
Special thanks for this lunch sponsorship, and thank you for seven years of their sponsorship and support, which has been greatly, really a key reason for us being able to host this forum free for the government and military, and to be able to do this now for the 10th year. So thank you very much. I want to also direct your attention to your seats. There are flyers that describe next year's event, September 8th and 9th at the Marriott. For corporate executives that are interested, there is a series of quarterly leadership meetings. We're in the third year of that. If you look at the flip side, you'll see the corporate members include Cisco, AWS, Raytheon, HP, Google Cloud and others. If you're interested in that, let us know. I'd also like to recognize and express our appreciation for the Advisory Board members. I'll list those once again, as they've been very helpful: Brett Scarborough from Raytheon, Dan Prieto from Google Cloud, General Gregg Touhill, Brad Maderi, Matt Berry, Dave Leavy, Mark Ker, and Shawn Love. If we could give them a round of applause, please. So just a couple of logistical announcements. I'm trying to keep us on time. (ISC)², if you're a member of that, you can get credit by going to the registration desk and giving them your member number, please, and they can give you a print certificate or they can send you a digital certificate. If you're an ISACA member, I gather you have to go to the ISACA portal to register for continuing education. We're delighted to partner with them to offer continuing education credit for those of you who would like it. This is a very full and exciting afternoon. I'm very excited about it. We'll have a keynote from General Crall, who will be introduced shortly. We then will have a number of panels, and we'll conclude with keynotes from the ego u uno and others. We have a full day ahead.
And we'll then have a number of awards at the end of the day, and I'm honored that we'll be giving a Lifetime Achievement Award. I'm announcing this now, to General Mike Hayden, who will also give final remarks to our audience, and I'm honored by that. So with that said, I'd like to now introduce Gregg Potter. He's the corporate lead executive at Fort Meade and Aberdeen. He'll be introducing the lunch keynote speaker. Gregg. Thank you very much. Thanks, Tom. And thanks to Billington for putting on such a great conference. It's my honor and pleasure this afternoon to introduce the keynote speaker for this afternoon. He's the Deputy Principal and senior military adviser for cybersecurity. He is a career aviation command and control officer who has commanded at the squadron and deeper levels. He has a deep cyber and information operations background, where he was the chief of the joint operation at Central Command as well as the deputy chief of their information operations center. He was the branch chief for strategic plans for information operations at U.S. Special Operations Command. If you would, please give a warm welcome to Major General Dennis Crall. Well, being introduced with music and applause before I speak is interesting. You might want to hold that. Maybe we'll earn some of that together. It's my pleasure to have a few minutes to chat with you this afternoon. And I'd like to split my time here to get done framing a conversation and then being available to take your questions. So I want you to... I'm your afternoon caffeine. You've just had lunch. I've got enough excitement for both of us, for all of us here. What I'd like for you to do is to take the conversation up a notch, and we're going to talk about war fighting for my quick portion of it. And we're going to think strategically, and the slide that's in front of you... my staff is embarrassed about my slide. I built this slide myself, and it probably shows.
That's about as many words as I want to cover in a framing document, and I want us to think the way that the department thinks and breaks down our war fighting mission in this very critical domain. I'm going to use the language that comes from our National Defense Strategy and the Cyber Strategy that flowed from that in 2018. This is language that our former Secretary of Defense used very clearly about lethality, partnership and reform. It's a great lens by which to look through cyber and a few other quick items we'll talk about. But I need you to remember something when we have this conversation. There are a couple of caveats. Every one of these framing ideas doesn't exist unto itself. This is all about outcomes. You've got to make sure we pause and think about what it is we're doing, why we're doing it, and if it lends itself to the ultimate mission, the reason we're doing it. Which means there have got to be pause points in execution to make sure that we're still on track. Technology changes. We all know at a rapid rate. It's easy to chase technology and not the mission. It's easy to stay focused on antiquity and not adopt modernization. There has to be a level of balance. We do it within a government system of funding, which drives a lot of this, which at times is a bit episodic. The challenge is balancing those three tendencies but not forgetting this is all about outcomes and driving to an end state. What makes this different in our approach that we're looking at possibly this year than previous years is the right emphasis and weight to what we call persistent engagement. The items that I'll talk about, especially under lethality, really lend themselves to thinking about: is this something we're doing episodically, is it steady state, or is this fits and starts, which means you lose momentum and don't have the ability for proper exploitation of success?
