, just to \nreassure you, on the Einstein program, we are providing \nsomething around departments and agencies that couldn't have \nexisted before. They may have their own intrusion detection \nsystems, but, again, the systems would be local and don't use \nclassified information. 
With CDM, some agencies have built out \nparts of this capability before and we are not duplicating what \nthey have already built out. The CDM program has, frankly, a \nfairly wide variety of vendors and the reason we have that is \nbecause our goal is to fill in the gaps of what agencies may \nalready have rather than replace what they bought.\n\nEINSTEIN AND CONTINUOUS DIAGNOSTICS AND MITIGATION: DEPLOYMENT SCHEDULE\n\n    Senator Hoeven. When will all agencies have both? What is \nyour goal?\n    Mr. Ozment. With CDM, we have broken the agencies \nessentially into five buckets and we are going through each \nbucket awarding and deploying to those agencies.\n    So you just heard that we awarded the second bucket. We \nintend to award the fifth bucket by the second quarter of \nfiscal year 2016 and then essentially have built out that final \nbucket over the next two quarters. So we will have all of these \nbuckets both purchased and built out by the fourth quarter of \nfiscal year 2016.\n    Now, something I do want to flag, however, is we have \ngrouped agencies in part by size. So as we get to that final \nbucket, it is a large number of agencies; it is an extremely \nsmall percentage of the Federal Government by personnel.\n    So as you heard, with just two buckets, we are already over \n50 percent. As we go through these buckets, the remaining \nbuckets get smaller.\n    Senator Hoeven. Is that for both programs?\n    Mr. Ozment. I'm sorry?\n    Senator Hoeven. Is that for both programs?\n    Mr. Ozment. So that is for CDM. Einstein is a different \napproach.\n    Einstein is based on the ISP. If we were to build \nclassified capabilities at every agency, it would be \nprohibitively expensive. So by pulling back to the highway and \nbuilding at just a handful of ISPs, we can keep our costs down \nand still cover most of the Federal Government that way.\n    Right now, as you know, we have two of those ISPs providing \nservice. 
We are now talking to the third ISP to get it under \ncontract. We hope to have all of our capabilities built out \nwith these ISPs by the end of fiscal year 2017.\n    Again, as you get toward the end, you get declining \nadditional coverage of the government. We get the biggest \nchunks early.\n    One thing I want to highlight for Einstein though is we \nbuild it; they still have to come. So that is why, for example, \nright now, we have 50 percent capacity for the government, but \nonly 26 percent taking advantage of a countermeasure.\n    Now that does not mean that agencies are being resistant. \nWe built the capability. Now they have to modify their \nnetworks. It takes some time.\n    But I will tell you that we do have challenges with \nagencies who are concerned about whether the legal authorities \nin this space are clear. They want the protection. They very \nmuch would like to be part of the program. But they have \nstatutes that were not intended to address this issue, that \nwere developed for entirely different purposes, but that \nrestrict who can see the information that that agency receives.\n    So there are all sorts of protected information throughout \nthe government. It may be protected because it was intended \nthat it never be accessible to law enforcement or to \nregulators, you name it. Some of those statutes are broad \nenough that agencies are concerned whether or not they violate \nthe statute for this program to be operational.\n    So that is why we have come to Congress to ask for a \npositive authorization of this program.\n    Senator Hoeven. Thank you.\n\nEINSTEIN AND CONTINUOUS DIAGNOSTICS AND MITIGATION: DHS-WIDE PROTECTION\n\n    Senator Shaheen. So, Mr. McCormack, are all the agencies \nwithin DHS protected?\n    Mr. McCormack. Absolutely. I just wanted to bridge onto \nseveral things that were discussed with Mr. 
Ozment.\n    One is, just in my assessment of the maturity of the CIOs \nand their awareness of cyber, being a component CIO and \nDepartment CIO at the Department of Justice (DOJ) and here at \nDHS, absolutely, there is sensitivity to that. I think what OMB \nhas done recently with their cyber assessments where they are \nhaving discussions with Department leadership, I mean, \norganically, we do that now because of the nature of what we do \nat DHS, so we are always having those conversations. But those \nare very intimate conversations going across all departments \nand agencies, at this point. So I think that has been very \nsuccessful.\n    One other thing on the Einstein, I think another thing that \nmakes that very powerful is not only do the guardhouses have \nthat level of sophistication, using Andy's metaphor, but the \nfact that these guardhouses are now going to be able to talk to \neach other at machine-speed and inform each other is very \npowerful as well. That is a big improvement as to the \nconfiguration that we have today.\n    Last, I would say, on the CDM, as we discussed earlier, as \nI said in my opening statement, we are early adopters of both \nof those programs. For instance, for us, in Einstein, they just \nimplemented the Einstein capability in the ISP that we happen \nto use.\n    Now we have to reconfigure our network, as Andy was talking \nabout. We will have that done approximately at the end of May, \nso we will be routing our traffic through that and taking \nadvantage of those capabilities.\n    That is not to say that we don't have some of those \ncapabilities now. We don't have the classified capability that \nwe are very interested in getting because that is a higher \norder of protection. But most departments and agencies have \nbuilt some type of capability using commercial services, et \ncetera, to do the protection that you asked about.\n    On CDM, we're an early adopter of that. We were in phase \none. 
They just awarded phase two. So we are in the process of \nimplementing that. That will take several months to implement.\n    We do have continuous monitoring throughout the Department. \nIt is not as homogenized as we would like to have it, and this \nis going to allow us to fill in those gaps and give us some \ncapability that we hadn't had before and give us that sort of \nbroad dashboard so that we can quickly look at where our gaps \nare and focus our attention on that. So that is the priority \nissue that you had spoken about, so we can narrow our focus and \nknow where we have some gaps and quickly address those \nconcerns.\n    Senator Shaheen. Mr. Ozment, is the Senate covered?\n    Mr. Ozment. So the Senate is not covered in this program. \nWe are very happy to talk about the Senate, but our \nunderstanding is, for concern of separation of branches, that \nthe legislative branch is not interested in the programs. But \nif there is a change in that opinion, we are extraordinarily \nhappy to work with you.\n\n                    INCIDENT DETECTION AND RESPONSE\n\n    Senator Shaheen. Okay. So back when the Foreign Relations \nCommittee took action on Syria in 2013, one of the advisories \nthat we got was that there was information suggesting that the \nemail accounts of those of us on the committee might be hacked \ninto. Where did that originate? Was that DHS that would have \ngotten that alert and then sent that to the Senate to act on?\n    Mr. Ozment. So I can't speak to that particular incident, \nbut that type of information can originate in a number of ways. \nIt can originate in a law enforcement investigation. It can \noriginate through intelligence.\n    When we, DHS, my organization, when the NCCIC deploys an \nincident response team to a victim, they may, as they help that \nvictim, discover information that the adversary has been on \nanother victim. 
So there is any number of ways that we can find \nout about new victims of intrusions.\n    One of the things that we have all worked on for the past \nfew years in the executive branch is making sure that we do a \ncoordinated, immediate outreach to those victims to let them \nknow. I am happy to tell you that whereas 2 years ago we did \nnot have a process for that, we have a process for it now and \ndo a good job, not just of making sure the victim gets a knock \non the door, but making sure the victim only gets one knock and \nnot three knocks from three different agencies.\n    Senator Shaheen. So when I read off all those statistics \nearlier, and I talked about the 115 incidents that you \nresponded to in 2014, is that the response to victims who have \nhad a cyberattack? And what do you do when that happens? Call \nthe agency and then do what?\n    Mr. Ozment. So those are responses to a victim of either \ncyberattack or intrusion. We do tend to differentiate an \nintrusion from an attack that breaks things.\n    So we may have found out about those through any of the \nmeans I just mentioned.\n    What happens when we find out? We call a victim or \nsometimes a victim calls us. It can happen either way. So we \nlet the victim know or they let us know. We offer our \nassistance.\n    That assistance can be as lightweight as our just telling \nthem we have seen this before. Here's what we know about it.\n    Senator Shaheen. What do you do in a worst-case scenario?\n    Mr. Ozment. Worst case scenario, we send a team onsite to \nhelp them figure out where in the network it is and essentially \nto kick the bad guy off the network and get them up and running \nagain. Ideally, we do that with law enforcement.\n    Senator Shaheen. That is what I was going to ask. Can you \nidentify the bad guy and then do you report that to law \nenforcement in some way?\n    Mr. Ozment. 
So we do not focus on identifying the bad guy, \nalthough we can find information that gives us hints and we can \npass that on. We are sometimes called by companies who are \nunwilling to have law enforcement onsite, but our strong \npreference and really our belief is that the right thing to do \nis to be onsite with law enforcement--law enforcement focused \non the investigation, the attribution, how to catch the bad \nguy; us focused on figuring out where in the network the bad \nguy is, getting them off of it, getting the company or the \nagency up and running again.\n    Whether that is the Secret Service or the FBI or Homeland \nSecurity investigators, if we are out with a victim, we will be \nencouraging them every day to bring in law enforcement.\n    Senator Shaheen. Thank you.\n\n                          INFORMATION SHARING\n\n    Senator Hoeven. I would like to shift to the state of \ninformation-sharing. So I would like to get Mr. Ozment's sense \nof where we are in terms of timely, actionable information-\nsharing, public sector, private sector.\n    Mr. Garcia, the same question to you.\n    In any order, whoever wants to go first, fire away.\n    Mr. Ozment. Okay, I will go first, I guess.\n    I actually want to break information down into three \nbuckets again.\n    One is the in-person collaboration and exchange of \ninformation, and we cannot minimize the importance of that, \nbecause so much of knowledge in complicated spaces is tacit \nknowledge that is best shared when you engage with people \ndirectly. But it doesn't scale. So while we have to do that, \nthat is far from sufficient.\n    Next is what I view as sort of the analytic reporting, \nwhich is contextual information that helps the recipient \nunderstand broadly what is going on. An example of this would \nbe a report talking about attacks that are targeting these \nthree sectors. They are broadly taking these approaches. 
