<html>
<title>CYBERSECURITY REGULATION HARMONIZATION</title>
<body><pre>[Senate Hearing 115-310]
[From the U.S. Government Publishing Office]


                                                        S. Hrg. 115-310

                 CYBERSECURITY REGULATION HARMONIZATION

=======================================================================

                                 HEARING

                               BEFORE THE

                              COMMITTEE ON
               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                     ONE HUNDRED FIFTEENTH CONGRESS


                             FIRST SESSION

                               __________

                             JUNE 21, 2017

                               __________

        Available via the World Wide Web: http://www.fdsys.gov/

                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs


[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]


                               __________


                    U.S. GOVERNMENT PUBLISHING OFFICE
27-395PDF                  WASHINGTON : 2018

-----------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, 
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, gpo@custhelp.com.


       COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                    RON JOHNSON, Wisconsin, Chairman
JOHN McCAIN, Arizona                 CLAIRE McCASKILL, Missouri
ROB PORTMAN, Ohio                    THOMAS R. CARPER, Delaware
RAND PAUL, Kentucky                  JON TESTER, Montana
JAMES LANKFORD, Oklahoma             HEIDI HEITKAMP, North Dakota
MICHAEL B. ENZI, Wyoming             GARY C. PETERS, Michigan
JOHN HOEVEN, North Dakota            MAGGIE HASSAN, New Hampshire
STEVE DAINES, Montana                KAMALA D. HARRIS, California

                  Christopher R. Hixon, Staff Director
                Gabrielle D'Adamo Singer, Chief Counsel
              Colleen E. Berny, Professional Staff Member
               Margaret E. Daum, Minority Staff Director
           Julie G. Klein, Minority Professional Staff Member
                     Laura W. Kilbride, Chief Clerk
                   Bonni E. Dinerstein, Hearing Clerk

                            C O N T E N T S

                                 ------
Opening statements:
                                                                   Page
    Senator Johnson..............................................     1
    Senator McCaskill............................................     2
    Senator Daines...............................................    16
    Senator Heitkamp.............................................    18
    Senator Lankford.............................................    21
    Senator Peters...............................................    24
Prepared statements:
    Senator Johnson..............................................    29
    Senator McCaskill............................................    30

                               WITNESSES
                        Wednesday, June 21, 2017

Christopher F. Feeney, President, BITS, Financial Services 
  Roundtable.....................................................     4
Dean C. Garfield, President and Chief Executive Officer, 
  Information Technology Industry Council........................     5
Daniel Nutkis, Chief Executive Officer, Health Information Trust 
  (HITRUST) Alliance.............................................     7
James ``Bo'' Reese, Vice President, National Association of State 
  Chief Information Officers, and Chief Information Officer, 
  Information Services, Office of Management and Enterprise 
  Services, State of Oklahoma....................................     9

                     Alphabetical List of Witnesses

Feeney, Christopher F.:
    Testimony....................................................     4
    Prepared statement...........................................    33
Garfield, Dean C.:
    Testimony....................................................     5
    Prepared statement...........................................    58
Nutkis, Daniel:
    Testimony....................................................     7
    Prepared statement...........................................    74
Reese, James Bo:
    Testimony....................................................     9
    Prepared statement with attachment...........................    79

                                APPENDIX

Email submitted for the Record by Senator Lankford...............    92
Responses to post-hearing questions for the Record
    Mr. Feeney...................................................    93
    Mr. Garfield.................................................    98
    Mr. Nutkis...................................................   109
    Mr. Reese....................................................   111


                 CYBERSECURITY REGULATION HARMONIZATION

                              ----------


                        WEDNESDAY, JUNE 21, 2017

                                     U.S. Senate,
                           Committee on Homeland Security
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to other business, at 10:29 
a.m., in room SD-342, Dirksen Senate Office Building, Hon. Ron 
Johnson, Chairman of the Committee, presiding.
    Present: Senators Johnson, Lankford, Daines, McCaskill, 
Carper, Tester, Heitkamp, Peters, Hassan, and Harris.

             OPENING STATEMENT OF CHAIRMAN JOHNSON

    Chairman Johnson. Good morning. This hearing will be called 
to order. I want to welcome our witnesses. Thank you for your 
testimonies.
    I would ask consent that my written statement be entered 
into the record.\1\
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Johnson appears in the 
Appendix on page 29.
---------------------------------------------------------------------------
    I will just keep my remarks brief.
    Cybersecurity is an enormous threat facing this Nation. As 
General Keith Alexander, the former Director of the National 
Security Agency (NSA), said, the loss of industrial information 
and intellectual property through cyber espionage constitutes 
``the greatest transfer of wealth in human history.''
    I believe this is either our fifth or sixth hearing on 
different aspects of the problem associated with cybersecurity. 
We are looking at different parts of this, looking for a proper 
definition of the problem, certainly laying out the reality of 
what General Alexander was referring to, but also looking for 
solutions.
    This is an interesting hearing because it combines our 
concentration on this real threat, cybersecurity, one of the 
top priorities on the homeland security side of our Committee, 
with a top priority on the governmental affairs part of this 
Committee, overregulation--the $2 trillion regulatory burden, 
about $15,000 per year per household, and how that 
overregulation is making us less secure in cyberspace.
    It is interesting. We had Comptroller General Gene Dodaro 
here at our annual duplication report hearing, and we had the 
chancellor of UW-Madison come and testify. The last 2 years she 
has visited me in my office, she has complained of 
overregulation. This year she came in armed with a study 
commissioned by the research universities that said that 42 
percent of researcher time in these universities on Federal 
Government grant programs--these are the grants that are 
supposed to cure diseases and help advance human knowledge and 
science--42 percent of researcher time is spent filling out and 
complying with Federal regulations. And, I think what is 
interesting is that in testimony today from our witnesses, one 
of the witnesses will testify that about 40 percent of his time 
or his cybersecurity group's time is spent--guess what?--
complying with often contradictory Federal regulations.
    So, we obviously have to streamline this. We have to 
understand the enormous opportunity cost of overregulation, of 
contradictory regulations. If we want to truly address this 
very complex problem of the threats we face because of the 
cyber attacks and our challenges in securing our cyber assets, 
we have to look to all levels of government, consolidating 
their regulatory framework, to streamline that regulatory 
regime as much as possible so professionals within industry and 
within government, quite honestly, can concentrate on the 
primary task at hand, which is securing our cyber assets.
    With that, I will turn it over to Senator McCaskill.

           OPENING STATEMENT OF SENATOR MCCASKILL\1\

    Senator McCaskill. Thank you, Chairman Johnson. One of my 
top priorities as a Senator is focusing on how we can make 
government work better and more efficiently. Eliminating waste, 
fraud, and abuse in an effort to save taxpayer dollars and 
improve government services and make government less intrusive 
into the lives of operating businesses in this country are a 
priority.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator McCaskill appears in the 
Appendix on page 30.
---------------------------------------------------------------------------
    Today's hearing allows for us to hear from representatives 
from the private sector and the States about how they manage 
compliance with the variety of regulations they face relating 
to data and cybersecurity. There is currently no clearinghouse 
for mitigating conflicts between regulators, and as a result, 
States and industry bear the burden for ensuring compliance 
between sometimes redundant and often conflicting regulations.
    Regulators play an essential role in mandating security 
measures like notifications after a data breach and requiring a 
minimum level of security to protect personally identifiable 
information (PII). However, as these witnesses will attest, 
while the goal of the regulation is improved security, due to a 
lack of harmonization between regulations industry spends too 
much valuable time sorting through compliance when it could be 
investing those hours and resources into improving their 
security systems and services.
    We will hear today about how centralized information 
technology (IT) systems can play a key role in improving 
efficiency and security. The same can be said about 
centralizing cyber policy across the Federal Government. We 
have made significant strides in recent years to authorize and 
operationalize the Department of Homeland Security's (DHS) 
National Cybersecurity and Communications Integration Center 
(NCCIC). President Obama also mandated the creation of National 
Institute of Science and Technology (NIST) Cybersecurity 
Framework, which creates a common language for government and 
industry.
    We have spent years working to make DHS the central 
cybersecurity information sharing entity. We finally passed the 
Cybersecurity Information Sharing Act (CISA) in 2015, providing 
liability protection to encourage industry to share threat 
information with DHS. But, now the Department of Health and 
Human Services (HHS) has decided that the NCCIC and the 
existing information sharing structure have limitations. Rather 
than examining what the private sector was doing to address 
potential gaps, HHS went ahead and built a health-specific 
version called the ``Health Cybersecurity and Communications 
Integration Center'' (HCCIC). That is the essence of 
duplicative. It is exactly the problem that we are trying to 
address in this hearing.
    I have questions about the utility of this new entity. It 
is also not clear that this new cyber center is necessary or 
that it adds value. We should be looking to enhance information 
sharing participation and the NCCIC's capabilities, not 
sprouting a new ``kick'' for every industry or critical 
infrastructure sector. This could go on ad nauseam, handcuffing 
business even more in terms of sharing important threats with 
people who need to know.
    I am glad Chairman Johnson is joining me in sending a 
letter to HHS asking questions about the genesis of this new 
HCCIC and how it has been and will coordinate with DHS on the 
liability protections offered to those that share information 
with the HCCIC and why this new entity is even necessary. I 
hope we can stop this before it goes too far.
    I look forward to hearing from the witnesses today about 
other ways we can work to simplify and harmonize their 
regulatory burden.
    Thank you, Mr. Chairman, for holding this hearing.
    Chairman Johnson. Well, thank you, Senator McCaskill. And, 
again, I appreciate the leadership you have taken on that. It 
just kind of proves the point that, bottom line, the government 
wants to grow, regardless of the Administration. I believe this 
was started under Obama, and the Trump administration is kind 
of moving right forward with it. So, hopefully we can prevent 
that and consolidate this, and that is the purpose of the 
hearing.
    It is the tradition of this Committee to swear in 
witnesses, so if you will all stand and raise your right hand. 
Do you swear that the testimony you will give before this 
Committee will be the truth, the whole truth, and nothing but 
the truth, so help you, God?
    Mr. Feeney. I do.
    Mr. Garfield. I do.
    Mr. Nutkis. I do.
    Mr. Reese. I do.
    Chairman Johnson. Please be seated.
    Our first witness is Christopher F. Feeney. Mr. Feeney is 
currently president of BITS, the technology policy division at 
the Financial Services Roundtable (FSR). Mr. Feeney has over 30 
years of experience in technology, business, sales, executive 
management, and operating roles at a variety of companies. 
Before starting at BITS, Mr. Feeney served as Chief Executive 
Officer (CEO), president, and in executive roles at Thomson 
Financial, Bank of America, Telerate, Multex, and Broadridge 
Financial. He is currently on the Board of Directors at 
Scottrade, Incorporated, and an executive committee member of 
the Financial Services Sector Coordinating Council (FSSCC). Mr. 
Feeney.