These are all principles that we talk about in every other domain, yet we somehow shy away from them in this one, and it's just as applicable in order to seize that advantage and to maintain the advantage throughout operations. The other piece is we talk a lot about operations in a contested environment. And I'll be honest. I'm not sure that we are as practiced as we need to be to be successful given the threats we believe we're going to face. Now, I'm fully aware that there are those who believe we've given our... I'll also tell you that there are times, because we really believe that we can fight through certain things but are not well rehearsed, that we may be in for a rude awakening if we're not practiced and postured to succeed. So think about what an information contest would look like: thin lines, red lines, low bandwidth. The ability to prioritize information at the need of speed. What are the minimum elements a commander needs to fight? If those have not been defined, it would be difficult to figure out how you're going to employ that on a battlefield when you realize that it's at that time, under this crucible of challenge, that you're not going to have a pause point; the fog of war creeps in and everything becomes more difficult. These have to be practiced. And you have to understand what it means to your perfectly rehearsed plan when you do that in garrison, what it means to meet that plan on a battlefield. A famous boxer once said about his competition that every man has a plan until I punch him in the face. Right? You think about that. We all plan and we think about what it's going to be like, and then we meet the crucible of contest, and we've got to be ready for what that looks like. When we talk about these principles, they're not esoteric. They're there to be practiced, vetted, rehearsed, challenged, improved and implemented with confidence. That's where we need to be. Let's talk about these things under lethality first.
Three sub-areas are important in the way I look at defining them. The first one would be the idea of authorities. We've got to have the right authorities to operate in the space. And it doesn't matter what kind of activity we're talking about, whether we're operating networks, talking about a more IT-centric role, whether we're talking about defense, or offensive operations. They require the requisite authorities in order to move at pace. This persistent engagement means the authorities need to be deep enough to characterize the battlefield as well, not to simply execute. You've got to anticipate in that authority realm that these things would be in plans. Not sprinkled in after, but forethought built in, planned for, and tested, as I've mentioned earlier. I'll be honest with you, we've had a lot of help, and I mean that in a good way, from the administration and from Congress in this area. They have loaded us up with authorities that we haven't had before. It's important that we utilize them, and that we line up a couple of other items that go along with that. So authorities would be one idea of that triad that you have to think about, but two others have to be lined up concurrent with that. The other one is process. You've got to have a process in place that takes advantage of the authorities that we're given. If the process isn't repeatable, if it's mired in quagmire, the idea of constant uphill battles and fights. I'm not saying we shouldn't share information with other parties. The point is the process has to lend itself to a successful and timely outcome, not for a process that exists unto itself. Anyone who has worked in the Pentagon personally and seen the Pentagon process up front knows exactly what I'm talking about. Secretary Mattis used to have a phrase, back when I worked for him as General Mattis, that when good people meet bad process, bad process wins.
Bad process can take the most energetic, forcible, excited individual and crush them through a series of things that don't lead to an outcome. These are areas: taking advantage of the authorities we're given and working on new ones, looking at this process inside and outside the building to execute operations in a timely manner, and the last piece of this three-legged stool is the idea of capabilities. We've got to make sure that we have the trained workforce and the equipment to perform the mission at hand. We've taken a hard look at this workforce. And in some cases, I think we've taken it maybe for granted that the workforce will be available. The amount of training that's required. The recruitment. The competition that we're under to retain individuals, given there are a lot of walks of life that people can go do. Looking at models that lend themselves to attracting and retaining the best and brightest for our mission is critical to what we do. Also the capabilities in terms of the tools we have to employ; these are critical as well. We've got to make sure that we employ cutting edge technology. We've got to make sure that when we start looking at ways we can take advantage, that we do so in a timely manner, and that we're not looking at old technology delivered too late. There's a quadrant that I have. It's a mythical quadrant that I keep on my board that I try to avoid. That's the phrase of "this may not work, but at least it's expensive." Right? We want to avoid the idea that we're paying premiums for outdated technology. We've got to be more responsive to onboard and use what's available. If you think about lining up the authorities, the process, and the capabilities, how critical that is to the lethality rubric. The next piece is the idea of partnership. We have a couple of areas that challenge us here as well. On the good side, we know many of our partners have unique capabilities we don't have. We want to make sure that we take advantage of those.