We \nthink they are after this type of information, or this is the \ngoal they are trying to achieve. It may or may not be \nactionable in a tactical sense, but it gives that strategic \ncontext that helps the recipient understand what is going on.\n    Third and final is tactical information-sharing, what we \noften call cyber threat indicators that are the actionable \nthings that a recipient can use to protect themselves.\n    We have programs in all three areas, and I think all three \nare necessary. A lot of the focus right now is on that third \narea of tactical information-sharing, so I will focus on that. \nBut I do know that we also put a lot of effort into those first \ntwo areas.\n    So for that tactical information-sharing, that is the type \nof information-sharing that we can make happen at machine-speed \nand what we have been very focused on doing. So starting over 3 \nyears ago at DHS, we realized the need that we would have to \nshare these indicators, we would have to share them in an \nautomated way and do it at machine-speed, and that there was no \nstandard by which to characterize them and to share them. So we \nstarted that work over 3 years ago.\n    That led to the STIX (Structured Threat Information \neXpression) standard and the TAXII (Trusted Automated eXchange \nof Indicator Information) standard. STIX is how you describe \nthe information to be shared. ``I am sending you this piece of \ninformation. This is what it means. This is how you use it. \nThis is how you have to protect it. And this is how you share \nit, if you like.'' So it gets quite complicated, but it is the \nstandardized language for describing all those things.\n    TAXII is how computers tell each other that at machine-\nspeed.\n    So we started, 3 years ago, developing those standards. In \n2013, we started releasing all of our products in this STIX \nformat, this machine-readable language. 
We were not yet sharing \nit at machine-speed, but when you got it, you didn't have to \ntype it in. You could feed it to a program that could \nunderstand it and then read it as a computer would read it.\n    Then a year ago, in February 2014, we started a pilot with \nthe Financial Services ISAC (Information Sharing and Analysis \nCenter), part of the FSSCC (Financial Services Sector \nCoordinating Council). And with the Financial Services ISAC, we \nstarted this pilot where we would send information that was \nSTIX-formatted with TAXII, so machine-speed, machine-readable \ninformation, back and forth.\n    We ran that pilot. It was very much successful. As a \nconsequence of that, we have been building. We had a pilot \nscale system now. Now we want to serve a large swath of the \nprivate sector and the government. So we have to build a \nrobust, scalable system. So we have been doing that. We hope to \nreport good news on that in the coming weeks.\n    Senator Hoeven. Mr. Garcia.\n    Mr. Garcia. Yes, sir, Mr. Chairman. I agree with everything \nthat the Assistant Secretary said. I would add two pieces to \nthat. One is process, and the other is relevance.\n    Our information-sharing engagement with the government from \nthe financial sector is good and getting better. As I said in \nmy opening statement, where there are gaps or inefficiencies, \nthey are acknowledged and we are addressing them. We have a \nworking group that involves our sector-specific agency, the \nTreasury Department, as well as DHS and other Federal agencies, \nand the financial sector working on these process issues. That \nis very simple questions like: Who is on the phone tree, and in \nwhat order? And how does information generated within DHS \nactually get over to the Treasury Department? And how does \nTreasury actually get certain information from the NSA? And who \nhas authority to share it outward? What about the tear line? 
\nThe tear line is you have a classified section and unclassified \nsection. How do you split those two so you can actually get the \nactionable information to the owner and operator of the bank or \ninsurance company to actually deal with it?\n    So the process is not easy. The government is not \nmonolithic; the financial sector industry is not monolithic. \nAnd getting through all that vast wiring diagram to get \ninformation out in time to the right people is a challenge. It \nalways will be. It is a systemic issue that is just the nature \nof the beast.\n    The second is relevance. As the threats evolve, as \ntechnology evolves, and vulnerabilities, the way we deal with \nthose is different. Where we have taken care of one problem, a \nnew one emerges. I have been on the receiving end when I was at \nDHS, and I thought we had some pretty juicy information about \nsome classified threat, and I shared it with a cleared industry \nofficial, and he said, ``Are you kidding? I have known about \nthat for 6 months.'' So that wasn't relevant.\n    So it is a constant process of engaging with the partners \nto know, does this piece of information work for you? Is this \nrelevant? Can you do something with this?\n    So three times a year, we have very large meetings between \nindustry and government where we have classified sessions. \nEvery month, the Treasury Department is holding classified \nsessions with cleared industry people. That exchange is \nconstantly going, recalibrating and recalibrating what matters.\n    Senator Hoeven. So you feel that with the ISAC and the \nindustry--in this case, the financial services industry--it is \nworking? You feel that you have generally good security and you \nare working to make it better with information-sharing and \nresponse and coordination and technology deployment, both \nindividually and some of these technologies that cross \nbusinesses or agencies?\n    I mean, it is going the right way? 
You feel like it is \nworking?\n    Mr. Garcia. It is going the right way. As I said at the \nstart, we are never done, we are only better. I think the STIX \nand TAXII open specification that Andy referred to is very \nimportant for us because it is laying out an open standard for \nall industry to apply to their information-sharing. It is \nsimply how you describe the information and how you transport \nit in a machine-to-machine way.\n    That is a good thing. That is taxpayer dollars well spent.\n    Senator Shaheen. You talked about the fact, Mr. Garcia, \nthat the financial services sector is ahead of much of the rest \nof the private sector, in terms of dealing with cyber threats.\n    Why do you think that is? And how do we get folks in the \nutility sector and some of those other areas where they haven't \nresponded as quickly to be aware of the challenge and to work \nwith them to get them up to speed to where they ought to be?\n    Mr. Garcia. I certainly don't want to claim that the \nfinancial sector is far ahead of everyone else. But first of \nall, the financial sector is heavily regulated so there are \nvery explicit requirements that we have for ensuring the safety \nand soundness of the financial system.\n    Senator Shaheen. So are utilities, though.\n    Mr. Garcia. Indeed. The second point is that it is the \nWillie Sutton factor. That is where the money is.\n    The financial services sector is a symbol. It is a very \nlarge and potent symbol of America, and it, therefore, becomes \na target naturally on the global stage.\n    But I think because we recognize that we as a sector are \ntargeted every day, that it is not a competitive issue among \nus. We don't say, ``We are more secure than the other bank. \nCome bank with us.'' We recognize that it is the three \nmusketeers. 
We have to be one for all and all for one so that \nwe can form a collective intelligence, a collaborative posture, \nto take on the bad guys.\n    So because of that, we have formed a very strong trust \ncommunity. As I said at the start, strength in numbers. If you \ndon't have strength in numbers, you are not going to be able to \ndefeat the adversary, period.\n    I think that that notion of trust community might not be as \nmature in other sectors. They certainly are accelerating that. \nThere is greater recognition.\n    And then finally, I think we are doing a lot of work sector \nto sector. The financial sector is heavily dependent on the \nelectric sector. The electric sector is dependent on financial \nservices. We are all dependent on telecommunications, \ninformation technology. So there are critical interdependencies \nthat really illuminate those vulnerabilities, those shared \nvulnerabilities.\n    From a business-to-business standpoint, government is \nimportant in helping us deal with this, but this is a business-\nto-business issue. How do I know when the lights are going to \ncome back on? And my electric company better have an answer for \nthat.\n    So we are dealing with those issues both in terms of \nbusiness and in terms of policy and critical infrastructure \nprotection.\n    Senator Shaheen. Senator Hoeven was asking about \ninformation-sharing. I was here--I think you were here, too, \nSenator Hoeven--several years ago when there was an effort to \nget a cyber bill through the Senate. I think it broke down \nalong, basically, the concern about sharing information as well \nas who was going to be in charge of holding that information \nand responding to it.\n    There is new legislation that has been drafted. Do you have \na view on whether that is preferable and how the private sector \nmight respond to that new legislation, and whether it is \nneeded? I will ask you all that as well.\n    Mr. Garcia. Yes. 
I couldn't comment on the details of \nlegislation, but as a general matter, we are supportive of any \ninformation-sharing legislation that facilitates that.\n    While we believe we have very robust information-sharing \nwithin the financial sector, there remain concerns about \nliabilities.\n    Let's say I will share information with government. How do \nI know that it is not going to be used for regulatory purposes \nagainst me? Or I do take action on it and, it results in a \nclass-action lawsuit because I didn't act within 10 days or \nsome other potentially arbitrary standard.\n    So to the extent that Congress can provide levels of \nassurance to the private sector, that good-faith information-\nsharing that is intended to protect critical infrastructure \nwill not go punished in some ancillary way, I think that is \ngoing to facilitate more information-sharing.\n    Information-sharing is not the silver bullet, but it \ncertainly is the currency of our collective protection.\n\n                    INFORMATION-SHARING LEGISLATION\n\n    Senator Shaheen. Mr. Ozment.\n    Mr. Ozment. Let me start by actually emphasizing the point \nMr. Garcia just made, which is information-sharing is \ncritically important, but it is not a silver bullet. In fact, \nif you haven't implemented best practices, I can share \ninformation with you all day long and you have no way of \nimplementing that information.\n    Senator Shaheen. Should legislation include best practices? \nShould it include a standard by which sectors should operate?\n    Mr. Ozment. I don't think that we need that in statute. I \nthink the government and private sector worked together to \ndevelop the cybersecurity framework over the last 2 years and \nthat we are advocating for the voluntary adoption of that \nframework and see a lot of enthusiasm for it. So I think----\n    Senator Shaheen. Has anyone adopted it yet? The financial \nsector?\n    Mr. Garcia. Yes. 