    TESTIMONY OF CHRISTOPHER F. FEENEY,\1\ PRESIDENT, BITS, 
                 FINANCIAL SERVICES ROUNDTABLE

    Mr. Feeney. Chairman Johnson, Ranking Member McCaskill, 
thank you for inviting me to testify on this critically 
important and timely subject.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Feeney appears in the Appendix on 
page 33.
---------------------------------------------------------------------------
    The Financial Services Roundtable represents 100 of the 
leading financial firms in our country, including banks, 
insurance companies, asset managers, payment firms, and finance 
companies.
    Make no mistake: Cybersecurity is a top-of-mind issue for 
every one of our CEOs, and the industry is committed to making 
the investments necessary to protect our critical 
infrastructure and, ultimately, the information and assets of 
our customers.
    Our industry is one of the most heavily regulated sectors. 
Nine independent Federal regulators, three self-regulatory 
organizations, and the State insurance, banking, and securities 
agencies oversee the industry. With that level of regulatory 
oversight, it is imperative that financial firms develop 
strong, collaborative relationships with regulators. In no 
space is that more relevant than in cybersecurity.
    The cybersecurity requirements across the financial 
industry are, like the sector itself, very diverse in terms of 
business size, type, and geographic footprint. That said, we 
have heard from both our members and regulators that 60 to 80 
percent of the cyber issuances could be considered common 
across all regulators. For any regulated entity, words matter. 
For the financial sector, with our waterfront of State and 
Federal regulators, it becomes a tangible problem when those 
tasked with creating cybersecurity rules do not follow a common 
language and instead approach the shared components of 
cybersecurity regulations with their own variations addressing 
the same cyber issues but from different perspectives.
    Think about it this way: As you all know, English is the 
universal language of air traffic controllers, and controllers 
all over the globe speak to pilots using the same agreed-upon 
language. Imagine if a pilot flying to Paris, the Middle East, 
and China had to know every native language as well as the 
different variations in expectations and protocols for every 
airspace they pass through.
    To put it in the context of this hearing, over the last 2 
years State and Federal financial regulators have put forth 46 
cybersecurity regulations, updates to guidance, or new tools. 
Individually, these regulations have merit. However, while we 
recognize the need to have cyber regulations tailored to the 
different firms and the markets in which they operate, these 
regulations do not follow a common language or a common set of 
exam procedures. This is counterproductive and introduces 
tremendous inconsistency and duplication of effort for 
technology operators, governance architects, and executive 
leadership.
    More specifically, firms already burdened by a shortage of 
skilled cyber professionals must take resources away from 
protecting their platforms to interpret the language of diverse 
regulations. Ultimately, we hold ourselves accountable, and the 
financial firms must ensure compliance with the regulatory 
process.
    As for a solution, you might be surprised to hear me say 
that it is not necessarily fewer regulations but instead 
rationalized and harmonized regulation around a common approach 
and a shared language. Our industry is committed to working 
with regulators to address this issue. In fact, FSR BITS and 
our industry partners have developed a model cyber framework 
using consistent language specific to our sector. The 
foundation of this effort is the NIST Cybersecurity Framework, 
which has been used in a similar way by other industries.
    We were very pleased to see this issue highlighted in the 
Treasury's report on modernizing financial regulation, which 
called for better coordination on cybersecurity regulation and 
examination across State and Federal financial Agencies.
    In conclusion, until that goal can be reached, we encourage 
the regulators to pause any additional cyber regulation which, 
if issued, will only serve to extend the problems I have 
described. When a chief information security officer (CISO) at 
one of our largest member firms estimates that 40 percent of 
his group's time is spent trying to unravel the web of 
cybersecurity regulations rather than focusing on protecting 
systems, that is a serious problem. We must ensure this issue 
does not fall prey to regulatory one-upmanship or jurisdictional 
turf battles. We must collaborate to maintain the cyber 
integrity of the U.S. financial system.
    Thank you, Mr. Chairman, and I look forward to your 
questions.
    Chairman Johnson. Thank you, Mr. Feeney.
    Our next witness is Dean Garfield. Mr. Garfield currently 
serves as president and CEO of the Information Technology 
Industry (ITI) Council. Through this role, ITI has helped 
define the national and international technology agenda, 
expanded its membership, and launched a leading innovation 
foundation. Before joining ITI, Mr. Garfield served as 
executive vice president and chief strategic officer for the 
Motion Picture Association of America (MPAA) and vice president 
of legal affairs at the Recording Industry Association of 
America (RIAA). Mr. Garfield.

TESTIMONY OF DEAN C. GARFIELD,\1\ PRESIDENT AND CHIEF EXECUTIVE 
        OFFICER, INFORMATION TECHNOLOGY INDUSTRY COUNCIL

    Mr. Garfield. Thank you. Chairman Johnson, Ranking Member 
McCaskill, and Members of the Committee, on behalf of 60 of the 
most dynamic and innovative companies in the world, I would 
like to thank you for engaging us in this conversation. The 
issues we are talking about today are immensely important, and 
so I would like to thank you as well for putting the focus on 
this issue.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Garfield appears in the Appendix 
on page 58.
---------------------------------------------------------------------------
    We have submitted my testimony for the record, so rather 
than repeat it, I will presume you have already read it and 
hone in on three things: one, our definition of the problem; 
two, what we are doing to help solve for it; and, three, where 
we see gaps that Congress, and this Committee specifically, can 
be helpful.
    Our definition of the problem is really how do we go about 
preserving the vibrancy and vitality of the Internet while 
protecting it against those who seek to do damage to the 
ecosystem through cyber insecurity. For us, success looks like 
enhancing the societal and economic benefits of the Internet, 
its openness, its interoperability, its integrated and 
international nature, while making sure we are protecting it 
against cyber insecurity.
    Like many shared spaces, whether it is a community play 
area or the Internet, we know that when there are 
encroachments, the instinct is to react by adding regulation 
and adding new rules. In the case of Internet and cyberspace, 
to do so would be a colossal mistake.
    What are we doing to try to help? We are focused on a 
multifaceted approach, largely targeted in three areas:
    One, doing what we do best, which is innovating, making 
sure that we are thinking about cybersecurity in the first 
instance as a design feature both at the hardware and software 
level.
    Second is recognizing that because this is a shared space, 
it is a shared responsibility, and so working in public-private 
partnerships to make sure that we are advancing cybersecurity. 
My colleague Mr. Feeney referenced the NIST framework, which we 
think should be the foundational strategy for how we go about 
protecting cyberspace.
    Third, we are endeavoring to cascade best practices through 
our supply chains and more broadly. For businesses like the 
ones I represent, cybersecurity is a CEO issue, and we put the 
emphasis and the resources that are necessary behind it. For 
small businesses, they may not have the resources or the know-
how to do so, and so we are endeavoring to do what we can to 
help solve for that.
    How can this Committee and Congress help? There are a 
number of gaps that we have identified, including the ones that 
are the point of this hearing.
    One, there is a lack of coordination. There are three 
Executive Orders (EO) in the last 5 years focused on 
cybersecurity and driving greater coordination. That has not 
occurred.
    Second, the point that I made earlier about small 
businesses and making sure that they are contemplated as part 
of the solution in this area is another gap that we see.
    What we recommend this Committee and Congress do generally 
is using its oversight powers to ensure that the level of 
coordination that is called out in those Executive Orders 
actually happens, built around the strategy that exists in the 
NIST framework, which is incredibly flexible, adaptable. In the 
same way that those who are endeavoring to create cyber 
insecurity are adapting all the time, the NIST framework is 
really a broader strategy around which we can build.
    Second is streamlining. The Department of Homeland 
Security, which Ranking Member McCaskill noted earlier is 
working on these issues, last year I spent some time looking at 
all of the different Federal cybersecurity initiatives around 
the Internet of Things (IOT), and recognized and identified 
that there were 30, often competing, different initiatives 
built solely around IOT. That is simply emblematic of the 
broader problem, and I know Mr. Feeney's exhibit over there to 
our right, in the context of his world, in the financial 
services sector I think does a good job of capturing the 
redundancies that occur more broadly.
    Third, it is critical, since this is a shared issue, that 
we take a multifaceted approach. Part of the solution here, 
including for the private sector but government as well, is our 
procurement practice. The procurement system actually helps to 
create these redundancies and complexities, and so streamlining 
and simplifying our procurement process will help to advance 
our goals in this area. I know this Committee is contemplating 
and considering the MGT Act, and from our perspective, moving 
that in a way that is consistent with your goals is a part of 
the solution in this area as well.
    I thank you for the opportunity to testify, and I look 
forward to your questions.
    Chairman Johnson. Thank you, Mr. Garfield.
    Our next witness is Daniel Nutkis. Mr. Nutkis currently 
serves as founder and chief executive officer at the Health 
Information Trust Alliance (HITRUST) Alliance. Mr. Nutkis has 
over 25 years of experience in risk management and health 
information technology. Before founding HITRUST, he served as 
executive vice president of strategy and president of care 
delivery at Zix Corporation, a security technology company. He 
also served as the national director for Ernst & Young LLP's 
health care emerging technology practice. Mr. Nutkis.