We want to make sure that we build their prowess and capabilities up through our practiced relationships. And as they get better, we're better. It's less threat surface for us to look at. On the challenging side, however, with partnerships, we still struggle with information sharing. How do we exchange information in a timely manner? As we have joint and coalition partners that stand next to us and information sharing gets difficult, we need better cross-domain solutions. How do we move information at the speed of warfare and take it to our defense industrial base? How do we help safeguard our nation's most critical secrets? At the time they're thought of, through development, and eventually for the introduction into our war fighting apparatus. So partnering from the idea of mission execution and planning, and then on the side of ensuring that we're able to share information with a common level of protection, is critical for us. All of these have varying efforts that are ongoing in the building today and serve again that framework I just described. The last piece, and it's one of the most critical, involves a level of trust. Trust with the taxpayer. Trust with our government. And keeping that trust and not breaking faith with our workforce. And our war fighters. We need reform. Some of this reform is going at a pace which is pretty respectable, and others may be at a pace that needs to be picked up and made better. So what do we mean by reform? This is the idea of scarce resources being applied in the most consistent, meaningful, and thoughtful ways. Gone are the days of everyone doing what's right in their own eyes. The word that really surfaces to me the most under this category is standards. We've talked a lot about standards setting. We already understand what requirements do to the acquisition cycle. This is the idea of making sure that we have common standards that we drive to, and that we have an apparatus in place to inspect what we expect.
That we have adherence to the standards. Nothing is more frustrating than publishing a set of standards and not following them and not even knowing that you're not following them. But the idea of following through with the expectation that we have a level of adherence and compliance and commitment to those means we're a better war fighting organization as a result. This reform has to be deep. All the way through the lowest level, when we start looking at our workforce, all the way up to the most strategic ways we plan for actions and activities. We've got to look across the department to make sure we don't have unnecessary redundancies. You know, there was a time in the information environment when it was new. When we used terms like information operations, military information support operations, those types of things. We went to Congress and we asked for money on kind of this new frontier for us at scale. It's always been practiced, but this was at scale, and embraced by the department. There was a time when that money, I believe, flowed a bit too freely. And we couldn't always account for how it was spent. We couldn't always look at measures of effectiveness. We had a lot of measures of performance, but we couldn't provide the "so what" to the money we were given, and what was really a permissive, friendly, giving environment turned into a very challenged environment to demonstrate a level of sufficiency and to rebuild trust. I'll tell you that I think that we're probably not too far off in some of the realms within cyber if we're not careful. People want to help us. Our leadership wants to help empower us in this area, but we have to be very, very good stewards of how the money is spent. It has to be data driven and really show the level of effectiveness for how we commit these treasures. So every single day we wake up in the Principal Cyber Advisor's office. Our relationship with the Chief Information Officer couldn't be closer.
The relationships that we have with our services, components, chiefs, et cetera, couldn't be closer. And we think in these three terms. Because the National Defense Strategy tells us to think this way, and our Cyber Strategy demands we think this way, and the posture review, which reveals the gaps that we have, is framed in that rubric of lethality, partnership, and reform. Strategic thoughts? A way to kind of share a broad picture in less than ten minutes with you? And I stand ready to take what I imagine will be your challenging questions; where I can answer, I look forward to answering them. Thank you. [applause] I don't know the rules, but you're in front of me with a hand up. [inaudible question] Outside the wire, as it were, if those guys were being hacked, who are you going to call? That's a great question. For those who couldn't hear, this was really about how the DoD responds to calls from the defense industrial base for a challenge they may have for cybersecurity. And one of the statements that was made: well, certainly they wouldn't call Crall. I would agree with that. They may be unsatisfied with the answer, since that particular mission set literally falls outside of our primary work roles but not outside the area of responsibility for the department. The answer will not be as detailed as you may like, but there are challenges. Some challenges to how we share information, what information we can share, and who owns the burden of responsibility. Who owns the liability if information is shared or solutions are provided and those compromises still take place? These are not easy questions to answer. I don't pretend they have been solved at our level, but I promise you this year they've received more attention than I've personally witnessed. And there are really probably some difficult choices in the road ahead for the department to make.