The framework that Andy was referring to \nwas developed jointly between industry and the National \nInstitute of Standards and Technology (NIST), so there is \ngeneral support for it.\n    It is very broad in nature, which is the elegance of it, in \nthe sense that it is very scalable. Very small community \ninstitutions, banks like Chairman Hoeven used to be the CEO of, \ncan adopt the NIST cyber framework, as can major banks.\n    A lot of us have done the mapping. Many of the financial \ninstitutions have very sophisticated, robust cybersecurity \npractices and controls. And we see that we map very closely to \nthe NIST framework.\n    So I think we are there. I think the challenge now is to \npush that NIST framework out to the broader business community, \nparticularly small and midsized institutions, because they are \npart of this ecosystem as well.\n    Senator Shaheen. Are there other ways in which we are \nencouraging other industries and the private sector to adopt \nthose standards?\n    Mr. Ozment. We absolutely are. So a good portion of the \nprograms that I have are focused, in fact, on encouraging the \nadoption of standards. We have requested increases in our \nbudget this year for some of those programs.\n    One of them is the C-Cubed Voluntary Program. This is our \ncybersecurity advisers, so individuals who are across the \nUnited States help companies understand cyber best practices \nand adopt them. And also risk assessments.\n    So as I mentioned in my opening remarks, we will work with \ncompanies and do a risk assessment with them. Now, we can do \nthat in person, and we also have downloadable tools that they \ncan use to do their own. One of the reasons we do it in person \nis to give us a better sense of the pulse of industry and where \nindustry is.\n    So we seek to do more with us. 
They are a great educational \ntool, both for the infrastructure or the company that receives \nit, and, frankly, they help us very much understand industry's \nneeds.\n    So we have multiple programs where we are out there. We are \nalso working with the sectors and the sector coordinating \ncouncils to do sector-wide risk assessments but also to work \nwith them and customize a cyber framework to their sectors' \nindividual needs.\n    There is a lot of great work going on in the space. And, \nfrankly, we are seeing a level of adoption and energy around \nthe framework that I would not have even hoped for 2 years ago.\n    Senator Shaheen. That is encouraging. Thank you.\n\n                   STAFFING: RECRUITING AND RETAINING\n\n    Senator Hoeven. Okay, we will try to wrap this up now, \neither in one or possibly two more rounds, but maybe we'll just \nset this round up to go a little bit longer and see if we can't \nbring things to conclusion.\n    A couple different questions that I have. I am going to go \nto Mr. McCormack and just ask, in terms of staffing, how are \nyou doing in terms of recruiting and retaining staffing for DHS \nagencies?\n    Mr. McCormack. Thank you. Staffing is always an ongoing \nactivity for us, and we certainly do appreciate the flexibility \nthat we now have in our pay scale and the like. We are working \nvery closely with our CHCO (Chief Human Capital Officer) \norganization to go through the necessary processes, to do the \nskills assessment, etc., to implement that across the \nDepartment.\n    We also have direct hire authority, which really helps us \nin allowing us to pursue the variety of talent that we are \ninterested in.\n    Retaining is always an opportunity and a challenge. As Andy \nand I were talking right before the hearing started, I just \nshared a small story. When I was over at DOJ, we had a young \nlady over there, very sharp, midcareer, who was actively \npursued through LinkedIn. 
Out of the blue, she ends up getting \nan offer that is more than double her salary, moves her out of \nstate, puts her up, lets her build her dream house, and changed \nher life.\n    We were honored that--it is a big world--and of all the \nplaces across the world that they could come, they come right \nto the Federal Government. That is the flattering part of it. \nThe challenge is that we lost a good employee there. So that is \nalways a real dynamic that we have to work with.\n    So how do we address that? Well, we continue to recruit. We \ncontinue to grow. We have a lot of techniques to do that. We \nare working very closely on that. But that is a real \nopportunity for us, to continue to build our workforce from the \nlowest level up to the senior level and continue to bolster \nthat workforce to deal with the adversaries. It is a real \nopportunity for us.\n    Senator Hoeven. Do you feel you are in a position to do \nthat?\n    Mr. McCormack. Yes. I think we have all the tools in place. \nYou all have helped us with that. So we really do appreciate \nthat. That is an ongoing pursuit. That is a constant, continual \nactivity.\n    As we grow our organization and grow the level of skill set \nthat we need, that is just an ongoing maturity curve that we \nare going to continually face.\n    Senator Hoeven. Mr. Ozment, the same question.\n    Mr. Ozment. I too would really focus on the workforce issue \nand really emphasize the importance of you and the Congress \nacting in December of this year and passing, in fact, two bills \nrelated to the DHS security workforce. So I truly thank you for \nthat.\n    As we implement those bills, that will be incredibly \nhelpful for us in sustaining our cybersecurity workforce. There \nare two sort of additional considerations that I would put on \nthe table for that.\n    First of all, ultimately, those bills and that effort will \nhelp us enormously in recruiting and retaining great talent. 
\nBut I will also tell you, from my organization's perspective, \nwhen I look at my cybersecurity talent that I recruit, I do not \nlook at them and think, this person will be with me for a full \ngovernment career. I think this person will work with me. They \nwill contribute a great deal. They will learn a great deal. At \nsome point, they will likely circulate to the private sector. \nAnd then, hopefully, I will catch them again at a different \npoint in their career.\n    That is a different model of government service. It is not \na bad model. It is just one that we have to adjust to and build \nour workforce processes to accept.\n    The second thing I would say is, in addition to the \ntactical problem of how we hire for ourselves, we also have to \nworry about, of course, building a national workforce so that \nMr. McCormack and I don't have to just poach from each other or \nfrom other companies, but, in fact, there is a broader talent \npool available that we can all hire and draw from. That is \nwhere our cybersecurity education and awareness efforts come \nin.\n    Senator Hoeven. Do you feel you have the ability to get \nwhat you need? Yes or no?\n    Mr. Ozment. Yes. Yes, sir. Thank you.\n\n                   INFORMATION-SHARING ORGANIZATIONS\n\n    Senator Hoeven. What is the difference between an ISAC and \nISAO (Information Sharing and Analysis Organization)?\n    Mr. Ozment. We heard two things from the private sector \nabout information-sharing organizations. One, a lot of \ncompanies that were in ISACs, most companies in ISACs, feel \nreally positive about them. But there were a lot of companies \nthat said, I don't fit in an ISAC.\n    The ISACs were constructed since 1998 along sector-focused \nlines. So it would be the financial services ISAC, electric \nsubsector ISAC, you name it.\n    There are companies that said, I just don't fit. 
I don't \nsee myself in one of these sectors, or I see myself in all of \nthese sectors, or I have trust relationships with people in my \ncity and I want to share with them and have them be my hub. I \ndon't want to be part of the sector construct.\n    Essentially, in the government, we said, why are we \nimposing a government hierarchical structure on you? We should \nlet you, the private sector, organize yourselves as you see \nfit, and we'll work with you.\n    So ISACs continue to exist and are incredibly valuable. \nISAOs are new organizations for people or companies that are \nnot interested in the traditional ISAC approach and want to \nform a different type of group.\n    Senator Shaheen. That is a really bad acronym.\n    Mr. Ozment. That is very true. I apologize.\n    Senator Hoeven. Are there any good acronyms in \ncybersecurity?\n    Senator Shaheen. Maybe not.\n    Mr. Garcia. If I could put a fine point on it, all ISACs \nare an ISAO, but not all ISAOs are ISACs.\n    Senator Hoeven. ISACs are industry specific. ISAO is \nsomething else.\n    Mr. Ozment. Any shape and size.\n    Mr. Garcia. And it could be for-profit. ISACs are not-for-\nprofit.\n\n                              CYBER CAMPUS\n\n    Senator Hoeven. I am concerned about the civilian cyber \ncampus concept, the cost and idea of putting everything in one \nplace. I would like each of you to comment on that.\n    Mr. Ozment, why don't you start? But I want all three of \nyou to comment on that. I have concern about the cost. I have \nconcern about trying to put everything in one place.\n    So please comment on that.\n    Mr. Ozment. So all departments and agencies that are \ninvolved in the cybersecurity mission have agreed in concept \nwith the vision and goals and objectives of the cyber campus.\n    It is planned to be a federally owned and operated facility \nthat will house as original anchors DHS and DOJ cybersecurity \nelements. 
Our hope is that the campus will lessen and \nstreamline the costs of operating what are currently dispersed \nand largely leased facilities while simultaneously enhancing \nunity of effort. Sometimes there is no substitute for being \nable to walk down the hall and talk to a person face-to-face.\n    So we support the President's fiscal year 2016 request for \n$227 million in the GSA budget to begin construction of the \ncampus.\n    Senator Hoeven. Do you have some kind of cost analysis that \nshows the relative cost of one consolidated campus versus \nmultiple sites? Have you done a cost-benefit analysis where we \ncan actually compare the costs?\n    Mr. Ozment. I would have to defer to GSA for that broader \nanalysis.\n    Senator Hoeven. Okay. That would be something I would want \nto see.\n    Mr. McCormack.\n    Mr. McCormack. We also support the concept. As an agency, \nwe wouldn't house our folks in there. We would continue to \nhouse our folks in our configuration as we have today, but we \nare obviously very interested in the information that we would \nshare with the cyber campus and the information that would come \nout, very similar to what we do with NCCIC. We actually have \nsomeone installed in NCCIC, but our whole workforce isn't in \nthe NCCIC.\n    So certainly, we support the concept, but we as an agency, \nand I am sort of speaking on behalf of any agency, that the \ninternal traditional cybersecurity organization that is \nprotecting that agency doesn't plan on being in the cyber \ncampus.\n    Senator Hoeven. Mr. Garcia.\n    Mr. Garcia. Mr. Chairman, I am afraid I am not well enough \ninformed on the program to opine.\n    Senator Hoeven. It was primarily for the other two, but I \njust wanted to see if you had any thoughts on it.\n    Mr. Garcia. Thank you.\n    Senator Hoeven. Okay, thank you.\n\n                             STAFFING: PAY\n\n    Senator Shaheen. 