TESTIMONY OF DANIEL NUTKIS,\1\ CHIEF EXECUTIVE OFFICER, HEALTH 
              INFORMATION TRUST (HITRUST) ALLIANCE

    Mr. Nutkis. Chairman Johnson, Ranking Member McCaskill, and 
Members of the Committee, I am pleased to appear today to 
discuss the health care industry's experiences in engaging with 
government Agencies relating to cybersecurity regulatory 
harmonization and efforts we believe will provide the greatest 
benefit to industry. I am Dan Nutkis, CEO and founder of the 
Health Information Trust Alliance. HITRUST was founded in 2007 
and endeavored and continues to endeavor to elevate the level 
of information protection in the health care industry and its 
collaborators, especially between industry and government. 
\nWhile I prepared my written statement for the record, in my \ntestimony today I will highlight three areas where \ncybersecurity regulatory harmonization should occur to reduce \nredundancy, unnecessary expense, and delays to better support \nthe private sector in defending against cyber threats, thereby \nimproving cyber resilience and management of cyber risk.\n---------------------------------------------------------------------------\n    \\1\\ The prepared statment of Mr. Nutkis appears in the Appendix on \npage 74.\n---------------------------------------------------------------------------\n    First is the area of information sharing. In 2010, HITRUST \nestablished a mechanism to share Indicators of Compromise \n(IOCs) and other cyber threat information with organizations of \nvarying cyber maturity. HITRUST has led the industry in the \ncollection and distribution of cyber threat information and \ncontinuously evaluates and innovates to support organizations \nin managing their cyber threats.\n    From the beginning, HITRUST participated with the DHS Cyber \nInformation Sharing and Collaboration Program (CISCP). We \noperate the largest and most active Information Sharing and \nAnalysis Organization (ISAO) in health care. We are the first \nhealth care organization to begin sharing bidirectionally with \nthe Department of Homeland Security\'s Automated Indicator \nSharing (AIS) program.\n    It was a surprise to learn that the Department of Health \nand Human Services recently established its healthcare-specific \ncybersecurity and communications center to focus its efforts on \nanalyzing and disseminating cyber threats across the health \ncare industry.\n    There is a significant level of effort required for \norganizations like HITRUST in coordination with its thousands \nof constituents to engage in cyber information sharing programs \nwith government. 
We undertake these efforts because we see the \nvalue in the program and participation with government and \nbelieve we are all operating toward a common goal. More can and \nshould be done to ensure the role of industry and government \nare clearly defined when it comes to information sharing.\n    The second is the area of government as a partner. HITRUST \nvalues its partners and recognizes the burden, responsibility, \nand authority beholden on them to protect the private sector. \nHowever, we should expect in areas where the private sector has \nmade a significant investment in establishing an effective \nprogram or approach, the government would give it due \nconsideration before seeking a government alternative that \nreplicates or devalues industry efforts.\n    For instance, last year, the Health and Public Health \nSector Coordinating Council (SCC) and Government Coordinating \nCouncil (GCC), with input from HITRUST and other sector members \nincluding the DHS Critical Infrastructure Cyber Community, \ndeveloped the Health Sector implementation guide for the NIST \nCybersecurity Framework, specifically referred to as the \n``Healthcare Sector Cybersecurity Framework Implementation \nGuide.\'\' Yet despite the significant public and private effort \nthat went into its publication, HHS is working toward the \ndevelopment of yet another health care-based implementation \nguide of the NIST Cybersecurity Framework despite the broad \nadoption of the existing guidance by private sector \norganizations. We are perplexed as to why HHS would not partner \nwith industry by leveraging programs already in place and \noffering assistance to improve them instead of replicating and \ndismissing the hard work of industry. We would ask that \nCongress require Federal Agencies to give due consideration to \nexisting standards and best practices already in place before \ndeveloping new ones.\n    The third is the area of government as a regulator. 
The \nDepartment of Health and Human Services is responsible for \noverseeing the implementation of the Health Insurance \nPortability and Accountability Act (HIPAA), and the HHS Office \nfor Civil Rights (OCR) is responsible for assessing compliance \nwith and enforcement of the HIPAA Privacy, Security and Breach \nNotification Rules, including issuance of civil and criminal \npenalties.\n    In support of their role, they conduct annual random audits \nthat are designed to enhance industry awareness of compliance \nobligations. We have documented that these random audits are, \nin fact, causing organizations to divert their attention and \nresources from enhancing their information protection programs \nbased on the potential for random audits.\n    We propose that policymakers consider a system whereby \norganizations that can demonstrate a comprehensive information \nsecurity program that complies with the privacy and security \nprovisions of HIPAA can receive some form of safe harbor or \nsimilar relief, and focus HIPAA audits on those organizations \nthat cannot demonstrate their compliance in meeting the \ncriteria.\n    I hope my testimony illuminates areas where individual \nactivities may seem innocuous, but in totality begin to create \nconfusion and concern. I have highlighted where additional \nclarity in regulation and guidance will ensure the private \nsector understands how to best engage with government and also \nthe complex issues that arise when a regulator is partnering \nwith industry.\n    Thank you again for the opportunity to join you today and \nshare these insights. I look forward to your questions.\n    Chairman Johnson. Thank you, Mr. Nutkis.\n    Our final witness is Bo Reese. Mr. Reese currently serves \nas the chief information officer (CIO) for the State of \nOklahoma and vice president of the National Association of \nState Chief Information Officers (NASCIO). Mr. 
Reese has been
in State government for 25 years and was appointed the Oklahoma
State CIO by Governor Mary Fallin in 2014. Prior to this role,
he was CIO and deputy administrator and chief operations
officer at HealthChoice, the State's self-funded health plan.
From 2013 to 2014, Mr. Reese served as the chief operations and
accountability officer at the Office of Management and
Enterprise Services, Information Services. That is a pretty
good mouthful. Mr. Reese.