I don't know what the balance is personally, and I don't know where the leadership will side on that, but if you think about that, how much should the department do, how much can the department provide, and how much of the solutions are really on the part of those who own, for example, data? I will say this. No matter where that answer lies, there's one thing that's very clear. We as a unit have to do better at securing our data. There's no argument there. There are things and solutions in place, from either basic hygiene to good practice to movement of information and safeguarding it, where there is zero disagreement that we're too porous, and we have a threat surface that lends itself to complicating the process and challenge in a way that's unnecessary. Probably not the detailed answer you would expect, because that is still yet to be solved in the D. General, you have another question over here. No? Other questions? If you could take a mic, we'll come down for you. Good afternoon, sir. I'd like to follow up on that previous question. It sounds to me like it could be something to do with the initiative 871. Is that something that falls under your domain? It doesn't fall under my domain personally within PCA, but it's certainly an area that we're involved in, and that's got, you know, secretarial interest, so yes, it does. You know, enforcing the standards in contracts, you know, we have ans that provides a lot of that information. There's been a lot of reform this year in contracting language to get after that. So yes, it's an interest area of mine, but primarily in the PCA, when we look at reform and focus, it's on implementation and portions of that strategy and those owners of that information, but it's clearly a part of the solution. And one that's been enacted this year. General, right here. Yes, sir. Hey, Jason Miller, Federal News Network. You mentioned capabilities and authorities from Congress, from the administration, and you said that in a very positive way.
We have to use them. Would you offer maybe a look into what are a couple of them that maybe stand out to you, that you guys are using or should be using or are planning to use, and why they're important authorities? In this environment, I can't, unfortunately. Please? Please? [laughter] It isn't a matter of will. It isn't a matter of will. It's a matter of classification. So I will say that I am confident I have not overstated the empowerment aspect of that, but a lot of these are used for the types of missions that this forum would not be appropriate to discuss. I will provide you a consolation, though, because I hate to send you away empty handed. If I looked at where the department, I believe, is headed next for organization, reform, and some potentially different authorities, I would share with you that information operations as we know it traditionally, if I looked into a crystal ball, I would share with you that that is probably, or certainly, an area of resurgence in how we look at how we execute, what authorities and rules are in place, what capabilities need to exist, how we build war fighters and equipment sets for the fight in that information space. That's coming, and it's coming quickly. General, given the recent memo from the DoD CIO on IPv6 deployment, do you support the initiative to set a specific deadline to turn off IPv4 to adopt a single stack of IPv6, in order to reduce the overall attack surface? Thank you. Yes, so that's an easy question for me to answer. Mr. Deasy runs that, and I support his decision. [laughter] I fully support it. I think I understand where you're going. There were alternatives considered, but yes, I support the Chief Information Officer's approach. I think that's the last question. So Major General Crall, thank you very much for coming to be our speaker and keynote. Honored to have you, sir. [applause] Ladies and gentlemen, please welcome back our master of ceremonies, Captain Edward W. Dekriny II, U.S. Navy, retired.
Thank you very much, Major General Crall. We have a great panel following up from this about supply chain cybersecurity. The moderator for this session is John Czech, senior director of cyber solutions, intelligence information and services at Raytheon, so thank you, John, for moderating the panel. Joining John up on the stage is Bob Kolasky from the Department of Homeland Security, Bill Marion, the deputy chief information officer for the United States Air Force, and Matt Berry, chief operating officer for HP Federal. I thank all of you, and over to you, John. Perfect. Thank you, and thank Tom and the Billington team for hosting this event today. Really a great opportunity to highlight some key issues. With that, we'll just jump right in to securing our supply chain. One of the key aspects of securing the supply chain is ensuring all parts are incentivized properly. It comes when the costs are equally shared and understood. Matt, I'd like to start with you. What are some of the things HP is doing to incentivize your supply chain, and some of the things your customers are doing? Thank you, John, and thanks for the opportunity to be here. You know, I was thinking about this panel and kind of ticking through mentally what we do and what others in the industry do to secure their supply chain, and a lot of it comes back to fundamentals. I think that's been a theme we've heard here this weekend. One thing that I think about is our supplier standard, and we share that with our supply base, and we have them go through a pretty rigorous process, a management process of adherence. We do audits, all sorts of things. When you look at it, it starts with design and what we call the secure development life cycle, and then you can kind of go down the stack from there through the end-to-end supply chain, through disposal.