Doesn't it, though, seem sort of \ncounterintuitive that, when we are talking about issues around \ncybersecurity and around communicating virtually on the \nInternet, the only way we think we can do that is to build a \nbrick-and-mortar campus? I mean, that seems to me like that \nsort of misses the point of what we are trying to accomplish \nhere, that it would be better to put all that money into \nimproving our IT systems rather than building a new building to \nput people together. You don't have to respond to that.\n    But I do want to zero in on the issue of more flexibility \nin the pay scale. I don't know which one of you said that, \nwhether it was you, Mr. McCormack, or you, Mr. Ozment. But one \nof the questions that I had is, as we are looking at providing \nadditional flexibility so we can recruit and retain people, how \ndo we include performance as part of what we factor in, in \nlooking at how we're dealing with that flexibility in the pay \nscale?\n    Mr. McCormack. I think that was me that mentioned that. I \nthink I also mentioned that the first thing they'll do is a \nworkforce assessment. And then through that analysis, and the \npay analysis, they will take things into consideration, such as \nperformance, also job categories and the level of training and \nthose things.\n    All of those things will get mixed together to make those \ndeterminations. I know that CHCO is working very closely with \nthe DOD and the NSA, who has already done this, and using some \nof their policies and best practices. So I would expect all \nthat to come together and then assess on the basis of, again, \njob performance. The type of job, the level of training, would \nthen determine what type of pay or bonus or retention bonus, \nthose sorts of things, that would be equated to that job \nposition.\n    Senator Shaheen. Okay. I think, clearly, this is an issue \nas we try to retain talent and recruit top talent. 
I think a \nbigger issue is the one you talked about, Mr. Ozment, and that \nis that we are not educating enough STEM graduates in this \ncountry.\n    In New Hampshire alone, by 2018, we need 43,000 STEM \ngraduates. So this is a huge issue and it is one we really need \nto think about, not just at the DHS level, but as we are \nlooking at education and other ways that we can incentivize \nencouraging young people to go into those fields.\n    I am going to leave you out of this, Mr. Garcia, because \nthis is a public question.\n    To what extent and how do you all coordinate with DOD and \nwith other agencies that have their own cyber centers?\n\n                    COORDINATING WITH OTHER AGENCIES\n\n    Mr. Ozment. So from the national and cross-governmental \nperspective, I can tell you we coordinate and collaborate \ndeeply daily.\n    Senator Shaheen. So give me an example.\n    Mr. Ozment. So every morning at 8:30, the cyber centers, \nthe six cyber centers, have a phone call where they all walk \nthrough all the issues.\n    Senator Shaheen. Who are the six cyber centers?\n    Mr. Ozment. NCI JTF, the National Cyber Investigative Joint \nTask Force, which is housed by the FBI; the NCCIC, which is \npart of DHS and NPPD; DCCC, the Defense Cyber Crime Center, and \nI will confess I don't know where it is geographically located, \nbut the Department of Defense; the intelligence community----\n    Senator Shaheen. I have a diagram for this. Go ahead.\n    Mr. Ozment. Okay.\n    Senator Shaheen. Now I see what you are talking about. Go \nahead.\n    Mr. Ozment. Indeed. The intelligence community. And I \nforget their acronym, forgive me, but their, essentially, \ncybersecurity team.\n    Senator Hoeven. ICRC.\n    Senator Shaheen. You are good. You have seen this before.\n    Mr. Ozment. ICRC (Intelligence Contingency Readiness \nCenter). Thank you.\n    The U.S. 
Cyber Command Joint Operations Center and the NSA \nNTOC, the National Threat Operation Center.\n    Senator Shaheen. So you all talk first thing in the \nmorning?\n    Mr. Ozment. We all talk daily. Now, you know, depending on \nthe mission, some of us have more recurring close ties than \nothers. But we also have liaison exchange.\n    So on the NCCIC floor, for example, we have FBI liaisons, \nNSA, Northern Command, Cyber Command, Coast Guard, Homeland \nSecurity investigators, Secret Service. Those are the people \nthere every day. Appearing about once per week or so, we have \nTreasury, Energy, and I am sure I am missing agencies. But we \ndo a lot of liaisons and essentially swapping people.\n    And we have our people out at almost all of the centers as \nwell.\n    Senator Shaheen. One of the things that you talked about \nwhen I visited the NCCIC was the fact that part of what you \nwere looking for in this year's appropriation was to be able to \nanticipate and get ahead of cyber threats, to develop systems, \nwhatever technology to be able to stay one step ahead of the \nhackers.\n    How do you share that kind of effort among all of those \nagencies? So if you develop some great way to keep the system \nsecure, do you share that with DOD, and vice versa?\n    Mr. Ozment. Absolutely. The problem is too big for us to be \nworried about hoarding solutions. I will tell you I literally \nspent an entire day yesterday, and my schedule is nowhere near \nas busy as yours, but I rarely spend a full day in one place. I \nspent a full day with our Science and Technology Directorate at \nthe National Security Agency literally having this \nconversation: Here's what we are finding works on the \ntechnology front. What are you finding? Is there anything we \nknow about that you don't and vice versa? We have to stay \ntogether, and we have to stay abreast of this threat.\n    And that is about the technology. 
On the actual information \nitself, Ranking Member, I failed to answer your question about \ninformation-sharing legislation, would you like me to give a \nfew thoughts on that?\n\n                    INFORMATION-SHARING LEGISLATION\n\n    Senator Shaheen. Yes, that would be great.\n    Mr. Ozment. It is critically important that we in the \ngovernment share among ourselves whatever information we have \nabout cyber threats. We are doing, frankly, a pretty darn good \njob of it, far better than at any time during my time in \ngovernment.\n    With respect to the cybersecurity information-sharing \nlegislation, the administration believes that there should be \none place where information from the private sector comes into \ngovernment, and that is for two reasons.\n    One is just efficiency. We need to give the private sector \none coherent, consistent answer so they don't have to decide \nbetween multiple choices.\n    The other is for privacy and civil liberties protections. \nThe administration's proposal has a number of privacy and civil \nliberty protections in place, but one of them is to narrow what \nwe are talking about. That is to narrow it to cyber threat \nindicators. These are the things used by network defenders to \nprotect themselves against cyber threats and incidents. A cyber \nthreat indicator doesn't mean you've had an attack or you've \nbeen broken into. A good defender learns about cyber threat \nindicators just by defending themselves.\n    I got a phishing email. We were smart. We didn't click on \nthe link. We identified it as phishing, but maybe nobody has \never seen it before. So I share the ``from'' address on this \nphishing email, and other people can protect themselves.\n    There is no incident. But now we are all better off \nprotected.\n    So we believe that DHS should be the one portal by which \nthis information comes into government. 
We believe that \nprovides us with a better place to put in place privacy and \ncivil liberties protection, because it is centralized and we \ncan do our oversight there. The NCCIC is not law enforcement \nand it is not intelligence, so that gives comfort to those who \nare concerned about these issues.\n    At the same time, we are very up front that we are getting \nthis information and we are going to share it with our \ngovernment partners, because we all need to see it in \ngovernment. So while we will put in place the privacy \nprotections to ensure that what we are passing on is \nappropriate, it is also incumbent upon us at DHS to make sure \nwe get it to our partners at all the other cyber centers and \nrelevant agencies in near real-time, once those privacy \nprotections have been put in place.\n    Senator Shaheen. So you think you can do that without \nlegislation?\n    Mr. Ozment. We absolutely need legislation to provide \nliability protection to the private sector, to give them the \ncomfort to share information with us.\n    Senator Shaheen. Thank you.\n    Thank you, Mr. Chairman.\n    Senator Hoeven. Thank you, Senator Shaheen.\n    And we're finishing up at about the right time because we \nhave votes that will start at about 4 o'clock.\n    So I would like to thank all three of our witnesses. I \nthink you did a really excellent job of laying out what you are \ndoing. I think it was very helpful.\n    Again, it's a tremendously complex area. It's really \nimportant that we are focused on it as a Nation and doing the \nvery things that you are doing both in the public sector and in \nthe private sector.\n    As we take up this cyber legislation, it is going to be a \nreal challenge. As Senator Shaheen said a minute ago, we tried \nonce before to bring a bill forward, and there just is such a \ndiversity of opinions out there in terms of how to do this. 
But \nit is a real challenge to get people with your level of \nexpertise to work with policymakers to foster an understanding \nso that we can try to get this right.\n    It is very important that we do. So I think you are going \nto continue to be right in the middle of some very, very \nimportant work.\n    And I think, Mr. Garcia, as you said, or maybe it was Mr. \nOzment, but I know all three of you recognize and appreciate \nthat this is a process. It is not like we are going to do this \nand, gee, it's fixed, and we solved that problem, and we'll go \ndo something else.\n    This is a process, and we are going to continue to be \nworking at it, for a long, long period of time, forever.\n    So again, thanks. Appreciate it very much.\n    Senator Shaheen, any closing comments?\n    Okay, so this will conclude our hearing today. I want to \nthank all of the witnesses for your testimony and for the work \nthat you do.\n\n                     ADDITIONAL COMMITTEE QUESTIONS\n\n    The hearing record will remain open for 2 weeks from today. \nSenators may submit written questions for the record. And we \nwould ask that the witnesses respond to them within a \nreasonable length of time.\n    [The following questions were not asked at the hearing, but \nwere submitted to the Department subsequent to the hearing:]\n\n                Questions Submitted to Hon. Andy Ozment\n               Questions Submitted by Senator John Hoeven\n        the multi-state information sharing and analysis center\n    Question. The Multi-State Information Sharing and Analysis Center \n(MS-ISAC) is also the only ISAC receiving direct Federal assistance. \nLast year they received $9.7 million from DHS, and this year the \nPresident's budget recommends a reduction to $9 million. 
