The continuous diagnostics and Mitigation Program and what im going to talk to you today about is the importance of the cdm program continuous diagnostics and mitigation for federal cybersecurity. I want to set the stage in regards to where the cdm program originated around 2012. Many of these types of headlines were occurring and we see those today, as well. They continue to try to perform reconnaissance on our Government Networks, try to get to our Mission Critical and sensitive data. Really the importance of cdm is to help agencies combat that. What we want to do is help agencies and get in front of the adversary, get in front of the threat. And so, what we have done in the federal government, started out at dod with the cybersecurity architecture review there and now dodcar and we have it in the civilian side. The dotgov review and what this effort is about is to take a look at our government systems, Government Networks to understand how the adversary is looking at them. To understand how the adversary is attempting to perform reconnaissance on the networks. Exploit vulnerabilities to the networks and be able to escalate privileges to move up through the Network Stack and get to more sensitive data. What the govcar eft is doing is an agile fashion taking a look at the different parts of the network in a spin fashion so starting out looking at the Network Perimeters and getting from the benefits of the Nation National cybersecurity and with the next spin looking at the Typical Office automation network. Going out to the cloud. Looking at the agency data center. And then one of the more recent spins is the mobile architecture. What theyre trying to see is what are the technique that is oured isser have shares are using to get on to the networks . What are they seeing when theyre doing reconnaissance on the network to enable them to get into the systems . So what this allows us to do is to take a look at the safeguards we have in place to determine how effective they are and also look at additional safeguards that might have better return on investment, might have a better capabilities to combat the adversary. One of the key findings of the Cyber Security okay tech chur reviews is one of the most important things to do is really quite basic and what cdm helped the agencies with in these four areas. Helping the agencies understand what is on their network both from a hardware standpoint and software standpoint. If you dont know whats on your network you dont know how to protect it and our adversaries probably know our networks better than we do in many cases. We are working to get better at that. We also want to help agencies understand their vulnerability posture because if they know how its patching sickles are going its better at keeping the adversary off the network. Configuring the system, making sure to get the most important configurations in place to keep the adversary from exploiting some basic misconfigurations to get in on the system. And one of the most important things is to ensure that you understand who your users are, who has credentials to your network and Privileged Access to the most sensitive systems and thats really what cdm to this point is focused on. Many of you may be familiar with this ven diagram but the first two areas we started out are in the red, Asset Management. Again, helping agencies understand what is on their network. We then moved on and are continuing to work with the agencies who is on their network. Understanding who has access to the network, who the privileged users are and so those two efforts have been really important really critical to epg the agencies getting in front of the adversary, get this basic understanding of what their networks look like and get the processes in place to ensure their systems remain patched and properly configured. We have since widened out and ill talk a little bit, the circle surrounding the ven diagram is the dashboard. We have since expanded out from Asset Management and identity and Access Management to Network Security management. We are working to help agencies understand what their perimeters look like, what data they have in the cloud, what they have in regards to mobile devices. And ill talk a little bit more about that here shortly and then we are also working with the agencies starting to work with the high value asset system owners to ensure they have the proper protections in place around their most Mission Critical data. Thats what our Data Protection management efforts are. What we to ensure data is properly encrypted that the right people have access to it and the people who shouldnt have access to it are kept away from it. So i mentioned the dashboard. Our dashboard architecture is pretty straight foord. Its a stack. We call it the abcd operational view or architecture. The idea here is that we are working with agencies to deploy sensors out through their networks so that they get that better understanding of what the network looks like, who their users are. Thats the a layer. We take that data, feed it up to the b layer, integration layer. We want to make sure we can normalize that data, standardize and and report on it to utilize that data. That feeds up from the b layer to the c layer, the Agency Dashboard. Today, with the cfo agencies, cabinetlevel agencies by and large, Agency Dashboards are in place to gather that data. We have mechanisms for the agencies to run reports against the data down to individual assets, two particular vulnerability. From that c layer we summarize that data up to the federal dashboard so that the federal leadership gets a summarized view of what the federal landscape looks like in terms of assets, vulnerabilities, configuration, posture, ultimately users as we bring that data on. So this is the cdm architecture. Ill talk more about our direction here on that shortly. Coming back to this slide, one thing weve been really focused on this year, heading into 20 and beyond is operationalizing cdm. To this point weve been working to get the capabilities, the processes out to the agencies so they get the better view of their networks, the better understanding of who their users are. Now that were getting that data, we want them to be able to utilize that data and to utilize it to help understand their risk and better manage their risk, better understand their security posture. So the first thing here i want to point out is with the dashboard architecture, we have over 50 agencies connecting up through the federal dashboard. Now to be open and transparent, one of the key things weve been working on in fy19 and well continue to work on going into fy20 is to ensure that that data flow throughout that infrastructure