 TESTIMONY OF JAMES ``BO'' REESE,\1\ VICE PRESIDENT, NATIONAL
  ASSOCIATION OF STATE CHIEF INFORMATION OFFICERS, AND CHIEF
INFORMATION OFFICER, INFORMATION SERVICES, OFFICE OF MANAGEMENT
           AND ENTERPRISE SERVICES, STATE OF OKLAHOMA

    Mr. Reese. Chairman Johnson, Ranking Member McCaskill, and
Members of the Committee, thank you for inviting me to testify
before you today on Federal data security regulations and their
impact to State governments.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Reese appears in the Appendix on
page 79.
---------------------------------------------------------------------------
    My name is Bo Reese, and I serve as the chief information
officer for the State of Oklahoma. I also serve as the vice
president of the National Association of State Chief
Information Officers. All 50 States and 2 territories are
members of NASCIO, and we represent the interests of Governor-
appointed State CIOs who act as the top IT official for State
government.
    Today, I would like to provide the Committee an overview of
how Federal cybersecurity regulations impact our work to
introduce efficiencies and generate savings for State
taxpayers.
I will also touch upon how the complex Federal
regulatory environment is duplicative in nature, contributes to
inconsistent Federal audits, and drives cybersecurity
investments based on compliance and not risk, which is the more
secure approach.
    Based on a 2009 assessment and prior to IT consolidation,
the State of Oklahoma was supporting 76 financial systems, 22
unique time and attendance systems, 17 different imaging
systems, 48 reporting and analytic applications, and 30 data
center locations.
    Over the past 5 years, we have reduced these redundancies,
made large strides in unifying technology, and completed
consolidation of 76 of the 78 mandated State Agencies and more
than 30 voluntary agencies. Consolidation has resulted in $283
million of estimated reduced spending and projected savings.
One of the biggest hurdles in achieving savings through IT
consolidation has been compliance with Federal security
regulations.
    State CIOs and chief information security officers must
comb through thousands of pages of Federal regulations to
ensure that States are in compliance with rules from our
Federal partners, and even though many Federal regulations are
similar in nature in that they aim to protect high-risk
information, they are mostly duplicative and have minor
differences which can obscure the goal of IT consolidation, the
whole point of which is to streamline IT applications and
simplify the enterprise IT environment to produce savings for
taxpayers.
    For example, Internal Revenue Service (IRS) Publication
1075 and the Federal Bureau of Investigation (FBI) both protect
very high risk information, but their password policies vary
enormously. Also, the IRS requires incident notification within
24 hours, but Center for Medicare and Medicaid Services (CMS)
requires notification of a breach without unreasonable delay.
    Additionally, the FBI requires us to keep audit logs for
one year.
The IRS requires us to retain audit records for 7
years.
    Further, duplicative regulations also contribute to
inconsistent Federal audits. State governments are often
audited multiple times by the same Federal agency and have
different audit findings, even though they are auditing the
exact same IT environment. For example, in Oklahoma, the IRS
audited one of the State Agencies twice because it viewed two
programmatic elements of the agency as separate entities. My
office had to answer questions, attend meetings, and deliver
additional explanatory materials twice for one agency because
it is seen as two by the IRS auditors. Additionally, one audit
team had a finding, and the other did not, despite only one IT
environment being the subject of both audits.
    In Louisiana, five State Agencies were assessed by five
different IRS auditors and ended up with five different
outcomes. One agency had 32 findings; another, 27; one had 23;
one had 14; and another had only 11. We have several more
similar examples in our attachment to the written testimony.
    Inconsistent regulations in audits are problematic because
they lead CIOs to make cybersecurity investments based on
compliance and not risk. When Federal data security audits are
conducted and produce findings of a critical nature, State CIOs
must direct their attention and resources to remediating and
addressing those findings to satisfy Federal auditors and avoid
any potential negative impact to citizens. This approach is
problematic for State government cybersecurity because it
encourages State CIOs to make check-the-box compliance
investments instead of ones based on risk, which is the more
secure approach to managing sensitive data.
    We appreciate efforts by the Federal Government to secure
and protect sensitive citizen information because we also share
that responsibility at the State level.
But, we must accomplish
our shared goal without overly burdening State governments,
ensuring that we are delivering government services to citizens
in the most efficient and cost-effective manner. In recognition
of that shared mission and responsibility, we want to work with
our Federal Government partners to harmonize disparate
regulatory requirements and normalize the audit process.
    Thank you for your attention, and I look forward to
answering your questions.
    Chairman Johnson. Thank you, Mr. Reese.
    If we could put that diagram back up on the board, I would
appreciate it.
    I think the witnesses have really laid out through
anecdotal stories the problem here that I think is pretty
obvious and pretty clear. I think the solution is actually
pretty clear as well, but, as a diagram, this is pretty good. I
do not know how long we actually had printers that could print
something this complex. [Laughter.]
    But, Mr. Garfield, you mentioned the fact that there have
been three Executive Orders basically asking the Federal
Government to harmonize the regulation in the space, and you
went on to testify that they have not been implemented.
    First of all, describe why not. I mean, is there any
explanation of why a step that is so obvious, something that is
just so imperative that we do, why has it required three
Executive Orders and those Executive Orders have gone
unimplemented?
    Mr. Garfield. I think in part it is because of the
challenge of putting someone in charge. So, in order to have
the level of coordination that is needed to avoid the kind of
redundancy that we see reflected in that chart, you need
someone who is a center point for coordination.
So, we have a
strategy, which is the NIST framework, around which we can
build, but that strategy has to be driven by a particular
entity or person.
    For example, in the most recent Executive Order, 13800,
from President Trump, he pushes all of the Agencies and
actually requires the Agencies to say what they are doing to
act consistent with the NIST framework. The second part of it
is not asked, and that is, What are the additional regulations
that you are advancing related to cybersecurity? It is one
thing to say you are implementing the NIST framework. It is
another thing to actually do so in a fashion that does not
create replication, redundancy, and complete lack of
coordination.
    So, I think having a center point that is coordinating and
advancing this to avoid duplication is central to helping to
solve for this.
    Chairman Johnson. You are not saying there has been some
bureaucratic infighting in terms of who wants--so let us--I
mean, who should coordinate this? Because in the end, you need
some department, some agency, somebody in the Federal
Government to take charge of this, to be given the
responsibility, to be held accountable to coordinate this
action, to make sure that everybody comes into line so that
the--again, Mr. Reese, I cannot remember how many you said, the
number of different requirements that are required are actually
answered in the same way. Who do you think is the best--and I
will have all of you answer that question. Which agency, which
department of government ought to take control of this? We will
start with you.
    Mr. Feeney. I think for us it is important to keep Treasury
in the role they are in. They are chartered to be our sector-
specific agency through DHS, and that has been very useful.
They sit between both the industry and also the regulators.
They chair the Federal Banking Infrastructure Council (FBIC),
that specifically works with the Federal regulators, plus
others like market regulators. So, in our world, that is the
logical place. They understand us; they know our business. They
understand financial systems and have been a good steward.
    Chairman Johnson. But, again, the problem with that is you
are the financial industry. Then you have the health care
industry over there.
    Mr. Feeney. Right.
    Chairman Johnson. And, now you have different Agencies of
government basically trying to ask the same questions, trying
to do the same type of regulation to ensure cybersecurity. And,
Mr. Nutkis' group's regulators are going to have something
completely different. Is that not the problem, Mr. Nutkis?
    Mr. Nutkis. Well, I think for us there are multiple
problems. I think some of the guidance that is out there puts
DHS squarely in the middle when it comes to cyber information
sharing. So, we did not think we had any ambiguity, which I
testified in March in a similar hearing, which was we were
somewhat confused because we thought the Presidential directive
created the ISAOs and then CISA clarified the role of
government, which the Presidential directive kind of said you
share with government, CISA clarified which part of government
you shared with, so industry started moving down a path to do
that.
    We may see things slightly different. We see HHS as a
regulator. They fine, they enforce. So, sometimes when it comes
to how openly and willingly you want to share with your
regulator makes things a little tough as well. So, I think
there is a role for the regulator in the role that they play,
but as we look at looking for things like standards and how we
apply these, we want them to be applicable across all
industries. They can apply to ours as well.
    I think also health care is not a box.
You have
organizations that make fitness equipment. You have
organizations that have supplements. You have organizations
that deliver care. The lines get fuzzy, so we sometimes find
that they do not work in small boxes.
    Chairman Johnson. So, again, you have the departments, you