Even though \nall 50 States receive bulletins from the MS-ISAC, only 24 States and \none territory receive Managed Security Services.\n    What are some of the factors preventing all States from \nparticipating in the MS-ISAC?\n    Answer. Please note the fiscal year 2015 MS-ISAC budget is $12.956 \nmillion, rather than the $9.7 million the question references. All 50 \nStates are members of the MS-ISAC, along with 679 local governments, \nthree territories and eight tribal governments. Over the past few \nyears, DHS has worked with the MS-ISAC to expand its Albert monitoring \nsystem, an automated cybersecurity information analysis tool, to all 50 \nStates and six territories in fiscal year 2015, beyond the 33 States \ncurrently covered by the program. However, State participation in \nAlbert requires a lengthy State approval and onboarding process. Many \nStates have a process that includes approval from political appointees, \nGenerals Counsel, and technology managers. Our primary stakeholders, \nCISOs, have an understanding of what Albert does but it can take time \nto get that information up the decision chain. Participation is \ncompletely voluntary and some States are determining whether the \napproval timeframe addresses their requirements.\n    Question. Will the reduction in funding reduce the capability for \nthe MS-ISAC to provide its current level of service?\n    Answer. DHS will be working to right size the MS-ISAC budget based \noff growing DHS requirements and mission and in response to the level \nof State and territory participation in the cost-share initiative for \nfiscal year 2017 and beyond. DHS stands by the funding request and \nfully supports the President's budget. We worked through a process to \nrequest enough funding this year so that, along with the carryover, we \nwould maintain our current level of support.\n    The MS-ISAC reduction in fiscal year 2016 exceeds the estimated \ncost share amount due to late fiscal year obligations. 
MS-ISAC \nobligations are done at the end of the fourth quarter of each fiscal \nyear, thereby causing MS-ISAC to draw down against those prior year \nfunds during the following fiscal year.\n                                 ______\n                                 \n              Questions Submitted by Senator Thad Cochran\n    Question. Could you explain to the subcommittee the function and \nvalue of developing and utilizing test ranges in the cyber domain?\n    Answer. Cyber test ranges fulfill two principal functions. First, \ntest ranges can be used to test and evaluate cyber technologies, \nproducts, and systems. A test range provides a suite of tools, \nprocesses and expertise to evaluate products under conditions that \nsimulate operational use in order to capture key indicators of product \nperformance. Test ranges can deploy networks of simulated government \nand commercial organizations with real world applications, services and \ncontent. For example, the National Cyber Range (NCR) deployed a \nsimulated public Internet environment for USCYBERCOM's Cyber Flag \nexercises that provided realistic content from hundreds of foreign and \ndomestic Web sites and instantiations of cafe, school, hospital, \ncommercial, and home networks. Ranges such as the NCR can employ live \nmalware, red teams, and classified tactics, techniques, and procedures \ntied to specific threat actors to evaluate whether and how a particular \nproduct mitigates basic and advanced threats. Within DHS, the Office of \nScience and Technology has partnered with the National Science \nFoundation to develop the Defense Technology Experimental Research \n(DETER) test-bed, which is used to test and evaluate cybersecurity \ntechnologies, including DHS-funded researchers, the larger \ncybersecurity research community, government, industry, academia and \neducational users.\n    Second, a cyber test range can be used for educational purposes. 
It \ncan provide a virtual training environment where cybersecurity \nprofessionals can practice or demonstrate competency in a skill or \nability. Training activities using a cyber test range also provide \nopportunities for operational teams to demonstrate their collective \nability to analyze unique threats, work together to develop effective \ncountermeasures, and to develop and test contingencies in an effective \nand timely manner.\n    Question. Does the administration's fiscal year 2016 budget request \nprovide adequate resources to address evolving Department requirements \nand cybersecurity test capabilities?\n    Answer. The administration's fiscal year 2016 budget request \nprovides adequate resources to address evolving departmental \nrequirements and cybersecurity test capabilities. Furthermore, the \nrequest includes resources for several high-priority areas including: \nIncident response, analysis, automated information sharing and capacity \nbuilding for non-Federal stakeholders. As part of our ongoing work to \nsupport the nation's cybersecurity, we work with industry and \ngovernment partners to identify and evaluate open source tools and to \ndevelop technology to improve interoperability among tools to reduce \nthe time for detection and mitigation of cyber events.\n    Question. Does the National Guard's unique flexibility to move \nbetween the commands of Governors and the President position it to be a \nparticularly useful organization for defending against cyber-attacks?\n    Answer. The National Guard's diverse capabilities as well as their \nunique authorities under State Active Duty and title 32 make them a \nuseful organization for defending against cyber attacks. Many National \nGuard members have cybersecurity experience from industry, making them \nhighly qualified to understand the cyber threat to civilian \ninfrastructure and serve as an effective partner with DHS. 
DHS \nregularly conducts exercises with the National Guard, including last \nyear's Cyber Guard. In this 2-week exercise, DHS, the National Guard, \nand other interagency partners tested operational and interagency \ncoordination as well as tactical-level operations to protect, prevent, \nmitigate and recover from a domestic cyber incident. On the other hand, \nthe National Guard cannot be the only answer to our needs. For example, \nmembers of the Guard may be needed at their private sector companies \nduring a cyber emergency, to mitigate the impacts at those companies. \nTo the extent that the National Guard participates in cybersecurity \nactivities, we would welcome their integration into existing response \ncapabilities and established Federal and National Security response \nrelationships while assisting in defending State cyber critical \ninfrastructure.\n    Question. Your Department has been recognized for its excellent \nefforts in consolidating its information technology infrastructure and \nthe savings these efforts will generate. Generally speaking, is it your \njudgment that it is easier to protect these assets when they are \nconsolidated and accounted for or when they are scattered around the \nGovernment?\n    Answer. Consolidation improves the Federal Government's security \nposture and incident response capability. Consolidation of assets \nprovides the opportunity for enhanced monitoring and situational \nawareness across the Federal enterprise. Economies of scale can be \nachieved by grouping assets to key strategic locations. But of \nparamount importance is the ability to identify and account for assets. \nWithout that capability, security professionals are unable to monitor, \npatch, configure or otherwise secure them.\n    Question. 
While it is widely accepted that a foreign or terrorist \ncyber-attack on our electric grid, water systems, or financial systems \ncould cause widespread damage and have detrimental effects on our \neconomy and consumer confidence, there has been much discussion about \nhow involved the Federal Government should be in defending \ninfrastructure owned by non-Federal entities. How would you define the \nthreshold for what types of non-Federal infrastructure might qualify as \n``critical'' for these purposes?\n    Answer. The Department of Homeland Security's National \nInfrastructure Protection Plan, or NIPP, defines critical \ninfrastructure as the ``assets, systems, and networks, whether physical \nor virtual, so vital to the United States that their incapacitation or \ndestruction would have a debilitating effect on security, national \neconomic security, national public health or safety, or any combination \nthereof.'' The destruction or unavailability of any critical entity can \nhave a cascading effect, either within a supply chain or across \nsectors. It is also true that while an individual disruption may not \nappear to meet a threshold meriting Federal interference, in fact, an \nimmediate and coordinated Government response is essential to the \ncontinuity of critical services and to overall national security. The \ndistinction between publicly and privately held infrastructure does not \ndictate whether it merits a Federal response to ensure continuity of \nservices and mitigation of effects, including cascading effects.\n    Further, Executive Order 13636 section 9 directed DHS to identify \ncritical infrastructure that could be impacted by a cybersecurity \nincident reasonably resulting in catastrophic regional or national \neffects on public health or safety, economic security, or national \nsecurity. 
DHS therefore conducts proactive outreach to those entities \non the section 9 list to ensure that they participate in available \ncybersecurity programs and are aware of assistance available from DHS \nand its partner agencies.\n    Question. I have heard about the importance of cooperation and \nclearly defined lanes of responsibility across the Federal Government \nfor our cybersecurity efforts. What are your respective roles in \nreceiving and sharing threat information with the private sector?\n    Answer. The Office of Cybersecurity and Communications (CS&C), \nwithin the National Protection and Programs Directorate, is responsible \nfor enhancing the security, resilience, and reliability of the Nation's \ncyber and communications infrastructure. CS&C is working to create a \ncyber environment where a given threat, such as a malicious email, can \nonly be used once before it is blocked by all other potential victims. \nThis will reduce the frequency of successful cybersecurity \nexploitations and deter adversaries by increasing the investment \nrequired for a single successful attack. To this end, DHS helps \ncompanies develop information sharing capabilities, fosters the \ndevelopment of information sharing and analysis organizations, and \nserves as a portal to share cybersecurity information with a wide range \nof organizations.\n    Within CS&C, the National Cybersecurity and Communications \nIntegration Center (NCCIC) provides 24x7 cyber situational awareness, \nincident response, and incident coordination capabilities. The NCCIC \nserves as a nexus between the private sector, Federal Government, \nintelligence community, and law enforcement. The NCCIC works closely \nwith other Federal departments and agencies with additional \ncybersecurity responsibilities, including the FBI, the Department of \nDefense, and Sector Specific Agencies such as the Departments of \nTreasury and Energy. 