I mean, so manufacturers, you've got software, firmware, provisioning, you've got logistics and traffic, and as you span through that, and you think how do we manage that well or less than well, it really starts with what questions we are asking, and so no one starts from a vantage point of perfection. It's a journey, and it's something we've done for a long time, but what was really interesting to me about this question is the intersection between the physical supply chain, and what we've done for many, many years, and this cyber supply chain, and any ICT product that we're talking about here, IP enabled, logic bearing components, you have to mind both. This idea of supply chains being static, and you drag a bucket of parts through the supply chain from point A to point B and check the box, it's just simply not the case anymore. They're persistent supply chains. They're data beacons. How do we manage that? So I think that's a lot of the conversation for us, is going back to the suppliers, trust but verify, and then of course we triage or tier the suppliers. So people that make plastic and screws may be slightly different than embedded controllers, microcontrollers, et cetera, and we hold those people quite close. In fact, the technical contribution from those partners is paramount to our joint success, and so in terms of incentives, that's the overall framework, and then we're pretty outcomes-based. We let the market forces decide. Either we're jointly successful and there's tremendous upside, or the alternative inverse. Thanks for that. Bob, I'll ask you, what incentives would you like to see implemented to help drive some of the behaviors? Sure.
I mean, let's start with the idea that information itself, and better information about risks, is an incentive, and I start with that area by taking a step back, and you know, when we're talking about businesses managing their own supply chains, government responsible for their supply chain, I believe all the incentive in the world exists for a business to make sure something doesn't happen in their supply chain that will affect their operations, that could affect their bottom line, and so that incentive is there. You get information asymmetry, and how many steps they take to protect the supply chain can be changed by the fact that there's more information about risk, what could go wrong in terms of a supply chain, particularly as we talk about some of the questions of intentional efforts to do things against ICT products, hardware, software-type products. So one of the things the government can do certainly is create a better information environment that then helps businesses take advantage of the incentives that they already have. Second order incentives are there has to be an expectation that if you are selling something, that you are part of a supply chain for something that's important, that you're taking this stuff seriously, and that happens through procurement practices, that happens through contracts, that happens through, you know, that being part of the overall conversation for those of us who have a little more influence over what gets into a supply chain, and the smarter performers. That incentive is, you know, proliferating out there right now, but let's make sure it's there. Let's make sure it's a go or no go decision, particularly around important parts, those incentives.
Start with information, go to basic, usually contractual, procurement incentives, and we can have an interesting conversation, then, is there still a gap where there are some national security concerns that maybe can't be handled through business incentives? But I think we're going to talk about public-private partnerships in a second. At a starting point, get the incentives lined right early on and accept that business and government have similar incentives, and only have government intervene when there's a gap for the purpose of national security. Okay. So Bill, what type of incentives would you like to see implemented for the DoD? I think you are looking at it from a manufacturer side of it from HP. From our side it's typically from an acquisition. What are the things in the acquisition process to incentivize the right behavior? Because if we incentivize the right behavior, industry will build it for us. Taking some of the standards, some of the work that's gone on right now, and actually working those into the proverbial security as part of the cost, schedule, performance equation, and actually providing some level of ratio or investment ROI of the investment the manufacturer did, and how do we give them credit in the acquisition process. I think that's probably the biggest piece, because we're typically buying, not building, and so I definitely believe if we put the right incentive structure in, businesses will come, but we also have to take a little bit of a reality view of that to say when it's too much. Just like in regular security, you can keep putting horse blankets on. We do have to figure out what the right threshold is to manage the risk at the right level. So I think that's going to be the hardest part of the incentive. Today our biggest incentive is a stick, or a bat, or a club.
We all know that doesn't work very well long term, and it also doesn't create the right incentive behaviors on the manufacturing side, so we've got to flip that fundamental equation, but I think the biggest risk is how do you understand what that ROI is and how do you determine its applicability in an acquisition. Something you said, Bill, I think is worth saying. Sometimes the problem is what happens if we put disincentives out there in terms of security, disincentives for things that are drivers of other things that work against security, and also disincentives requiring too much, as you're suggesting, and causing people to not want to be in the market, and we can't take advantage of things here. Absolutely. So who is doing this well today? Matt, anybody stand out there that you think is doing, getting the incentives right and setting the right framework to get us to where we need to get to? Well, I think I'll make an aspirational statement. I think coming from a place of manufacturing and managing our extended supply base, where I think the industrial base might be falling short is in the management of third and fourth order nodes in the supply chain, and how can we cascade that effectively but efficiently at the same time. I do believe there's an opportunity or a sweet spot to look at some of the work, for example, led out of the DoD acquisition, the CMMC model, where we can put a smart baseline, achieve that, and then iterate against that. Again, I think it's a journey, but quite frankly, a lot of it is things we ought to be doing already, and if we can start there, the benefit is not only do we reflect through our own internal process, but we can look up and down the chain and have some level of visibility and illumination up and down, and we have more confidence that when we're representing our extended supply chain, we have some ground to stand on. I think CMMC is, like, I think the best thing we have going for us right now.