is good, that the data coming to the sensors has good consistency to the federal dashboard and that the timeliness is there. So if an agency is being held to account on a particular vulnerability and if they patched it over the weekend that that is reflected properly in the federal dashboard. We want to measure against the most current data. So, more to come on that. But we have made Great Strides in getting that dashboard and that Data Architecture in place. Beyond the cfo agencies, 23 civilian cfo act agencies, weve also been working with the noncfo act agencies. Were working with 74 of those agencies, about 50, 55 we have memory dumbs of agreement in place to begin to get sensors out to the environment. And then were working with many of them through our cloudbased shared service platform, a cloud where we get the sensors out for their small and microagencies and feed that data rather than into individual dashboards at their sites, feed it up into a cloud where each agency has their own multitenant dashboard. Its been a great accomplishment for the program in terms of for the first time were getting near realtime visibility of the smaller microagencies and helping them get the capabilities they need to protect their Critical Mission systems. One of the early wins for the program, once we were getting automated discovery capabilities out to the network, we were able to see, on average, across the federal government that there were 75 more assets than what were being reported manually. So, from that measurement, we want to continue to build on that. Now we have all of this vulnerability information, feeding up to the Agency Dashboard, summarized up to the federal dashboard, Configuration Information and then ultimately the user and privilege user information. We want to be able to start giving agencies a way to measure their security posititure, to better measure their risk so that they can better manage it. Thats where more to come on this, but weve been working on the aware scoring algorithm. The purpose here is to give agencies a way to measure their overall security posture. Were going to be coming out with more information on that as we head into october. Were starting that rollout. Today, weve got, i think it is, 31 agencies that we have aware scores for. Again, part that have data consistency effort, we want to make sure that that data being reported and being measured is good from sensor up to dashboard. Thats the effort under way right now. Finally, key for the program is partnerships, both for the agencies but also with industry. We have an approved Products List that we work with the agencies and with our System Integrators to look at the tools that are going to be part of the difference cdm solutions at the agencies, and thats what the approved Products List or apl represents. Originally, we had a pretty stacked process. So it was more difficult for vendors to submit their product, have them assessed and added to the apl. Weve really worked in the program to take Lessons Learned from our prior efforts and continually improve the program. Weve worked with our partner, gsa, to expand out how the apl process works, to be able to enable vendors to submit their product to us on a monthly basis and to have that quick turn around so that the vendors know whether or not their product got added or if it didnt get added what they need to do to get it considered. What the apl represents is really not an Underwriters Laboratory testing effort. Its simply looking at products against the cdm capabilities and the criteria, but we also have other criteria, including supply chain. The vendors we ask need to know what their supply chain is for their code, for their hardware, et cetera. Thats what the apl is. Weve expanded that. When the new efforts started we were around 140,000. So, just within a year, weve added close to a little over 100,000 new products and then really expanded out the ability for different manufacturers to submit to the apl. So, those are some of our current metrics. Again, we are in the process of operationalizing the data feeding up through the dashboard. The other thing we really want to do is expand out the benefits of the dashboard to the agencies. Taking Lessons Learned from the original efforts with the program. We wanted to ensure that the agencies could access their data more, do more with that data, get better performance, better scaleability across the larger fed rated agencies. We awarded back in may our new dashboard contract. It increases scaleability throughout the fed rate efedera agencies. Were able to bring in an unlimited number of officers to scale horizontally and vertically. We improved the performance of the dashboard with the new architecture. And then really looking to expand out flexibility of what the agencies have access to with their data as well as the ability to bring in innovation. And how thats going to work can be seen in this diagram. Again, recall the a, b, c, d architecture. We can bring in any number of new sensors and data sources. One thing we focused the program on is on requirements rather than on specific tools. So as long as agencies have tools that meet requirements, we can get that data, feed it up through the stack for reporting purposes. Again, we feed it up into the integration layer but then were going to have the ability to do more from a scale perspective as well as performance perspective at that b layer. And then we can bring in additional technologies, additional innovations. So were going to, out of the gate, have better visualization of the data for the agencies but were also looking to bring in better analytics, Business Intelligence as well as ultimately Machine Learning capabilities, being able to apply that to the data so that the agencies are getting maximum benefit from their Cyber Security data. Thats all at the c layer. Again, continuing to do some risk calculations, some risk scoring, feeding that up with the summary data to the federal dashboard level. Again, were bringing in a lot of that new technology, new innovation there as well to really maximize the value of the data at the federal level. And then being able to orchestrate that across the federal landscape. So, what are our priorities Going Forward . I mentioned the operational organization, the data consistency efforts to ensure from a through d that we have good data flows and the data is good and timely. We are currently in 19 and all of these things on this slide will carry over into 20 and beyond. We want to help fill any remaining gaps for the agencies as far as their assets are concerned and their identity and Access Management is concerned. We want to help agencies get full understand