Further, a number of private sector companies and \nInformation Sharing and Analysis Centers (ISACs) maintain seats on the \nNCCIC floor, allowing ongoing collaboration around cybersecurity \nthreats, vulnerabilities, and incidents. Departments/Agencies and ISACs \nthat have a person on the NCCIC floor at least 1 day a week: Department \nof Defense Cyber Crime Center; Department of State; Department of \nEnergy; Department of Health & Human Services; Department of Treasury; \nFBI; U.S. Secret Service; NSA; NORAD/USNORTHCOM; US Coast Guard; \nUSCYBERCOM; Financial Services-ISAC; Multi-State-ISAC; Aviation-ISAC; \nDHS National Operations Center; DHS ICE/HSI. There are also 114 private \ncompanies that have signed a CRADA and collaborate with the NCCIC via \nthe Critical Infrastructure and Key Resources Cyber Information Sharing \nand Collaboration Program (CISCP).\n    The National Cybersecurity Protection Act of 2014 recognized the \nNCCIC to be responsible for coordinating information sharing related to \ncybersecurity risks and to be the Federal civilian interface for multi-\ndirectional and cross-sector sharing of cybersecurity risks and \nwarnings. 
The NCCIC has representatives from the private sector and \nfrom other Federal entities involved in cyber information sharing work \nat a range of levels, from those with whom we have a formal Cooperative \nResearch and Development Agreement (CRADA, a negotiated agreement that \ndefines the parameters of the information sharing relationship) and \nshare consistently, to those that passively receive information from \nthe Center.\n    CS&C shares information in three principal ways: first, by sharing \nmachine-readable threat indicators that can be immediately used for \nnetwork defense; second, by sharing alerts, bulletins, and warnings \nthat provide detailed technical context to allow cybersecurity \npractitioners to understand particular risks and implement necessary \nmitigations; and finally, by convening communities of interest to \nengage in in-depth collaboration. In all of these activities, the NCCIC \nworks with its Government partners to ensure that shared information \nreflects the collective knowledge of the inter-agency and is both \ntimely and actionable to help protect private sector networks.\n                                 ______\n                                 \n              Questions Submitted by Senator Patty Murray\n    Question. Dr. Ozment, as I understand, the Enhanced Cybersecurity \nServices (ECS) program is currently limited to the two commercial \nservice providers (CSPs) currently qualified by the Department. How \ndoes the Department measure the efficacy of these programs? What are \nthe current barriers to qualifying CSPs or attracting additional CSPs \nto ECS? Last, has the Department explored partnering with other \ncommercial providers in different critical infrastructure sectors?\n    Answer. As of May 2015, the ECS program has three (3) fully \noperational CSPs--AT&T, CenturyLink, and Verizon--and expects a fourth \nCSP to begin providing service this summer. The fourth CSP is not a \ntraditional Internet Service Provider. 
The Department measures the \nsuccess of this program by the increasing number of accredited CSPs, \ninterest by individual companies in receiving services from a CSP, and \nmonthly/weekly program performance reports. The performance reports \nhighlight the number of ECS indicators that triggered as hits and show \ntrends by sector and threat actor. The barriers for CSPs participating \nin the program result from the nature of working with companies on a \nclassified program, particularly those that do not already have a top \nsecret facility clearance, cleared individuals, or a Sensitive \nCompartmented Information Facility (SCIF). There are also resources \nrequired of potential CSPs to design, build, and gain accreditation of \nECS systems. There is a cost to DHS to accredit CSPs, and we have \nrequested enough funding in the fiscal year 2016 budget to pay for four \nnew CSPs and to maintain the anticipated four CSPs from 2015. There is \nalso a cost for the secure communications link, and we have budgeted \nfor that as well.\n    The Department proactively partners with any company interested in \nbecoming a CSP and continues to encourage representation across \ncritical infrastructure sectors.\n              national protection and programs directorate\n    Question. Dr. Ozment, notwithstanding the current reach of ECS, how \ndoes the Department account for differing cyber analysis and response \ncapabilities among State, local, tribal, and territorial (SLTT) \ngovernment users? How is the Department supporting efforts like those \nongoing in my home State of Washington to burnish these cyber \ncapabilities among small and potentially vulnerable elements across \ncritical infrastructure sectors?\n    Answer. 
In an effort to better support SLTT governments and provide \ntechnical expertise and outreach, DHS provides four primary \ninitiatives: funding the MS-ISAC, offering voluntary risk assessments, \nholding cybersecurity exercises, and offering incident response \nassistance. The MS-ISAC is the DHS-designated Information Sharing and \nAnalysis Center (ISAC) for all SLTT governments. The MS-ISAC supports \nSLTT governments by providing education and awareness, a 24x7 security \noperations center, and technical expertise in malware analysis, \nforensic analysis and incident response/mitigation. The MS-ISAC acts as \na force-multiplier for DHS in reaching out to the tens of thousands of \nSLTT governments across the country.\n    Further, DHS partners with SLTT governments to help them understand \nand manage their cybersecurity risk. DHS offers risk assessments such \nas the Cyber Resilience Review and the annual Nationwide Cyber Security \nReview that help SLTT governments understand their capabilities in \nperforming, planning, managing, and measuring cybersecurity practices \nand behaviors. DHS also offers more technical in-depth assessments, \nsuch as Cyber Hygiene and Risk and Vulnerability Assessments, which \ntake a closer look at SLTT government networks and offer specific \nrecommendations to improve security and resilience. These assessments, \nand other resources, are available via the Critical Infrastructure \nCyber Community (C3) Voluntary Program, developed to support \nimplementation of the Cybersecurity Framework. The C3 Voluntary Program \noffers a Web site that provides programs and resources to all DHS \ncustomers, including SLTT governments.\n    Additionally, DHS develops and manages large and small-scale cyber \nexercises with SLTT governments to test incident response plans and \ncontinuity. 
These exercises, conducted on location at DHS and in the \nfield, offer SLTT governments the opportunity to evaluate their \ncollaboration with intra-State partners, other SLTT governments, and \nFederal agencies, under simulated conditions of a cybersecurity \nincident.\n    Finally, DHS' US-CERT provides incident response assistance at the \nrequest of the affected entity. SLTT governments impacted by a \ncybersecurity incident can request either on-site or remote assistance \nto identify the extent of a potential compromise, remove the adversary \nfrom the affected network, and restore critical services to a more \nsecure state.\n    Question. Dr. Ozment, as you are aware, significant pieces of \ncritical infrastructure in Washington are owned and operated by public \nsector entities, such as local governments and public utility \ndistricts. With that in mind, how does the Department plan to provide \nadequate instrumentation and analytic capacity to support real-time \ninformation sharing about cybersecurity threats to these types of \npublic sector entities? What steps has the Department taken to \nintegrate its current framework--including the National Cybersecurity \nand Communications Integration Center, computer emergency response \nteams, and information sharing and analysis centers--with these \nentities?\n    Answer. DHS provides a range of resources to enhance the \ncybersecurity of public sector entities including public utilities. The \nNational Cybersecurity and Communications Integration Center (NCCIC) is \nthe Federal civilian interface for multi-directional and cross-sector \nsharing of information about cybersecurity risks and warnings. The \nNCCIC has representatives from the private sector and from other public \nentities involved in cyber information sharing work at a range of \nlevels, providing support and expertise to critical infrastructure \nowners and operators. 
The NCCIC works through the Multi-State \nInformation Sharing and Analysis Center (MS-ISAC) to provide \ncybersecurity expertise and information to State and local governments. \nFurther, the MS-ISAC has two representatives with seats on the NCCIC \nfloor.\n    DHS' Cyber Information Sharing and Collaboration Program (CISCP) \nprovides a platform for organizations to receive, share, and \ncollaborate around unclassified threat and vulnerability information. \nCurrently, this information sharing is primarily manual via email and a \nsecure portal. Therefore, DHS is moving quickly to deploy automated \nindicator sharing, which will allow organizations to share and receive \ncyber threat indicators in near-real-time, formatted to be used \nimmediately for network defense (in a format known as STIX/TAXII). With \nAutomated Indicator Sharing, cyber threat information can be shared and \napplied to network defenses before the adversary can launch an attack. \nAs a starting point, organizations, including public sector entities, \ncan join DHS' Cyber Information Sharing and Collaboration Program \n(CISCP). CISCP currently provides a number of benefits, including \nanalyst-to-analyst collaboration, detailed technical bulletins, and in-\ndepth information exchanges, and will allow participants to benefit \nfrom Automated Indicator Sharing.\n    Public sector entities are also eligible to pay a commercial \nservice provider for Enhanced Cybersecurity Services (ECS), which uses \nclassified cyber threat indicators to detect and block potential cyber \nattacks. Additionally, the US Computer Emergency Readiness Team (US-\nCERT) and the Industrial Control Systems Cyber Emergency Response Team \n(ICS-CERT) provide a range of technical information and resources to \nsupport the cybersecurity of critical infrastructure, including public \nutilities. 
Among the services offered by US-CERT and ICS-CERT are on-\nsite assessment and response assistance, particularly upon the request \nof an organization affected by a cybersecurity incident.\n                                 ______\n                                 \n                 Questions Submitted to Luke McCormack\n              Questions Submitted by Senator Thad Cochran\n    Question. Your Department has been recognized for its excellent \nefforts in consolidating its information technology infrastructure and \nthe savings these efforts will generate. Generally speaking, is it your \njudgment that it is easier to protect these assets when they are \nconsolidated and accounted for or when they are scattered around the \nGovernment?\n    Answer. Consolidation of IT applications, services, and \ninfrastructure results in stronger security and accountability, which \nenhances our Nation's preparedness, mitigation, and recovery \ncapabilities.\n    Question. While it is widely accepted that a foreign or terrorist \ncyber-attack on our electric grid, water systems, or financial systems \ncould cause widespread damage and have detrimental effects on our \neconomy and consumer confidence, there has been much discussion about \nhow involved the Federal Government should be in defending \ninfrastructure owned by non-Federal entities. How would you define the \nthreshold for what types of non-Federal infrastructure might qualify as \ncritical for these purposes?\n    Answer. NPPD covers policies and outreach to non-Federal \ninfrastructure; however, if there were an area that could utilize \nassistance and knowledge from the Federal Government, it is the private \nInformation Technology sector, more specifically private Internet and \nNetwork Service providers. 