have the Agencies regulating different industries, and, again,
that would be appropriate. What we are talking about here is
something over all of those to completely coordinate and
harmonize cybersecurity.
    Mr. Reese, as a State, you are not dealing with just one
Federal agency. You are dealing with a bunch of them. I mean,
industries might be dealing with a limited number. You are
dealing with all of them. Is that not what you are asking for,
give us basically kind of a one-stop shop to go to, to pretty
well dictate--and I hate to say this--within the Federal
Government, this is how you are going to develop--this is the
framework under which you are going to regulate cybersecurity
so we do not have that?
    Mr. Reese. Right, so most of the discussions we have had in
the past have not been so much about who but how. And, as
States, we have an organization like NASCIO where we as States
come together and collaborate on a regular basis, and they help
facilitate opportunities where we can begin conversations. And,
we have begun some conversations with our Federal partners. We
have not made a whole lot of headway, and we certainly are
looking to this group to help champion some real change,
hopefully; but really the how, and I think that is through a
collaborative effort.
We really want to avoid making those kind
of decisions in a vacuum, getting everybody at the table, and
making sure that we are in a collaborative environment where we
are looking across the board at the different industries and
then looking at the impact to States and looking for that true
collaboration and shaping and sculpting something maybe from
the ground up that is more functional and efficient.
    Chairman Johnson. Yes, from the ground up, but it has to
come eventually to a point, to the top of that pyramid where
the decisions are made and things are harmonized. Mr. Garfield,
I will let you have the last word on this.
    Mr. Garfield. Yes, the infrastructure is there, so NIST
develops the standards. You do not want a regulatory body
developing the standards, as Mr. Nutkis pointed out. And so,
the actual strategy, the framework, NIST is there. They are
doing it. They are doing it well.
    Chairman Johnson. But, everybody is going off in different
directions on that.
    Mr. Garfield. Yes.
    Chairman Johnson. So great, you have NIST. But, you still
need somebody to have the power to make sure that everybody is
handling it the same way.
    Mr. Garfield. We also have a cybersecurity coordinator. In
the previous Administration, it was Michael Daniel. Now it is
Mr. Joyce. I think part of what we are encouraging is that that
role or some other role play this part in driving coordination
and avoiding redundancy.
    That does not mean we are getting rid of the Agencies and
their role in cybersecurity. This is multifaceted, and it has
to be dealt with in that way. But, it would be helpful to have
an entity, a person, a group of people coordinating all of the
Agencies, bringing it together, making sure it is working in a
holistic risk management approach.
    Chairman Johnson.
The last point I will make is if it is
just a person in an Administration, that could change every 4
years, or sooner than that. I think we really need to identify
a department--if that is going to be DHS and the NCCIC, we need
to identify that. We need to empower that department so that
there is consistency long term in this. Senator McCaskill.
    Senator McCaskill. Thank you, Mr. Chairman.
    Yes, in fact, the ``I'' in CCIC stands for ``Integration,''
and when we passed the bill, I think we envisioned that DHS
would be the locus of the integration, while NIST provided the
standards. That is why I am so concerned about this effort at
Health and Human Services.
    Mr. Nutkis, when did you learn about the effort at HHS to
essentially duplicate what we were trying to accomplish through
the legislation that we signed into law at the Department of
Homeland Security?
    Mr. Nutkis. I am not exactly sure when I found out, but I
do know I found out through the media. I did not find out
through our partnership with HHS, and it was not that long ago.
    Senator McCaskill. And, are you confident that it is going
to duplicate efforts that are already underway? Is there any
additional benefit you see coming from HHS trying to create its
own entity for integration of cybersecurity policy?
    Mr. Nutkis. I cannot state that there is no value and I am
not sure that I am cognizant of all the potential that--and
what they want to focus on.
I can only talk about what we
understood the rules to be and how the role of industry and the
role of government were supposed to play and now we have
changed the rules.
    The rules were there was supposed to be information sharing
organizations that we established either at a sector level, a
segment level, or a community of interest level to be able to
facilitate information sharing and share with government, and
that provided the organizations to be able to understand which
ones provided the most value. And, we could have sub-
information sharing organizations so that they were value-based
and there was transparency around--as a matter of fact, DHS was
establishing a standard. So, it was not one size fits all, and
you could have a best of breed, so if you felt that you were a
small organization, there was a community of interest for you.
So, those ISAOs were able to innovate.
    What we have now done is say we are just going to--the
government is going to come in and help us, and we are not sure
exactly where the help is needed. There is no question more can
be done. The question is: Did we evaluate what was going on and
where the help is really needed?
    Senator McCaskill. I think this is probably another issue
around this we have to talk about. One of the reasons the
Cybersecurity Act of 2015 is so important is because of the
safe harbor it provides. We are trying to incentivize this
integration so that we can evaluate real risk and real threats.
And, some of the briefings we have had around here in the last
few months, classified briefings, have only tightened my grip
on the sense of urgency that this is a real danger that our
country faces, this threat from cyber warfare.
    Do you have confidence that the safe harbor liability
protections that we put in that act that apply to DHS even
apply to the HHS effort, HCCIC?
    Mr. Nutkis. I only know from reading the CISA Act, like
everybody else.
It is not a listed agency in CISA.
    Senator McCaskill. Right. So, are you all currently sharing
information with HCCIC?
    Mr. Nutkis. We do not. We share information with the NCCIC.
    Senator McCaskill. And, I assume that this is a common view
of people that are regulated by HHS that it is safer and my
understanding is that they want you to share directly without
redacting?
    Mr. Nutkis. I am not aware of the expectations of the
HCCIC. I do know that the expectations of the thousands of
organizations that share with us are that we anonymize the
information before sending it on to DHS and that we also spent
a considerable amount of time having to go back to thousands of
organizations to ask them to provide us with the waiver
necessary for them to do that.
    Senator McCaskill. Have you voiced the concern you have
about a regulator that has the ability to levy fines also being
the point for information sharing? Have you shared that with
HHS?
    Mr. Nutkis. I believe we have.
    Senator McCaskill. And, what was their response?
    Mr. Nutkis. I am not fully sure we ever got an answer.
    Senator McCaskill. Let me talk to you, Mr. Reese. While I
would hope that we would all kind of join hands and try to
force as much integration as possible through the NCCIC,
through the Department of Homeland Security, because of the
efforts we made to codify not only protections for the private
sector but also integration in that locus for cybersecurity
information sharing with the private sector, but maybe the help
that might kind of tell HHS to back off or tell other Agencies
we are going to do integration through NCCIC, we are going to
do standards through NIST, would maybe be the Federal CIO.
Do
you believe that the Federal CIO--it would be important for the
President to nominate a new Federal Chief Information Officer
so that you would have an identified contact that has similar
responsibilities at the Federal level that you have in your
State?
    Mr. Reese. I think that is certainly a very interesting
conversation because that is one of the challenges we certainly
have, is when we are dealing with so many different Agencies
and so many different disparate frameworks and regulations,
where do you contact, who do you contact, who do you call for a
particular one, and that they all overlap. And, when you are
dealing in our environments where we have unified across a
State an entire Executive Branch, we are dealing with public
safety information, health information, IRS information, all
collectively on similar systems. And so, when we have some of
these challenges, we are not even sure who we should be seeking
out guidance from because there is not a single contact. And,
when we often get that guidance, it is usually not something
that is very consistent.
    Senator McCaskill. Well, I certainly would like to join
with the Chairman in a bipartisan effort to contact the
Administration and let them know that not only are we anxious
for them to nominate someone, that we would like to empower
them to be somebody who is identifying the conflicts and
identifying this issue of NCCIC versus HCCIC, and why is this
even happening, because then maybe they would be in a position
that they could throughout the government be a point of contact
to deconflict and help all of these various private sector
entities that are struggling with we want to do the right thing
but we just cannot--we cannot do all of the right things
because they are not even consistent with one another. Maybe
you and I could join----
    Chairman Johnson. I am happy to work with you. In fact, we
have three Executive Orders on this.
It is obviously recognized
as a problem.
    Senator McCaskill. Yes, but we do not have the guy in
charge.
    Chairman Johnson. Right. So, we will work with you on that.
    Senator McCaskill. So, it would be great if we could get
that nomination done, and maybe this would be a letter they
would look at since maybe you would sign it.
    Chairman Johnson. They are looking at all your letters.
[Laughter.] Senator Daines.
    Senator McCaskill. I winked when I said that. I was not
being confrontational to my friend, the Chairman. [Laughter.]