It's not a perfect system, but far better than what we have today. And so that's really the first step. I would agree. I think we're at the information stage right now, as in just how do we understand the company and their relationships and how do mergers and acquisitions and second and third party... first you kind of got to know the environment. I'm not sure we're there with the right tools yet, but at least we have great efforts in Navy and Air Force to kind of understand that ecosystem, and DHS and DC3, but we've got to get past that level of the maturity model of we know we have a problem. We have to go fix it. Right, right. So let's move on to public-private partnerships. I think everybody's talked a lot about that. It's a very hot topic. We know in order to make those effective, you have to collaborate, and collaboration starts with building that trust, that you're trusting the person you're collaborating with to literally listen to what they're saying and think differently about how you're approaching different tasks. Bob, I'd like you to highlight some of the work that you're doing with CISA focusing on supply chain management initiatives and how they're progressing. One of my favorite topics, because the essence around critical infrastructure security supports public-private partnerships. When we established the National Risk Management Center last year, one of the mantras of what we're trying to do is to operationalize the public-private partnerships we had established through the department over the last 15 years, which got everyone to the table, started to share information, started to talk about solutions, but let's actually go further toward operationalization, joint capability development, working with more intensity together, and so that's what we're trying to do writ large in terms of the work we're doing with the ICT supply chain risk management task force. That's a task force; there are 60 representatives.
HP is on the task force, DoD is on the task force, all the federal members essentially of the Federal Acquisition Security Council and then representatives of the IT sector, via the IT Sector Coordinating Council and the communications sector. We have most of the big IT and comms players and associations that represent some of the smaller players and representatives from some small businesses. So what we have is 60 people who are forming a task force to work this issue full time, to make policy recommendations, to make process improvement recommendations, to better help us understand the threat, and then the risk, and to talk through where there's a possibility for joint capability solutions such as around information sharing where it's not just about getting the legal framework right and the technical framework right but it's actually developing, thinking through how to develop some programmatic linkages. So that's what we're using the task force to do. It is a true public-private partnership. It's nice to have 60 people around the table working the problem. Occasionally we get into smaller groups around that. And then an example of what we were able to do via that task force, the department was asked to provide recommendations to the Secretary of Commerce on where to apply emergency rulemaking authority around restrictions into the ICT supply chain. We could go out and study this as a government to try to understand the ICT supply chain but it's easier to ask the ICT companies, the people who know their supply chains, the people who work this business, ask them how the supply chains work, develop a framework and also what are the most important elements around the supply chain. I don't think effectively, there are two elements of my answer there. One, it gives us a better answer to the question.
We actually have better sources of information because the people who are a little closer to the supply chain are giving us advice and secondly, when we make recommendations on something that may be critical or less critical that may have policy implications, we can talk to industry about what would happen if you put more restrictions around this? What would happen if you put more requirements around this? What would be the business impact? What would be the security impact? You can balance the conversation with what the real-world impact of anything that the government does, when you're talking about essentially securing things that are privately owned, that has to be part of the equation in the public-private partnership is the only way to get there. So Matt, I know you've been heavily engaged in this as well. Would you provide some thoughts around what's working? Well, I would start just by extending my congratulations for the leadership, Bob, and the team I think of wrangled a lot of people in a number of work groups, which is no small feat. The area that I'm personally focused in, work group four is around incentivizing purchases via OEM and authorized distribution, and what I was very encouraged by early on was, number one, the level of engagement from industry and public partners through that process, and how quickly we moved from discussing and admiring to what are some practical recommendations to pick up, and I think back in the June-July time frame, we sent some draft proposals up. So personally, I think the process was well worth the investment, and I'm looking forward to seeing that come out in the full task force report, and I think there's tremendous opportunity there to see it enshrined in acquisition and so on.