These entities can utilize Government best \npractices and shared operational data to combat the advanced persistent \nthreat and mitigate known and unknown threats before they impact the \nrespective networks.\n    Question. I have heard about the importance of cooperation and \nclearly defined lanes of responsibility across the Federal Government \nfor our cybersecurity efforts. What are your respective roles in \nreceiving and sharing threat information with the private sector?\n    Answer. OCIO does not have a direct role in sharing information \nwith private sector entities. However, when indicators of compromise or \nany other advanced threat information have been discovered on the DHS \nnetwork, the information is shared with NPPD for external dissemination \nof relevant threat information to our industry partners. A number of \nindicators and threat-based alerts that have been disseminated by NPPD \nare authored by DHS internal Security Operations Centers and released \nfor situational awareness to all interested parties.\n                                 ______\n                                 \n              Questions Submitted by Senator Bill Cassidy\n safeguarding and protecting sensitive and classified documents at dhs\n    Question. In response to the recent leaks of sensitive and \nclassified information (OPM SF-86, Wikileaks, Snowden) and in an effort \nto adhere to The White House Executive Order 13587--Structural Reforms \nto Improve the Security of Classified Networks and the Responsible \nSharing and Safeguarding of Classified Information, the subcommittee is \nfollowing up to get a status check on how the Department of Homeland \nSecurity is specifically securing classified and sensitive information \nand documents inside and outside its departmental content management \nsystems.\n    Answer. 
The Office of Intelligence and Analysis (I&A) and the Chief \nInformation Officer's (CIO's) response is limited to securing \nclassified and sensitive information and documents inside Departmental \nContent Management Systems.\n    I&A Document Content Management Systems employ a variety of access \ncontrol mechanisms. The mechanisms restrict access to specifically \nauthorized users and are implemented at the network, system and \napplication layers. User access controls are transitioning to Identity \nand Access Management (IdAM), which is the combination of technical \nsystems, policies and processes that create, define, and govern the \nutilization and safeguarding of identity information, as well as \nmanaging the relationship between an entity and the resources to which \naccess is needed. Currently, IdAM implementation is not complete on \nall Document Content Management Systems.\n    In addition to enhancing the access controls of the Document Content \nManagement Systems, I&A has integrated the enterprise audit program and \nthe Information Security Continuous Monitoring program to safeguard the \nDocument Content Management Systems. These measures, combined with other \nComputer Network Defense and the Insider Threat programs, have greatly \nenhanced the security posture of Document Content Management Systems.\n                           document security\n    Question. The issue of document security was specifically mentioned \nin the fiscal year 2015 House Homeland Security Appropriations Report \n(H.R. 113-481, page 22) and was not revised or negated in the \nexplanatory statement of H.R. 240 as finally passed:\n    ``The Committee remains concerned over the need to protect \nclassified information, especially as to methods used to secure paper \nforms, which can be scanned, faxed, copied, or otherwise stolen or \ncompromised. 
Existing, off-the-shelf commercial technologies can be \nused to monitor document access and alert security personnel when \nsensitive documents are at-risk. The Committee directs the Department \nto report to the relevant committees of jurisdiction, within 90 days \nafter the date of enactment of this Act, on the measures currently \nbeing used to ensure hard copy document security.''\n\n    Does the Department of Homeland Security (DHS) have any information \nsecurity programs in place that encrypt, analyze and monitor \nsensitive digital content, documents and information (MS Office, PDFs, \nCAD files, videos, etc.) inside and outside the firewall of \ndepartmental databases?\n    Answer. There are no immediate plans to fund and deploy enterprise-\nwide DRM technologies; however, OCIO is researching possible solutions \nto meet this area of concern. DHS data at rest on computing devices, in \nits data centers and as it traverses its networks is routinely \nencrypted for protection.\n    In general, insider threat monitoring is fully in place on C-LAN \nand a pilot effort is in progress for HSDN. OCSO is in charge of this \neffort, with cooperation from OCIO and other Components. The Insider \nThreat program includes the monitoring and analysis of user activity on \nthe network, but does not include any encryption of content.\n    Question. Understanding the Department has a significant volume of \nsensitive and personally identifiable information (PII), does the \nDepartment's CIO or CISO have plans to fund and deploy enterprise-wide \nsecure content management or digital rights management (DRM) \ntechnologies across the Department to protect against future leaks of \ninformation?\n    Answer. At this time, capabilities such as the deployment of \ndigital rights management capabilities are localized and not provided \nat an enterprise level under OCIO. 
The current fiscal year 2016 budget \nrequest does not yet include development of these capabilities for \nunclassified systems. I&A would be responsible for implementing DRM on \nTS/SCI systems (C-LAN), while OCIO would create a request for the HSDN \nnetwork.\n    However, DHS will be prepared to make marked progress due to the \nfiscal year 2014 and fiscal year 2015 initiatives the Department has \nmade in ensuring that over 85 percent of its employees use a PIV card \nfor access to the network. The OCIO has been working to expand \ncapabilities which are foundational to providing enterprise \nsafeguarding services as part of its security-in-depth to further \nprotect data within DHS firewalls, and in the future as data leaves its \nfirewalls. In the fiscal year 2016 President's budget request, DHS has \nplans to implement a trusted identity exchange that is critical to \nimplementing additional data level security on sensitive but \nunclassified and classified networks such as the fine grained access \ncontrols critical to the success of the DHS Data Framework program \n(unclassified and classified), and the protection of data and \ninformation as it would leave the Homeland Security Information Network \n(unclassified).\n                       digital rights management\n    Question. Digital rights management (DRM) is a technology already \nwidely used by the commercial sector and intelligence community to \nprotect and continuously monitor sensitive documents and information. \nDRM works by encrypting information (Microsoft Office, PDFs, CAD files, \nand other digital formats) with NSA standard encryption, allowing \nGovernment officials to determine whether sensitive or classified \ndocuments may be accessed internally or externally from the \nGovernment's trusted environments. 
The encryption is embedded within \nthe document itself, rather than wrapping the document with a security \nenvelope, which can be discarded by trusted Government employees and \nforwarded unprotected. This embedding of encryption is a key \ndifferentiator that ensures the encryption stays with the document even \nif it is duplicated or emailed. Because of this feature, the DRM \nsolution completely prevents unwanted access to sensitive or classified \ndocuments and allows the Government to control saving, copying, screen-\ncapturing, and printing.\n    Digital rights management, once applied to a digital piece of \nevidence/intelligence, will track and potentially restrict every \ninteraction with that digital content, protecting against unauthorized \ninsider access and dissemination. This solution also provides chain of \ncustody tracking for evidence processing both inside and outside of \nfirewalls. In addition, DRM telemetry data can be used to measure the \neffectiveness of the DI's communication and information dissemination \ncampaign. This is accomplished by tracking what was opened, how long \nit was open (read), whether it was printed or edited, how often someone \nreturns to read that content and geographically where the incident \noccurred. This is achieved through three primary functions: \nauthentication, authorization and auditing (telemetry data).\nAuthentication\n    Question. Who is opening (successfully or not) DRM'd content, with \nwatermark attribution and geographical location identification?\n    Answer. At this time, capabilities such as the deployment of \ndigital rights management capabilities are localized and not provided \nat an enterprise level under OCIO. The current fiscal year 2016 budget \nrequest does not yet include development of these capabilities for \nunclassified systems. 
I&A would be responsible for implementing DRM on \nTS/SCI systems (C-LAN), while OCIO would create a request for the HSDN \nnetwork.\nAuthorization\n    Question. What actions are they permitted to take? Has the content \nexpired or been revoked?\n    Answer. At this time, capabilities such as the deployment of \ndigital rights management capabilities are localized and not provided \nat an enterprise level under OCIO. The current fiscal year 2016 budget \nrequest does not yet include development of these capabilities for \nunclassified systems. I&A would be responsible for implementing DRM on \nTS/SCI systems (C-LAN), while OCIO would create a request for the HSDN \nnetwork.\nAudit\n    Question. The ability to know who is accessing DRM'd content, what \nactions they are taking, when this event took place and geographically \nwhere this event happened. Additional metrics can easily be added if a \ncounterintelligence officer wants to drill into a specific user to \ndetect anomalistic behavior to see what documents they are accessing, \nwhen they accessed those documents and whether this is a deviation from \ntheir normal behavior.\n    Answer. At this time, capabilities such as the deployment of \ndigital rights management capabilities are localized and not provided \nat an enterprise level under OCIO. The current fiscal year 2016 budget \nrequest does not yet include development of these capabilities for \nunclassified systems. 