              OPENING STATEMENT OF SENATOR DAINES

    Senator Daines. Thank you, Mr. Chairman, Ranking Member
McCaskill, and thank you all for testifying today about this
critical area of national security. I was struck by the chart.
I thought we were going to be talking about regulations. I did
not know it was about spaghetti today. [Laughter.]
    That is a sobering-looking flow chart. I am not sure you
could use the word ``flow'' with that chart. Let us just say
that redefines complexity.
    Policymakers continue to debate the best approach to
implement cybersecurity standards. Despite Congress' attempt to
get ahead of cyber crimes in 1986--that is going back to
President Reagan's second term--with the Computer Fraud and
Abuse Act, most legislation and regulation in this area has
been in response to a high-profile breach, arguably very
reactionary.
    Over the years, best practices have emerged. They apply
broadly but certainly, as we all know here, it is all about the
details, and the devil is in those details. I spent 12 years in
the cloud computing industry before I came to the Hill. I
understand how important it is for business to guard networks
and sensitive data. And, I do not believe we can mitigate this
threat by burdening companies with more one-size-fits-all
regulations.
If there is something that ought to frighten the
private sector, it is when Congress, who does not really grasp
the details and the challenges, dictates technologies to
industry. Some of our best and brightest in the tech sector
are, I am always a bit nervous with tech mandates. To quote
Senator Mike Mansfield of Montana, he used the words ``Tap 'er
light.'' I think that is appropriate advice as we think about
this. However, we need to encourage and share best practices
and, importantly, punish the criminals and enforce the law.
    The debate over cybersecurity standards typically leads
policymakers to one of two conclusions: first, the Federal
Government should mandate baseline requirements; or voluntary
standards, such as the NIST framework, should be kept for
companies to apply as they see fit. I might argue there is
perhaps a third option. There is an old adage in the private
sector: ``If you aim at nothing, you will hit it.'' Consider
your credit score for a moment, an industry-recognized ranking
system based on quantitative data, so taking something that can
be somewhat complex and qualitative in nature and quantifying
it, your credit score. It enables informed decisions about
risk. A score that ranks an organization's cybersecurity
practices based on empirical data would allow consumers to make
informed decisions. This approach allows the market to decide
and incentivize companies to strive beyond the threshold of
regulatory compliance to become industry leaders in
cybersecurity.
    I know when we were running a cloud computing company, we
hosted in our data centers many Fortune 500 companies. We had,
as is the best practice in the industry, outside groups that
would seek to penetrate our systems here and issue reports to
us, good guys acting like bad guys and telling us what they
found.
That is a very helpful way to think about security, and
I know it is generally a best practice in the industry.
    Mr. Garfield, would you agree that neither purely voluntary
frameworks nor overly specific Federal mandates are the best
approach?
    Mr. Garfield. I think the answer to that is yes. As it
turns out, NIST is engaged in an exercise in updating the
cybersecurity framework where it is looking at metrics and
measurements. To the point you made earlier about ``tap 'er
light,'' I think we have to be thoughtful in the approach that
we take.
    For example, the Fair Isaac Corporation (FICO) score that
you mentioned is fairly straightforwardly quantitative. How we
do that and turn something that is complex, sometimes
spaghetti, into something that is fairly straightforward and
makes sense will require the kind of multi-stakeholder
engagement that you are talking about.
    Senator Daines. The only thing worse than doing nothing is
doing something that drives the wrong behaviors, the wrong
outcomes, certainly, and it will take thoughtful dialogue. And,
I am pretty confident--spending some time with our best and
brightest in the private sector, and as well engaging those in
the Federal Government and State governments--we could come up
with something here that would be a quantitative indicator.
But, it is just an idea to throw out there, something that
would be actionable going forward.
    I want to talk about the Support for Rapid Innovation Act.
This concept for an empirically driven cybersecurity score was
the product of research funded by DHS's Science and Technology
Directorate. Through technology transfer, this investment is
becoming a viable market-based solution that can adapt to
trends in cybersecurity as they emerge.
I believe as a
government we should be investing in forward-looking solutions
like these as precisely the objective of my Support for Rapid
Innovation Act, which would allow DHS to foster and enable
progress rather than impeding it by setting these static
requirements that oftentimes would be obsolete by the time
Congress got around to acting.
    To the panel, the question is: Where is the Federal
Government currently expending resources for negligible
benefit? And, where should it focus its resources as it relates
to cybersecurity? I am throwing that question out to see who
would like to take it first.
    Do not jump all at once.
    Mr. Garfield. Well, I think we have given some examples.
For example, the--and by saying ``negligible,'' I do not mean
to suggest that it is not important. So, whenever there is a
new area of innovation, there is a rush to jump in and
regulate. So, the Internet of Things is one area. As I pointed
out earlier, there are 30 different initiatives aimed at
regulating that. I think there is negligible benefit to
approaching IOT and IOT security in that fashion. And so, I
would say that is one area where resources are being
misdirected. The National Highway Traffic Safety Administration
(NHTSA) is undertaking an effort looking at cybersecurity
solely in the automobile instead of engaging and coordinating
its efforts through NIST, which is advancing an initiative
based on cyber physical systems, and so the very thing that
they are also advancing. And so, I think that effort is also
going to be negligible because the experts are elsewhere and
the likelihood that you are going to be as forthcoming with a
regulator as you would with a scientist I think is misguided,
as some of the other witnesses have pointed out. So, those are
two examples where I think we can streamline and reduce
redundancy.
    Senator Daines. That is very kindly put. Thank you.
    Mr. Feeney.
I think it is good money spent when you fund
NIST, especially relative to some of their innovation work. So,
they are doing considerable work in quantum. For instance, they
are looking at IOT. Both of those are relevant and important.
They will be upon soon, if not already. So, when you can focus
on programs like that, they make real sense for the fuller
marketplace. So, that is where I would spend time and effort.
    We are a little bit unique in that we are working with
independent regulators. They are not subject to the Federal
mandates, if you will. So, our view of it is really
concentrated within the industry. But, innovation is important.
A number of our regulators are working on innovation as well.
    Senator Daines. Thank you. I am out of time. The thoughtful
conversation, I appreciate it. This is a town that has a
culture of rewarding activity and not results, and we have to
get focused back on outcomes here versus checking a box, well,
we did all these things here and think that Members of Congress
are going to nod their head and think they are bluffed. But, I
think we need to focus on the result.
    Thank you, Mr. Chairman.
    Chairman Johnson. Senator Heitkamp, and I do want to thank
you for switching the order here to accommodate Senator Daines.

             OPENING STATEMENT OF SENATOR HEITKAMP

    Senator Heitkamp. You bet. Not a problem.
    I am going to give you another analogy, and one is a bike
lock. When I was in college, you had a chain. It had a little
padlock, right? And, that was enough of a deterrent. And then,
pretty soon people came with wire cutters, and, now we have
titanium locks, and people are taking their bike seat off, and
the bottom line is it is always going to change.
And, if we do
not have a system that is adaptable, if we do not have
communication and adaptability, then all of this means nothing,
I mean, because there is a back door somewhere.
    And so, the innovation that Steve talked so eloquently
about is absolutely critical, staying ahead of where the threat
is and being nimble and being diverse. And, that is the
challenge that I see, which is one size fits all may be the
most dangerous thing we can do, is applying one system to all
of this because, number one, it will tap down innovation, but
it also will create greater vulnerabilities if we are only
doing the same thing over and over again.
    And so, this is an area that I think there is incredible
bipartisan concern, but also a willingness to look at that, and
we can all say that is not where we want to be. And, as a
former State official, I can only say I feel your pain. Back in
the day before we had all of this technology, I was the tax
commissioner--and he nods, and he knows what those IRS audits
are, and rightfully so. They want to protect their information.
There is a lot of great information sharing. We could not do
what we do in terms of enforcement without a relationship with
the IRS. But, a lot of that is box checking. It is not real
security. It is you have the checklist, you go out there, you
ding someone because there is the wrong kind of door as opposed
to what is the actual breach.
    And so, I want to go to what you are seeing in State
government because State government is not as complicated as
this, but it definitely is a laboratory for innovation and a
laboratory for coordination. And, I want to give you a chance,
Mr. Reese, to tell us what you have learned in your role not
just in Oklahoma but your role as heading up the Chief
Information Officers organization and give us the five things
you want us to do.
    Mr. Reese. Fantastic. So, what a great opportunity, right?
Because being a part of NASCIO, we work with all 50 States and
2 territories, and I assure you what we hear across every State
is the same story over and over again. There is overregulation,
there is duplicity, there is inefficiency. We can give multiple
examples where we are making check-the-box decisions instead of
being allowed to work with our Federal partners and make good
business decisions.
    Things like cybersecurity and dealing with these odds is
not just a simple check-the-box type of technology. You have to
look at the opportunities. I have had scenarios where, in
Oklahoma, because for the last 5 years we have been in a state
of flux--we have been going through this consolidation of all
of our IT within the Executive Branch and have made tremendous
strides and have found tremendous savings and efficiencies.
However, we still run up against a lot of hurdles because it
becomes very troublesome trying to align with our Federal
partners who still treat us as if we are siloed. Here I am
working and am incentivized by our Federal partners to
consolidate, but when I go engage with my Federal partners,
they are not consolidated, and they still treat me as if I am
siloed, and, therefore, I end up losing all of my efficiencies
because I have to do these repetitive processes.
    Senator Heitkamp. Right.
    Mr. Reese. I also make these decisions where, if I know I
am working with an agency, and I have great examples of some
aging hardware at an agency that was reaching end of life, and
I knew I had a plan during the consolidation that I was going
to be moving all of that network infrastructure over onto our
on-prem shared solution, and, therefore, would be on a newer
solution. But, when the auditors came in and identified that
hardware was not on their list of approved versions of
hardware, they said no, we have to replace that. We said, wait
a minute. We are going to replace it. We have purchased
extended maintenance on it so we have mitigated the risk, and
we would like to take those dollars and go apply them somewhere
else, say on an application layer security, because we know
that we are also going to be absorbing it later. Did not
matter. We had to check the box. We were forced with making a
decision of spending the money to go ahead and replace a piece
of hardware before we were prepared, before it was even an
appropriate return on investment, and we ended up making that
check-the-box decision instead of getting to make a good
business decision, which is what I was charged to do in this
role, was to go make good business decisions with our Agencies.
Those types of scenarios come up over and over and over.
    Senator Heitkamp. So, if we gave you a place that was
responsive to this, that was an override that was looking at a
broader kind of spectrum of concerns--so let us say in that
case they say go buy this equipment, you go, I am going to take
this to the Council of, You Are Crazy, and I am going to plead
my case that that is not reasonable. I think one of these
things that you get is that when things are siloed here, the
right hand does not know what the left hand is doing. They are
not familiar. They are just like do not confuse me with the
facts and your problems. This is my problem, and I have to make
sure that you have this.
    So, if there were a place, and maybe thinking about this,
if there were a place where you could go or industry could go
to say, no, I am not going to do that, and I do not want to be
dinged for it; I have a logical reason; I am going to appeal
your decision someplace so that you have to be accountable for
the disruption that you are creating that does not make a lot
of sense, because States are very similar in this role to
industry. They are the users. They are the regulated in this
case.
    And so, it seems to me that if we had some place where you
could go to say this is not smart in terms of overall security,
and you did not get forced into this by the time crunch of an
audit or dinged on an audit, that might be helpful.
    Mr. Reese. Absolutely. Timing is such a challenge. The
Oklahoma Tax Commission is a fantastic partner to me and my
organization. They have been great at working with us to find
efficiencies in what we can do together, and we have been able
to achieve some really good things with those folks. But, yet
it comes down to some things that you think would be simple,
but because the technology is ahead of the regulations, we find
ourselves struggling for guidance.
    The Oklahoma Tax Commission recently worked with us on
moving to a hosted voice solution, and in trying to determine
how we deploy and meet all the Federal requirements for the IRS
and others for this solution, we found ourselves struggling
with trying to determine what set of standards do we use. Is it
the voice regulations or is it cloud-based or hosted solution-
type regulations? They do not match. And so, we end up seeking
guidance, and it takes months.
    Senator Heitkamp. I think Mr. Garfield wants to add to
this.
    Mr. Garfield. If I could just add that what Mr. Reese is
saying is so real, and we hear it so often at the State level,
but we also experience and see it at the Federal level as well.
And so, this is a broad-based problem that requires a solution.
    Senator Heitkamp. I just want to make one final point, and
that is about risk taking.
Everybody has a checklist, and they
want to meet that checklist because if something happens, they
want to say, ``I did my job''; as opposed to ``I am part of an
evolving, necessary, very dynamic industry that needs to be
mobile and agile,'' and we need to tolerate to some degree--and
I am not saying that this--but we need to tolerate that this
will not be perfect, and we are going to learn as time goes on.
And so, we need to tell people, ``Do not do things that do not
make sense, and if it did not make sense, we are not going to
ding you if something happens.''
    So, that is part of the problem here, that when you have
enforcement actions, the dinging or the risk taking does not
happen because people are so afraid that they will be held
accountable.
    Mr. Nutkis. Can I add one more thing? Because I think in
industry we have tried to innovate, and I think this has been
the concern that we have had is we have looked at things for
years from risk. We transitioned from compliance-based to risk-
based. We have worked with cyber insurance actually to be able
to understand how risk scores actually work and how we can
develop better frameworks to do this. But, we are driven by a
compliance and a regulatory environment that says, just as you
said, here is the box. But, I would not--I would certainly look
at what industries are doing because there is a lot of work
already in place. In industries, we have been doing it for 10
years. We have thousands upon thousands of organizations, tens
of thousands, that get assessed against this every year, and it
does meet the requirement of HIPAA, but, again, the requirement
here is to manage risk, not to check the box.
    Senator Heitkamp. And, we need to be sending the message to
the people who are reviewing it, because they are box checkers
and they need to be in the risk assessment business. I totally
agree.
    Chairman Johnson. At an earlier hearing on a separate
subject, at the end of Senator Heitkamp's questioning--and I am
paraphrasing. Maybe this is not an exact quote. ``This is
crazy. This is insane.'' I was kind of actually waiting for
that. I think what you are seeing here is we are kind of
working toward what hopefully will be a bipartisan solution and
working together on this. So, thank you, Senator Heitkamp.
Senator Lankford.