iing of all the privilege users so were still finishing out those efforts this year, we began efforts across all of the cfo act agencies, cabinetlevel agencies to discover what their perimeters look like, also to get a better understanding of what they have out in the cloud, so we know who the Service Providers are that theyre working with, what the different environments look like, whether they be infrastructure, platform or software. Also down on the lower row were working to understand what the agencies have as far as Enterprise Mobility management is concerned. So, working, and ill talk about this here in a moment, working to be able to align with an existing system that an agency has and pull data in for their reporting purposes. Weve begun pilots in a few highvalue asset environments. Again, these are Mission Critical systems in the civilian side, on the. Gov side, what type ofs of technology are need, data loss prevention, more advanced threat capabilities sitting in front of those highvalue assets. Those efforts are under way. And then with each of the task orders that we have in place for the groups across the agencies, we have different what we call request for service. For some of the agencies today, were working on a Network Access control effort. For other agencies were working for towards ongoing assessment of utilizing the Asset Management control, starting to automate a lot of the control assessments that r done manually today. Were working with an agency on Incident Response ork administratio orchestration and that data can feed up to the Coordination Center at the federal level so that incident information is shared across all of those levels and they can better track all of those incidents. Those efforts will carry into fy20. Then what were also adding in fy20 is the new dbd effort. We have proof of concept under way in the lab of the new dbd environment, the new dbd ecosystem starting in the First Quarter of fy20 in the october, november timeframe, were going to begin bringing that technology out to a handful of agencies to implement the dashboard ecosystem and really expand out what theyre able to do with their dashboard data. Were also now that we have a better understanding of what the Enterprise MobilityManagement Systems look like in the agencies, well be aligning with those, looking at the open data standards to bring in the mobile asset information into the Agency Dashboard so that the agencies have a better understanding of what they have out in the environment for mobility. With the information we have for the cloud discovery, were working with our partners within the Cyber Security division as well as with the agencies and our System Integrators to determine the right way forward for cloud security. So weve been conducting a pilot with Small Business administration to look at what we can do for reporting purposes of the data they have out in the azure cloud, being able to see what we can do with the partner with microsoft in terms of reporting and really be able to utilize as much as possible the reporting coming from the csp as well as seeing what else is needed, perhaps, to ensure that agencies have full understanding of how their data is protected in the cloud. Fin finally, we want to expand out what we do with the highvalue assets. We want to really focus on the tier one of highvalue assets, most critical, and ensure were helping get the proper protections in place for the data on those systems. So, thats the way forward for the program. I just want to conclude with the values for the program, leadership, partnership and accountability. We want to continue to lean in. We want to remain open to innovation. We want to remain flexible as the threat changes, as Technology Changes to be able to bring those the Technology Changes to the problem, to get in front of the adversary, get in front of the threat. From a partnership standpoint, partnership is really the core of our program. We had the partnerships with gsa at the beginning to get the acquisitions in place and they continue to partner with us Going Forward. Partnerships with all of the agencies to really help understand their networks better and to get them the capabilities to really help them better manage their risk. Partnerships with industry, with the system integrative community, the vendor community. If these partnerships dont work, cdm doesnt work. We really work to help these partnerships flourish and will continue to do so. Finally, from an accountability standpoint, were entrusted with taxpayer dollars. We want to ensure were using those dollars properly, efficiently, effectively. We want to be able to measure the work that were doing and show that were providing value to the agencies. We also want to help the agencies better understand their risk and better manage their risk so that they can work to ensure accountability across all of their systems. So, with that, ill open up the floor. We have a couple minutes for any questions. And then this is the Contact Information for the program. And so any questions from anybody . Yes, sir . [ inaudible question ] so the original okay. You get to see me instead. Original nomenclature was phases, four capability areas, Asset Management, Network Security management, Data Protection management. Data Protection Management is what we would call phase four. Thats what were undertaking with the pilots right now. Weve got three highvalue assets were piloting with, were bringing two additional customers on with that. So based on those pilots, were then expanding out the efforts in fy20 for the Data Protection efforts. Some of that is under way right now. The question is, is there any way to get your companys product into or for consideration in the pilot . I think what we typically do is want to make sure that the product is in the approved Products List and so you can see me after and i can get you that information. And then its working with the System Integrators in terms of what the product will bring to bear to the problem. Good . Okay. Thank you. Any other questions . Okay. If not, i thank you for your time. Appreciate your efforts in terms of better understanding the program and were looking forward to continuing to support the agencies Going Forward and ill be around for a few minutes if you have any questions. Thank you. [ applause ] our coverage of the Cyber Security policy forum here in washington will continue at 1 30 eastern with the lunch key note address by major dennis krall. Later today, Cyber Security and ceos from the justice department, Defense Department and Homeland Security and the export import bank. Meantime, a portion of the event from earlier today. Thank you, everybody