I&A would be responsible for implementing DRM on \nTS/SCI systems (C-LAN), while OCIO would create a request for the HSDN \nnetwork.\n    The use of DRM like solutions has been mandated by the Office of \nthe Director of National Intelligence (ODNI) and the White House \nthrough multiple directives.\n                                 ______\n                                 \n Questions Submitted to the Office of the Chief Human Capital Officer, \n                    Department of Homeland Security\n               Questions Submitted by Senator John Hoeven\n              meeting cybersecurity workforce requirements\n    Question. The Government has had many challenges in recruiting and \ntraining capable IT personnel. Cybersecurity needs have compounded that \nchallenge. As a result, DHS has a significant number of vacancies in \nits cyber workforce. We've certainly heard stories of people being \nrecruited away from the Federal Government, but haven't seen metrics or \ndata behind this outflow.\n    Late last year, Congress passed cybersecurity pay reform \nlegislation giving the Secretary flexibility in classifying and \nupgrading key positions. It was an attempt to make the Government more \ncompetitive with the private sector. Further, the fiscal year 2016 \nbudget includes a request for $31.3 million (1,400 personnel) including \n$16.3 million for NPPD for the CyberSkills Management Initiative \n(CSMI). In regard to this request, please provide the following:\n    A. Attrition statistics justifying the need for the $31.3 million \nrequest.\n    Answer. DHS averages a vacancy rate of approximately 5 percent in \nthe population of approximately 1,400 Federal civilian positions \npresent in the Department's Cybersecurity Workforce Inventory database. 
\nThis population of positions is spread across 12 different DHS \ncomponents and headquarters organizations and over 15 occupational \nseries.\n    In response to Public Law 113-277 and Public Law 113-246, the \nCyberSkills Management Support Initiative is leading a Department-wide \neffort to enhance its cybersecurity workforce planning and analysis \nactivities to meet new statutory reporting requirements and to prepare \nfor the implementation of new human capital authority, which will \neventually affect the hiring and compensation of cybersecurity \npositions.\n    Question. We have a financial breakdown by component of the CSMI \nbut lack detail on the number of personnel and how precisely the funds \nwould be distributed across the Department. Please provide a breakdown \nby component of all positions including transfers, new hires, and those \nreceiving incentive packages.\n    Answer. Current proposals distribute the $31.3 million across \ncomponents based on data derived from the Cybersecurity Workforce \nInventory database and modified based on component budget input. The \nDepartment's intention is for the Office of the Chief Financial Officer \nand the Office of the Chief Human Capital Officer to use the results of \ndata calls being conducted now as part of the effort to refine this \ndistribution prior to the start of fiscal year 2016; the new dataset of \nmission critical cybersecurity positions that will help to inform \nfunding is expected to be available in September 2015. A portion of the \n$31.3 million will be used to increase headquarters and component human \ncapital infrastructure to ensure effective implementation and eventual \noperationalization of new authority granted by Public Law 113-277; \nremaining funds will be proportionally distributed to components based \non the size of their validated, mission critical cybersecurity \nworkforce. This data will be complete by the end of fiscal year 2015. 
\nComponents will use these funds to support targeted recruitment and \nretention strategies. The administration of such flexibilities must be \ndone at the component/organization level, and each case in question, \nincluding the circumstances of the specific employee/new hire and \nposition, must meet regulatory and policy requirements to ultimately \njustify the decision to make a payment.\n    Question. For those positions requiring hiring (versus retention \nincentives), how many existing vacancies within each component will be \nfilled through the CyberSkills Management Support Initiative, and how \nmany can be filled by the end of fiscal year 2016?\n    Answer. The CyberSkills Management Support Initiative plans to \ninstitute new workforce planning processes throughout fiscal year 2016 \nto closely monitor component vacancies using data gathered via the \ncomprehensive cybersecurity workforce analysis process. In addition to \nproviding leadership with more insight than ever into staffing gaps and \nsimilar issues, the data will be used to inform targeted interventions \nwith component cyber program managers and human capital staff. This \ndata will be complete by the end of fiscal year 2015. This coordinated \napproach will help to ensure that DHS effectively uses its hiring and \nretention flexibilities, and to address the most critical vacancies as \nquickly as possible.\n    Question. A breakdown by job category and grade-level for each of \nthe positions.\n    Answer. At the start of fiscal year 2016, the Department expects to \nhave a new database capturing the mission critical cybersecurity \nworkforce validated through the comprehensive cybersecurity workforce \nanalysis effort. 
Currently available data collected by the \ncybersecurity workforce inventory process in place since 2012 indicates \nthe following for the population of approximately 1,400 civilian and \nactive duty Coast Guard positions which the Department has been \nmonitoring:\n\n                                   WORKFORCE BY OCCUPATIONAL SERIES AND GRADE\n----------------------------------------------------------------------------------------------------------------\n                                                Management                 Information\n                                 Intelligence  and program     Criminal     technology\n                                     (0132)      analysis   investigation   management     Other        Total\n                                                  (0343)        (1811)        (2210)\n----------------------------------------------------------------------------------------------------------------\nGS-07..........................             1  ...........  .............  ...........  ...........            1\nGS-09..........................             1  ...........  .............            5            2            8\nGS-11..........................             4  ...........             2            19  ...........           25\nGS-12..........................             2            1            21            52            2           78\nGS-13..........................            14            2           583           102           11          712\nGS-14..........................            12            6            61           214           18          311\nGS-15..........................             5            2             8            49            4           68\nG Band.........................  ............            1  .............  ...........  ...........            1\nH Band.........................  ............  ...........  .............            4  ...........            
4\nI Band.........................  ............            3  .............           20            6           29\nJ Band.........................             2            2  .............           49            2           55\nK Band.........................  ............  ...........  .............            9            1           10\nL Band.........................  ............  ...........  .............            1  ...........            1\nExecutive (SES, SL, ST, etc.)..  ............  ...........  .............            1            8            9\nCommissioned Officer (O-1                   4  ...........  .............           11  ...........           15\n through O-10).................\nChief Warrant Officer (W-2       ............  ...........             7            26  ...........           33\n through W-4)..................\nNon-Commissioned Officer (E-4               1  ...........             3            27  ...........           31\n through E-9)..................\nOther..........................  ............  ...........  .............  ...........            3            3\n                                --------------------------------------------------------------------------------\n      Total....................            46           17           685           589           57        1,394\n----------------------------------------------------------------------------------------------------------------\n\n    Question. The Office of the Chief Human Capital Officer intends to \nwork with components to track the population of mission critical \ncybersecurity positions and all flexibilities used to recruit or retain \nemployees associated with those positions throughout fiscal year 2016.\n    What conditions are being attached to the incentives? In other \nwords, will recipients be required to stay with the Government for a \nperiod of time after receiving the additional pay?\n    Answer. 
As indicated in our response to the second question, the \nact of granting an incentive to a new hire or employee requires that \neach case in question, including the circumstances of the specific \nemployee/new hire and position, meet regulatory and policy requirements \nto ultimately justify the decision to make a payment. Once an incentive \nis approved, an employee must also sign a written agreement to complete \na specified period of employment with the agency. For example, a \nrecruitment incentive service agreement must specify the length, \ncommencement, and termination dates of the service period; the amount, \nmethod, and timing of incentive payments; the conditions under which an \nagreement will be terminated by the agency; any agency or employee \nobligations if a service agreement is terminated (including the \nconditions under which the employee must repay an incentive); and any \nother terms and conditions for receiving and retaining a recruitment \nincentive.\n                                 ______\n                                 \n    Questions Submitted to the Office of the Chief Security Officer, \n                    Department of Homeland Security\n              Questions Submitted by Senator Bill Cassidy\n safeguarding and protecting sensitive and classified documents at dhs\n    Question. In response to the recent leaks of sensitive and \nclassified information (OPM SF-86, Wikileaks, Snowden) and in an effort \nto adhere to The White House Executive Order 13587--Structural Reforms \nto Improve the Security of Classified Networks and the Responsible \nSharing and Safeguarding of Classified Information, the subcommittee is \nfollowing up to get a status check on how the Department of Homeland \nSecurity is specifically securing classified and sensitive information \nand documents inside and outside its departmental content management \nsystems.\n    Answer. 
The totality of these mandates and initiatives is managed \nin the Department of Homeland Security by the Information Sharing and \nSafeguarding Governance Board (ISSGB). The elements involved include \ninformation systems enterprise audit programs, information assurance \nprograms, insider threat user activity monitoring, physical security of \nfacilities and system hubs, rigorous access control programs for \nphysical and virtual environments, personnel security background checks \nand periodic reviews, developing programs involving the continuous \nevaluation of personnel holding security clearances, and active \ntraining and awareness programs for all cleared personnel. Recommend \nassigning this question to OCIO and I&A.\n                           document security\n    Question. The issue of document security was specifically mentioned \nin the fiscal year 2015 House Homeland Security Appropriations Report \n(H.R. 113-481, page 22, and was not revised or negated in the \nexplanatory statement of H.R. 240 as finally passed):\n\n``The Committee remains concerned over the need to protect classified \ninformation, especially as to methods used to secure paper forms, which \ncan be scanned, faxed, copied, or otherwise stolen or compromised. \nExisting, off-the-shelf commercial technologies can be used to monitor \ndocument access and alert security personnel when sensitive documents \nare at-risk. The Committee directs the Department to report to the \nrelevant committees of jurisdiction, within 90 days after the date of \nenactment of this Act, on the measures currently being used to ensure \nhard copy document security.''\n\n    What is the Department doing to respond to the fiscal year 2015 \nHouse Homeland Security Appropriations Report ``Document Security'' \nlanguage? Specifically, will the Department respond with some program \ndetails as to how to address document security issues? 
And, is this \nreport on track to be submitted within the 90-day period directed by \nCongress?\n    Answer. The response to the required report was submitted on time \nto Congress on June 1, 2015.\n\n                          SUBCOMMITTEE RECESS\n\n    Senator Hoeven. And with that, this subcommittee stands in \nrecess. Again, my thanks.\n    [Whereupon, at 3:58 p.m., Wednesday, April 15, the \nsubcommittee was recessed, to reconvene at a time subject to \nthe call of the Chair.]\n\n</pre></body></html>\n"