             OPENING STATEMENT OF SENATOR LANKFORD

    Senator Lankford. Thank you, Mr. Chairman. And, I thank all
of you for being here. Mr. Reese, good to see you again. Glad
you are here. Thank you for the work that you do in Oklahoma
all the time.
    I want to be able to highlight several things with you
today. One is a point of reference on different Agencies and
entities that you interact with. DHS and the FBI, just to be
able to give you a point of reference for all of the four of
you as well, I just walked out of an Intel hearing that is an
open hearing today dealing with cyber attacks from Russia and
how they are influencing that, and specifically going after
State election systems.
    There is this myth that all of you know well is just a myth
that foreign actors, whether they be North Korea, Iran, Russia,
or China, are interested in hacking into the Pentagon, but they
are really not interested in anyone else. That is completely
false. We have 21 States during the last election time period
that Russians were trying to hack into specific State election
systems. They were not able to get to any of the vote tally
areas or controlling voting machines, but they were able to get
to things like voter registration rolls. And, it raises the
question: If they can get into a voter registration roll, could
they add people? Could they delete people? Could they change
data? Could they complicate the process on election day?
If
they can get to that data, what else could they get to?
    So, you have in front of you the now famous--I should say
``infamous''--email that was sent to a DNC employee named Billy
Rinehart.\1\ Billy never intended to be a national example, but
he suddenly became a national example as an employee of the
DNC. He was on vacation, was in Hawaii, actually, and he opened
up his email and saw this email from Google. And, the email
simply reads, ``Someone just used your password to try to log
into your Google account,'' had his email address there, and
said the location was from the Ukraine. So, it encouraged him
to change his password, which he promptly clicked on that,
changed his password, and went back to bed. What he actually
did was just opened up a portal from Russia into the DNC, and
they began exfiltrating data of large quantities based on that.
Billy was not the only one that clicked on that. There were
others that did from that same email.
---------------------------------------------------------------------------
    \1\ The email submitted by Senator Lankford appears in the Appendix
on page 92.
---------------------------------------------------------------------------
    So, the question is for the Federal Government and for
State governments, it is always the conversation about the
weakest link. And, you have regulators hanging over you asking
you how many connection points, how many possibilities of
logging in. Where is your latest hardware? Have you updated
this router in this place? There is a vulnerability. Do you use
certain software for virus protection? Where does that
information get routed? Has it stayed in the United States? Is
it routed through Russia? All of those basic questions that are
coming at you all the time.
    The issue that we are trying to figure out is how to be
able to give you a consistent voice and where does that even
go.
    Mr.
Reese, your statement before that in the consolidation
that we did in Oklahoma, which was a very real consolidation
where we saved a quarter billion dollars through the work that
you did and the others that are around you did through the work
that happened there, your testimony that the biggest hurdle
that you had was not the consolidation; it was the Federal
Government and the regulations and the multiple answers that
you were trying to get in the multiple audits that are now
coming at you. How do we manage this? This is a real threat.
Ninety-one percent of the hacks that come into our Agencies
come in through a phishing attack just like that. Some employee
clicked it; they now have access. If they now have access to
health care data, to tax data, it is connected by forms to
other places. How do we manage this best? And, do we need a
single point of contact to be able to manage this from a
Federal side, as all of you are doing on the State sides? Or
what is the best way to be able to continue to manage how that
data flows rather than having multiple entities?
    That is a long, rambling question, but somewhat I want to
be able to expose this issue, because I think a lot of
Americans think somehow it is some hack that got into a system.
Most often it looks just like that. That is just how they got
into the system.
    Mr. Reese, do you want to try to attack my rambling
question?
    Mr. Reese. Absolutely. So, to be able to manage these types
of scenarios, which we see every day, when we tackle this one,
there will be another one tomorrow, right? That takes a
tremendous amount of resources. Today we find ourselves--
training and awareness is in the forefront of how we protect a
State. We have 33,000-plus employees statewide that have access
to some degree or level to secure State information. And so,
obviously things like this are very difficult because it is
about end-user awareness and training, and all the systems we
have put in place may not be able to protect us from this.
    However, being able to commit those resources and the team
that we have and being able to manage the staffing, that is a
huge challenge to manage, to actually retain staff, the talent
we need in Oklahoma to do this.
    Now, NASCIO, polling all 50 States, finds on average the
State CIO's office for each State has anywhere from 5 to 15
cybersecurity analysts full-time. That is not a very deep
bench. And, where we are constantly struggling to be able to
train and retain these folks and trying not to lose them to
private industry for sometimes better, higher-paying jobs, we
also find that they get very frustrated because when they are
working within the State government, they are working with all
the different Federal Agencies that we touch. We find this
scenario kind of like a well-trained physician who has gone to
school for many years and practiced and wants to go heal
people, and he finds himself in a practice where he is being
told, ``Just put a Band-aid on it and move on. You do not have
time to treat the illness. You have to just put a Band-aid on
it.''
    Our cybersecurity folks feel like that is what they are
being told, ``Put a Band-aid on it. Check the box. Move on.''
There are too many things behind this to worry about, so they
cannot go focus on the true issues. They cannot go out and find
the next innovative solutions, look at the tools that are
available to them, or develop the tools that are necessary in
many cases to protect the way we know we could. And, that is
kind of the struggle we have, which is----
    Senator Lankford. So, how do we fix that?
    Mr. Reese. So, I think we have to simplify the
communication, first off, like you said. I can just only
imagine the man-hours that could be saved within a State if we
were to simplify these regulatory challenges we have. I could
focus these folks more on these types of issues and less on just
doing audits alone.
    Some great examples we have, like the State of Maine
documented last year they spent over 11,000 hours in audits.
These are the same folks that are trying to address these
problems. Eleven thousand hours were spent on audits, working
with six Federal Agencies and trying to review over 1,000 pages
of regulatory compliance. They could do some pretty amazing
things if those man-hours could have been truly focused on
forward-thinking solutions rather than just trying to check the
box and appease----
    Senator Lankford. Filling out paperwork, trying to track
down answers to someone's questions, yet another audit from yet
another agency, multiply the audit that just came 6 months ago
from somebody else, and on and on.
    Mr. Reese. Exactly.
    Senator Lankford. Let me make just a quick comment, and
then let me get this back to the Chair. I can assure you the
Russians were probing our systems in 2016. They are actively
pursuing what they are going to do for 2018 elections. Each
State manages their State's integrity of their voting systems
and what happens there. I know you are all actively involved in
that. But, if they are able to engage in any State election
system, alter any data or exfiltrate any data in 2018, I cannot
imagine the pressure both on that State and on the Federal
Government to be able to explain when we had 2 years of
warning.
    So, that is all something you are all aware of. That is
nothing new to any of you. You deal with those issues all the
time.
But, it is something that we have to pay attention to
here, and I know you are paying attention to, and I appreciate
what you are doing to be able to protect the integrity of the
systems and a lot of very personal data that our systems have.
    Chairman Johnson. Thank you, Senator Lankford.
    I will also point out, just pay attention to the trial in
Montenegro about what Russia did, basically a coup attempt
prior to their election. So, this is not something unusual or
they just do in America. They are attacking countries across
the world. Senator Peters.

