[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]



 
       CDM: GOVERNMENT PERSPECTIVES ON SECURITY AND MODERNIZATION

=======================================================================

                             JOINT HEARING

                               before the

                     SUBCOMMITTEE ON CYBERSECURITY
                     AND INFRASTRUCTURE PROTECTION

                                 of the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                                and the

                            SUBCOMMITTEE ON
                         INFORMATION TECHNOLOGY

                                 of the

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             MARCH 20, 2018

                               __________

                     Serial Nos. 115-55 and 115-69

                               __________

       Printed for the use of the Committee on Homeland Security

     Available via the World Wide Web: http://www.govinfo.gov and 
                       http://oversight.house.gov

                               __________
                               
                 U.S. GOVERNMENT PUBLISHING OFFICE
                   
 30-791 PDF               WASHINGTON : 2018

                     COMMITTEE ON HOMELAND SECURITY

                   Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas                   Bennie G. Thompson, Mississippi
Peter T. King, New York              Sheila Jackson Lee, Texas
Mike Rogers, Alabama                 James R. Langevin, Rhode Island
Lou Barletta, Pennsylvania           Cedric L. Richmond, Louisiana
Scott Perry, Pennsylvania            William R. Keating, Massachusetts
John Katko, New York                 Donald M. Payne, Jr., New Jersey
Will Hurd, Texas                     Filemon Vela, Texas
Martha McSally, Arizona              Bonnie Watson Coleman, New Jersey
John Ratcliffe, Texas                Kathleen M. Rice, New York
Daniel M. Donovan, Jr., New York     J. Luis Correa, California
Mike Gallagher, Wisconsin            Val Butler Demings, Florida
Clay Higgins, Louisiana              Nanette Diaz Barragan, California
John H. Rutherford, Florida
Thomas A. Garrett, Jr., Virginia
Brian K. Fitzpatrick, Pennsylvania
Ron Estes, Kansas
Don Bacon, Nebraska
                   Brendan P. Shields, Staff Director
                 Steven S. Giaier, Deputy Chief Counsel
                    Michael S. Twinchek, Chief Clerk
                  Hope Goins, Minority Staff Director
                                 ------                                

      SUBCOMMITTEE ON CYBERSECURITY AND INFRASTRUCTURE PROTECTION

                    John Ratcliffe, Texas, Chairman
John Katko, New York                 Cedric L. Richmond, Louisiana
Daniel M. Donovan, Jr., New York     Sheila Jackson Lee, Texas
Mike Gallagher, Wisconsin            James R. Langevin, Rhode Island
Brian K. Fitzpatrick, Pennsylvania   Val Butler Demings, Florida
Don Bacon, Nebraska                  Bennie G. Thompson, Mississippi
Michael T. McCaul, Texas (ex officio)    (ex officio)
             Kristen M. Duncan, Subcommittee Staff Director
                                 ------                                

              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                  Trey Gowdy, South Carolina, Chairman

John J. Duncan, Jr., Tennessee       Elijah E. Cummings, Maryland, 
Darrell E. Issa, California              Ranking Minority Member
Jim Jordan, Ohio                     Carolyn B. Maloney, New York
Mark Sanford, South Carolina         Eleanor Holmes Norton, District of 
Justin Amash, Michigan                   Columbia
Paul A. Gosar, Arizona               Wm. Lacy Clay, Missouri
Scott DesJarlais, Tennessee          Stephen F. Lynch, Massachusetts
Blake Farenthold, Texas              Jim Cooper, Tennessee
Virginia Foxx, North Carolina        Gerald E. Connolly, Virginia
Thomas Massie, Kentucky              Robin L. Kelly, Illinois
Mark Meadows, North Carolina         Brenda L. Lawrence, Michigan
Ron DeSantis, Florida                Bonnie Watson Coleman, New Jersey
Dennis A. Ross, Florida              Raja Krishnamoorthi, Illinois
Mark Walker, North Carolina          Jamie Raskin, Maryland
Rod Blum, Iowa                       Jimmy Gomez, Maryland
Jody B. Hice, Georgia                Peter Welch, Vermont
Steve Russell, Oklahoma              Matt Cartwright, Pennsylvania
Glenn Grothman, Wisconsin            Mark DeSaulnier, California
Will Hurd, Texas                     Stacey E. Plaskett, Virgin Islands
Gary J. Palmer, Alabama              John P. Sarbanes, Maryland
James Comer, Kentucky
Paul Mitchell, Michigan
Greg Gianforte, Montana

                     Sheria Clarke, Staff Director
                    William McKenna, General Counsel
                Troy Stock, Subcommittee Staff Director
                         Meghan Green, Counsel
                    Sharon Casey, Deputy Chief Clerk
                 David Rapallo, Minority Staff Director
                                 ------                                

                 SUBCOMMITTEE ON INFORMATION TECHNOLOGY

                       Will Hurd, Texas, Chairman

Paul Mitchell, Michigan, Vice Chair  Robin L. Kelly, Illinois, Ranking 
Darrell E. Issa, California              Minority Member
Justin Amash, Michigan               Jamie Raskin, Maryland
Blake Farenthold, Texas              Stephen F. Lynch, Massachusetts
Steve Russell, Oklahoma              Gerald E. Connolly, Virginia
Greg Gianforte, Montana              Raja Krishnamoorthi, Illinois


                            C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable John Ratcliffe, a Representative in Congress From 
  the State of Texas, and Chairman, Subcommittee on Cybersecurity 
  and Infrastructure Protection:
  Oral Statement.................................................     1
  Prepared Statement.............................................     2
The Honorable Cedric L. Richmond, a Representative in Congress 
  From the State of Louisiana, and Ranking Member, Subcommittee 
  on Cybersecurity and Infrastructure Protection:
  Prepared Statement.............................................     7
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security:
  Prepared Statement.............................................     6
The Honorable Sheila Jackson Lee, a Representative in Congress 
  From the State of Texas:
  Prepared Statement.............................................     8
The Honorable Gerald E. Connolly, a Representative in Congress 
  From the State of Virginia, and Vice Ranking Member, 
  Subcommittee on Information Technology:
  Oral Statement.................................................     4
  Prepared Statement.............................................     5

                               Witnesses

Mr. Max Everett, Chief Information Officer, U.S. Department of 
  Energy:
  Oral Statement.................................................    10
  Prepared Statement.............................................    11
Mr. Scott Blackburn, Executive in Charge, Office of Information 
  and Technology, U.S. Department of Veterans Affairs:
  Oral Statement.................................................    14
  Prepared Statement.............................................    16
Mr. David Garcia, Chief Information Officer, U.S. Office of 
  Personnel Management:
  Oral Statement.................................................    23
  Prepared Statement.............................................    24
Mr. Kevin Cox, Program Manager, Continuous Diagnostics and 
  Mitigation, Office of Cybersecurity and Communications, 
  National Protection and Programs Directorate, U.S. Department 
  of Homeland Security:
  Oral Statement.................................................    26
  Prepared Statement.............................................    28

                                Appendix

Question From Chairman Will Hurd for Max Everett.................    45
Questions From Ranking Member Cedric L. Richmond for Max Everett.    45
Questions From Ranking Member Bennie G. Thompson for Max Everett.    46
Question From Chairman Will Hurd for Scott Blackburn.............    46
Question From Ranking Member Cedric L. Richmond for Scott 
  Blackburn......................................................    46
Questions From Ranking Member Bennie G. Thompson for Scott 
  Blackburn......................................................    47
Questions From Honorable James R. Langevin for Scott Blackburn...    47
Question From Chairman Will Hurd for David Garcia................    48
Questions From Ranking Member Cedric L. Richmond for David Garcia    48
Question From Ranking Member Robin L. Kelly for David Garcia.....    48
Questions From Ranking Member Bennie G. Thompson for David Garcia    48
Questions From Chairman John Ratcliffe for Kevin Cox.............    48
Questions From Chairman Will Hurd for Kevin Cox..................    50
Questions From Ranking Member Cedric L. Richmond for Kevin Cox...    51
Questions From Ranking Member Robin L. Kelly for Kevin Cox.......    51
Questions From Ranking Member Bennie G. Thompson for Kevin Cox...    52
Questions From Honorable James R. Langevin for Kevin Cox.........    52


       CDM: GOVERNMENT PERSPECTIVES ON SECURITY AND MODERNIZATION

                              ----------                              


                        Tuesday, March 20, 2018

     U.S. House of Representatives,        
      Committee on Homeland Security,      
         Subcommittee on Cybersecurity and 
  Infrastructure Protection, joint with the
                        Committee on Oversight and 
                                 Government Reform,
                    Subcommittee on Information Technology,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 2:38 p.m., in 
room HVC-210, Capitol Visitor Center, Hon. John Ratcliffe 
(Chairman of the subcommittee) presiding.
    Present: Representatives Ratcliffe, Hurd, Katko, Donovan, 
Fitzpatrick, Bacon, Jackson Lee, Langevin, Lynch, Demings, 
Connolly, and Krishnamoorthi.
    Mr. Ratcliffe. The Homeland Security Subcommittee on 
Cybersecurity and Infrastructure Protection and the Committee 
on Oversight and Government Reform Subcommittee on Information 
Technology will come to order. The subcommittees are jointly 
meeting today to receive testimony regarding the Department of 
Homeland Security's continuous diagnostics and monitoring 
program. I now recognize myself for an opening statement.
    This is the second hearing this year that the Subcommittee 
on Cybersecurity and Infrastructure Protection has held on the 
Continuous Diagnostics and Mitigation, or CDM, Program. That is 
because I see real value in the goals of CDM, not only for 
cybersecurity but also for improving the efficiency of the 
information technology across the board. To that end, I am 
pleased to be holding this hearing today jointly with my good 
friend from Texas, Congressman Will Hurd, who will be joining 
us shortly and who has been a leader on IT modernization issues 
as the Chairman of the Subcommittee on Information Technology. 
I welcome our friends from the Oversight Committee to the CDM 
conversation today.
    I believe that DHS's CDM Program has great potential to 
drive progress on a number of cybersecurity issues, from 
network visibility to data-centric security and from the role 
of increased automation of security tasks to the role of 
artificial intelligence. So the question that I have for this 
panel today is what can Congress do to make sure CDM 
capabilities are being rolled out to keep pace with the 
evolving threat landscape?
    The Government has a pretty checkered past when it comes to 
IT investments and the ability of Federal agencies to provide 
effective cybersecurity. While CIOs are the point of 
accountability on all things IT at their respective agencies, 
every stakeholder has to recognize their role in supporting 
CIOs. But this is a hearing about finding solutions and 
ensuring that the Federal Government is on the right track.
    I think every agency represented today has some IT 
investment or application that did not produce the kind of 
results the American people, the American public needs and 
deserves from their taxpayer dollars. That is not to mention 
the profoundly damaging data breaches that have plagued Federal 
agencies.
    We simply have to get a handle on the cyber threats we are 
facing. I believe that CDM is part of that solution. This 
hearing is about learning from the initial roll-out and 
progress of CDM phase 1, plans to move through phase 2, and, 
perhaps most importantly, what is and what should be the long-
term vision of CDM?
    Obviously, part of today's hearing will involve a 
discussion about the resources necessary to invest in top-of-
the-line security technologies, but at its core, cybersecurity 
is more than an issue of technology; it is an issue of 
governance, of process, and leadership. We have to get the 
strategies and vision for CDM right so that our investments 
don't throw good money after bad. To that end, I intend today's 
hearing to include a robust conversation about the metrics 
necessary to measure not only the implementation of CDM but 
also the effectiveness of the program as well. CDM is about 
maintaining more secure systems and a better understanding of 
the risk posture of the Federal enterprise, but it also 
represents a continuing mission and establishes the kind of 
structure necessary for us to evolve.
    To that end, I welcome your thoughts, not only about the 
CDM capabilities but also about the ultimate goal of providing 
network and system defenders with the data and tools necessary 
to do their jobs well and at the pace to combat the threats 
that they face. What is CDM's value-add to the people on the 
lines of this conversation? It is the Federal agencies' CIOs 
that are ultimately accountable for bad investments or data 
breaches. So this is really about getting you the authorities, 
tools, and resources that you need to get the job done.
    As we continue this conversation, I look forward to hearing 
from stakeholders, as we did at last month's hearing, as we 
will continue to make sure that we are getting CDM right. CDM 
is an ambitious program that I believe has the framework of 
providing the kind of cybersecurity that the American people 
deserve from a Government that they entrust with their most 
valuable personal and, in some cases, irreplaceable 
information.
    I want to thank the witnesses for their time, and I look 
forward to your testimony today.
    [The statement of Chairman Ratcliffe follows:]
                  Statement of Chairman John Ratcliffe
                             March 20, 2018
    This is the second hearing this year that the Subcommittee on 
Cybersecurity and Infrastructure Protection has held on the Continuous 
Diagnostics and Mitigation or CDM program. That is because I see real 
value in the goals of CDM not only for cybersecurity, but also for 
improving the efficiency of information technology across the board.
    To that end I am pleased to be holding this hearing today jointly 
with my good friend from Texas, Mr. Hurd--who has been a leader on IT 
modernization issues as the Chairman of the Subcommittee on Information 
Technology.
    We welcome our friends from the Oversight Committee to the CDM 
conversation.
    I believe that DHS's CDM program has great potential to drive 
progress on a number of cybersecurity issues--from network visibility 
to data-centric security and from the role of increased automation of 
security tasks to the role of artificial intelligence.
    So the question I have to this panel today is--what can we as 
Congress do to make sure CDM capabilities are being rolled out to keep 
pace with the evolving threat landscape?
    The Government has a checkered past when it comes to IT investments 
and the ability of Federal agencies to provide effective cybersecurity. 
And while CIOs are the point of accountability on all things IT at 
their respective agencies, every stakeholder has to recognize their 
role in supporting CIOs.
    But this is a hearing about finding solutions and ensuring the 
Federal Government is on the right track.
    I think every agency represented today has some IT investment or 
application that did not produce the kinds of results the American 
public needs and deserves for their taxpayer dollars. And that is not 
to mention the profoundly damaging data breaches that have plagued 
Federal agencies.
    We have to get a handle on the cyber threats we are facing and I 
believe CDM is part of the solution.
    This hearing is about learning from the initial rollout and 
progress of CDM phase 1, plans to move through phase 2, and perhaps 
most importantly what is and should be the long-term vision of CDM.
    Obviously, part of today's hearing will involve a discussion about 
the resources necessary to invest in top-of-the-line security 
technologies.
    But at its core cybersecurity is more than an issue of technology, 
it is an issue of governance, process, and leadership. We have to get 
the strategies and vision of CDM right, so that our investments don't 
throw good money after bad.
    To that end, I intend today's hearing to include a robust 
conversation about the metrics necessary to measure not only the 
implementation of CDM but the effectiveness of the program as well.
    CDM is about maintaining more secure systems and a better 
understanding of the risk posture of the Federal enterprise. But it 
also represents a continuing mission and establishes the kind of 
structure necessary to evolve.
    To that end I welcome your thoughts not only about the CDM 
capabilities, but also about the ultimate goal of providing network and 
system defenders with the data and tools necessary to do their jobs 
well and at the pace to combat the threats they face.
    What is CDM's value-add to the people on the lines of this 
conversation?
    It is the Federal agency CIOs that are ultimately accountable for 
bad investments or data breaches, so this is really about getting you 
the authorities, tools, and resources you need to get the job done.
    As we continue this conversation I look forward to hearing from 
stakeholders as we did at last month's hearing, and what we will 
continue to do to make sure we are getting CDM right.
    CDM is an ambitious program that I believe has the framework of 
providing the kind of cybersecurity the American people deserve from a 
Government they entrust with their most valuable, personal, and in some 
cases, irreplaceable information.
    I want to thank the witnesses for their time and I look forward to 
their testimony.

    Mr. Ratcliffe. Other Members of the committee are reminded 
that opening statements may be submitted for the record.
    We are pleased to have a distinguished panel of witnesses 
before us today on this very important topic. Mr. Max Everett 
is the chief information officer for the Department of Energy. 
Mr. Everett held a variety of information technology leadership 
positions in Government and the private sector before joining 
DOE in June 2017.
    We certainly look forward to your perspectives today, sir.
    Mr. Scott Blackburn is the executive in charge of the VA's 
Office of Information and Technology and has served in that 
capacity since October 2017. Prior to joining the VA, Mr. 
Blackburn served in the Army until 2003.
    Thank you for that service as well, sir, and thanks for 
being here.
    Mr. David Garcia is the chief information officer for the 
Office of Personnel Management. Mr. Garcia previously served as 
the chief information officer for the State of Maryland.
    Sir, thank you for being here with us today.
    Finally, Mr. Kevin Cox is the program manager for CDM in 
the National Protection and Programs Directorate at the 
Department of Homeland Security. Before joining DHS, Mr. Cox 
was the deputy chief information security officer at the 
Department of Justice. We look forward to gaining your insights 
on your interagency experiences.
    Mr. Connolly. Mr. Chairman.
    Mr. Ratcliffe. Yes, sir.
    Mr. Connolly. I serve as the Vice Ranking Member of the 
Oversight and Government Reform Committee. In the absence of 
Mr. Cummings, I do have an opening statement I would like to 
read.
    Mr. Ratcliffe. I recognize the gentleman for his opening 
statement.
    Mr. Connolly. I thank the Chairman for his courtesy. I want 
to thank you and Chairman Hurd for holding today's hearing to 
examine the status of the Department of Homeland Security's 
Continuous Diagnostics and Mitigation Program.
    Initiated in 2013 by the Department of Homeland Security, 
the CDM Program provides other Federal agencies hardware, 
software, and services through contracting vehicles to 
strengthen the security of Federal networks. As you indicated, 
Mr. Chairman, desperately needed.
    CDM has great potential to help agencies secure networks by 
providing data to agencies on their attack surface, who has 
access to their networks, and how users access those networks. 
This will eventually allow agencies to monitor their traffic 
and network activities and identify areas of concern.
    Just this week, we were reminded, albeit in the private 
sector, of additional Russian attacks on our grid. So we know 
the attack--or the threat is real. However, the lack of 
adequate funding for CDM has impeded full deployment of the 
program. The President's budget for fiscal year 2019 requested 
$237 million for the CDM Program as part of an $815 million 
request for cybersecurity funding at DHS.
    As in previous years, the $237 million is not just for DHS 
to oversee the procurement and operations associated with CDM 
but also for individual agencies to implement activities 
related to the program, and so it gets disbursed pretty 
quickly.
    When funding from DHS does not completely cover the costs 
to agencies implementing CDM, agencies are left to find funding 
among other information technology priorities. However, at a 
time when so much of Federal IT spending is simply to operate 
and maintain legacy systems, it will continue to be a challenge 
for agencies to find the money for net new investment in CDM, 
which is certainly something we support on a bipartisan basis.
    The MGT Act we just passed into law, and I was proud to be 
an original Democratic co-sponsor, may help agencies with 
funding challenges by allowing agencies to establish working 
capital funds to reinvest IT savings in the enterprise and to 
transition to cloud computing and other innovative technologies 
and to enhance cybersecurity. The MGT Act also authorized the 
centralized technology modernization fund at $250 million for 
each of fiscal years 2018 and 2019, for a total of $500 
million. Once the TMF is funded, agencies can borrow from that 
fund to finance large IT modernization projects and enhance the 
CDM process.
    I was happy to join with Chairman Hurd in a letter to the 
Appropriations Subcommittee on Financial Services and General 
Government Subcommittee last week to support appropriating the 
total $250 million for TMF for fiscal year 2019. Congress and 
this administration must recognize that, unless there is a 
significant amount of money agencies can use to upgrade old IT 
systems that are critical for their mission and that can be 
encrypted--that is to say new investments that can be 
encrypted--agencies will not only be able to address the low-
hanging fruit and will not be incentivized to take on the 
larger projects that are complicated, take a long time, and 
could be prone to cyber attack.
    The shortage of qualified Federal employees to work on IT 
and cybersecurity has also hindered DHS and agency efforts to 
implement CDM. While agencies are working to attract the 
talented individuals they need to upgrade their IT systems and 
to defend against malicious cyber intrusions, the 
administration and some in Congress are taking actions that I 
think will make it more difficult to recruit and retain the 
skilled work force of the future. Disparagement of the work 
force, freezing salaries, extending probationary periods for 
new hires from 1 to 2 years--these are not helpful, especially 
if we are targeting the millennial generation that expects so 
much more in the workplace. So I would hope we keep that in 
mind too, because that is part and parcel of what we are 
talking about here.
    So I certainly welcome this hearing. I think we have put 
some legislative tools in place that we think can create a 
structure that will foster CDM at DHS and elsewhere. We 
certainly look forward to hearing the testimony today about how 
we can do that better.
    Thank you, Mr. Chairman.
    [The statement of Ranking Member Connolly follows:]
             Statement of Ranking Member Gerald E. Connolly
                             March 20, 2018
    Thank you Chairman Hurd and Chairman Ratcliffe for holding today's 
hearing to examine the status of the Department of Homeland Security's 
Continuous Diagnostics Mitigation (CDM) program. Initiated in 2013 by 
the Department of Homeland Security (DHS), the CDM program provides 
other Federal agencies hardware, software, and services through 
contracting vehicles to strengthen the security of Federal networks.
    CDM has great potential to help agencies secure their networks by 
providing data to agencies on their attack surface, who has access to 
their networks, and how users access those networks. This will 
eventually allow agencies to monitor their traffic and network 
activities and identify areas of concern.
    However, the lack of adequate funding for CDM has impeded full 
deployment of the program. The President's budget for fiscal year 2019, 
requested $237 million for the CDM program as part of an $815 million 
request for cybersecurity funding at DHS. As in previous years, the 
$237 million is not just for DHS to oversee the procurement and 
operations associated with CDM, but also for individual agencies to 
implement activities related to the program. When funding from DHS does 
not completely cover the cost to agencies of implementing CDM, agencies 
are left to find funding among other information technology (IT) 
priorities. However, at a time when nearly 80 percent of Federal IT 
spending is on operations and maintenance of legacy IT systems, it will 
continue to be difficult for agencies to find money for CDM among other 
IT projects.
    The MGT Act may help agencies with funding challenges by allowing 
agencies to establish working capital funds to reinvest IT savings to 
retire legacy IT systems, transition to cloud computing or other 
innovative technologies, and enhance cybersecurity. The MGT Act also 
authorized a centralized Technology Modernization Fund (TMF) at $250 
million for each of fiscal years 2018 and 2019, for a total of $500 
million. Once the TMF is funded, agencies can borrow from the fund to 
finance large IT modernization projects. I was happy to join Chairman 
Hurd on a letter to the House Appropriations Subcommittee on Financial 
Services and General Government Subcommittee last week in support of 
appropriating the total $250 million to the TMF for fiscal year 2019. 
Congress and this administration must recognize that unless there is a 
significant amount of money agencies can use to upgrade old IT systems 
that are critical to their mission, agencies will only be able to 
address the ``low hanging fruit'' and will not be incentivized to take 
on the larger projects that are complicated and prone to a cyber 
attack.
    The shortage of qualified Federal employees to work in IT and 
cybersecurity areas has also hindered DHS and agency efforts to 
implement CDM. While agencies are working to attract the talented 
individuals they need to help upgrade their IT systems and defend 
against malicious cyber intrusions, the administration and the Majority 
in Congress are taking actions that make it difficult for Federal 
agencies to compete with the private sector in recruiting and retaining 
skilled cybersecurity and IT professionals. In the administration's 
budget proposal for fiscal year 2019, the President is seeking a pay 
freeze for all civilian Federal employees. The administration also 
proposed reducing retirement benefits for current and future Federal 
employees, changing how the Government contribution to health plans is 
calculated, and amending how paid leave is determined. Last year, the 
House of Representatives passed legislation to increase the 
probationary period for Federal employees from 1 year to 2 years.
    It is no wonder why agencies not only have trouble recruiting the 
IT and cyber workforce they need, but why they are also losing 
employees to the private sector. Many seeking to enter public service 
understand that the Government cannot pay as much as the private 
sector, but reducing retirement benefits, instituting a short-sighted 
pay freeze, and increasing trial periods for a highly sought-after 
workforce is counterproductive and only makes it harder to implement 
the ``sweeping transformation of the Federal Government's technology'' 
promised by the President.

    Mr. Ratcliffe. I thank the gentleman.
    Again, I remind other Members of the committee that they 
may submit opening statements for the record as well.
    [The statements of Ranking Members Thompson and Richmond 
and Honorable Jackson Lee follow:]
             Statement of Ranking Member Bennie G. Thompson
                             March 20, 2018
    The Continuous Diagnostics and Mitigation (CDM) program is a key 
part of our National approach to secure Federal networks, which 
Americans rely on to store some of our most sensitive National data--
from health records and Social Security Numbers to the holdings of 
critical infrastructure owners and operators and National security 
documents.
    Over the past decade, we have seen the number of cyber attacks 
against Federal agencies rise exponentially. According to the 
Government Accountability Office cyber attacks have risen by more than 
1,000 percent since 2006.
    The Office of Management and Budget reports that Federal agencies 
endured more than 35,000 cybersecurity incidents last year alone.
    Some of the officials testifying on today's panel know all too well 
how much damage can flow from a high-profile breach.
    For instance, the Veterans' Affairs Department reported in 2013 
that its databases had been hacked by no less than eight foreign 
governments.
    And in 2015, the Chinese government infiltrated the Office of 
Personnel Management's systems and accessed the personal information of 
more than 22 million past and present Federal employees.
    Last week, we turned our attention to bold attacks carried out by 
the Russian government in 2016 to access and gain control of the 
central command centers that support our electrical grid, nuclear power 
plants, and our water supply.
    Even the Secretary of Energy admitted that he was ``not confident'' 
in the ability of the Federal Government to counter foreign adversaries 
in cyber space.
    These hackers show no signs of slowing down. Instead, they have 
only grown more aggressive and more sophisticated.
    Federal agencies need robust cybersecurity now more than ever--and 
CDM has the potential to be an important line of defense.
    Through the CDM program, DHS works with Federal agencies to procure 
cybersecurity tools and services to fend off cyber attacks.
    The program works in tandem with EINSTEIN to keep out unauthorized 
traffic, continuously monitor for threats, improve visibility of 
network assets, and prioritize efforts to correct vulnerabilities.
    Unfortunately, Federal agencies have been slow to adopt and fully 
deploy CDM technologies.
    In a hearing earlier this year, we learned that agencies and CDM 
vendors are struggling to compensate for a lack of cyber expertise 
among agency personnel.
    The witnesses told us that these employees need to be better 
trained on how to use CDM tools in order to reap all the security 
benefits they provide.
    We also heard that, after 5 years, agencies still do not have a 
full accounting of all the devices connected to their networks.
    Agencies need this visibility, since they cannot protect what they 
do not know they have.
    These obstacles are compounded by the staggering number of cyber 
vacancies throughout the Federal Government, both for rank-and-file 
civil servants, as well as key leadership positions.
    Far too many agencies are still operating without a permanent chief 
information officer in place.
    We need to understand the challenges agencies are facing when it 
comes to purchasing, installing, and deploying CDM capabilities, and we 
need to make sure you have the resources, support, and statutory 
authority necessary to continue moving forward.
                                 ______
                                 
             Statement of Ranking Member Cedric L. Richmond
                             March 20, 2018
    The Continuous Diagnostics and Mitigation (CDM) program is a key 
component of the Department of Homeland Security's (DHS) overall effort 
to protect the ``.gov'' domain. Through CDM, DHS works with agencies to 
procure cybersecurity tools and services that will enable them to 
identify and defend against attacks. These tools are increasingly 
important in today's security environment.
    Every year, Federal networks get hit by tens of thousands of 
attempted intrusions--many of them highly sophisticated, state-
sponsored attacks. According to the Office of Management and Budget, 
Federal agencies endured over 35,000 cybersecurity incidents in fiscal 
year 2017, which is higher than previous years. As initially 
envisioned, CDM would provide Federal agencies with the information and 
tools necessary to protect their networks, including:
   What devices and assets are on an agency's network?
   Who has access to an agency's network, including those parts 
        of the network reserved for privileged users?
   What happens on the network, and how data is stored and 
        protected?
    Unfortunately, agencies have been slow to realize the potential 
benefits of CDM due to unanticipated implementation challenges. For 
example, Federal agencies struggled to complete the difficult task of 
identifying all of the devices, assets, and endpoints on agency 
networks. Moreover, when the Cybersecurity and Infrastructure 
Protection Subcommittee held a hearing with CDM contractors in January, 
witnesses observed that many agencies lack personnel with the 
appropriate training and expertise to reap the full value of CDM tools, 
particularly the dashboards.
    This subcommittee has repeatedly examined cyber workforce 
challenges throughout the Federal Government, and our witnesses in 
January reminded us that there is no silver bullet technology that can 
replace human capital. We also learned that, although the CDM program 
has been in place for 5 years, agencies still do not have full 
visibility into the IT assets on their networks. Without this 
visibility, it is impossible for agencies to know who has access to 
their networks, and what exactly they need to protect. Today's 
witnesses can provide an important and informed picture of how CDM 
tools and services are being adopted and deployed at their respective 
agencies.
    I am interested in knowing not only the status of implementation, 
but also how these agencies are working with the Department of Homeland 
Security, and how effectively the Department has been able to respond 
to agency needs. I also hope to hear what Congress can do to make sure 
CDM is an effective tool for raising the bar on cybersecurity 
throughout the Federal Government.
    Last week, the Department of Homeland Security and the FBI issued a 
technical alert on the Russian government's efforts to use cyber tools 
to target U.S. Government entities. These cyber attacks were carried 
out over the course of 2016, and parallel Russia's attacks on our 
electoral system and democratic institutions. It is clear that the 
Kremlin will continue to be relentless in its assault on our Federal 
networks, and the networks that support our Nation's critical 
infrastructure. And, we know that China, Iran, and North Korea are 
sophisticated cyber actors that are constantly working to build a more 
robust cyber ``arsenal'' that could be used against our Federal 
networks. We must remain vigilant in protecting the .gov, and do 
everything in our power to ensure the Federal Government has the 
resources needed to act quickly to protect itself.
                                 ______
                                 
               Statement of Honorable Sheila Jackson Lee
                             March 20, 2018
    Chairman John Ratcliffe and Ranking Member Cedric Richmond, of the 
House Homeland Committee's Subcommittee on Cybersecurity and 
Infrastructure Protection; and Chairman William Hurd and Ranking Member 
Robin Kelly of the House Government Reform's Subcommittee on 
Information Technology, thank you for today's joint hearing on ``CDM: 
Government Perspectives on Security and Modernization.''
    On January 17, 2018, the Homeland Security Committee's Subcommittee 
on Cybersecurity and Infrastructure Protection held a hearing on ``CDM: 
the Future of Federal Cybersecurity.''
    That hearing engaged non-Government stakeholders who provided 
Members of the subcommittee on Homeland Security with the opportunity 
to learn more about the Continuous Diagnostics and Mitigation (CDM) 
program, a key component of the Department of Homeland Security's (DHS) 
overall effort to protect Federal networks.
    Today's hearing will give Members an opportunity to hear agency 
perspectives on the Continuous Diagnostics and Mitigation (CDM) 
program.
    Our witnesses will provide valuable insight into the civilian 
agency experience with the rollout of CDM throughout the Federal 
Government:
                               witnesses
   David Garcia, Chief Information Officer, Office of Personnel 
        Management;
   Max Everett, Chief Information Officer, Department of 
        Energy;
   Scott Blackburn, Executive in Charge, Office of Information 
        Technology, Department of Veterans Affairs; and
   Kevin Cox, Program Manager, Continuous Diagnostics and 
        Mitigation, Office of Cybersecurity & Communications, 
        Department of Homeland Security (Democratic Witness).
    The Continuous Diagnostics and Mitigation program is an active 
approach to fortifying the cybersecurity of Government networks and 
systems.
    The security of Federal agency networks has been a major concern of 
mine since I chaired the Subcommittee on Transportation Security, which 
at that time had jurisdiction over cybersecurity issues.
    Earlier this year, the House passed H.R. 3202, the Cyber 
Vulnerabilities Disclosure Act, which I introduced to address the need 
for effective and aggressive action to deal with the threat of Zero Day 
Events.
    H.R. 3202 requires the Secretary of Homeland Security to submit a 
report on the policies and procedures developed for coordinating cyber 
vulnerability disclosures.
    I have also introduced last Congress and again this Congress a bill 
to address the cybersecurity workforce shortage in the Federal 
Government.
    The bill, H.R. 1981, the Cyber Security Education and Federal Workforce 
Enhancement Act, will establish the process for looking outside 
of DHS and within its ranks to solve the shortage of cybersecurity 
professionals.
    The solution is making sure that from early childhood education 
through University programs young people are prepared with the 
fundamentals needed to excel in course work associated with computing 
security degrees or certification.
    The need for a strong cybersecurity posture for our Nation's 
Federal civilian agency computing networks is essential to a healthy 
National security posture.
    This month, the Office of Management and Budget (OMB) reported that 
``[Federal] agencies endured 35,277 cybersecurity incidents in fiscal 
year 2017, a 14 percent increase over 30,899 incidents that agencies 
reported in fiscal year 2016, with five of the fiscal year 2017 
incidents reaching the threshold of `major incident' due to their 
impact.''
    The Continuous Diagnostics and Mitigation or CDM provides Federal 
departments and agencies with the tools needed to identify 
cybersecurity risks on an on-going basis, prioritize these risks based 
upon potential impacts, and enable cybersecurity personnel to mitigate 
the most significant problems first.
    The Congress established the CDM program to provide adequate, risk-
based, and cost-effective cybersecurity and more efficiently allocate 
cybersecurity resources.
    It is true that each Federal agency is responsible for protecting 
its own information systems; however, some agencies, including DHS, 
play a larger role in Federal network security.
    Under the Federal Information Security Modernization Act, DHS is 
required to deploy technologies to continuously diagnose or mitigate 
cyber threats and vulnerabilities and make such capabilities available 
to agencies upon request.
    The law essentially codified the CDM program, which DHS is 
implementing.
    DHS entered into partnership with GSA in 2013 to meet the statutory 
obligation of the Federal Information Security Modernization Act, which 
facilitated agencies' purchase of consistent, compliant technologies 
that offered ``Information Security Continuous Monitoring Mitigation'' 
(ISCM).
    The first contract was awarded on August 12, 2013, to 17 companies, 
supported by 20 subcontractors, that received awards under a $6 
billion, 5-year companion Continuous-Monitoring-as-a-Service to deliver 
diagnostic sensors, tools, and dashboards to agencies.
    CDM is an essential part of the Department of Homeland Security's 
overall effort to protect the civilian Federal network.
    Implementation of CDM is being phased in under the process 
established by DHS using several contractors and subcontractors.
    There have been a number of challenges to the process of 
implementing a Federal-wide CDM program.
    DHS encountered a number of unexpected challenges during the 
rollout of Phase 1.
    For example, neither DHS nor the customer agencies anticipated how 
difficult it would be to identify all the hardware and software assets 
associated with a network and grossly underestimated the number of 
agency-connected devices, which delayed the purchase and installation 
of the necessary sensors.
    In May 2016, GAO reported that most of the 18 agencies covered by 
the CFO Act that had high-impact systems were in the early stages of 
CDM implementation, and many were proceeding with plans to develop 
their own continuous monitoring strategies, independent of CDM.
    Further, only 2 of the 17 agencies reported that they had completed 
installation of agency and bureau or component-level dashboards and 
monitored attributes of authorized users operating in their agency's 
computing environment.
    Due to these unexpected challenges the early estimates of 
completing Phase 3 by 2017 were not met.
    These issues, as well as the urgency of protecting Federal agency 
networks, make it imperative that we have DHS before the committee to 
provide an update on the CDM program.
    I look forward to hearing the testimony from today's witnesses.
    Mr. Chairman, I yield back.

    Mr. Ratcliffe. Having already introduced our distinguished 
panel, I now ask the panel to stand. Raise your right hand so I 
can swear you in to testify.
    [Witnesses sworn.]
    Mr. Ratcliffe. Let the record reflect that the witnesses 
have answered in the affirmative. You all may be seated.
    The witnesses' full written statements will appear in the 
record.
    The Chair now recognizes Mr. Everett for 5 minutes for his 
opening statement.

   STATEMENT OF MAX EVERETT, CHIEF INFORMATION OFFICER, U.S. 
                      DEPARTMENT OF ENERGY

    Mr. Everett. Good afternoon, Chairman Hurd, Chairman 
Ratcliffe, Ranking Member Connolly, Ranking Member Richmond, 
and the rest of the distinguished panel. On behalf of Secretary 
Perry and Deputy Secretary Brouillette, I appreciate the 
opportunity to come and talk to you today about CDM and 
modernization and our implementation at the Department of 
Energy.
    Chairman Hurd, we talked last November at a hearing, and 
you asked me a very pointed question: Do I know everything that 
is on all of our viewing networks? My blunt answer had to be 
no. While that is still the case, I am happy to be here to talk 
a little more about some of the work and efforts we are making 
so I can change that no into a yes.
    First, as the Department CIO, I report directly to the 
Secretary and deputy secretary, which I think is a critical, 
critical thing for all CIOs in government. I think it is also 
important because our Secretary and deputy secretary have made 
cybersecurity a priority, not only for our internal networks 
but also in our role as a sector-specific agency to the energy 
sector, and I think that is critical. Our Secretary and deputy 
secretary understand very well the importance of knowing 
everything that is on our network as a first step to having 
basic cybersecurity.
    The Secretary and deputy secretary fully support our 
enterprise plan of action and have directed me to move with all 
due haste in rolling out CDM capabilities across our networks 
where we have many gaps, including at our National labs, our 
sites, and at the Power Marketing Administrations. In both the 
public sector and private sector, one of our challenges is, 
frankly, we are moving to a new model. The old model was staff 
augmentation. The old model was counting contractors. We are 
moving to a new model, and that new model is around managed 
services and automation. That is a significant challenge 
because most of us in Government and, frankly, even many in the 
beltway vendor community have not really caught up yet. That is 
an on-going challenge for us. I know it very well as a former 
Federal contractor.
    In the Federal work force, I need people not only with the 
technical skills to use all these new tools, but I also need 
people who have customer service ability. I need people who can 
understand organizational management, people that understand 
business process. We've got to find, as you spoke about, 
Congressman Connolly, we've got to have a new model to bring in 
the talent that we need to achieve the goals that we're talking 
about.
    I believe that CDM and modernization go hand-in-hand. 
Chairman, as you talked about earlier, CDM actually can be a 
great driver for modernization, the information and the data we 
get from that can help us in prioritizing what we modernize and 
putting those priorities out front. In turn, I believe 
modernization sets out the platforms that will allow us to do 
the automation that makes CDM more and more valuable as we go 
along.
    It is essential for the incentives for both the CDM Federal 
contracts folks, as well as the vendors, to be aligned to the 
right goals. I think that's one of our other critical elements 
here, is to make sure that we have incentivized folks to go for 
our goals. Our goals are not how many tools we have placed in 
the environment or necessarily the time lines; our goals are to 
provision and provide secure and efficient capabilities to meet 
our missions. So we've got to find some ways to make sure that 
our incentives match that goal.
    I do want to mention, while we are here, I want to thank 
Kevin Cox, one of my fellow panelists, as well as Mark 
Kneidinger at DHS. I've had multiple opportunities to interact 
with them and their teams. My team meets regularly with them. I 
want to give them kudos because, very frankly, this program has 
been around for a few years, and really and especially in the 
last year, they've done significant work in making the program 
more collaborative. I think we need to continue that process of 
collaboration. One of the challenges, to be very frank with 
you, about CDM is that many departments have perceived this as 
a program being done at them rather than with them. I think 
Kevin and Mark Kneidinger and their team have done a lot to 
reverse that viewpoint.
    I want to mention that, again, visibility that CDM brings 
is only the first step. It's going to require action. We need 
to focus on making sure that the things we get out of CDM at 
the Federal level and the Departmental level are actionable 
information that we can move forward with. We've got to do 
that, and we know that you're going to hold us accountable for 
doing that.
    I want to give you a quick example: One of my labs used a CDM-
like capability last year to help them find some unmanaged 
cloud services in their environment and the steps they took 
around customer service admission resulted in provisioning new, 
better, and more secure capabilities and removing those things 
which were a management risk out of the environment. We want to 
find more opportunities to do exactly that kind of thing across 
the Department and across the Federal enterprise.
    Finally, I do want to mention the MGT Act. The tools--the 
technology management fund as well as the working capital 
fund--are critical tools for all of us in the CIO community. 
I'm happy to report that I've had a lot of progress talking to 
our CFO shop, and we put in five proposals to OMB for using the 
technology management fund and are very hopeful that that will 
be fully funded very soon by Congress.
    I want to thank you again for the opportunity to come and 
talk about this. It is an important issue, and it is a critical 
tool for us across Government, and I look forward to answering 
your questions.
    [The prepared statement of Mr. Everett follows:]
                   Prepared Statement of Max Everett
                             March 20, 2018
    Good afternoon Chairmen Hurd and Ratcliffe, Ranking Members 
Connolly and Richmond, and distinguished Members of the committees. On 
behalf of the Secretary and deputy secretary of Energy, I thank you for 
inviting me to testify about the Department of Energy's (DOE or 
Department) experience with Continuous Diagnostics and Mitigation (CDM) 
capabilities and tools.
                             doe priorities
    As the Department's chief information officer (CIO), I report 
directly to the Secretary and deputy secretary, properly positioning me 
to ensure that decision-making processes across the Department factor 
in Information Technology (IT) and cybersecurity considerations from 
the outset. The Secretary and deputy secretary have repeatedly 
emphasized to senior Departmental leadership the importance of weaving 
cybersecurity into the fabric of DOE policy and operations. They 
understand that the first step toward protecting information and 
systems is to have visibility into what is connected to and runs on DOE 
networks.
    Chairman Hurd, at the Federal Information Technology Acquisition 
Reform Act (FITARA) 5.0 hearing this past November, you asked me 
whether I could say that I knew everything that was connected to DOE 
networks. My response then was blunt: I said I could not. Today, 4 
months later, while that message has not changed, I am pleased to talk 
about the work we are doing to be able to answer that question with an 
emphatic ``yes.'' The lack of fidelity and visibility about what is 
connected to DOE's networks raises our cybersecurity risk profile to an 
unacceptable level; urgent action is needed.
    The Secretary and deputy secretary are aware of this issue and 
fully support our enterprise-wide plan of action to obtain fidelity and 
visibility, enabling DOE to properly protect its networks. We know that 
CDM tools and capabilities are essential to providing visibility into 
the content and connectivity of our networks. That is why the Secretary 
and deputy secretary have given me clear direction to implement CDM as 
swiftly as possible where gaps exist across the DOE enterprise, 
including at the National Nuclear Security Administration (NNSA) and 
its National Laboratories, the Office of Science National Laboratories, 
the Power Marketing Administrations, plants, and sites. We also 
recognize that CDM capabilities and automated data collection and flow 
will enhance DOE's Integrated Joint Cybersecurity Coordination Center 
(iJC3)--which provides cybersecurity threat analysis, tracks advanced 
persistent threats, and distributes automated threat information--by 
providing additional visibility into the network enterprise-wide. 
Furthermore, CDM will accelerate the availability of the more detailed, 
relevant, and reliable data necessary to better inform our Enterprise 
Risk Management processes.
    Implementation of CDM Phase 1 and 2 has been accomplished for DOE 
Headquarters. This is approximately 8 percent of the Department's 
networked endpoints. I am pleased to report that the Department is 
looking forward to deploying the common elements of the CDM platform 
across the DOE enterprise to fill gaps in current capabilities. The 
Department developed a 180-day strategy to identify and address gaps in 
CDM Phase 1 and 2 capabilities and to plan implementation of Phase 3 
capabilities. This, in combination with mutually reinforcing, on-going 
IT modernization efforts, will be calibrated to ensure DOE's continued 
mission success throughout the enterprise.
                               cdm status
    The Department recognizes that sound and comprehensive 
vulnerability detection requires a multi-dimensional approach involving 
asset management, automated tools, monitoring of communication 
channels, and human analysis. We believe that implementing CDM 
capabilities will play a key role in this multidimensional effort.
    Unfortunately, we are still in ``catch-up'' mode with 
implementation of CDM enterprise-wide. The Department took a scaled 
approach to CDM Phases 1 and 2. Before embarking on the larger-scale 
deployment of CDM across the DOE enterprise, DOE first piloted tools 
and sensors on the Energy Information Technology Services (EITS) 
network, which is the network the Office of the CIO directly manages.
    We fully implemented CDM Phase 1 tools and sensors across EITS, and 
successfully tested data transfers with the Department of Homeland 
Security (DHS). Further, we procured the tools to implement CDM Phase 2 
for EITS and are working with a vendor on that implementation. We 
estimate completion in November 2018.
                             cdm next steps
    While we are taking measured, prioritized actions to meet our 
goals, we appreciate the cooperation and collaboration of our DHS 
partners. In partnership with DHS, we will conduct a CDM Phase 3 needs 
assessment--enterprise-wide--to identify and address gaps for the 
remainder of the Department, including NNSA and its National 
Laboratories, the Office of Science National Laboratories, the Power 
Marketing Administrations, plants, and sites. I am pleased to report 
that we have a high level of confidence in our gap analysis 
methodology, cost estimates, and due diligence.
    In the coming weeks, we intend to utilize the CDM Dynamic and 
Evolving Federal Enterprise Network Defense (DEFEND) Request for 
Service (RFS) Process to address Phase 1 and 2 gaps in deployment in 
addition to Phase 3 and 4 Planning and Implementation requirements. We 
have incorporated lessons learned from our EITS pilot to streamline the 
Department's approach and planning as we progress through CDM Phases 3 
& 4 with DHS.
    My assessment is that CDM capabilities will complement and enhance 
DOE's IT modernization efforts by helping us identify and prioritize 
legacy systems in need of remediation. OCIO recognizes that it is not 
prudent to apply CDM to failing network infrastructures or outdated 
systems that use legacy software, some of which are no longer 
supported. While this change will be uncomfortable at first, 
streamlined and prioritized IT modernization efforts that are fully 
informed by CDM will, in turn, lay a foundation for further security 
upgrades, including the components of CDM Phases 3 and 4, and should 
result in better network security and cost savings through operating 
efficiencies.
                    opportunities for improving cdm
    Opportunities exist for additional streamlining and acceleration of 
the CDM implementation process. We will make the most progress when we 
lead with the areas where shared platforms hold the most obvious and 
direct opportunities for improved visibility, awareness, and on-going 
mutual benefits between DOE and Federal agencies. On the other hand, 
where we have exceptions that require special considerations due to 
unique environments and mission requirements, we are committed to 
finding ways to account for their presence on the network, as well as 
identifying opportunities to adapt or upgrade those systems to make 
them compatible with enterprise-wide CDM.
    We encourage DHS to continue to work actively and collaboratively 
with their counterpart departments and agencies to develop the CDM 
dashboard and associated metrics, which need to be usable and 
actionable by providing relevant threat and vulnerability information. 
I am confident that the CDM dashboard will provide significant value to 
the Department as CDM is implemented across the enterprise. The value 
of the CDM dashboard will be the extent to which it allows us 
visibility into the networks while providing actionable information and 
intelligence that can drive real-time decisions that result in 
increased protection for DOE systems and information. Establishing a 
credible feedback loop that takes into account the customers' 
requirements across the Federal enterprise is essential.
    We also encourage DHS to continue to actively work with DOE and 
other departments and agencies in the decision-making processes around 
the maturation of the CDM program, particularly with regard to 
contracts, metrics, priority data, and parameters. To have a truly 
shared platform, we need the information to flow in both directions. 
Collaboration and cooperation are key to mission success Government-
wide. Having a genuine shared platform means having a shared 
responsibility for the information that we feed into the system, as 
well as for the information we will receive and use for threat analysis 
and incident response.
                               workforce
    At DOE, our people are the key to and foundation of our mission 
success. We are focused on developing our employees' expertise, 
expanding our talent pool, and working to optimize the integration of 
automated systems, such as CDM, to find ways for systems to conduct the 
automated tasks and large-scale processing for which they are best 
suited.
    Further, we must attract and retain a world-class cybersecurity 
workforce that has the skills necessary to successfully broker and 
oversee cloud and managed-services solutions, and make key decisions 
about how best to use new and rapidly-changing information both 
tactically and strategically.
                     cdm and digital transformation
    In addition to implementing CDM, DOE is conducting a range of IT 
modernization efforts that are mutually reinforcing with CDM's 
enhancements to network security. As we continue to implement CDM, it 
will generate data and visibility that will accelerate these 
modernization efforts, and the modernization projects will, in turn, 
provide a robust infrastructure for the deployment of additional tools 
and capabilities, including CDM.
    DOE is currently developing a Digital Transformation Strategy 
(Strategy), which will provide an enterprise plan of action and include 
a mechanism to measure results through enterprise requirements for the 
Department. In addition, we are developing an Enterprise Architecture 
and Roadmap tied to our Strategy.
    Our Strategy will be built on a ``Cloud First'' policy to 
transition from service owner to service broker. Consistent with the 
President's direction in the IT Modernization Report, the Cloud First 
policy fosters innovation, reduces costs, improves interoperability, 
scales capacity to match demand, lowers operational costs, and 
establishes the bedrock for future enterprise capabilities.
    We have initiated seven Digital Transformation Work Streams to 
define enterprise requirements and develop further recommendations for 
modernization. These are: Trusted Internet Connection, Collaboration 
Tools and Services, Directory Services, Data Center Optimization, 
Email, Network Transport, and Mobility.
    The Department's Data Center Optimization Work Stream is expected 
to identify multiple opportunities for IT Modernization from 
consolidation, virtualization, and cloud migration. Our goal is to move 
IT workloads to the cloud, maximize virtualization, meet data center 
closure targets, and retrofit the remaining data centers for optimal 
energy efficiency while reducing costs.
    We also have efforts under way to modernize DOE Headquarters 
networks to a level consistent with the capacity, agility, and 
resiliency of modern enterprise networks. This will establish the base 
for commercial/managed-service implementations of services with 
engineered and inherent cybersecurity capabilities, such as 
Infrastructure-as-a-Service and Platform-as-a-Service in support of the 
Data Center Optimization Initiative, and Enterprise Software-as-a-
Service solutions like cloud email and Desktop-as-a-Service, while 
providing foundational requirements for enhanced cybersecurity tools, 
products, and capabilities.
                               conclusion
    Enterprise-wide CDM is a high priority for DOE, because of the 
range of benefits we expect to see from its full implementation. CDM 
will assist us with other critical and long-overdue efforts, such as IT 
Modernization, while also providing us with timely, actionable 
information to help us secure DOE information and systems.
    I appreciate the committees' interest in this important topic, and 
I look forward to continuing to work with our partners in Congress, as 
well as our colleagues at DHS and across the Federal Government, to 
achieve our shared goals. It has been my distinct honor to testify 
before you today, and I would be pleased to address your questions.

    Mr. Ratcliffe. Thank you.
    The Chair now recognizes Mr. Blackburn for 5 minutes.

 STATEMENT OF SCOTT BLACKBURN, EXECUTIVE IN CHARGE, OFFICE OF 
INFORMATION AND TECHNOLOGY, U.S. DEPARTMENT OF VETERANS AFFAIRS

    Mr. Blackburn. Good afternoon, Chairmen Ratcliffe and Hurd, 
and Congressman Connolly, and Members of the subcommittees. 
Thank you for the opportunity to discuss the progress VA is 
making toward its deployment of the Continuous Diagnostics and 
Mitigation Program as well as our information and 
modernization--information technology modernization effort. 
Behind me today are Mr. Dominic Cussatt, chief information 
security officer, and Mr. Gary Stephens, deputy CISO, who 
oversees the VA CDM Program.
    As a proud Army veteran, VA's sacred mission is personal to 
me. I am a user of VA services. In January, the Baltimore VA 
operated on my back. I am currently receiving physical therapy 
at the Washington VAMC. I received part of my care through the 
Veterans Choice Program. I'm a graduate of the vocational rehab 
program. I use VA's on-line scheduling tools. I am one of five 
siblings who have served in uniform. My father, like 
Congressman Fitzpatrick, was a career FBI agent.
    I left the business world in November 2014 to join VA 
because I didn't believe VA was delivering on its promise to 
veterans and I wanted to do something about it. I'm very proud 
of the progress VA has made in this time. Since December 2015, 
we have increased veteran trust by 22 percentage points from 47 
percent to 69 percent.
    For the past 6 months, I've been honored to lead the on-
going transformation in IT. It is an exciting time in VA IT. We 
are replacing VistA with a modern electronic health record that 
will achieve interoperability within VA, between VA and DOD, 
and ultimately with community providers in the private health 
care system. We have not signed the final deal yet with Cerner 
Corporation, but we hope to be making an announcement soon.
    Two weeks ago, we launched a beta version of our Lighthouse 
Lab, VA's application programming interface, or API, management 
platform that lets developers build out some standard set of 
APIs. Lighthouse, formerly known as digital veteran platform, 
or DVP, will be the API gateway that connects our disparate 
systems, allowing information exchange and innovation.
    Earlier this month, we announced the VA open-API pledge 
that 11 major health care systems have signed encouraging 
health care providers to commit to work together with VA to 
accelerate the mapping of health data to industry standards. We 
are expanding telehealth and self-service options to include 
on-line scheduling to improve the veteran experience. We are 
supporting priorities efforts in the benefits space to include 
Appeals Modernization and Forever GI bill. We are pushing 
aggressively on our buy-first strategy to use commercial off-
the-shelf solutions to replace expensive and outdated systems.
    Next week, we'll launch our new cloud-based software as a 
service IT management tool, which will streamline internal 
processes and provide a better end user experience for our 
employees, allowing them to focus on serving veterans.
    We are continuing our data center consolidation to be 
compliant with FITARA. In fiscal year 2017, we closed 47 data 
centers, and in fiscal year 2018 we are in the process of closing 
68 more. Of course, underpinning all of this is improving our 
cybersecurity through our Enterprise Cybersecurity Strategy 
Program to guard against cyber threats moving from reactive 
posture to a proactive, threat-based computer network defense 
approach.
    With cybersecurity in mind, we are committed to protecting 
veteran information such as mine and limiting access to only 
those with proper authority. I am proud of the accomplishments 
and how we are securing VA's IT infrastructure. As of December 
2017, we have secured 92 percent of medical devices with 
vulnerabilities. We have increased PIV enforcement for 
unprivileged users from 12 percent in 2016 to 91 percent. We've 
achieved 100 percent enforcement of two-factor authentication 
for privileged users. We have reduced our unadjudicated 
software by 94 percent. We have blocked 7.5 billion malware 
attempts over the past 2 years, and we monitor more than 45 
billion emails daily. Through our Enterprise Cybersecurity 
Strategy Program, ECSP, we managed cybersecurity risk to 
protect VA information systems. This includes embarking on a 
change in mindset of how we manage cyber risk. VA's CDM Program 
is a piece of that larger VA information security continuous 
monitoring strategy covering 15 continuous diagnostic 
capabilities which are distributed across its four phases. We 
can elaborate further on those phases during the course of the 
hearing.
    As part of the CDM effort, we are also documenting and 
defining existing network hardware application, security 
products, and configuration control settings currently deployed 
across the agency to further understand the activity across the 
network.
    Thank you again for the opportunity to discuss our 
cybersecurity and IT modernization efforts. Ensuring a safe and 
secure environment for veteran information and improving their 
experience is our goal. I look forward to your questions.
    [The prepared statement of Mr. Blackburn follows:]
                 Prepared Statement of Scott Blackburn
                             March 20, 2018
    Good afternoon, Chairmen Ratcliffe and Hurd, Ranking Members 
Richmond and Kelly, and distinguished Members of the subcommittees. 
Thank you for providing me with this opportunity to discuss the status 
and progress that VA's OIT is making toward its deployment of the 
Federal Government's Continuous Diagnostics and Mitigation (CDM) 
Program and our Information Technology (IT) modernization effort. I am 
pleased to be joined today by Mr. Dominic Cussatt, chief information 
security officer, and Mr. Gary Stevens, (acting) deputy CISO, executive 
director policy and strategy.
    The health, safety, welfare, and prosperity of our Veterans are our 
highest priorities at VA. As one of five siblings who are each either a 
Veteran or still serving in uniform, and who are all at least the fourth 
generation of U.S. military Veterans in our family, I take personal 
pride every day in fulfilling VA's sacred mission, and believe in 
making VA the best choice for Veterans. We want all Veterans to choose 
VA like I have, not because it is their only choice, but because we are 
the best at what we do.
    It is an exciting time to be leading OIT with all of the 
significant strides we are making in information technology. VA is 
making progress in its cybersecurity and modernization initiatives as 
well as with Federal Information Technology Acquisition Reform Act 
(FITARA) and Federal Information Security Management Act (FISMA) 
compliance. We have announced our intention and will soon be moving 
forward to replace our decades-old VistA platform with a modern 
Electronic Health Record (EHR) that will achieve full intra-VA and VA-
Department of Defense (DoD) interoperability. The new EHR will also 
provide the capability for much improved interoperability with 
community partners. This will be an important development since over 30 
percent of our care is currently done outside the Veterans Health 
Administration (VHA) system in the community.
    VA recently announced the launch of a ``beta'' version of its 
Lighthouse Lab, a computer platform offering software developers access 
to tools for creating mobile and web applications that will help 
Veterans better manage their care, services, and benefits. Eleven 
leading health care systems have agreed to sign a VA Open Application 
Programming Interface (API) pledge to accelerate the mapping of health 
data to industry standards, including the current and future versions 
of Fast Healthcare Interoperability Resources (FHIR).
    VA is continuing to expand telehealth and self-service options, 
such as on-line scheduling, to improve the Veterans experience. We are 
pushing aggressively on our ``buy first'' strategy using commercial 
off-the-shelf solutions to replace expensive and outdated systems. Next 
week, we will launch a new cloud-based, Software as a Service (SaaS) IT 
service management tool, which will standardize the delivery of IT 
services and provide our employees with an efficient and consistent 
end-user experience.
    This is the second time in the past several months OIT leadership 
has appeared before the House Oversight and Government Reform IT 
Subcommittee. On December 7, 2017, we discussed the progress VA was 
making toward its transformation efforts, notably our IT modernization 
effort; FITARA and FISMA compliance; the Electronic Health Record 
Modernization (EHRM) initiative; and Enterprise Cybersecurity Strategy 
(ECSS). My testimony today will cover some of those topics with a 
specific emphasis on the status and progress of the CDM rollout and our 
IT modernization efforts.
            enterprise cybersecurity strategy program (ecsp)
    VA, our core constituents, and our external partners are subject to 
a wide range of cyber threats. Given the high degree of connectivity, 
interdependence, and reliance on integrated open platform technology, 
meeting cybersecurity challenges requires strategic attention and 
collaboration across the VA ecosystem.
    Within OIT, we are committed to protecting Veteran information and 
VA data, as well as limiting access to only those with the proper 
authority. This commitment requires us to think agency-wide about 
security holistically. To achieve this end, VA Office of Information 
Security (OIS) manages cybersecurity risk through VA's ECSP to enable 
VA to securely fulfill our mission and protect VA information systems.
    As part of the ECSP, VA's Enterprise Cybersecurity Strategy is 
being refreshed to reinforce VA's strategic goals and objectives that 
inform cybersecurity behaviors at VA. Our principles include, but are 
not limited to, protection of VA data and Veteran information, evolving 
VA's resiliency to better adapt to advanced cyber threats, 
identification and strengthening mission critical systems and 
infrastructure, modernizing IT, overseeing a secure operational 
environment, and the recruitment, development, and retention of a 
talented cybersecurity workforce.
    With the establishment of ECSP, we are embarking on a change in 
mindset of how to manage cyber risk. Through ECSP, we will make 
prioritized, defensible decisions related to the implementation of 
cybersecurity projects (that may be technical or procedure-based), 
align programmatic activities with the National Institute of Standards 
and Technology Cybersecurity Framework (NIST CSF), and create an 
integrated and transparent program across each level of the program, 
which includes Government-wide statutory requirements, VA policy and 
implementation guidance, organizational cybersecurity capabilities, 
mission/business processes, and the information system level.
    We have recently focused on the following:
   Plans of Action created in response to the fiscal year 2015 
        Office of Inspector General FISMA audit, which have been closed 
        as of December 31, 2017.
   Eight Strategic Domains created as a result of VA's 2015 
        Enterprise Cybersecurity Strategy following the release of the 
        Office of Management and Budget (OMB) Cybersecurity 
        Implementation Plan on October 30, 2015.
    VA's ECSP is another step forward in VA's commitment to 
safeguarding Veteran information and VA data within a complex 
environment. Our strategy establishes an ambitious, yet carefully 
crafted approach to cybersecurity and privacy protections that helps VA 
to execute its mission of providing quality health care, benefits, and 
services to Veterans, while delivering on our promise to keep Veteran 
information and VA data safe and secure.
  va information security continuous monitoring (iscm) and continuous 
                    diagnostics and mitigation (cdm)
ISCM at VA
    In the fall of 2017, we approved our VA ISCM Strategy and the 
associated ISCM Integrated Project Team (IPT) Charter. The ISCM 
Strategy and IPT Charter guide VA's continuous monitoring program 
moving forward detecting and safeguarding systems and data, patient 
safety, and assisting Veterans after their military career.
    Our ISCM program supports a comprehensive VA organizational risk 
management program. Aligning ISCM to VA's IT risk management program 
and, in turn, the enterprise risk management program, will provide 
cost-effective risk management across the organization. ISCM IPT will 
pursue the following actions to realize this objective:
   Align ISCM activities with risk management activities to 
        provide VA with comprehensive awareness of the security posture 
        and IT infrastructure, assets, and data.
   Align ISCM activities with the on-going authorization 
        process as it is developed, so information systems security 
        controls are evaluated with data to maintain their on-going 
        authorization status.
   Implement a process to identify and prioritize critical ISCM 
        data to collect and monitor, and allow ISCM data to support 
        security control assessments.
   Validate that the ISCM strategic planning process is 
        adequately documented. The ISCM strategic planning process 
        should be transparent and communicated to ISCM stakeholders.
    OIT will integrate the current and upcoming ISCM capabilities to 
effectively evaluate VA's information system posture across the agency. 
This is accomplished through developing and deploying an end-to-end 
architecture. ISCM capabilities are being automated to the extent 
possible by leveraging the Department of Homeland Security (DHS) CDM 
program, while recognizing some security controls cannot be monitored 
by automated means. Integrating CDM capabilities into the overall ISCM 
capabilities and augmenting as necessary with automated and manual 
monitoring will give VA the ability to meet Veteran and operational 
needs. As ISCM evolves, the frequency of monitoring security controls 
and collecting measurement data stated in VA policy and procedures will 
be reviewed and revised.
    VA's ISCM strategy outlines processes for updating VA directives, 
handbooks, and standard operating procedures accordingly to align to 
the ISCM strategy. VA's strategy will be enacted through updates to VA 
Handbook 6500, Risk Management Framework for VA Information Systems, VA 
Handbook 6500.3, Assessment, Authorization, and Continuous Monitoring 
of VA Information Systems, and associated ISCM procedures. These 
documents provide ISCM policy and procedures, in accordance with the 
NIST Special Publications (SP) 800-137, Information Security Continuous 
Monitoring for Federal Information Systems and Organizations. VA 
Handbook 6500.3 was created to establish requirements and 
responsibilities for VA to confirm compliance with Assessment and 
Authorization and continuous monitoring requirements for VA information 
systems as required by FISMA.
    Monitoring tools used for ISCM, CDM, and legacy controls are 
integrated to achieve data synchronization, elimination of data error, 
and minimization of human interaction. OIT deploys a variety of tools 
to maintain situational awareness of VA's security posture. Integrating 
these monitoring tools across VA is the initial action in automating 
the monitoring, reporting processes. One of the goals of VA's ISCM 
strategy is to integrate existing and planned ISCM capabilities in 
order to form a monitoring solution for VA. This includes integrating 
existing capabilities such as the VA Cyber Security Operations Center 
Security Incident and Event Manager and the VA Governance, Risk 
Management, and Compliance tool into CDM dashboards, as part of Phase 1 
of CDM development at VA. Integrating these capabilities and others 
will inform data analysis and reporting on the effectiveness of VA's 
ISCM program.
    The VA ISCM strategy incorporates a variety of performance measures 
designed for evaluating the effectiveness of our program. Our program 
measurement sources include:
   FISMA ISCM Program Maturity Model.--Summarizes the status of 
        the ISCM program and its maturity based on a five-level scale.
   Fiscal Year 2017 Chief Information Officer FISMA Metrics.--
        Used to assess Federal cybersecurity programs on the progress 
        of their program implementation.
   NIST CSF.--Provides guidance on cybersecurity metrics and 
        measurements.
   VA Enterprise Security Architecture.--Informs ISCM measures 
        regarding the maturity of current capabilities.
    Looking forward, we are seeking additional stakeholders across OIT 
to join our ISCM IPT to provide insight into how VA currently tracks 
and reports ISCM-related data. Our IPT stakeholders will assist in the 
identification of existing ISCM tools, capabilities, and projects to 
provide a clear indication of how VA currently monitors its network. 
Ultimately, a more diverse set of stakeholders across our ISCM IPT will 
enable various groups across VA to work in concert on future ISCM 
efforts, while also providing varied inputs in order to confirm we are 
weighing multiple options when our IPT comes to key decision points.
CDM at VA
    CDM is a dynamic effort and the needs of different agencies vary. 
VA's CDM program is a piece of the larger VA ISCM strategy. The VA CDM 
program covers 15 continuous diagnostic capabilities, which are 
distributed across its four phases:
   Phase 1.--Identify assets on VA network.
   Phase 2.--Identify and monitor users on the network.
   Phase 3.--Identify what is happening on the network as well 
        as ways to protect it.
   Phase 4.--Identify risks on an on-going basis, prioritize 
        risks based on potential impacts, and enable cybersecurity 
        personnel to mitigate the most significant problems first.
    VA would like to provide a more in-depth breakdown of where we are 
within Phase 1 of our CDM program:
   Hardware Asset Management (HWAM)--We are currently 
        implementing HWAM tools and integrating these tools to assist 
        in identifying Internet Protocol addresses across the VA 
        network; the tools are intended to assist in the classification 
        of systems and to provide reports to our central dashboards. This 
        work covers approximately 2,500 facilities including hospitals, 
        Benefit Centers, Information Technology Centers, VA Central 
        Office, Data Centers, and others.
   Software Asset Management (SWAM)--We are currently 
        implementing our SWAM tool, which is designed to inventory 
        software used in the agency and report the information to our 
        central dashboards. Our team is creating lessons learned from 
        HWAM and analyzing them prior to rolling these tools out.
   Configuration Settings Management (CSM)--Our team is 
        currently analyzing existing systems. We are identifying 
        security configuration benchmarks that exist for each IT asset 
        type.
   Vulnerability Management (VUL)--We are currently 
        implementing our Dashboards, so we can eventually feed into the 
        DHS Federal Dashboard.
    We are also documenting and defining existing network hardware, 
applications, security products, and configuration control settings 
currently deployed across the agency in order to further understand the 
activity across the network. OIT is in the midst of providing 
visibility into the reporting endpoints and depicting them on a CDM 
dashboard to assist in vulnerability management.
    The central dashboards will provide actionable information from 
HWAM, SWAM, and other security tools for timely remediation of known 
vulnerabilities as well as transmit data to a DHS Federal dashboard.
    OIT documents and provides DHS and OMB its decision on the 
implementation of any whitelisting applications under the DHS CDM 
Program, as well as identifies a time line for its implementation. If 
VA chooses a non-DHS whitelisting solution, VA delineates the solution 
selected, the associated time line for its implementation, and the 
integration mechanism for the CDM Agency Dashboard. The agency also 
lists milestones for improving VA's performance in detecting and 
blocking unauthorized devices and software.
    Apart from the updates on Phase 1, we would also like to touch upon 
our progress in implementing Phase 2 of our CDM Program.
    VA conducted requirements sessions with VA Stakeholders, based on 
the guidance provided by DHS, in order to prepare the CDM Phase 2 
Business Requirements Document (BRD). The CDM Phase 2 BRD has been 
developed and is currently under review. VA has identified the 
following authoritative data sources to support the four core CDM 
functions within the agency.
    We will continue to collaborate across VA, with DHS, and with our 
partners across the Federal Government in order to progress ISCM and 
CDM at VA. We will leverage lessons learned and update our strategies 
and policies in order to remain in lockstep with Federal statutes and 
guidance. We will look to use the latest advancements in technology, 
while also prioritizing security, in order to protect VA data and the 
Veteran.
                         ois policy milestones
    Recently, we have achieved various policy milestones on the path to 
further advancing the VA cybersecurity program. These updates in policy 
allow VA to strategically leverage technologies, which will better 
serve the Veteran, while also confirming security is prioritized in 
order to protect the Veteran and VA data.
    Cloud activity continues to grow across Federal agencies. In order 
to prioritize security and allow our stakeholders to use the latest 
technologies, we have established the following:
   Cloud Security Framework.--The use and adoption of cloud 
        computing provide great benefits to our mission of serving our 
        Veterans. VA's cloud security framework defines comprehensive 
        and synchronized capabilities to identify and manage cloud 
        security risks, protect access to our cloud environment, 
        protect cloud applications and data, secure cloud network 
        configuration and connectivity, oversee the physical 
        environment security, monitor the cloud environment, and 
        provide the ability to rapidly respond and recover from a 
        cybersecurity event. These cloud security capabilities address 
        security concerns, and allow VA to capture benefits from cloud 
        computing to serve the Veteran while protecting Veteran and VA 
        data.
   Cloud Security Guidance.--Our Cloud Security Guidance, which 
        aims to provide guidelines and the minimum requirements, is 
        intended to mitigate the risk associated with increased attack 
        surface for cloud-based systems. Cloud Service Providers are 
        especially vulnerable to attackers due to the value and 
        quantity of data being stored in the cloud. Multi-tenancy 
        increases this risk as VA will not have control of or insight 
        into the security posture of other tenants. Due to lack of 
        familiarity with cloud, misconceptions about the shared 
        responsibility model, and a history of breaches in Government 
        cloud systems due to their misconfiguration, VA shall employ 
        cloud-centric defense-in-depth to help reduce these risks.
    We have instituted VA Handbook 6500.11, VA Firewall Configuration, 
a firewall policy to cover new technologies in coordination with the 
Office of Cybersecurity Policy and Compliance. This policy reflects 
firewall configurations, which are required to comply with the 
provisions of FISMA and other related information security requirements 
promulgated by NIST and OMB. We have published VA Directive and 
Handbook 6513: Secure External Connections, which governs the process 
for managing and continuously monitoring VA connections.
                            it modernization
Foundation of Modernization
    Secretary Shulkin is committed to this vision and making VA a 
world-class organization. Whether it is from silos to collaboration, or 
from process to Veteran outcomes, or from guarded to transparent, we 
are changing the culture at VA. For OIT, that means we must innovate 
and modernize to provide the best services possible. Modernizing our 
technology plays a huge role in helping us achieve this objective. That 
means looking differently at how we provide services to Veterans 
insofar as how we streamline our approach to take advantage of new 
technology and industry best practices; improve the ways we deliver 
care, benefits, and services to Veterans; and how we embrace change and 
refocus on why and how we serve Veterans.
VA OIT Modernization Strategy
    The mission of VA OIT is to collaborate with our business partners 
to create the best experience for all Veterans. OIT's three goals--
Stabilize and Streamline Processes; Eliminate Material Weaknesses; and 
Institutionalize New Capabilities--drive our strategy and outcomes. 
They are enduring and will continue to frame our plans for 2018 and 
beyond. VA OIT approaches everything through our core values of 
transparency, accountability, innovation, and teamwork. Values we seek 
to embody, every day, in every project, and for every Veteran.
    OIT is committed to VA's I-CARE (Integrity, Commitment, Advocacy, 
Respect, and Excellence) values and the underlying responsibility to 
provide the best level of care and services to our Veterans. We expect 
nothing less and will not tolerate employees who deviate from those 
core values.
    Our comprehensive IT Plan is the foundation for reducing our 
reliance on legacy systems, and creating new capabilities for a modern 
VA by leveraging cloud, digital platforms, while incorporating other 
modern and innovative technologies such as expanded telehealth, 
robotics, Artificial Intelligence, mobile devices, machine learning, 
Blockchain, and digital services to increase access, engagement, and 
interoperability. Through this plan, we will stop or migrate 240 of our 
299 projects over the next 18 months, and leverage a buy-first 
strategy--getting us out of the software development business and 
ensuring we are positioned to manage the influx of new technologies. We 
will ensure that we have end-user accessibility of these systems to be 
Section 508-compliant.
    VA is investing in innovative solutions and industry best practices 
to build a stronger, more advanced IT backbone to better serve Veterans 
with a focus on Managing Data, Migrating to the Cloud, Improving 
Cybersecurity, Digitizing Business Processes, and Decommissioning 
Legacy Systems. OIT's five modernization priorities are built on 
transformation. They facilitate a modern IT infrastructure that 
supports OIT's vision of becoming a world-class organization that 
provides a seamless, unified Veteran experience through the delivery of 
state-of-the-art technology.
The Path Forward
    We are plotting a path forward for a modern VA that seamlessly 
connects Veterans with the care, benefits, and services they have 
earned. In OIT, we are committed to investing in new and emerging IT 
solutions such as artificial intelligence, robotics, and self-service 
tools that revolutionize the way Veterans and VA employees interact 
with our digital framework. This commitment enables VA to continue to 
provide high-quality, efficient care, and services that keep up with 
the latest technology solutions and standards of care. The future of 
VA's IT modernization is rooted in eight of our key initiatives: EHRM, 
enterprise-wide API Management Platform, Financial Management Business 
Transformation, cybersecurity, scheduling enhancements, telehealth 
expansion, legacy system modernization, and data center consolidation.
    First and foremost is our EHRM initiative. On June 5, 2017, 
Secretary Shulkin announced his decision to adopt the same Electronic 
Health Records (EHR) technology as DoD. This transformation is about 
improving VA services and significantly enhancing the coordination of 
care for Veterans who receive medical care not only from VA, but DoD 
and our community partners. We have a tremendous opportunity for the 
future with EHRM to build transparency with Veterans and their care 
providers, expand the use of data, and increase our ability to 
communicate and collaborate with DoD and community care providers. In 
addition to improving patient care, a single, seamless EHR environment 
will result in a more efficient use of VA resources, particularly as it 
relates to health care providers. This new EHR system will enable VA to 
keep pace with the improvements in health IT and cybersecurity, which 
the current system, VistA, is unable to do. Moreover, the acquisition 
of the same solution as DoD, along with the added support of joint 
interagency governance and support from National EHR leadership 
including VA partners in industry, Government, academic affiliates, and 
integrated health care organizations, will enable VA to meaningfully 
advance the goal of providing a single longitudinal patient record that 
will capture all of a Servicemember's active duty and Veteran health 
care experiences. It will enable seamless care between the Departments 
without the additional step of exchanging and reconciling data between 
two systems that are not integrated and operate in separate 
environments. To that end, the Secretary has insisted on high levels of 
interoperability and data accessibility with our commercial health 
partners in addition to the interoperability with DoD. Collectively, 
this will result in better service to Veterans since transitioning 
Servicemembers will have their medical records made available to VA 
without any intervention.
    Our second initiative supports VA's commitment to leverage our 
community partners and innovative technologies to give Veterans a 
digital experience in line with what they receive from the private 
sector through APIs. VA's strategic open API program, called Lighthouse, 
adopts an outside-in, value-to-business-driven approach to create 
APIs that are managed as products to be consumed by developers internal 
and external to VA. Such an approach serves as a change catalyst, which 
will allow VA to decouple systems and continue to leverage its 
investment in various digital assets, support application 
rationalization, and allow it to absorb new, commercial SaaS to replace 
home-grown, outdated systems. This strategy calls for a clearly-defined 
operating model for managing the complete life cycle of APIs and will 
include the planning, design, implementation, publication, maintenance, 
and retirement of APIs as well as the operation of the API Gateway 
platform on a VA private cloud.
    The API Gateway leverages FHIR so as to enable enhanced data 
interoperability between both internal and external systems. API-
enabled and FHIR-based solutions are easier for developers to implement 
as they make use of modern web standards and RESTful architectures with 
more easily understood specifications. By liberating data and enhancing 
interoperability with FHIR, VA will be able to shift ownership of the 
data to Veterans and make that data more readily available for whom it 
is necessary. Additionally, these resources will allow for more 
powerful solutions to be developed which will allow for a more seamless 
patient and provider experience.
    We released our developer sandbox in beta 2 weeks ago. We are 
looking for a small, initial-user group to join our developer community 
to make sure we follow industry best practices around tools, 
documentation, governance, and support workflows. As this community 
grows and VA releases more APIs, Lighthouse will serve as the ``front 
door'' to VA's vast data stores--giving developers access to 
standardized data sets they need to build mobile and web apps for our 
Veterans.
    As part of VA's commitment to promoting interoperability and 
standardized data sharing through Lighthouse, Secretary Shulkin 
announced VA's Open API Pledge, which reaffirms VA's commitment to 
giving developers access to our systems through standards-based APIs so 
that they can build Veteran and clinician-designated applications. In 
exchange, we are asking health care providers to sign a pledge to work 
with VA to accelerate the mapping of health data to industry standards, 
including the current and future versions of FHIR.
    Our third initiative supports VA's back-end systems and reduces our 
reliance on outdated legacy systems, so our clinicians and employees 
have the modern tools and IT support they need. VA's Financial 
Management Business Transformation effort is currently under way and 
will positively impact the delivery of all health and benefits by 
standardizing and improving accounting and acquisition activities 
across VA's enterprise. VA has an urgent need to address multiple 
legacy platforms used today in our finance and accounting mission 
critical functions. We are working to adopt and implement a commercial, 
cloud-hosted integrated financial and acquisitions system. This 
transformation effort will increase the transparency, accuracy, 
timeliness, and reliability of financial information. The result will 
be improved fiscal accountability to American taxpayers and improved 
care and services to our Veterans as well as transforming the 
Department from numerous stovepipe legacy systems to a proven, 
flexible, shared service business transaction environment.
    Our fourth initiative focuses on bolstering our enterprise 
cybersecurity framework to proactively respond to emerging data threats 
and the evolving cybersecurity landscape. VA's Enterprise Cybersecurity 
Strategy will ensure that Veteran data are secure, available, and safe 
from cyber threats. Safeguarding Veteran information and VA data is 
essential to providing quality health care, benefits, and services to 
our Nation's Veterans.
    Our fifth initiative extends to modernizing and enhancing the 
Department's scheduling systems. As a patient who receives treatment at 
both the Washington, DC, and Baltimore VA Medical Centers, enhanced 
scheduling is something I am very passionate about. We are launching 
new digital tools that enable Veterans to schedule appointments on-
line, use mobile applications to manage prescriptions, and participate 
in video conferences with their care providers as needed. We are also 
investing in solutions that give our providers a more seamless 
experience with the back-end scheduling tools they need to serve our 
Veterans. We have made strides in our scheduling tools, but we still 
have a long way to go. We now have VistA Scheduling Enhancement (VSE) 
upgrades fully implemented in 158 of 160 sites, improving the interface 
for schedulers so they can easily view appointment times and reduce 
scheduling errors. Any person can now conduct their Scheduling 
activities at those sites using VSE. Some sites have greater 
utilization than others based on the level of training of users per 
site, which is increasing daily. We have seen on-line scheduling 
increase 5 times due to recent improvements; this capability is 
currently in place at more than 100 sites. The Medical Appointment 
Scheduling System is being piloted in Columbus, Ohio, and the Faster 
Care for Veterans Act test installs have been successfully completed in 
Minneapolis, Minnesota; Salt Lake City, Utah; and Bedford, 
Massachusetts. Last year, the Secretary launched a new access and 
quality tool, known as ``Access to Care.'' This web-based site was 
developed for Veterans and their families to see in real time the wait 
times at local VA facilities, VA hospital ratings, and comparisons with 
private hospitals in their area. This information empowers Veterans to 
choose the time and place they receive their care. Not only will this 
website take in and process complex data, but it will make the data 
transparent to Veterans. We will continue improving transparency via 
the Access to Care site as we receive feedback from Veterans, 
employees, Veterans Service Organizations, and Congress.
    In addition to scheduling enhancements, VA and OIT are making 
strides in our telehealth programs. We are expanding telehealth 
capabilities with hubs around the country to better service Veterans 
who live in rural communities or have challenges accessing VA medical 
centers due to their mobility. More Veterans have access to tele-
mental, tele-urgent, and tele-specialty care. On March 6, 2018, the 
Secretary announced VA's plan to launch a Nation-wide telehealth 
program to help Veterans dealing with post-traumatic stress disorder 
(PTSD). The pilot program will connect 12 community-based outpatient 
clinics (CBOC) across the Nation with Veterans in need of treatment for 
PTSD. This program will help greater numbers of Veterans living in 
rural areas and will save them time and effort to travel to a VA 
facility that is far from their homes.
    Another significant VA and OIT initiative is Legacy Systems 
Modernization. We are moving critical functions from outdated and 
difficult to sustain platforms into more modern systems that operate at 
lower maintenance costs. Our planned IT investments prioritize the 
development of replacements for specific mission-critical legacy 
systems, such as the Benefits Delivery Network, as well as operations 
and maintenance of all VA IT infrastructures essential to deliver 
medical care and benefits to Veterans. Investments in IT will also 
support efforts and initiatives that are directly Veteran-facing, such 
as mental health applications to support suicide prevention, 
modifications of multiple programs to accommodate special requirements 
of the community care program, Veteran self-service applications 
(Navigator concept), education claims processing integration 
consolidation, and benefit claim appeals modernization.
    OIT continues its Data Center Consolidation effort to merge and 
close data centers at VA facilities Nation-wide. During fiscal year 
2017 the team closed 24 data centers. The team plans to close another 
91 by the end of fiscal year 2018. The benefits of the Data Center 
Consolidation effort include increased system security, reliability, 
and efficiency; enhanced cybersecurity; and the opportunity to 
introduce innovative and cost-saving technological advances to VA 
systems. These improvements will allow VA employees to spend less time 
managing the infrastructure and more time on customer-focused 
activities that better serve Veterans. As OIT continues to make 
progress in data center consolidation, VA will remain a Government 
leader in compliance with FITARA.
    We are on an ambitious journey to become the No. 1 customer service 
agency within the Federal Government. By investing in innovative 
solutions--from technology to new ideas--we are on the right trajectory 
to advance toward our modernization goals and to make VA a greater 
choice for all Veterans.
                               conclusion
    Thank you again for the opportunity to appear before you today to 
address the status and progress that the VA OIT is making toward its 
deployment of the CDM Program and our IT modernization efforts. 
Throughout this modernization, our No. 1 priority has and will be 
always the Veteran. Ensuring a safe and secure environment for their 
information and improving their experience is our goal. I look forward 
to answering your questions.

    Mr. Ratcliffe. Thank you, Mr. Blackburn.
    The Chair now recognizes Mr. Garcia for 5 minutes.

  STATEMENT OF DAVID GARCIA, CHIEF INFORMATION OFFICER, U.S. 
                 OFFICE OF PERSONNEL MANAGEMENT

    Mr. Garcia. Thank you, Chairman Ratcliffe, Chairman Hurd, 
and distinguished Members of the subcommittees who are engaging 
in this important discussion. I appreciate the opportunity to 
appear before you here today.
    Although I am new to OPM, I am pleased with the 
transformative activities that my office is already 
undertaking. Since arriving, I have worked with senior staff to 
identify key priorities to drive our efforts to build 
governance processes to support our work. We recognize that OPM 
is an organization made up of terrific people with the mission 
to serve not just the Federal work force but also the American 
people. To successfully meet this important mission, OPM will 
continue to bring to the Federal Government agile, modern IT 
solutions that reflect its needs and leverage forward-leaning 
capabilities. The Department of Homeland Security's CDM Program 
is an important element to assist us with this goal.
    As the former CIO for the State of Maryland and as an 
executive with over 20 years private-sector experience, I look 
at OPM's current posture through both a private and public-
sector viewpoint. There are two main points that I think are 
critical to the context of the conversation we are having here 
today. First, you must understand that CDM is a broad approach 
and is continuously evolving. Every day, the malicious actors 
around the globe, who are equivalent to military-grade 
adversaries, are adapting. Therefore, as Federal agencies, we 
need to have the flexibility to adapt rapidly.
    Second, we must strive to have CDM and similar future 
programs reduce the time required for the public sector to 
procure technological solutions. As an entrepreneur and small 
business owner and like our private-sector industry partners, I 
had the flexibility to procure and implement solutions to 
mitigate zero-day threats and vulnerabilities without delay. 
However, as a CIO for a Federal agency, I do not have that same 
flexibility. CDM can be tuned to enhance the abilities of 
agencies to procure the needed cyber defenses as quickly as 
possible. I feel this provides agencies the best fighting 
chance to stay ahead of possible threats.
    As you may know, OPM is one of the first agencies to fully 
implement CDM, and OPM completed implementation of phase 1 with 
the CDM dashboard fully populated in the spring of 2017. This 
phase focuses on managing what is on the network, to include 
management and control of devices, software, security 
configuration settings, and software vulnerabilities. For OPM, 
this has meant gaining greater insights to connection points 
within our network.
    In addition, OPM has made use of CDM technologies to 
identify and strategically resolve potential vulnerabilities, 
which has resulted in better overall risk management and 
response. OPM is on track to complete implementation of phase 2 
in the summer of 2018, ahead of the scheduled fall 2018 target. 
Phase 2 focuses on the management and control of user access 
privileges. Phase 2 has allowed OPM to standardize the access 
assistance so that management of all accounts is unified and 
controlled through an agency governance process. Reducing the 
volume and scope of user access also helps OPM identify 
anomalies related to possible insider threat activities and 
prevent data loss. This is especially critical in the context 
of the events of 2015 because it will add additional two-factor 
authentication requirements to address long-standing audit 
findings.
    OPM has been successful in the implementation of phase 1 
and phase 2 due to the alignment of the technology with the 
agency technology strategy and life-cycle management. The use 
of CDM has set the stage for OPM to move into a continuous 
monitoring approach that enhances OPM's ability to manage its 
systems and continually evolve to secure its systems in real 
time.
    Looking forward, the future should allow CIOs and CISOs the 
ability to move as quickly as new technologies and threats 
evolve. Due to the asymmetric nature of attacks, we need to 
consider security risks related to the increasing use of 
artificial intelligence, AI, by our adversaries. For CDM to be 
successful in the long term, it will need to continue to 
evolve, including the use of new ideas and concepts, such as 
the use of AI within the Federal networks.
    I accepted the position at OPM because I truly believe in 
the mission of OPM because it is an agency in which great 
success can be achieved and demonstrated. The people of OPM are 
dedicated. New technology is being implemented and the agency 
is committed to supporting all the Federal employees who devote 
their lives to serving the American people.
    I look forward to working with the Members of these 
subcommittees to continue our efforts at modernization and the 
evolution of the CDM Program so that it will remain a 
successful resource for Federal agencies.
    Thank you for the opportunity to testify before you today. 
I look forward to answering any questions you may have.
    [The prepared statement of Mr. Garcia follows:]
                   Prepared Statement of David Garcia
                             March 20, 2018
    Thank you Chairman Ratcliffe, Chairman Hurd, Ranking Member 
Richmond, Ranking Member Kelly, and Members of the subcommittees for 
engaging in this important discussion. I appreciate the opportunity to 
appear before you today.
    Although I am new to the U.S. Office of Personnel Management (OPM), 
having only been at the agency for about 6 months, I am pleased with 
the transformative activities that my office has already undertaken. 
Since arriving, I have worked with senior staff to identify key 
priorities to drive our efforts and to build governance processes to 
support our work. We recognize that OPM is an organization made up of 
terrific people with a mission to serve not just the Federal workforce, 
but also the American people. To successfully meet this important 
mission, OPM will continue to bring to the Federal Government agile, 
modern Information Technology (IT) solutions that reflect its needs and 
leverage forward-leaning capabilities. The Department of Homeland 
Security's Continuous Diagnostics and Mitigation (CDM) Program is an 
important element to assist us with this goal.
    As the former chief information officer (CIO) for the State of 
Maryland, and with over 20 years of private-sector executive 
experience, I look at OPM's current posture through both a private- and 
public-sector viewpoint. There are two main points that I think are 
critical to the context of the conversation we are having today 
regarding CDM. First, we must understand that CDM is a broad approach 
and is continuously evolving. Every day the malicious actors around the 
globe, who are equivalent to military-grade adversaries, are adapting. 
Therefore, as Federal agencies, we need to have the flexibility to 
adapt. Second, we must strive to have CDM and similar future programs, 
reduce the time required for the public sector to procure technological 
solutions compared to the time it takes in the private sector, which 
contributes to a gap in preparedness. As an entrepreneur and small 
business owner in the private sector, I had the flexibility to procure 
and implement a solution to mitigate a zero-day threat or vulnerability 
immediately; however, as the CIO for a Federal agency, I do not have 
that same flexibility to get needed tools on our network in real time. 
While CDM has certainly reduced the procurement time frame for 
cybersecurity technology, a goal should be to continue to enhance the 
ability for agencies to procure what they need to maintain the 
appropriate cyber defenses as quickly as possible. The faster agencies 
can procure technology, the faster technology can be implemented--which 
gives agencies the best chance to stay ahead of possible threats that 
continue to evolve and become more sophisticated.
    Since coming to OPM, I have developed a vision of the top five 
priorities the CIO must address to successfully support OPM. Those 
priorities are: (1) Continue to fully mature the Risk Management 
Program by building on OPM's cybersecurity success to date, applying 
new technologies and techniques, and implementing the best practice 
recommendations from the Department of Homeland Security, the 
Government Accountability Office, and OPM's Inspector General, as 
appropriate; (2) work with stakeholders to provide new and innovative 
customer experiences through the latest technology; (3) utilize 
technology to reduce the investigation inventory; (4) create IT 
financial transparency through implementation of a standardized 
technology with the ability to develop a sustainable, transparent, and 
repeatable financial model; and (5) align the CIO organization to 
better meet the needs of OPM by providing a foundation for current and 
efficient services that will last longer than the life span of a server 
and that can be leveraged for the long term.
    CDM supports these priorities and OPM will continue to build off of 
its successful implementation of CDM's Phase 1 and the continued 
implementation of Phase 2. As you may know, OPM is one of the first 
agencies to fully implement CDM, and we have benefited from the 
enhanced visibility into who and what is on our network so that we can 
more accurately and rapidly respond to potential risks. OPM completed 
implementation of CDM Phase 1 with the CDM dashboard fully populated in 
the spring of 2017 using the CDM sensors we've been deploying since 
2015. This phase focuses on managing ``what is on the network,'' to 
include the management and control of devices, software, security 
configuration settings, and software vulnerabilities. For OPM, this has 
meant gaining greater insights into connection points within our 
network, which provides us with the ability to better regulate devices 
connecting to the environment as well as a better understanding of what 
should actually be on the network. In addition, OPM made use of CDM 
technologies to identify and strategically resolve potential 
vulnerabilities, which has resulted in better overall risk management 
and response.
    OPM is on track to complete implementation of CDM Phase 2 in the 
summer of 2018, ahead of the scheduled fall 2018 target for the Federal 
Government. Phase 2 focuses on the management and control of user 
access privileges. Phase 2 has allowed OPM to standardize the access of 
systems so that the management of all accounts is unified and 
controlled through an agency governance process. Reducing the volume 
and scope of user access also helps OPM identify anomalies related to 
possible insider threat activities and prevent data loss. Access for 
privileged users, which are users that have some administrative access 
to systems or data, is being enforced through a separate login 
mechanism. Our next step toward completion of CDM Phase 2 is to 
activate additional two-factor authentication enforcement features. 
This is especially critical in the context of the events of 2015 
because it will add additional two-factor authentication requirements 
to address long-standing audit findings.
    OPM has been successful in the implementation of Phase 1 and 2 of 
CDM due to the alignment of the technology available through CDM with 
agency technology strategy and life-cycle management. The use of CDM 
has set the stage for OPM to move into a Continuous Monitoring approach 
that enhances OPM's ability to manage its systems and continually 
evolve to secure its systems in near-real time.
    I am also pleased with how CDM Phase 3 has evolved from offering 
very specific software or capabilities within certain National 
Institute of Standards and Technology control families to a ``buffet''-
style offering with software and capabilities supporting the necessary 
agility that Federal agencies require to meet the unique needs and 
goals related to their specific operations. Looking forward, OPM will 
increasingly leverage CDM for our procurement needs to meet new 
challenges. We will prioritize our risk management needs and align the 
new technologies offered by CDM to meet our highest risks in a 
continuous effort to reduce vulnerabilities.
    I see Phase 4 of CDM transitioning into an on-going and continuous 
monitoring effort that will allow OPM and other agencies to keep pace 
with malicious actors. For agencies to be successful, Phase 4 should 
allow the Federal Government the ability to move as quickly as new 
technologies and threats evolve. This can be accomplished through an 
offering of tools and services that meet the specific goals and needs 
of agencies and through agile procurement capabilities that allow 
agencies to change and adapt their tools in real time. Following best 
practices in Government procurement, coupled with a continued effort to 
survey what capabilities are available throughout the private sector, 
will help keep the Federal Government informed and on pace. For CDM to 
be successful in the long term, it will need to continue to evolve, 
including the use of new ideas and concepts, such as the use of 
Artificial Intelligence (AI), for immediate identification, response, 
and updates to threats. Due to the asymmetric nature of attacks, we 
also need to consider security risks related to the increasing use of 
AI by our adversaries across all sectors and how that may impact the 
kinds of cyber defense and tools we need.
    I accepted the position of CIO at OPM because I truly believe in 
the OPM mission and because it is an agency in which great success can 
be achieved and demonstrated. The people at OPM are dedicated, new 
technology is being implemented, and the agency is committed to 
supporting all the Federal employees who devote their lives to serving 
the American people. Although there may be bumps in the Federal 
Government's journey to keep pace with potential cyber threats, I am 
confident we have an incredible opportunity to make strides toward a 
successful future. I look forward to working with the Members of these 
subcommittees to continue our efforts of IT modernization and the 
evolution of the CDM Program so that it will remain a successful 
resource for Federal agencies.
    Thank you for the opportunity to testify before you today. I look 
forward to answering any questions you may have.

    Mr. Ratcliffe. Thank you, Mr. Garcia.
    Mr. Cox, you are recognized for 5 minutes.

STATEMENT OF KEVIN COX, PROGRAM MANAGER, CONTINUOUS DIAGNOSTICS 
  AND MITIGATION, OFFICE OF CYBERSECURITY AND COMMUNICATIONS, 
 NATIONAL PROTECTION AND PROGRAMS DIRECTORATE, U.S. DEPARTMENT 
                      OF HOMELAND SECURITY

    Mr. Cox. Thank you, Chairman.
    Chairman Ratcliffe, Chairman Hurd, distinguished Members of 
the committees, thank you for today's opportunity to discuss 
the Department of Homeland Security's effort to secure Federal 
networks. I want to begin my testimony by thanking Congress for 
its work on the Cybersecurity and Infrastructure Security 
Agency Act of 2017. If enacted, this legislation will 
streamline the organization where I work, the National 
Protection and Programs Directorate, or NPPD. It will also 
rename our organization to clearly reflect our mission. The 
Department strongly supports this effort and appreciates the 
focus of these committees on seeing it enacted.
    DHS serves a critical role in safeguarding and securing 
cyber space, a core Homeland Security mission. Cyber threats 
remain one of the most significant strategic risks for the 
United States, threatening our National security, economic 
prosperity, and public health and safety.
    Over the past year, Federal network defenders saw the 
threat landscape they face grow more crowded, active, and 
dangerous. While, in many cases, our defenses have been 
successful in mitigating these threats, we must do more to 
ensure our cyber defenses keep pace with technological change and 
the evolving risks.
    Last year, the President signed an Executive Order on 
strengthening the cybersecurity of Federal networks and 
critical infrastructure. Cybersecurity is an important 
component of the administration's IT modernization efforts and 
the administration is committed to securing the Federal 
enterprise from cyber-related threats.
    One of the capabilities NPPD leverages to assist Federal 
agencies with their cybersecurity and NPPD with its mission of 
protecting the Federal enterprise is through a program I 
manage, the Continuous Diagnostics and Mitigation Program, CDM. 
CDM provides cybersecurity tools and integration services to 
Federal agencies. CDM is helping us achieve three major 
advances for Federal cybersecurity. First, agencies are gaining 
continuous visibility into the extent of cybersecurity risks 
across their entire network. This allows prioritization of 
cybersecurity actions.
    Second, with the Federal dashboard, NPPD will be able to 
operationalize this visibility initially through improved 
vulnerability management. Prior to CDM, NPPD often tracked 
Government-wide programs in implementing critical patches via 
agency self-reporting and manual data calls. CDM is changing 
this model, enabling NPPD to immediately view the prevalence of 
a given software product or vulnerability across the Federal 
Government. All Cabinet-level agencies have their agency 
dashboards in production with additional assets being added on 
a daily basis. Additionally, the Federal dashboard currently 
has a quarter of Federal assets reporting to it. It is 
anticipated that the remaining in-scope Cabinet-level assets 
will be reporting by the end of April 2018.
    Third, through the CDM Program, DHS is building important 
partnerships with other Federal agencies, including GSA, and 
industry to directly address the nation-state and criminal 
threats against our critical data in Federal networks. In the 
first phase of CDM, NPPD is helping Federal agencies better 
understand what is on their networks and better manage the 
cybersecurity of those assets. IT assets combined with their 
vulnerabilities and misconfigurations represent a significant 
attack surface that our adversaries target.
    Another fundamental principle of CDM is to understand who 
is on the network. By learning who has access to agency 
networks, including those individuals with privileged user 
access, agencies can begin to appropriately restrict network 
access and ensure the principle of least privilege is being 
followed.
    The next phase seeks to understand what is happening on the 
network. By strengthening network protections and providing 
expanded visibility to the cloud and mobile devices, agencies 
will gain a more robust understanding of the events occurring 
on their networks and help them standardize incident 
reporting. The program is also beginning to plan for enhanced 
data protections in Federal agency high-value environments from 
information rights management to micro segmentation. These 
phase 4 initiatives will help agencies secure their most 
sensitive data, regardless of where it is located on the 
network.
    Moving forward, the new CDM DEFEND acquisition strategy 
incorporates lessons learned from earlier stages of the CDM 
Program. CDM DEFEND contracts will support longer periods of 
performance with higher contract ceilings to provide 
significant flexibility.
    In closing, I want to assure these committees that DHS is 
embracing our statutory responsibility to administer the 
implementation of Federal agency cybersecurity processes, 
policies, and practices. The overarching goal of Federal 
cybersecurity is to ensure that every agency maintains an 
adequate level of cybersecurity commensurate with its own risk 
and with those of the Federal enterprise.
    Thank you for the opportunity to testify. I look forward to 
the questions you may have.
    [The prepared statement of Mr. Cox follows:]
                    Prepared Statement of Kevin Cox
                             March 20, 2018
    Chairman Ratcliffe, Chairman Hurd, Ranking Member Richmond, Ranking 
Member Kelly, and Members of the subcommittees, thank you for today's 
opportunity to discuss the state of Federal cybersecurity. The 
Department of Homeland Security (DHS) serves a critical role in 
safeguarding and securing cyber space, a core homeland security 
mission. The National Protection and Programs Directorate (NPPD) at DHS 
leads the Nation's efforts to ensure the security and resilience of our 
cyber and physical infrastructure. This past December, the House voted 
favorably on H.R. 3359, the ``Cybersecurity and Infrastructure Security 
Agency Act of 2017.'' If enacted, this bill would mature and streamline 
NPPD, renaming our organization as the Cybersecurity and Infrastructure 
Security Agency to clearly reflect our essential mission and role in 
securing cyber space. The Department strongly supports this much-needed 
legislation and encourages swift action by Congress to complete its 
work on this legislation.
    NPPD is responsible for collaborating with Federal agencies to 
protect civilian Federal Government networks, as well as with the 
intelligence community; law enforcement; State, local, Tribal, and 
territorial governments; and the private sector to defend against cyber 
threats. We endeavor to enhance cyber threat information sharing across 
the globe to stop cyber incidents before they start and help businesses 
and Government agencies to protect their cyber systems and quickly 
recover should such an incident occur. By bringing together all levels 
of Government, the private sector, international partners, and the 
public, we are taking action to protect against cybersecurity risks, 
improve our whole-of-Government incident response capabilities, enhance 
information sharing on best practices and cyber threats, and strengthen 
resilience.
                        cybersecurity priorities
    This administration has prioritized protecting and defending our 
public and economic safety from the range of threats that exist today, 
including those emanating from cyber space. Last year, the President 
signed Executive Order (EO) 13800, on Strengthening the Cybersecurity 
of Federal Networks and Critical Infrastructure. This Executive Order 
set in motion a series of assessments and deliverables to understand 
how to improve our defenses and lower our risk to cyber threats. This 
order also emphasized the importance of accountability--clarifying that 
agency heads are responsible and will be held accountable for the 
security of their networks and systems. NPPD plays an important role in 
providing capabilities, services, and direction to Federal agencies.
    Although Federal agencies have primary responsibility for their own 
cybersecurity, DHS, pursuant to its various authorities, provides a 
common set of security tools across the civilian executive branch and 
helps agencies manage their cyber risk. NPPD's assistance to Federal 
agencies includes:
  - providing tools to safeguard civilian executive branch 
        networks through the National Cybersecurity Protection System 
        (NCPS), which includes ``EINSTEIN'', and the Continuous 
        Diagnostics and Mitigation (CDM) programs;
  - measuring and motivating agencies to implement policies, 
        directives, standards, and guidelines;
  - serving as a hub for information sharing and incident 
        reporting; and
  - providing operational and technical assistance, including 
        threat information dissemination and risk and vulnerability 
        assessments, as well as incident response services.
    Today, my testimony will focus on one of the capabilities NPPD has 
to assist Federal agencies with their cybersecurity and DHS with 
protecting the Federal enterprise--the Continuous Diagnostics and 
Mitigation (CDM) program. CDM provides cybersecurity tools and 
integration services to all participating agencies to enable them to 
improve their respective security postures by reducing the attack 
surface of their networks as well as providing DHS with enterprise-wide 
visibility through a common Federal dashboard.
    In the first phase of CDM, the National Protection and Programs 
Directorate (NPPD) is helping Federal agencies better understand what 
is on their network and better manage the cybersecurity of those 
assets. CDM works to ensure that agencies know what IT assets they 
operate and how well those assets are configured and patched. IT 
assets, combined with their vulnerabilities and misconfigurations, 
represent a significant attack surface that our adversaries target. 
Through better patching and configuration, agencies are able to reduce 
the likelihood of successful compromise against the evolving threat. 
This is one of the key objectives of CDM.
    Another fundamental principle of CDM is to understand who is on the 
network, which we address through Phase 2. By learning who has access 
to agency networks, including those individuals with privileged user 
access, agencies can appropriately restrict network access and ensure 
the principle of least privilege is being followed. This second phase 
of CDM is a significant step forward in managing cyber risk.
    CDM is helping us achieve three major advances for Federal 
cybersecurity.
    First, agencies are gaining continuous visibility, often for the 
first time, into the extent of cybersecurity risks across their entire 
network. With enhanced visibility, they can prioritize the mitigation 
of identified issues based upon their relative importance.
    Second, with the Federal dashboard, the NCCIC will be able to 
operationalize this visibility, initially through improved 
vulnerability management. For example, the NCCIC currently tracks 
Government-wide progress in implementing critical patches via agency 
self-reporting and manual data calls. CDM will transform this, enabling 
the NCCIC to immediately view the prevalence of a given software 
product or vulnerability across the Federal Government so that the 
NCCIC can provide agencies with timely guidance on their risk exposure 
and recommended mitigation steps.
    Third, through the CDM program, the DHS is building important 
partnerships with the General Services Administration (GSA), other 
Federal agencies, and industry to directly address the nation-state and 
criminal threats against our critical data and Federal networks.
    Effective cybersecurity requires a robust measurement regime, and 
robust measurement requires valid and timely data. CDM will provide 
this baseline of cybersecurity risk data to drive improvement across 
the civilian executive branch.
    Moving forward, the new CDM DEFEND Acquisition Strategy, developed 
in partnership with GSA, incorporates lessons learned from the 
Continuous Monitoring as a Service Blanket Purchase Agreements that 
were used in the early stages of the CDM Program. CDM DEFEND contracts 
have longer periods of performance with higher contract ceilings 
providing agencies more flexibility. This flexibility will allow 
agencies to modernize and standardize their security capabilities in a 
way that meets the CDM requirements and makes the most sense for each 
organization. CDM DEFEND will also support legacy and new 
infrastructure requirements such as cloud and mobile and will allow 
agencies to procure cybersecurity tools and services separately or 
together.
                               conclusion
    In the face of increasingly sophisticated threats, NPPD supports 
the Federal Government's efforts to defend our Nation's Federal 
networks and critical infrastructure from cyber threats. Our 
information technology is increasingly complex and dynamic with 
interdependencies that add to the challenge of securing and making it 
more resilient. Technological advances have introduced the ``internet 
of things'' (IoT) and cloud computing, offering increased access and 
streamlined efficiencies, while increasing our footprint of access 
points that could be leveraged by adversaries to gain unauthorized 
access to networks. As our Nation continues to evolve and new threats 
emerge, we must integrate cyber and physical risk in order to 
understand how to effectively secure it. Expertise around cyber-
physical risk and cross-sector critical infrastructure 
interdependencies is where NPPD brings unique expertise and 
capabilities.
    Thank you for the opportunity to testify, and I look forward to any 
questions you may have.

    Mr. Ratcliffe. Thank you, Mr. Cox.
    The Chair now recognizes the Chairman of the Subcommittee 
on Information Technology, Mr. Hurd, for 5 minutes.
    Mr. Hurd. Thank you, Chairman Ratcliffe.
    I appreciate the manner in which we are able to pursue 
these important issues and not worry about that silly word 
``jurisdiction'' that I know bothers both of us.
    Mr. Cox, I think DHS is doing a great job. I think you 
all--this is why we passed the Cybersecurity Act of 2015. This 
is why we made you all the bellybutton of protecting the dot-
gov domain and coordinating with the private sector.
    I have some basic questions. These aren't trick questions, 
but when it comes to the actual implementation, DHS has the 
tools that you are helping to implement on some of these other 
agencies. Is that correct?
    Mr. Cox. Yes. Through a series of mechanisms, contracting 
processes that we build with GSA----
    Mr. Hurd. Sorry to interrupt. I'm going to try to use my 
time judiciously. So an agency, do they have to pay you?
    Mr. Cox. It is through the budget that is allocated to DHS 
that we work with the agencies to fund the efforts to deploy 
the CDM capabilities.
    Mr. Hurd. So phase 1 implementation of CDM is basically 
free to those agencies?
    Mr. Cox. The idea is that we fund the foundational year, 
the base year of the licensing plus the first maintenance year, 
and then we transition the maintenance of those tools over to 
the agencies. In those first 2 years, we also provide 
integration support to help with the deployment of those tools.
    Mr. Hurd. Gotcha. So, basically, they are getting this for 
2 years, and they have got to figure out how to transition this to 
the O&M on their budget.
    Mr. Cox. That's correct. Yes, sir.
    Mr. Hurd. So, to me, this is ridiculous if there's any of 
the agencies that are not taking advantage of this in trying to 
implement this. So, once it's implemented and you're paying for 
the licenses, why would phase 2 cost money to the agency?
    Mr. Cox. It follows--phase 2, as well as our future phases, 
follow the same model. So we provide base year plus a 
maintenance year and then the cost to transition off for O&M to 
the agency, and there is integration support included in that.
    Mr. Hurd. So, Mr. Garcia, let me transition to you, since 
you have implemented phase 1 of this. What is your phase 2 
cost?
    Mr. Garcia. To be entirely candid, I don't know the entire 
cost off the top of my head.
    Mr. Hurd. In general, what are you having to pay for? 
Because you've implemented software, right? You're just using 
that software in a different way. So you're using that 
software, first, to understand all the different nodes that you 
have on that network. Then, second, you're trying to figure out 
basically the access and credentials process and who has access 
to various things on that network. So it's not like you're 
having--nobody is implementing any new software. So my question 
is: If you have people on your team that are managing the CDM 
tools, what is the cost to going to--from phase 1 to phase 2?
    Mr. Garcia. So, when we transitioned, we had other tools in 
place, and we basically sunset the tools that we had in place 
and adopted them. So, for OPM, it was rather seamless. We were 
doing the work already coming out of the 2014-, 2015-era stuff. 
So the costs were minimal, I mean, additional about what we 
were already doing.
    Mr. Hurd. I just want to confirm that point. So my question 
is for Mr. Blackburn and Mr. Everett: If you have a DHS that 
has the ability to fund the first 2 years of this and that this 
is a cost that should be taken over by your existing 
infrastructure and people, why is there any hesitancy of not 
accepting or implementing the other elements of phase 1, or why 
is phase 2 so difficult, because the cost is negligible?
    Mr. Everett. Well, the phase 2 are some new tools that 
people are bringing in. So, look, we're a poor example, 
because, frankly, we're behind. We----
    Mr. Hurd. That's what I always liked about you, Mr. 
Everett; you're always straight, straight to the point. I 
appreciate that.
    Mr. Everett. I don't like to second-guess because I wasn't 
there. I presume that my predecessors acted with the resources 
and direction they had. We're behind because we focused on a 
very small part of the Department. We are a large and diverse 
Department. So phase 1 and phase 2 were some different tool 
sets. On a small part of the Department, phase 1 is done. We 
have gone back and again at the direction of our Secretary and 
deputy secretary, and we are looking to cover all of phase 1 
and then phase 2 for the entire Department.
    Much like Mr. Garcia, a number of areas in our Department, 
they have CDM capabilities. What I mean by that is they have 
got tools that do those capabilities that we talk about in the 
phases. They may or may not be necessarily the tools that are 
part of those procurements. So, much like Mr. Garcia, our role 
right now is we are filling all those gaps, and then my goal 
over time would be to sunset some of those existing tools as we 
can, but integrate all the data back into our dashboard, which 
then goes back up to DHS.
    But, very frankly, to get to your question, we're starting 
to look at right now--I think we figured we're working with 
DHS. We figured out the cost of filling our gaps. Then we're 
estimating right now--I think the number I had was a little 
over $8 million a year for the outyear M&O. Some of that may be 
absorbed because it will displace existing tools. Some of it is 
gaps in tools, in which case it is a new cost to us. So I'm 
working right now to make sure in our outyear budget, because 
we do have the time to put it in there, that we pay for that as 
a Department so that it doesn't become all the little ticky-
tack stuff, but that we pay for it as a Department because it 
is a Departmental tool. Much like, again, the DHS approaches 
this as a Federal tool for the Federal enterprise, that is the 
direction we're trying to go.
    Mr. Hurd. Mr. Chairman, I apologize. I yield back the time 
I do not have.
    Mr. Ratcliffe. The Chair now recognizes the gentleman from 
Virginia.
    Mr. Connolly. Thank you, Mr. Chairman.
    I do see votes have been called. We have one vote. Some of 
us are going to be going in and out.
    Thank you all for your testimony.
    Mr. Garcia, you're new, as you point out, but our committee 
certainly had--the head of OPM at the time of the breach 
testified before our committee, and she lost her job, frankly, 
over that incident. Coming in, looking at the situation, this 
was I think the largest Federal cyber breach ever, and it 
compromised somewhere between 24- and 28 million Americans' 
personal data. How confident are you that we've come a long way 
and that that kind of breach is unlikely to happen today? Are 
the vulnerabilities fundamentally still there?
    Mr. Garcia. To answer your question directly, I'm very 
confident.
    Mr. Connolly. You are very confident.
    Mr. Garcia. I'm very confident we know who and what is on 
our networks. Am I 100 percent? I don't think you can ever get 
to 100 percent as the landscape, when it changes, changes 
rapidly. But I'm as confident as I can be in the defenses we've 
put in place, and a large portion of that, quite honestly, has 
been hand-in-glove with the CDM Program.
    Mr. Connolly. Do you believe if the CDM Program had been in 
place, we would have--could have avoided or preempted that 
cyber attack?
    Mr. Garcia. So I thought about that question a lot, and I 
am not trying to evade here, but I don't know if I'm fully 
qualified to say that, not having been here during that time 
and understanding some of the complexities that were involved 
with my predecessors.
    Mr. Connolly. One of the problems that we had at OPM at the 
time was duplicative--I'm sorry--systems that couldn't talk to 
each other, multiple systems, old systems, unencrypted systems. 
By and large, has that been addressed to your satisfaction as 
the new CIO?
    Mr. Garcia. By and large, I would say, yes. Could we get 
better? Yes. We have 100 percent PIV authentication for network 
access. We have micro segmentation. You can't get on OPM's 
networks unless we know you're on and have a valid PIV 
credential. Again, I think a lot of that work that we've done 
and what we see from the dashboard is again from the tools from 
CDM.
    Mr. Connolly. Let me just say to you: I hope part of your 
mission will be to continue to care for the people who had 
their data compromised because, as you know, that kind of data 
available, it could be years before someone decides to do 
something bad and your credit rating is damaged or someone gets 
into your financial accounts. So I do believe we have a sacred 
obligation to those people on-going to make sure they are 
protected, and I know you share that view.
    Mr. Garcia. I concur.
    Mr. Connolly. I thank you.
    Mr. Blackburn, welcome again. Thank you for your service. 
It is always fascinating to hear your story about you're a 
customer. We've seen some reports in the press recently that 
the new electronic system has created more than glitches in 
some cases, denial of care, mess-up of identity, drug 
protocols, and has actually interfered with urgent care or 
specialized care that our veterans need. Could you elaborate on 
that? I mean, how concerned are you about that? Is this 
something to be expected that is going to be ironed out, or do 
we have yet another fundamental flaw in a major investment in 
terms of veterans or Active-Duty health care?
    Mr. Blackburn. So I'm very, very concerned and that--what 
you mentioned specifically was with the DOD's rollout of MHS 
GENESIS out in the Pacific Northwest, and I've been working 
very closely with that team. Stacy Cummings, who leads that 
team, she and I talk very frequently. We are monitoring that 
very, very closely to make sure we--when VA gets ready to 
launch our pilots, after we sign the contract with Cerner, that 
we won't be making the same mistakes. So there's a number of 
things that are going well with that, but there's also the 
things that you mentioned that are not going well, and we are 
working with----
    Mr. Connolly. I'm going to invite you to submit--certainly 
to our committee and I assume this committee as well. Mr. 
Ratcliffe, I don't mean to presume some reports on that 
because, obviously, we are concerned, and we have had some 
history. In the brief period of time I have left--thank you--
Mr. Everett, we just had some public reports about Russian 
cyber attacks on our grid and power system, very alarming in 
terms of what it could do, and we previously had attacks on the 
nuclear power system and other systems around the country. Do 
you believe CDM is a tool that can help prevent that or detect 
that or preempt it? How worried should we be about the 
vulnerability especially of our grid?
    Mr. Everett. Obviously, we take that very seriously. We 
work with our partners, the FBI and DHS, on ensuring that we 
work very well with the electric sector on those issues. 
Obviously, we have had a lot of briefings over even the last 
week. It is of special concern to me, of course, because we 
have our Power Marketing Administrations, which, for those who 
are not familiar, the Department of Energy, they are directly 
involved in provision of electricity for millions of Americans 
throughout the West and Northwest. So--that is one of the reasons 
we are working with them to fill--they have a number of tools. 
We work very closely with them as part of the Department. We are 
working to make sure anywhere that they do have gaps in the CDM 
capabilities that are out there, that we are working to fill 
them. In fact, I just had some of their folks in this morning 
and meet with them again, depending on snow, tomorrow. I will 
tell you they have a number of systems in place, and they are, 
very frankly, a bit of a challenge because they have industrial 
control systems and SCADA systems, which are a bit unique. That's 
one of the areas we want to work with DHS, because you will 
always have those unique challenges, as broad as the Federal 
enterprise is, that we want to have them. But I absolutely 
believe the CDM tools, because they give you the visibility of 
what's on your network and who is on your network, absolutely 
will help you in that type of security.
    Mr. Connolly. Thank you.
    Thank you, Mr. Chairman.
    I do want to congratulate Mr. Blackburn for making progress 
on data center consolidation. We want to see more progress at 
DHS, and we want to see that scorecard, FITARA scorecard, move up.
    Thank you all so much for being here.
    Thank you, Mr. Chairman.
    Mr. Ratcliffe. I want to advise the witnesses that votes 
have been called, but we are going to continue the hearing. So 
I am going to proceed with questions. I want to let Ms. Jackson 
Lee know that the hearing will continue if she wants to go vote 
and return, and actually, I think I'll take advantage of that 
myself and see you all shortly.
    It looks like we are going to have to recess the hearing 
temporarily, very shortly, for a quick vote.
    [Recess.]
    Mr. Ratcliffe. I am calling the subcommittee hearing back 
to order. I appreciate the witnesses' indulgence. Obviously, 
the vote schedule is beyond our control.
    Having said that, I recognize myself for 5 minutes.
    Mr. Everett, so DOE has its CDM dashboard up and running. 
Can you give us a sense of what the value is of the data that 
you're now realizing from Phase 1 CDM, what the capabilities 
are? What's different now that that's operational?
    Mr. Everett. So we're just starting to pull the value out 
of that. We've got our IGC-3, which is essentially sort-of our 
enterprise SOC. Again, very frankly, one of our challenges is 
our scope of where we have CDM installed is limited at this 
point. It gives me visibility in--the services I traditionally 
have provisioned that are primarily to all our Federal 
employees is what it covers.
    What it's doing is it is starting to give us the picture 
of, again, what our internal vulnerabilities look like, you 
know, as Kevin talked about, our actual vulnerability in patch 
management, start to give us a picture of what our 
prioritization should be about not only patching but about 
which systems are going to be no longer supported, which 
systems are out-of-date, some of those things.
    The real value for us, frankly, is as we start to expand it 
across our enterprise to the PMAs and other folks. Again, many 
of our labs and sites already have the capabilities; we have 
not tied them together as an enterprise.
    Mr. Ratcliffe. OK. So are you lacking any authorities that 
would have allowed you to do that faster that you need now to 
sort-of roll it out on a more expedited--and take advantage of 
it on a more expedited basis?
    Mr. Everett. So I think, for me, I can say, very 
fortunately, the answer is no.
    At this point--you know, again, I report directly to the 
Secretary and deputy secretary, and that was changed right 
after I came on in August. That's been a huge improvement. I 
have their direct, firm push that we need to do this. They 
understand very well that we've got to know what's on our 
networks. That's the first step in some basic cybersecurity 
hygiene.
    Mr. Ratcliffe. OK.
    Mr. Everett. So I've got that full authority.
    Mr. Ratcliffe. So then let me shift to you, Mr. Garcia, 
because you're a little further along the curve. So, same 
question regarding the new data or better data that CDM is 
providing.
    Mr. Garcia. So, again, just to echo what Mr. Everett said, 
was we were able to see across the spectrum. We can see end-of-
life systems out there. We can see items that are requiring 
patches. We can see operating systems that are end-of-life. We 
can see the progress we make with our patch updates as well.
    Mr. Ratcliffe. OK.
    So, in addition to your current role, you have pretty 
considerable private-sector experience. We're always trying to 
leverage what innovative companies are doing. Are there any 
short-term recommendations that you would make or could make 
from that experience that might speed up the deployment of CDM 
capabilities?
    Mr. Garcia. That's a great question. Since I've been with 
OPM, since October, I've been trying to think, how do we 
expedite things, how do we move things faster? I feel like 
we're always kind-of behind the eight-ball in Government 
deployment.
    I think a lot of it has to do with the bureaucracy and 
trying to navigate that. I understand there's a balance that 
has to be reached and the need to be fully accountable for 
taxpayer dollars. But, at some point, I think there's got to be 
mechanisms that we can strike a balance that will enable us to 
move faster on some of these.
    Mr. Ratcliffe. So what would those milestones be that are 
out there that we can look for to know that we're on track, 
that we're getting--that we're making progress, you know, with 
respect to an effective structure for, you know, defending the 
Federal IT infrastructure?
    Mr. Garcia. Quite honestly, I think that CDM does provide 
that. If you look at Phase 1 and Phase 2, they're addressing a 
lot of the NIST controls that are in place. Phase 3 is moving 
toward that more agency focus, with the goal in Phase 4 to move 
into that continual monitoring of the network. I think those 
are good mile markers.
    Mr. Ratcliffe. OK.
    So let me roll that into a question for you, Mr. Cox, we 
all want CDM to be a force multiplier for network defenders. 
What's the 3-year plan to get there? How do we know that we're 
getting there? What can I look at, as a Member of Congress with 
oversight, to say, hey, we're on track, or we're not on track, 
and hold you accountable?
    Mr. Cox. Certainly. I'll take that as two questions.
    First, in terms of what we're looking at over the next 3 to 
6 years is, with our CDM DEFEND contracting mechanism, we have 
the flexibility built in to work with the agencies to see what 
their priorities are at that point in time, be able to get 
teams in from the integrator that owns the contract, to help 
get the solutions deployed more quickly and being more nimble 
in terms of what the agency's needs are.
    In terms of metrics, really looking at what we've 
accomplished so far and what we will be moving toward, is, to 
this point, getting the visibility across the networks, 
starting out looking at the numbers of assets that were 
reported manually. We found a 75 percent increase in terms of 
the total number of assets once we got automated tools into the 
environment. From a cost-savings standpoint, by being able to 
do volume purchasing of the tools, we found that we achieved 
savings upwards of 70 percent off of IT Schedule 70.
    In terms of where we're headed in being able to measure the 
mission impacts of CDM, we want to be able to get full 
visibility both at the agency level for the agencies as well as 
at the Federal level; and then be able to see what their 
overall cyber hygiene is, their security posture; and 
ultimately be able to help manage, for the agencies at the 
agency level and us at the Federal level, the risk across the 
Federal enterprise.
    Mr. Ratcliffe. Terrific. Thanks very much.
    My time has expired. The Chair now recognizes the 
gentlelady from Texas, Ms. Jackson Lee, for 5 minutes.
    Ms. Jackson Lee. Mr. Chairman, thank you. Thank you for 
this joint hearing.
    I thank the witnesses for being instructive and insightful. 
I think we have a lot on our plate. Certainly, Mr. Cox, the 
areas that you deal with are of particular concern, and 
certainly the Office of Personnel Management. We're delighted 
that Veterans Affairs is getting on track.
    But let me recite what I've done for a number of years. 
Just a historical perspective. This committee was included in 
something called Transportation Security and Infrastructure, so 
we began talking about these issues almost a decade ago. We're 
probably behind, but I'm glad to see where we are today. So 
I'll pose some questions initially and then--some pointed 
questions, but I think we've made great strides.
    I emphasize a point that I wanted to make, is that we have 
a small percentage of the cyber, and most of it is in the 
private sector. A lot of that impacts Government agencies. I 
think that the more we are engaged--I introduced legislation 
that was passed--and I thank the committee--that dealt with 
zero-day events. Part of it was the consulting with the private 
sector on what might be helpful to them and what might be 
helpful to you that may be Classified.
    So I would ask this question. As you know, one of the 
challenges with Federal cybersecurity is that new technologies 
are being developed much faster than the Federal procurement 
cycle allows. What should we be doing to make sure that the CDM 
Program is flexible and agile enough to keep pace?
    Why don't I--and I'd appreciate pithy answers. I'm trying 
to get to all of you. Why don't I start with Mr. Cox and then 
go to Mr. Garcia with OPM because of the unfortunate major 
snafu impacting our Federal employees.
    Mr. Cox.
    Mr. Cox. Yes, Congresswoman. We've approached the ability 
to bring on new technologies, new innovations more quickly in 
two ways.
    First, through the CDM DEFEND task order. By awarding a 
long-term task order of 5 to 6 years, it enables us to continue 
to issue requests for service to that integrator for different 
types of technology, different types of need more quickly, 
rather than having to recompete a new contract.
    Second, through our approved products list, we have 
accelerated the pace at which vendors, industry can submit new 
products to the approved products list. On a monthly basis, 
vendors can submit those to us. Working with our staff, we 
assess those quickly, and then, if the products meet the 
criteria, they're quickly added. That enables agencies to get 
to those products more quickly.
    Ms. Jackson Lee. Mr. Garcia.
    Mr. Garcia. Thank you for the question.
    So I think the focus for us in coming out of the events of 
2014 and 2015 was, how do we--if we need to buy something to 
address a zero-day event, we need a vendor, we need a service, 
we need software, we need hardware, how do we shorten the 
procurement time to bring these tools to bear as quickly as 
possible?
    Ms. Jackson Lee. Absolutely.
    Mr. Garcia, I've got you right on the spot here. Does this 
either flexibility or attentiveness to moving forward include 
and embrace small, minority-, and women-owned businesses in the 
context of how the Federal Government utilizes so they're not 
shut out of the door because of their size?
    Mr. Garcia. That's a great question. So, as a former 8(a) 
program member, I would say ``absolutely'' to that question.
    Ms. Jackson Lee. That they have the opportunity?
    Mr. Garcia. Absolutely.
    Ms. Jackson Lee. Let me go right to Mr.--for the Veterans 
Affairs, Mr. Blackburn. Thank you for your service.
    We lived in a nightmare as our veterans were either dying 
or not being able to get served. We know that it is certainly 
an old agency, and it deals with older patients who deserve our 
honor and respect.
    What have you been able to do to cure that devastating 
experience that veterans have had, languishing in hallways 
waiting on doctors or not getting their doctor appointments?
    Mr. Blackburn. Well, that nightmare is why I joined after 
2014. I was as shocked and disgusted as anybody.
    We've really pushed hard on shortening the wait times so 
that we now have same-day access in all of our sites. We've 
really doubled down on customer service, self-service tools 
for--I schedule my appointments now using an on-line tool.
    So we're using technology. We're staffing. We're focusing 
on the biggest problems to make sure that that never happens 
again.
    Ms. Jackson Lee. Two last questions, which I'd like all of 
you to answer, is: What do you view as the greatest promise on 
the CDM for the Federal network?
    But as you answer that, please--I've introduced another 
piece of legislation to improve the cyber professional staff 
for the Federal Government. If that would be helpful to you, 
you might acknowledge that.
    But the final question--that question is No. 1, about 
what's the greatest promise. The other one is, in the backdrop 
of this hearing, we have an unfortunate discovery of the entity 
with Facebook, Cambridge, and the misuse of millions of emails 
or data of Americans.
    My question would be--we don't want to be in that position. 
What relationship should the Government have?
    We use these tools--Facebook, Google. I would hope we never 
acknowledge that they've gotten bigger than us, in terms of 
being able to overrun what are legitimate responsibilities of 
the Government to protect the American people.
    So if you would answer how our interface would be with 
these giants. Because we have the most and highest 
responsibility, and that is to the American people.
    Do you want to start, Mr. Everett?
    Mr. Everett. Yes, ma'am.
    I think, on your first question, aside from just the value 
of the tools themselves, I think one of the greatest promises, 
long-term, for the CDM Program ultimately should be the ability 
for us at the Federal enterprise level to start to share 
information together. I think that's just an opportunity that 
we have not taken full advantage of.
    I understand it's part of the purpose of DHS being given 
that role as a coordinator that we as a Federal--you know, that 
we're all seeing different perspectives of the cyber threat, 
and I think that CDM, longer-term, provides an avenue that we 
can share that information across the entire Federal enterprise 
to help protect each other.
    As to your other question, I would just say I think that's 
a challenge not just for us in Government but certainly 
culturally, is helping people understand the privacy issues and 
how that ties into our security.
    You know, as somebody who did this and used to talk to 
people in the private sector and try and give some training, 
most of us, even as professionals in this, very often don't 
really think about the implications of some of the tools we use 
on our privacy and then what, in turn, that does to our 
security.
    So I think that probably takes longer, looking at across 
the Federal enterprise and making sure that privacy is a part 
of our discussion of security. Because they do--you know, the 
bad guys typically want to misuse those kind of tools to get 
into our networks and do other things. So we need to tie those 
together.
    Ms. Jackson Lee. Thank you.
    Mr. Blackburn.
    Mr. Blackburn. To me, the promise of CDM, it's really 
moving from a reactive posture to a proactive posture.
    A little less than a year ago, the WannaCry virus targeted 
us as well as many others, and we, luckily, had the patches in 
place and fared well, but the U.K. health care system, for 
example, not so much. We don't know what the next threats are 
going to be. We have to stay on top of that, proactive, and 
find those before they hurt us.
    On the second question, I agree completely with Mr. 
Everett. What I would add on to that is, you know, the 
relationship with those giants--the Facebooks, the Googles--and 
making sure that we are constantly sharing the best practices 
and making sure that we are incorporating those things. But 
also, to your other point that you made a little bit earlier, 
which is, those companies were small and innovative. A lot of 
the great companies that have created such great platforms have 
come out of that small, agile, innovative--so make sure that 
we're also providing opportunities for those types of 
companies, as well, to induce, like, the best practices.
    Ms. Jackson Lee. Yes? Mr. Garcia again.
    Mr. Ratcliffe. The gentlelady's time has expired, but, Mr. 
Garcia and Mr. Cox, weigh in very quickly, if you can.
    Ms. Jackson Lee. Thank you, Mr. Chairman, for your 
indulgence.
    Mr. Garcia. So, to the first question, promise, I'd have to 
agree with my colleagues. I think sharing, along with 
reciprocity and interagency agreements, if we could standardize 
these things, I think it would do a great value to the Federal 
Government.
    As to the second question, I feel a bit uneasy to answer 
the question due to the fact I'm not fully aware of what's 
Facebook's public data policies with their open data and what 
agreements they had in place. I don't know that it's really 
fair for me, as an OPM and representative of the Government, to 
really--to comment on that without that knowledge.
    Ms. Jackson Lee. Thank you.
    Mr.----
    Mr. Cox. Yes, Congresswoman. What the real key for us, to 
echo what Mr. Blackburn said, is to get from a reactive stance 
to a proactive. We want to get out in front of the threat. We 
want to take the low-hanging fruit out of the equation and be 
able to enable these agencies, as well as all agencies, with 
the visibility of their networks, to be able to see where the 
threat is and shut it down.
    Again, like Mr. Garcia said, I don't feel that I'm in a 
good position to comment specifically on the Facebook case. But 
I would say that it is important for us to continue to build 
our partnerships with industry, to interact with them, learn 
what they're doing. We can share our lessons as well. We, as a 
Nation, continue to get better.
    Thank you.
    Ms. Jackson Lee. I yield back the time. Thank you, Mr. 
Chairman.
    The Chairman. I thank the gentlelady.
    The Chair now recognizes the gentleman from Nebraska, Mr. 
Bacon.
    Mr. Bacon. Thank you, Mr. Chairman. I appreciate it.
    Thanks for being here.
    I've got a question for Mr. Cox.
    The CDM, will you be looking at it at DHS from an 
enterprise-wide DHS, or will it be all the sub-agencies doing 
CDM? How do you integrate that? So I'm sort-of nosy on that.
    Mr. Cox. Certainly. The idea is that each component or 
operational division in each agency will be able to have the 
visibility for their particular mission area and their 
particular component.
    So, specifically with DHS, we're working--our program 
office is working with the DHS Office of the CIO, similar to as 
we work with the agencies here, to help them get the solutions 
out, help them build the partnerships with the components, so 
that they, the CIO's office, get the visibility across DHS, but 
at the same time the components within DHS get that same 
visibility for their component space.
    Mr. Bacon. Uh-huh. Will you have enterprise-wide visibility 
and see the integration or get the synergy out of that?
    Mr. Cox. That's correct. So, while each component will have 
visibility for their component, that information is aggregated 
up at the object level, so the Office of the CIO will be able 
to see individual devices, individual systems.
    Mr. Bacon. Right.
    Mr. Cox. Then what we're doing from the agency level up to 
the Federal level is summarizing that data. So, at the Federal 
level, what we're seeing is a summary view but with enough 
information that we can work with the agencies to respond to 
particular issues or incidents.
    Mr. Bacon. Does this take advantage of commercial off-the-
shelf technology pretty readily?
    Mr. Cox. It does. That's a core principle of the program. 
We didn't want to do a lot of customized builds here. We wanted 
commercial off-the-shelf, that the product could be put in 
place quickly, the agency could learn it quickly and be able to 
get value from it immediately.
    Mr. Bacon. Right.
    One question for you, but it may be applicable for 
everybody, but I'll just get your perspective. Will the 
automation help you reduce some manpower requirements by this? 
Do you get some savings where you can redirect people?
    Mr. Cox. That's exactly right. That's the idea, is that we 
change these manual processes that we've followed for so long, 
get automated data so we can make better decisions more 
quickly. Then those folks that were doing that manual 
assessment work before, we can reassign those efforts to 
security operations and being able to help identify the threat 
and get in front of it.
    Mr. Bacon. This next question really is for you and Mr. 
Everett. One of the things that disturbs me most--and I'm not 
sure how applicable right now it is to CDM, but I'm going to 
give you a chance to touch on it--is the vulnerability of our 
energy grid. I'm not sure which portfolio that falls in.
    I was afraid to talk about it too much until yesterday. 
Now, all this data has been released saying just how vulnerable 
our energy grid is.
    I mean, it was thought, because there's so many--you know, 
it's such a fragmented system out there, how would the Russians 
and Chinese devote the manpower to get in there and really 
attack this? But with yesterday's release, we see they are 
trying to do that.
    How does CDM help either one of you go after this huge 
threat? Does it facilitate or--does it directly help or 
indirectly?
    Mr. Cox. I'll start and provide the program's perspective 
and then turn it over to Mr. Everett.
    Our idea is that we want to provide Mr. Everett and the 
rest of the agencies the visibility of their network, be able 
to get vulnerabilities quickly patched, get the systems 
properly configured to reduce the likelihood that an adversary 
can easily get into that system.
    We then want to help the agencies get visibility across 
their network so that they can detect any attacks to their 
network, any threats in their network, and address them 
quickly.
    Mr. Bacon. But we wouldn't be able to help if the Russians 
or Chinese were attacking our energy grid separate from the 
network right now. Would that be--is that an accurate 
statement?
    Mr. Cox. The idea is that, if any adversary is trying to 
get in on the network, that we want to be able to ensure the 
agencies have full visibility of their network to see where 
that attack might be coming in. Even if it's coming in from a 
third party, we want to be able to see where that interface 
from that third party is coming into the agency network so that 
the agency can properly respond and quickly respond to shut it 
down.
    Mr. Bacon. Thank you.
    Mr. Everett.
    Mr. Everett. So I think I'll actually start--obviously, our 
Department is very focused on that. As a sector-specific 
agency, we work very closely with our colleagues at DHS. You 
know, while my focus is primarily our internal cybersecurity, 
the fact is I have part of the electric sector and the electric 
grid in our Department through our Power Marketing 
Administration. So it is very critical to us, and we try and 
leverage that understanding and knowledge in our work with the 
sector.
    I'll tell you, frankly, almost even a little more 
practically, one of the values of things like CDM is our 
credibility with the sector only goes as far as our actual 
capability. So, to the degree that we're doing it well as a 
Federal Government, then we have a leg to stand on when we go 
and talk to the sector and other folks. To the degree we don't, 
they're likely not going to take us very seriously.
    That's really how we're trying to approach it at DOE, is 
that we're trying to make sure that if we're doing it well, 
then we have something to say and something of value to bring 
out to the private sector, which is important. So that's one of 
several reasons that we take this very seriously.
    We think that our experience with tools like CDM, we want 
to be able to then sit at the table with them and share that. 
Because we do think tools like CDM, they are relevant to the 
private sector, maybe not as to the program itself, but the 
capabilities, the practices, and experience are very relevant, 
and we think they'll help.
    Mr. Bacon. Right.
    I'll just close, because I know we're out of time, and just 
say I've known about this for a while, the vulnerability of our 
energy grid, and I think it's very alarming. I think it's--the 
next December 7 won't be airplanes with torpedoes coming at 
Pearl Harbor. It's going to be triggered with an attack on our 
energy grid, with rolling blackouts and chaos.
    So I just--you've got a tough job, but I look forward to 
supporting you in this effort, because we've got to start 
working on the resilience of our energy grid. So I appreciate 
hearing the connection with CDM and this threat to us.
    Thank you.
    Mr. Ratcliffe. I thank the gentleman.
    The Chair now recognizes the gentleman from Rhode Island, 
Mr. Langevin, for 5 minutes.
    Mr. Langevin. Thank you, Mr. Chairman.
    I want to thank our witnesses for your testimony here 
today.
    Mr. Cox, if I could start with you, the report to the 
President on IT modernization notes that CDM has not sought to 
address cloud-hosted systems and that a challenge in 
implementing CDM capabilities in a more cloud-friendly 
architecture is that security teams and security operations 
centers may not necessarily have the expertise available to 
defend the updated architecture.
    Do you view CDM as having applicability to cloud 
architectures, or will it continue to focus on on-premise 
networks?
    Mr. Cox. Congressman, yes, indeed, we want to be able to 
ensure the agencies have visibility, wherever their data is, to 
that data, how it's being used, how it's being protected. So, 
as we move into Phase 3 of CDM in understanding what's 
happening on the network, we want to ensure we're providing the 
agencies capabilities to not only get on-premise visibility of 
their data and their networks, but wherever that data is, 
whether it's out in the cloud, whether it's on a mobile device, 
wherever it's stored or used. So we want to bring that 
visibility into their dashboard visibility as well as at the 
Federal level.
    Mr. Langevin. OK. Thank you.
    So there have been many reports about sluggish adoption of 
CDM tools and capabilities.
    Mr. Cox, what are the persistent obstacles to agency 
adoption of CDM, and what is DHS doing to overcome those 
obstacles?
    Mr. Cox. Yes, sir. One of the things we saw with the Phase 
1 and Phase 2 task orders is that we built those with very 
defined runways. In the case of Phase 1, it was a 3-year task 
order. In the case of Phase 2, it was a 2-year task order.
    What we saw coming in and working with the agencies is that 
we were coming in and they had other priorities on their plate, 
and so we had to, within the bounds of our task order, work to 
get our tasks scheduled really quite quickly. So it was a 
burden on the agency to make adjustments, get the resources out 
to get the work done.
    As you can see, we've made significant progress working 
with the agencies to get the work done, but we've learned from 
that lesson. So, as we've built out our new contracting 
approach, CDM DEFEND, we've worked to build in longer runways, 
we've worked to build in more flexibility, keeping things 
focused on a requirements basis, and then working with the 
agencies to look at different ways to meet those requirements, 
whether it was through the deployment of a new technology or 
perhaps with a technology they already have in place, where we 
can bring the visibility into their dashboard.
    Mr. Langevin. OK. But are there additional authorities that 
you need or additional assistance required from OMB to 
effectively implement the program?
    Mr. Cox. Yes, we're working with OMB quite closely, taking 
a look at the OMB memorandum that was put in place in support 
of CDM. They are working to update that. So they are supportive 
of the program and continuing to move it forward. So I think 
we've got a good direction there.
    Mr. Langevin. OK. That's good to know.
    I appreciate the conceptual approach of CDM's phases. 
However, can I ask, is there a reason they aren't being pursued 
in parallel? For instance, it seems that Phase 4, focusing on 
data protection, could be implemented at the same time as Phase 
3. Is there any technical or programmatic reason beyond budget 
and human resources why it's not being pursued in parallel?
    Mr. Cox. It's a good point. The way we've constructed CDM 
DEFEND, it's so that different tasks can occur in parallel, 
whether they be Phase 3, Phase 4, whether it be bringing some 
additional things that were out of scope in Phase 1 and 2 into 
scope and making sure that that can be done.
    Why we focus now on Phase 3 is we've been building up the 
programmatics around that. We are currently working with our 
sister staff, Federal Network Resilience, to do proofs of 
concept of the Phase 4 technologies, working with the high-
value asset environments. Then our aim is to quickly benefit 
from the outcome of those proofs of concept so we can begin the 
Phase 4 work in parallel to Phase 3.
    Mr. Langevin. Phase 4 is only a pilot, from what I 
understand. Is that right?
    Mr. Cox. At this point. Then we will work----
    Mr. Langevin. Why is that?
    Mr. Cox. We have certain programmatic actions we need to 
take within our Department to present the life-cycle cost 
estimates for the program, other important programmatic 
capabilities around showing that we're ready and able to fund 
and execute Phase 4 work.
    So we're currently working that, with the idea that by the 
end of the summer we will go through that programmatic review 
within the Department.
    Mr. Langevin. OK.
    I'm having technical difficulties with the mike here, but I 
also serve on the Armed Services Committee and have seen DOD's 
attempts to implement enterprise-wide cybersecurity acquisition 
programs.
    How are you coordinating best practices with them, and what 
lessons have you learned from their attempts and newer 
programs, such as DOD Endpoint Security Solutions and Comply to 
Connect?
    Mr. Cox. We are currently working with our colleagues 
within DOD. We have a meeting scheduled next week, we've had 
conversations prior, to be able to share our lessons learned on 
the capabilities that we're deploying, similar to what they're 
looking at, learning the lessons from the Comply to Connect 
implementations within DOD. That's part of the innovation, new 
technology we want to look at across the Federal Government--
the Comply to Connect technologies, software-defined 
networking, zero trust networks, et cetera.
    So we are building that partnership up so that we can share 
back and forth our best practices, lessons learned, et cetera.
    Mr. Langevin. Very good.
    Thank you all. I appreciate the answers.
    I have some additional questions that I'll likely submit 
for the record unless we do a second round, but other than 
that, Mr. Chairman, I yield back the balance of my time.
    Mr. Ratcliffe. I thank the gentleman.
    I want to thank Chairman Hurd and Ranking Member Kelly from 
the Oversight and Government Reform Subcommittee on Information 
Technology for conducting this joint hearing with us.
    I want to thank, certainly, all of the witnesses for your 
very insightful and valuable testimony today.
    I want to thank the Members for their questions.
    As you just heard, some Members of the committee will have 
additional questions for some of the witnesses, and so we'll 
ask you to respond to those in writing. Pursuant to committee 
rule VII(D), the hearing record will be open for a period of 10 
days.
    Without objection, the subcommittees stand adjourned.
    [Whereupon, at 4:16 p.m., the subcommittees were 
adjourned.]



                            A P P E N D I X

                              ----------                              

            Question From Chairman Will Hurd for Max Everett
    Question. Once maintenance costs transition from DHS to your 
agency, how much do you anticipate spending per year to sustain CDM?
    Answer. The 2019 budget includes $185,712 for the Department's CDM 
maintenance costs at the current level of maturity. The Department is 
working to catch up with CDM Phase 1 and 2 requirements. The Department 
will update operations and maintenance cost estimates during the DHS 
CDM DEFEND Request for Service (RFS) processes, which commenced with a 
recent kick-off meeting.
    Questions From Ranking Member Cedric L. Richmond for Max Everett
    Question 1. In January, we held a hearing with CDM contractors, who 
told us that one of the challenges with implementation was the lack of 
dedicated personnel with the expertise necessary to use CDM 
technologies and take full advantage of their benefits. Is there a need 
within your agency for more training or more cyber personnel to deploy 
CDM tools?
    Answer. Training and skill levels for cybersecurity staff are 
significant issues across both the Federal enterprise and the private 
sector, and this is particularly challenging with CDM. We are working 
aggressively to develop the means to better recruit and retain skilled 
cybersecurity Federal employees and contractors, both internally and in 
coordination with the administration's cybersecurity workforce efforts. 
We believe we will continue to face cybersecurity staffing challenges 
because of the high market demand for cyber resources in general, as 
well as the higher salaries available in the private sector. In concert 
with training and recruiting, we believe our path forward must focus 
on:
    a. Automation--CDM and other automated tools let machines help 
        lessen the requirement for manual intervention, allowing for 
        the more efficient allocation of cyber resources.
    b. Modernization--Cybersecurity must be built in from the moment 
        the planning and implementation process for any new system or 
        program begins, and it must be incorporated at every level, 
        from the design to the user interface.
    Question 2. Last week, DHS and the FBI released an alert describing 
an extremely sophisticated, deliberate, and successful operation by the 
Russian government to hack into the industrial control systems of 
energy providers. In your testimony, you mention some fairly alarming 
``gaps'' that ``exist across the DOE enterprise,'' including the 
National Nuclear Security Administration, the National Labs, and 
individual plants and sites.
    How do you reconcile this, in light of what we know about how 
forcefully foreign actors like Russia are targeting U.S. energy?
    Answer. The Department and our National Labs were very familiar 
with the information released, which we had previously shared with the 
private energy sector in our role as Sector-Specific Agency.
    The Department has initiated a broad, comprehensive, and multi-
phase review of the Operational Technology cyber strategy and 
capabilities across the Department. This approach is designed to 
leverage resources from across the Department's program offices and 
labs to identify gaps and implement requirements for improvements to 
monitoring and response to attacks on these systems, which will inform 
both the defense of our Federal systems and our ability to inform and 
support the energy sector. Additional phases will address the broader 
need for a strategic approach to advanced operational technology 
security solutions across the hardening, detection, and response 
functions.
    The Department is diligently working to identify and remediate gaps 
that exist in our capability to detect and defend against hostile 
actors. We are pursuing a number of avenues in this regard, including 
implementation of CDM tools; focusing our integrated Joint 
Cybersecurity Coordination Center (iJC3) efforts to provide better 
enterprise-wide cybersecurity information sharing; building enterprise 
incident response teams capable of responding to threats that include 
the Operational Technology in place at our Power Marketing 
Administrations and other sites; and enhancing and implementing more 
mature enterprise risk management to facilitate prioritization of our 
cybersecurity efforts based on metrics. We believe the Department's 
capability to execute a best-in-class cybersecurity program will 
enhance our ability to work with and support the energy sector in the 
face of expanding threats.
    Questions From Ranking Member Bennie G. Thompson for Max Everett
    Question 1a. For your agency, are there any senior cybersecurity 
leadership positions that remain unfilled?
    Question 1b. If so, how has that complicated your ability to move 
forward with CDM and other information security initiatives?
    Answer. The Office of the Chief Information Officer currently has 
only a small number of positions unfilled. At this time, the Deputy CIO 
for Cybersecurity position is occupied in an acting capacity--but that 
has only been the case for approximately 1 month and we are actively 
recruiting to fill that position. In addition, we are coordinating with 
other offices across the enterprise to assist with their hiring efforts 
to fill cyber leadership positions, including to meet new requirements 
that are forthcoming from the planned Office of Cybersecurity, Energy 
Security, and Emergency Response (CESER).
    Despite the limited number of unfilled roles, I have determined in 
my 9 months as CIO that there are staffing challenges my office faces 
as we work to mature and expand our enterprise cybersecurity program. 
We are now in the process of identifying additional Federal positions 
to provide the customer service, oversight, and accountability 
necessary to ensure a sustainable cybersecurity posture for the 
Department. In some cases, critical roles have been filled by 
contractors that I believe Federal employees should occupy. Contractors 
provide flexibility and access to unique and changing subject-matter 
expertise, but in certain cases a Federal employee is needed to provide 
customer service, oversight, and accountability to critical activities.
    Additionally, given the diverse missions and locations of critical 
Departmental offices and functions, the IT leadership and cybersecurity 
staff in the Department's program offices and sites are often even more 
critical to our cybersecurity efforts. I am working to ensure that 
these other cybersecurity professionals have an appropriate reporting 
structure across the Department's program offices.
          Question From Chairman Will Hurd for Scott Blackburn
    Question. Once maintenance costs transition from DHS to your 
agency, how much do you anticipate spending per year to sustain CDM?
    Answer. CDM Phase 1 and 2 capabilities are scheduled to be fully 
operational by 3d Qtr. of fiscal year 2019. VA just began participation 
in CDM Phase 3. CDM-related costs in 2019 are estimated at $48.6 
million to support licensing, maintenance, and operations of deployed 
equipment. The exact cost is still being confirmed as DHS continues to 
fund various aspects of the CDM program, including hardware, software, 
and operations and maintenance support. The details for the long-term 
operation and transition costs associated with Phase 2 and 3 
capabilities are still being determined.
  Question From Ranking Member Cedric L. Richmond for Scott Blackburn
    Question. In January, we held a hearing with CDM contractors, who 
told us that one of the challenges with implementation was the lack of 
dedicated personnel with the expertise necessary to use CDM 
technologies and take full advantage of their benefits. Is there a need 
within your agencies for more training or more cyber personnel to 
deploy CDM tools?
    Answer. VA continues to deploy CDM Phase 1 and 2 capabilities using 
VA and DHS resources. Final implementation is currently scheduled for 
3d Quarter fiscal year 2019. As appropriate, VA personnel receive 
training to perform their designated role and function. Once trained, 
the DHS contractor and VA transition functions in a manner that 
minimizes operational impacts. VA is also participating in the Phase 3 
tasks, with plans to participate in Phase 4. Throughout VA's CDM 
experience, we have managed resourcing requisite to the requirement and 
trained staff as required. If available, VA could benefit from 
additional training techniques and services to further augment existing 
training efforts and to fill CDM supporting positions in support of all 
CDM Phased deployments.
  Questions From Ranking Member Bennie G. Thompson for Scott Blackburn
    Question 1a. For your agency, are there any senior cybersecurity 
leadership positions that remain unfilled?
    Question 1b. If so, how has that complicated your ability to move 
forward with CDM and other information security initiatives?
    Answer. At this time, a key role in cybersecurity leadership that 
is currently unfilled is the Deputy Chief Information Security Officer 
for Policy & Strategy, which is held by an acting official. VA is 
currently reviewing candidates to select a permanent official for this 
role; however, this selection process is in the early stages of review. 
VA remains committed to implementing the CDM program activities. The 
CDM program has continued to be a priority of the agency and 
implementation activities have continued while those leadership roles 
have been held by acting officials. The CDM program has remained a top 
priority by coordinating with relevant leaders across participating 
agencies and support resources to make sure the CDM mandate is 
satisfied.
     Questions From Honorable James R. Langevin for Scott Blackburn
    Question 1. How extensive are the cybersecurity staff and skills 
shortfalls at your agencies, and how are they affecting your 
implementation of CDM?
    Answer. VA is currently in the process of transitioning 
responsibilities for CDM services, either through existing VA staff or 
other support resources. With the on-going transition, VA is still in 
the process of confirming gaps in cybersecurity staff skills necessary 
to sustain and operate the CDM capabilities that are implemented. VA is 
developing a plan to address those gaps while working on the transition 
from DHS to VA.
    Question 2. One of CDM's objectives is to replace manual, periodic, 
and time-intensive system authorizations with an on-going process for 
automated assessments and continuous authorization. Is that process 
working, and are manual authorization processes truly going away?
    Answer. VA deployed a commercial Governance, Risk, and Compliance 
tool during fiscal year 2013 that initiated automated assessments and 
supported automatic reviews for continuous authorization. VA was able 
to move a purely manual assessment process to one that allowed for the 
automatic collection of data through tools, services, and capabilities 
already deployed in VA that report back compliance deficiencies and 
vulnerabilities across millions of VA assets. In order to expand the 
effectiveness of the continuous authorization capabilities, VA will 
deploy the Enterprise Mission Assurance Support Service (eMASS) tool 
used by the Department of Defense (DoD). eMASS will not only allow 
greater delivery of automated assessment and authorization processing, 
but will expand visibility for both VA and DoD into joint and partnered 
systems' authorizations by each respective agency.
    Manual processes, to the extent possible, will be replaced by 
better use of compliance data, aggregated enterprise-level control 
reviews, and the ability to provide enhanced system-level reporting at 
an enterprise view. While some manual processes cannot be completely 
eliminated, VA will always look for automated processing capabilities 
where possible to replace manual requirements.
    Question 3a. CDM represents a large investment of dollars and time. 
I would like to understand how we will know that investment has been 
successful, in terms of improved security across the dot-gov domain. 
What metrics are you using to measure whether your cybersecurity 
programs have actually improved your agency's security posture?
    Answer. CDM automates the scanning of VA's infrastructure to 
identify any hardware or software that is outside the National 
Institute of Standards and Technology (NIST) and VA security standards, 
that is, any vulnerability. The control values that alert the dashboard 
to any such vulnerability are those standards and are built into the 
tool. Those are the metrics that measure VA's security posture. As 
vulnerabilities are identified, VA implements plans of actions and 
milestones to remedy them. Therefore, it is the CDM dashboard itself 
that will report VA's progress to improve the agency's security 
posture.
    Question 3b. How are you employing red teams to test the successful 
implementation of your cybersecurity defenses?
    Answer. VA has been leveraging the DHS National Cybersecurity 
Assessments and Technical Services (NCATS) team for the past 2 years in 
conducting an annual Offensive Security Assessment (OSA) of VA's 
implementation of cybersecurity defenses. The assessment gives the 
organization the ability to respond to a real-world attack in a 
controlled manner, with a limited number of VA trusted agents aware of 
the full attack details. The OSA assesses VA's people, processes, and 
technology by emulating various Advanced Persistent Threats (APTs) and 
measures our cybersecurity response.
           Question From Chairman Will Hurd for David Garcia
    Question. Once maintenance costs transition from DHS to your 
agency, how much do you anticipate spending per year to sustain CDM?
    Answer. OPM anticipates initially spending approximately $8 million 
annually to sustain the CDM Phase 1 capabilities, once the maintenance 
costs are transitioned from DHS.
   Questions From Ranking Member Cedric L. Richmond for David Garcia
    Question 1. In January, we held a hearing with CDM contractors, who 
told us that one of the challenges with implementation was the lack of 
dedicated personnel with the expertise necessary to use CDM 
technologies and take full advantage of their benefits. Is there a need 
within your agencies for more training or more cyber personnel to 
deploy CDM tools?
    Answer. OPM has dedicated personnel with the expertise necessary to 
use CDM technologies. However, as threats continue to evolve this will 
present additional challenges and agencies will need to make certain 
that the Federal technology and cybersecurity workforce is available 
and properly trained to meet such challenges.
    Question 2a. The DHS Inspector General recently released a report 
finding a number of information security vulnerabilities at DHS, 
including some NPPD systems that were operating without proper 
authorization. What is the status of DHS's own implementation of CDM? 
Has the Department fully deployed Phase 1 technologies?
    Answer. OPM defers to DHS to discuss its own implementation of CDM.
    Question 2b. Might CDM adoption have been easier or more efficient 
with a Department-wide cybersecurity strategy in place, as was required 
under legislation I authored in 2016?
    Answer. OPM defers to DHS to discuss its own implementation of CDM.
      Question From Ranking Member Robin L. Kelly for David Garcia
    Question. During Phase 1 implementation of CDM, many Federal 
agencies discovered that they had greatly underestimated the number of 
devices on their network and, as a result, the planned-for CDM 
deployments would be inadequate to service their larger networks. 
Indeed, DHS has publicly acknowledged that it identified 44 percent 
more devices on Federal civilian networks than originally projected, 
leading to significant gaps in coverage. Filling these gaps should be a 
significant priority for DHS and its civilian agency partners as CDM 
proceeds. What risk does the current level of coverage present and how 
soon will the identified gaps be filled?
    Answer. OPM accurately estimated the number of devices on the OPM 
network during Phase 1 implementation of CDM. In addition, OPM is 
working with DHS to improve and enhance the end-to-end protections 
where gaps were identified in the overall solution.
   Questions From Ranking Member Bennie G. Thompson for David Garcia
    Question 1a. For your agency, are there any senior cybersecurity 
leadership positions that remain unfilled?
    Question 1b. If so, how has that complicated your ability to move 
forward with CDM and other information security initiatives?
    Answer. Currently, there are no senior cybersecurity leadership 
positions that remain unfilled at OPM. OPM was one of the first 
agencies to fully implement CDM Phase 1 with the CDM dashboard fully 
populated in the spring of 2017 using the CDM sensors we've been 
deploying since 2015. In addition, we are finalizing the implementation 
of CDM Phase 2.
          Questions From Chairman John Ratcliffe for Kevin Cox
    Question 1a. What is the time line for the CDM program office to 
produce the capability requirements for Phase 4?
    Answer. The Continuous Diagnostics and Mitigation (CDM) Program is 
developing the Phase 4 capability requirements and expects to have them 
completed by the first quarter of fiscal year 2019.
    Question 1b. When is the earliest an agency could have moved 
through all CDM phases?
    Answer. The program is beginning Phase 3 and starting Phase 4 
pilots in fiscal year 2018. Phase 3, which includes cloud and mobile 
continuous visibility, is expected to run through fiscal year 2021. 
Phase 4 will be focused on providing enhanced data protection for high-
value asset (HVA) environments and is expected to run through fiscal 
year 2023. The date by which an agency could move through all CDM 
phases is dependent on the size of the agency, its total number of 
HVAs, its readiness and prioritization for CDM solution deployment, and 
overall funding. We plan to begin deployment of Phase 4 data protection 
capabilities in fiscal year 2019 for an initial set of agencies who are 
ready for the capabilities and fall within our budget. The time line to 
fully deploy Phase 4 is dependent on the agency's specific 
requirements, readiness, and CDM funding.
    Question 1c. What is beyond Phase 4?
    Answer. The CDM program includes activities required to keep pace 
with technology advances over the life of the program. The Department 
of Homeland Security (DHS) is still developing the future strategy for 
the CDM program to ensure that the program evolves after the currently 
defined four capabilities are deployed. The most appropriate path 
forward is to stay in front of the cybersecurity threat and support the 
agencies as threats and technology evolve. As part of this 
consideration, the program is now transitioning from the phase model to 
a capabilities-based model that anticipates threats. By shifting to a 
capabilities focus, the program can address specific new cybersecurity 
capabilities as they develop throughout the life cycle of the program.
    Question 1d. Are there plans for a long-term strategy to ensure CDM 
is a platform for an effective cybersecurity posture in the next 3 to 5 
years?
    Answer. In the fiscal year 2018 President's budget, additional 
funding was given to the program to speed up the deployment of mobile 
asset tracking and cloud asset tracking--both previously defined as 
Phase 3 activities starting in fiscal year 2019 and fiscal year 2020. 
Funding, however, is not the only factor in the speed at which CDM is 
deployed. DHS is actively working with agencies to identify where Phase 
3 efforts can be adopted more quickly based on agency readiness and 
where Phase 4 pilot efforts can be accelerated.
    Question 1e. Has DHS considered accelerating the roll-out and 
adoption of the capabilities in Phases 3 and 4, similar to what was 
done with the Einstein E3A initiative?
    Answer. Response was not received at the time of publication.
    Question 2a. How can CDM be leveraged to better understand the 
security posture of High-Value Assets?
    Answer. When and where possible, the Continuous Diagnostics and 
Mitigation (CDM) Phase 1 tools are deployed in the High-Value Asset 
(HVA) environments to gain continuous visibility of the HVA cyber 
hygiene. Similarly, CDM Phase 2 Manage Privilege and Accounts 
(PRIVMGMT) and Manage Credentials and Authentication (CREDMGMT) 
capabilities are deployed to better understand the users who have 
access to the HVA. CDM Phase 3 includes event management capabilities 
as a requirement. Getting audit logs from HVAs to an event management 
system will help agency security operations personnel monitor for 
system and network anomalies. Finally, Phase 4 capabilities, once 
deployed, will help agencies ensure the data associated with the HVA is 
protected.
    Question 2b. Is it worth prioritizing High-Value Assets for a 
speedier roll-out of CDM capabilities?
    Answer. The Department of Homeland Security (DHS) believes that it 
is worth prioritizing High-Value Assets for deployment of CDM 
capabilities. While many CDM deployment activities can run in parallel, 
it will not be possible to deploy all Phase 3 and 4 capabilities to 
HVAs at one time. As such, prioritization of HVAs will help agencies 
manage risk and identify where it should be tackled first.
    Question 2c. Is it worth considering High-Value Asset data 
differently in measuring the cybersecurity risk posture of a Federal 
agency?
    Question 2d. Can such a measurement be reflected on the CDM 
dashboard--both at the agency level and the Federal enterprise 
dashboard?
    Answer. DHS believes that it is worth considering High-Value Asset 
data differently in measuring the cybersecurity risk posture of a 
Federal agency. The CDM Program is planning to identify HVAs in the 
Agency and Federal Dashboards. This identification will enable the 
Department of Homeland Security and the agencies to assign specific 
measurements to HVAs that aren't assigned to other non-HVA systems. 
Additionally, through the implementation of the Agency-Wide Adaptive 
Risk Enumeration (AWARE) risk measurement algorithm that will be 
deployed in the summer 2018, DHS will be able to assign different 
weights to systems and vulnerabilities to draw attention to the most 
critical issues.
    Question 3a. The CDM program is reliant upon system integrators to 
roll out the solutions of each phase. Can you compare the success of 
each integrator?
    Answer. With our partner the General Services Administration (GSA), 
the Continuous Diagnostics and Mitigation (CDM) Program regularly meets 
with and monitors the performance of each integrator. Each year, we 
also complete a Contractor Performance Assessment Report (CPAR) for 
each integrator. Under our current task orders awarded off the original 
CDM Blanket Purchase Agreement (BPA), the CPARs are the best way to 
compare the success of the integrators. Under the new CDM DEFEND 
acquisition strategy, task orders are being awarded as ``cost plus 
award fee''. With these task orders, the program and GSA will be 
evaluating each integrator semi-annually to measure integrator 
performance and determine the appropriate award fee level for that half 
year.
    Question 3b. Is there a comparable level of success across the 
board or do CDM integrators vary in their consistency?
    Answer. While the program and GSA have had to address some 
performance issues with some of the integrators at different points, 
the integrators are ultimately measured on achieving the objectives of 
each task order. In that regard, each integrator is making progress 
toward the successful completion of the task order. With CDM DEFEND, 
the program will be able to track the performance of each integrator 
more granularly over the life of each task order.
    Question 3c. If so, are there any broad lessons learned about 
managing or choosing integrators?
    Answer. One of the key lessons learned throughout the CDM program 
thus far is the importance of closely monitoring risk for each task 
order and quickly escalating if the risk increases or becomes an issue. 
The faster problems can be identified and addressed, the better off all 
parties will be and the more quickly progress can be made.
    Question 4. How has the Information Security Continuous Monitoring 
(ISCM) strategy been aligned with CDM capabilities and the phased roll-
out to ensure an efficient use of taxpayer dollars?
    Answer. The Continuous Diagnostics and Mitigation (CDM) Program is 
the core of the Information Security Continuous Monitoring (ISCM) 
strategy and the phased roll-out of the program was developed to help 
reach realization of ISCM. In CDM Phase 3, the program is tackling on-
going assessments to help automate the assessment of as many 
cybersecurity controls as possible with the Phase 1 and 2 tools, as 
well as those of future phases. The automated controls will then serve 
as input into the development of on-going authorization, a chief aim of 
the ISCM strategy.
            Questions From Chairman Will Hurd for Kevin Cox
    Question 1a. In the Continuous Diagnostics and Mitigation Update 
dated December 15, 2017 (provided by DHS to the committee), the Phase 
Two PRIVMGMT Implementation Tracker indicates certain implementation 
activities are deemed ``out of scope for period of performance due to 
agency not being ready/interested in participating.'' Are these 
agencies not interested in implementing CDM privilege management tools 
in the future?
    Answer. Ultimately, all agencies will need to report their PRIVMGMT 
and CREDMGMT requirements data into the Phase 2 master user record 
(MUR) that will be a core component of the agency dashboards. For 
agencies that have deployed or are already deploying PRIVMGMT tools that meet 
the CDM data requirements, the program did not need to invest further 
resources in those efforts. In other cases, agencies were focused on 
other priorities, but intend to participate in the future task orders.
    Question 1b. Or, are there plans to move forward with complete 
implementation that occurs after this period of performance (ending 
07/11/2018)?
    Answer. The CDM DEFEND acquisition strategy was developed so that 
work for all phases of the CDM Program can occur through each task 
order. Therefore, the program will be able to work with the agencies 
and integrators to add new agency requirements when they arise.
    Question 1c. Please provide the names of all agencies that have 
indicated they do not plan to participate in full Phase 2 
implementation, meaning complete implementation of PRIVMGMT and 
CREDMGMT capabilities.
    Answer. Because CDM DEFEND will allow the program to work with the 
agencies and integrators to integrate capabilities as new agencies sign 
up for CDM or expand their requirements, we do not anticipate at this 
time that there will be any agencies that do not plan on participating 
fully in Phase 2 implementations. That being said, the program will 
inform the committee if any agencies indicate that they will not be 
participating fully in Phase 2.
     Questions From Ranking Member Cedric L. Richmond for Kevin Cox
    Question 1. In January, we held a hearing with CDM contractors, who 
told us that one of the challenges with implementation was the lack of 
dedicated personnel with the expertise necessary to use CDM 
technologies and take full advantage of their benefits. Can DHS do 
anything to address this, perhaps by adding training and labor into 
contracts for integration services?
    Answer. The need for additional training and to help agencies 
obtain expertise to manage the Continuous Diagnostics and Mitigation 
(CDM) tools was one of the lessons learned from the original CDM task 
orders. As a result, the program built mechanisms into the CDM DEFEND 
acquisition strategy to allow agencies to obtain more subject-matter 
expert training on the CDM tools. Agencies can also place their own 
funding on the DEFEND contract if they want to obtain additional 
training. Additionally, the agencies can use the CDM DEFEND vehicle to 
obtain additional life-cycle support for their current and future CDM 
technologies.
    Question 2a. The DHS Inspector General recently released a report 
finding a number of information security vulnerabilities at DHS, 
including some NPPD systems that were operating without proper 
authorization. What is the status of DHS's own implementation of CDM?
    Answer. The Department of Homeland Security (DHS) Office of the 
Chief Information Officer continues to make progress in the 
implementation of Continuous Diagnostics and Mitigation (CDM) 
throughout the organization.
    Question 2b. Has the Department fully deployed Phase 1 
technologies?
    Answer. DHS is in the process of fully deploying Phase 1 
technologies. By the end of the task order period of performance on 
June 15, 2018, we expect DHS to be at a 95 percent completion level for 
all networks/components originally scoped for the first DHS Phase 1 
contract. The remaining 5 percent included in the original contract 
scope will be addressed in the follow-on CDM DEFEND contract that was 
just awarded in May 2018.
    Question 2c. Might CDM adoption have been easier or more efficient 
with a Department-wide cybersecurity strategy in place, as was required 
under legislation I authored in 2016?
    Answer. In November 2013, the Acting Deputy Secretary for DHS 
issued the ``One DHS'' Deployment of CDM Capability memo to all 
component heads, noting the Department's commitment to a leadership 
role in the Federal Government with regards to cybersecurity. The memo 
directed DHS components to standardize as much as possible around the 
common security controls being deployed by CDM and that memo supported 
CDM deployment throughout the agency. In addition, Secretary Nielsen 
has signed out the DHS Cybersecurity Strategy, as called for in the 
2016 legislation, and places a priority on protecting Federal 
networks--including DHS's networks.
    Question 3a. It looks like DHS has made a lot of progress in 
getting the so-called ``CFO Act agencies'' to move forward with CDM 
adoption, but smaller, non-CFO Act agencies have been more of a 
challenge. How many of these non-CFO Act agencies is DHS currently 
working with on CDM?
    Answer. The Continuous Diagnostics and Mitigation (CDM) Program 
currently has memorandums of agreement (MOAs) in place with 56 non-CFO 
Act agencies. The CDM Shared Service Platform for the non-CFO Act 
agencies received its authority to operate in March 2018 and the CDM 
Program is now deploying the CDM Phase 1 and 2 capabilities to these 
agencies in multiple waves. The CDM Program is currently reaching out 
to the remaining non-CFO agencies to establish signed MOAs with them to 
include them as participants in the program.
    Question 3b. What tactics can DHS use to grow participation?
    Answer. Through our outreach, the program is finding that the non-
CFO Act agencies want to participate in the CDM program and get the 
benefits. When an agency is uncertain, Department leadership is able to 
engage to help address any concerns and answer any remaining questions.
       Questions From Ranking Member Robin L. Kelly for Kevin Cox
    Question 1. What is the time line to roll out Phase 4 data-level 
protection capabilities as called for in the President's IT 
Modernization Report and fiscal year 2018/2019 CDM budget requests (see 
attached)?
    Question 2. Have DHS and GSA considered accelerating the adoption 
of phase 4 capabilities for all .gov agencies?
    Answer. Continuous Diagnostics and Mitigation Phase 4 will focus on 
enhancing data protections for agency high-value assets (HVAs). The 
program is starting a series of Phase 4 pilots in fiscal year 2018 and 
is looking to increase Phase 4 efforts in fiscal year beyond what was 
originally planned in the program's life-cycle cost estimate.
     Questions From Ranking Member Bennie G. Thompson for Kevin Cox
    Question 1a. For your agency, are there any senior cybersecurity 
leadership positions that remain unfilled?
    Question 1b. If so, how has that complicated your ability to move 
forward with CDM and other information security initiatives?
    Answer. The National Protection and Programs Directorate has 
individuals in the senior cybersecurity leadership positions.
    Question 2a. As you know, there is a great deal of diversity among 
agencies--in terms of their size, structure, and management culture. 
How is your experience different working with large CFO Act agencies, 
versus small and micro agencies?
    Answer. The largest CFO Act agencies tend to be federated amongst 
their components and Operational Divisions (OpDivs). This federation 
introduced challenges in Phase 1. Communication and collaboration were 
key in overcoming these challenges. With the small- and medium-sized 
agencies, federation was not as big of an issue. The Continuous 
Diagnostics and Mitigation (CDM) program still experienced some delays 
with these agencies due to solution alignment issues within the agency, 
but the delays tended not to be as prolonged as we saw in the larger 
agencies.
    Question 2b. Are there ways the CDM program could be more 
responsive to the needs of small- and medium-sized agencies?
    Answer. With agencies of all sizes, communication is key to 
success. Through sustained communication with the agencies, the CDM 
program is able to better understand the agency needs and unique 
requirements. The program can then work with the integrator to shape 
the CDM solution appropriately for each agency. Good, sustained 
communication takes work, but offers a good pay-off.
        Questions From Honorable James R. Langevin for Kevin Cox
    Question 1. NPPD's Congressional Justification for its fiscal year 
2019 budget request does not describe any efforts by CDM to provide 
asset management, identity management, network monitoring, or data 
protection capabilities for cloud-based services. Cloud security is not 
mentioned in the CDM Technical Capabilities documents published by GSA 
(Volumes One and Two). On March 20, you testified that your intention 
with CDM Phase 3 was to provide agencies with ``visibility of their 
data and their networks . . . wherever that data is, whether it's out 
in the cloud, whether it's on a mobile device, wherever it's stored or 
used.'' What tools and services will CDM provide to Federal agencies to 
secure their cloud services?
    Answer. The Continuous Diagnostics and Mitigation (CDM) Technical 
Capabilities documents are updated at least annually. Cloud, mobile, 
and many of the other Phase 3 efforts will be addressed in the next 
update. As for the CDM approach for cloud, the program is working to 
develop the appropriate approach for continuous monitoring in the 
cloud. Given the differences between on-premise and cloud 
architectures, the CDM program will not be able to approach cloud 
environments the same way we did for on-premise networks (e.g., we 
won't be deploying individual sensors on each Virtual Machine (VM) in 
the cloud, as these VMs can change frequently). Rather, we are looking 
to achieve continuous monitoring in the cloud through multiple 
mechanisms that are in the process of being developed. These may 
include a network security stack in front of the cloud environment, 
data interfaces to the security controls provided by the cloud service 
providers (CSPs), and visibility into data from other security 
capabilities provided either by the CSP or a third-party entity.
    Question 2. As we know from the critical infrastructure community, 
cybersecurity must extend beyond desktop computers. Within DHS, for 
example, Border Patrol, TSA, and FEMA agents employ diverse sensors and 
communications systems that don't run on Windows. What tools and 
services will CDM provide to Federal agencies to help protect mobile, 
operational, or other networked devices with uncommon operating 
systems?
    Answer. Many of the Continuous Diagnostics and Mitigation (CDM) 
Phase 1 tools provide continuous visibility for many versions of 
Unix/Linux and MacOS. However, not all operating systems are covered by all 
tools. Where we have identified gaps, we plan on working with the CDM 
DEFEND integrators to identify the best technology to help fill those 
gaps. This will be an on-going effort, particularly as more Internet of 
Things devices come on-line. As for mobile, we will interface with each 
agency's Enterprise Mobility Management (EMM) system to gain visibility 
into the devices and mobile apps in use in the environment. If an 
agency does not have an EMM, we will work with the agency and the 
integrator to identify the optimal EMM solution for the agency.
    Question 3. The DEFEND contract moved CDM away from implementing 
identical tools and toward helping agencies procure a variety of tools 
and services from an approved list. This flexibility will likely result 
in unique cybersecurity implementations, making it more difficult to 
share and reuse collected data, and increasing the cost of integrating 
new tools in the future. What guidance is DHS providing to agencies to 
encourage reuse, sharing, and interoperability of cybersecurity data 
and tools?
    Answer. The key to making the additional flexibility work is to use 
technologies from vendors that participate in and use common data 
interface standards. The Continuous Diagnostics and Mitigation (CDM) 
program is building these into our requirements. As long as a product 
meets these standards, gaining access to the data that fulfills the CDM 
requirements is a pretty direct process. We know from experience that 
this can work based on the many different CDM technologies in use 
today. Based on our experience so far, we expect most agencies will 
settle on a single tool throughout their agency for each respective CDM 
capability. The flexibility gains a lot of value when agencies are able 
to use existing tools already in place to meet future CDM data 
requirements, as long as we can establish an interface to the data. The 
benefits include more willing agency participation, potential cost 
savings, and fewer scenarios where agencies must remove existing tools 
and replace them with CDM tools.
    Question 4. What metrics are you collecting to demonstrate that CDM 
has successfully improved cybersecurity in the adopting agencies?
    Answer. The Continuous Diagnostics and Mitigation (CDM) Program has 
developed a series of metrics demonstrating cost savings compared to 
General Services Administration IT Schedule 70, significant asset and 
user discovery improvements, and millions of assets now having near 
real-time cybersecurity sensors in place. We are continuing to build on 
these to show how the agencies are starting to use the CDM tools to 
reduce their attack surface and improve their overall cyber hygiene. 
During the summer of 2018, the CDM program is also introducing the 
Agency-Wide Adaptive Risk Enumeration (AWARE) algorithm that will allow 
agencies to compare their security posture over time against their 
original baseline. It will also give Federal leadership a tool to 
measure agency cybersecurity performance. The AWARE algorithm will be 
implemented by late fiscal year 2018 and will be operationalized 
through fiscal year 2019.
    Question 5. CDM represents a large investment of dollars and time. 
I would like to understand how we will know that investment has been 
successful, in terms of improved security across the dot-gov domain. 
How extensive are the cybersecurity staff and skills shortfalls in your 
program, and how are they affecting your ability to execute the 
program?
    Answer. The key to showing the success of the investment is through 
metrics like the Agency-Wide Adaptive Risk Enumeration (AWARE) 
algorithm. By baselining agencies at the start, it gives us a way to 
measure improvement over time. The Continuous Diagnostics and 
Mitigation program can already show that success today through metrics 
like the significant asset discovery improvements and the total number 
of assets reporting to the Federal Dashboard that have security sensors 
in place that can report the near real-time vulnerability and 
configuration state of each asset. The AWARE algorithm will pull all of 
the various measures into a singular score that will be standardized 
and allow for comparisons between agencies.
    With regard to staff in the CDM Program, we have a skilled, 
dedicated team of 40 people and are in the process of hiring and 
performing security clearances on an additional 14. Through recent 
staffing planning, the estimated personnel needs are known for the work 
associated with Phases 3 and 4 and included in the life-cycle cost 
estimates of the program used to inform future year budget requests.
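The AWARE score is described in the answers above (Questions 2c/2d, 4 and 5) only in outline: weights for systems and vulnerabilities, identification of HVAs, an agency baseline, and a standardized score that allows comparison between agencies. The following is an added illustration of how such a weighted, normalized risk score can be computed over constructed dashboard-style asset records; it is not DHS's AWARE algorithm, and every weight, threshold, record field and sample asset in it is a constructed assumption.

```python
"""Illustrative weighted, normalized risk score over constructed asset records.

Added example, NOT the AWARE algorithm: the hearing says only that AWARE weights
systems and vulnerabilities, identifies HVAs, baselines each agency and yields
a standardized score. Every weight, threshold and field below is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed severity weights (assumption).
SEVERITY_WEIGHT: Dict[str, float] = {"critical": 10.0, "high": 5.0,
                                     "medium": 2.0, "low": 0.5}
HVA_MULTIPLIER = 3.0   # constructed weight for agency-designated HVAs
AGE_PERIOD_DAYS = 30   # constructed: each full 30-day period a finding stays
AGE_STEP = 0.5         # open past the first adds 50% to its weight


@dataclass
class Finding:
    severity: str   # one of SEVERITY_WEIGHT's keys
    days_open: int  # days since a sensor first reported it


@dataclass
class Asset:
    asset_id: str
    is_hva: bool
    findings: List[Finding] = field(default_factory=list)


def finding_score(f: Finding) -> float:
    """Severity weight, scaled up for each aging period the finding stays open."""
    overdue_periods = max(0, f.days_open - AGE_PERIOD_DAYS) // AGE_PERIOD_DAYS
    return SEVERITY_WEIGHT[f.severity] * (1.0 + AGE_STEP * overdue_periods)


def asset_score(a: Asset) -> float:
    """Sum of finding scores; HVAs are weighted so they surface first."""
    raw = sum(finding_score(f) for f in a.findings)
    return raw * HVA_MULTIPLIER if a.is_hva else raw


def prioritize(assets: List[Asset]) -> List[str]:
    """Asset ids ordered by score, highest first: the 'fix this first' view."""
    return [a.asset_id for a in sorted(assets, key=asset_score, reverse=True)]


def agency_score(assets: List[Asset]) -> float:
    """Standardized score: total risk divided by assets in scope.

    Dividing by asset count is what lets agencies of very different size be
    compared; it also means an asset discovered after the baseline changes the
    denominator, not only the numerator.
    """
    if not assets:
        return 0.0
    return sum(asset_score(a) for a in assets) / len(assets)


def improvement_pct(baseline: float, current: float) -> float:
    """Percent reduction from the agency's baseline score; positive is better."""
    return 0.0 if baseline == 0.0 else (baseline - current) / baseline * 100.0


def baseline_snapshot() -> List[Asset]:
    """Constructed baseline for one hypothetical agency (three known assets)."""
    return [Asset("A1", True, [Finding("high", 10), Finding("medium", 10)]),
            Asset("A2", False, [Finding("critical", 10), Finding("low", 70)]),
            Asset("A3", False, [])]


def current_snapshot() -> List[Asset]:
    """Constructed later snapshot: A1 and A2 remediated, A4 newly discovered."""
    return [Asset("A1", True, [Finding("medium", 40)]),
            Asset("A2", False, [Finding("low", 100)]),
            Asset("A3", False, []),
            Asset("A4", False, [Finding("high", 3)])]


if __name__ == "__main__":
    base, cur = agency_score(baseline_snapshot()), agency_score(current_snapshot())
    print("fix first:", prioritize(baseline_snapshot()))
    print(f"baseline {base:.2f} -> current {cur:.2f} "
          f"({improvement_pct(base, cur):.1f}% improvement)")
```

Note that in the baseline the HVA weighting places A1 ahead of A2 even though A2 carries the only critical finding, which is the prioritization effect the answer describes for HVAs.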