              OPENING STATEMENT OF SENATOR PETERS

    Senator Peters. Well, thank you, Mr. Chairman, and I will
concur with that last comment. I just came back from Lithuania
and Latvia, which are also subjected to constant attacks from
the Russians as well, and very concerned about their security,
and being right on the border with Russia puts them at
significant risk. This is something we have to grapple with in
a broad-based way, and I appreciate this hearing. And, I
certainly appreciate each of the folks who have testified
today. I think without question cyber is the most significant
national security risk that we face, and the fact that we are
coming together to figure out how to do this in a more
effective way is incredibly important.
    But, I want to focus on one particular industry that I have
been actively engaged with, will continue to be actively
engaged with as a Senator from Michigan, and it is the auto
industry. Perhaps the most transformative new technology that
is coming down the pike that will be every bit as big if not
bigger as when the first car came off of the assembly line, and
that is autonomous vehicles, which will be changing how we
think about mobility. It is going to offer some incredible
promises in terms of safety. We can eliminate most auto
accidents, and at a time when 40,000 people die on our highways
every year, that is a big deal, in addition to all of the other
injuries that occur. You will be able to change the way
vehicles are out on the road as far as spacing, as well as how
we organize our communities, all of those wonderful things.
But, by the same token, all these vehicles are going to be
connected to each other, and it only works with vehicle-to-
vehicle technologies, where a Ford is speaking to a Toyota and
a Toyota is speaking to a Nissan and then a GM, and the
infrastructure will be talking to these vehicles as well. We
will have bridges that will tell our cars that they are icing
over, and the cars will automatically respond to that
incredibly important and exciting technology.
    But, with a shift in technology, we also have to make sure
our policies are keeping up with that and, in particular, when
it comes to cyber. As I have often said, it is one thing for
someone to break into your bank account and steal your money.
You are pretty angry about that. If someone breaks into your
car and drives you into a wall, that is existential. That is
considerably worse. So, we have to make sure we are hardening
these systems.
    SAE International, a standards development organization for
engineering professionals, has begun to promulgate some basic
standards for the automobile industry, such as taxonomy and
definitions that currently have been serving as a basis for
Federal AV guidance. In fact, I am working on legislation now
with Senator Thune to deal with some AV guidance issues as
well.
    But, Mr. Feeney, I am going to start with you. For the auto
industry, even a small number of conflicting or duplicative
regulations would obviously significantly impact AV technology
development. To maintain the current pace of innovation, what
are your thoughts on the role of voluntary risk-based
guidelines as a technical basis for future AV cybersecurity
standards?
    Mr. Feeney. Right. Thank you for that question. I think it
is critical. I have been a control owner, if you will, in cloud
operations. I have been a CIO, and now I am doing more work on
the policy and governance side. And, what I find is that the
closer you get to a framework--we happen to like NIST, and we
actually think about it in a customized way. It incorporates
risk, it incorporates judgment, it incorporates flexibility to
adapt, which is something that is critical in the space you
just described, and it will adapt fast. It allows you to be
nimble.
    So, I think if you set standards, you adopt them ahead of
time, you build in by design the approach you want to take
versus bolting it on later, that is a critical aspect of
getting it right. It will never be 100 percent right. We
mentioned some of the things that go on in this space. It is a
dynamic threat environment from the external side. But, you
have to have those bases in place in order to accomplish what
you are looking to do, and I think that is an appropriate and
probably best practices way to go about it.
    Senator Peters. Any thoughts?
    Mr. Nutkis. Yes, I would agree with that. So, from our
perspective, we certainly develop and are based on risk-based.
Because we saw the whole threat landscaping and our previous
iterations were based on our breach data and how we looked at
the threat based on a retrospective, we actually went
prospective now to say that we are going to look at the
emerging threats and actually build those into our framework so
the framework becomes more threat-based, even risk-based.
So,
based on the threats that we see emerging, the framework
actually evolves.
    The one caution I would make is understanding how you
measure the effectiveness of the framework and then also
transparency. Just because you have a framework, how do you
ensure that they are actually complying with it effectively?
And then, when one person looks at it, just as we heard from
Mr. Reese, you could have 14 audits using the exact same set of
guidance and get 14 different results. So, ensuring that
everybody knows how to do that.
    Senator Peters. Mr. Garfield.
    Mr. Garfield. Yes, I think the example that you just gave
speaks to the convergence that is taking place in our world,
but also the lack of convergence that is taking place on the
policy side. And so, that is why standards are so important,
because they speak to and accomplish all of the things that the
other witnesses have pointed to. But, as well, the oversight
both from the Congressional level but a central point in the
Executive Branch where we can avoid these redundancies on top
of that broader strategy and that flexible framework is
absolutely essential and important as well.
    Senator Peters. Mr. Reese.
    Mr. Reese. So, in Oklahoma, from a State perspective, when
we look at things such as autonomous vehicles, you start
looking at from a State perspective the intelligent
transportation systems, we work very closely with our Oklahoma
Department of Transportation, and we have done a great job
focusing on where we can help them with financial systems and
administrative systems alike. And, when we get into things that
are really specific niche areas, such as intelligent
transportation systems and how they manage and share those, the
challenges we get into when we sit down at the table and we
start talking about how we are going to leverage the State's
infrastructure or how we are going to leverage the State's
cybersecurity efforts and the things that our security
information officer has put in place to protect all of these
systems, they start feeling challenges and pushback from their
Federal partners who tell them, ``No, no, no, no, no. When it
comes to intelligent transportation systems, you are basing a
lot of that infrastructure and building it out on Federal
dollars.'' And, their Federal partners are telling them if that
control in any way shifts to a centralized IT office, such as
the CIO's office, they are going to lose funding. And, that is
truly the mind-set that a lot of Agencies have because they are
basing that on past audit experiences they have had, from
third-party auditors that came in, and they are making the
determinations and setting that example of how those Agencies
now interpret what they should be doing and how they should be
engaging with my office and moving forward, and often, without
proper guidance and being able to get questions answered
timely, we end up using the most restrictive interpretation of
the Federal guidelines and it costs us more money, and it slows
us down.
    Senator Peters. All right. Well, thank you for your
thoughtful responses from all of you. I appreciate it.
    Chairman Johnson. Thank you, Senator Peters.
    I want to thank all of our witnesses. Normally, I say this
before the hearing, but we had the business meeting. But, I
talk to the witnesses, and I say the purpose of this hearing,
of every hearing, literally is to lay out a reality, to define
the problem so that you can find areas of agreement, to work
toward a bipartisan solution. I think you saw that is exactly
what happened here today. I want to thank all the Committee
Members, Senator Peters, my Ranking Member--who is at a Finance
Committee hearing. We are juggling a lot of balls here. But, I
think what you have witnessed here is by laying out a reality,
by defining the problem, by looking for areas of agreement, I
think this is an important hearing. I will encourage everybody
to take a look at your thoughtful testimony, which is in far
greater detail than what you were able to provide just in terms
of your verbal testimony. We have really described the problem
in a way that we can all take a look at what the solution needs
to be. And, it is about harmonizing. It is about integrating.
    And so, I am looking forward to working with my colleagues
that were here and asked great questions, and let us write a
piece of legislation. Working with the witnesses, working with
your groups, let us get that central point within government so
we can streamline this, so that we can certainly take the
burden off of States, the health care industry, the financial
industry, every industry, so that we can secure our cyber
assets. This is an enormous threat. We have to recognize that.
But, again, that is what this hearing really pointed out. So,
again, I just want to thank all of our witnesses for your
written testimony, your thoughtful answers to our questions,
and your verbal testimony.
    With that, the hearing record will remain open for 15 days
until July 6th at 5 p.m. for the submission of statements and
questions for the record.
This hearing is adjourned.
    [Whereupon, at 11:51 a.m., the Committee was adjourned.]

                            A P P E N D I X

                              ----------

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
</pre></body></html>