Bill, from your point of view, maybe a little bit expanding upon what's working, where else in government are things going on you'd like to highlight that maybe deserve recognition for taking on this initiative and really trying to drive this secure supply chain public-private partnership? I think there's two fronts. One from a materiel command, early command does the acquisition pieces of it, the partnership with industry to have the financial discussions, to have the partnering discussions, to have the no kidding, honest feedback about who their partners are, even forecasted mergers and acquisitions, right? Because a lot of those are nuances we don't think far enough ahead in, and so there's been a lot of work in the research side of that and also just the applicable taking our weapons systems and decomposing and making those strategic discussions with those companies to understand where the risk base is. Again it's risk management. You don't get rid of supply chain. You just try to manage it better. So I think that's the first thing. The more, I'll call it almost tactical operational level for us is we are, this thing called Enterprise IT as a Service, initiative that is looking at how do we use commodity IT capabilities, how do we think differently about the security model and so we're putting this literally to test every day, not DHS is working the macro things but this is the no kidding tactical level, award a contract, actually work through the supply chain piece operationally how we run and defend our networks to the supply chain type piece of that. So that is just kicking off here in the next 30 days, so we'll be following that one as a key one to see. You got the macro policy, how is it bubbling down into implementation of a large scale contract for us. All right. Well, I'm going to pivot to another favorite topic, Bill, I'm going to stick with you around zero trust.
The threat landscape, the vulnerabilities, certainly in supply chain, a lot of times your suppliers may have a different risk appetite than you have, not as concerned with the supply chain risk and those types of things. How can we apply a zero risk methodology to build that secure we desire? Originally from San Antonio for the most part. My joke is every car in San Antonio can be stolen. You can't keep it from being stolen, so don't come in with that. Supply chain is no different. You can't completely secure the entire supply chain. So you have to infer that there is a risk there that is real that any time somebody can come in your front door. This is where the walled garden concept on traditional IT and cyber comes. The model is gone with cloud and mobile. I argue that's the same thing with supply chain. How do you fundamentally flip the model to say well, I don't intrinsically or can't intrinsically trust everything end to end. It's not just a buzzword. It's thinking differently, which is the most important thing about zero trust, about what am I going to protect, how am I going to encrypt it? How am I going to think of things different. There's certainly large scale manufacturers that know in their supply process they don't have end-to-end supply chains so they look at it bolt in on the end which is wrong or you could say they just recognize they can't control that, so what are the mechanisms at the end. Other manufacturers may be able to do it from end to end so they may have a different process. ZTN, I don't fundamentally trust the network so how do I encrypt the application, how do I encrypt the service and the data and look at the problem differently? That's kind of again going back to Enterprise IT as a Service, how do we flip the paradigm to use concepts like zero trust, containerized, encrypted, different ways to scan and remediate the hardware, look at those concepts to lay on top, versus believing that everything in a supply chain will be secure.
I don't know that, you know, we can't afford all the trusted foundry work that we need to make that whole. So realize you're insecure and look at the problem a little different. Bob, do you have anything to add to that? Yeah, I think, you know, zero trust isn't a phrase I use a lot. I use things like layered security, understanding your network, understanding prioritization of risk and being ready and having resilience in place so any failure is, you can minimize the consequences of failure, you've thought through the consequences of failure. So you know, we're not out preaching there's a simple solution here, but there's places that you've got to apply a higher standard of trust certainly and you know, one of those areas for example that we've been working on is the we want to push up and working with state and local governments the security at the components of there, you're demanding more trust within that, and that's going to help out throughout the process, because you know, that's a place where trust ends up mattering to the trust of the results themselves. Right. Matt, we could agree that zero trust doesn't happen overnight. Establishing that type of environment, so maybe if you could touch on some recommendations or best practices that we could all use to get started with. Well, certainly, one just taking a step back, zero trust as an umbrella definitionally I think it's really important to acknowledge the benefit of being able to shift a workforce's focus from things as Bill was saying, where maybe that's not their core competence or sweet spot, so if you engage in a cloud solution or say migrate, what are you enabling your team to do? However, sometimes people confuse that with operational management or risk. It doesn't eliminate the risk. It shifts the risk, and so the question is, are you safeguarding everything end to end in depth or layered defense and are you doing that holistically or are you simply shifting a problem set?
So I think just thinking through zero trust doesn't mean wild west and doesn't matter what's on the network. It matters critically, and so from our lens, we think about endpoints as a horizontal, and what do we do in order to make sure those aren't just locked down but ideally resilient. So when you can take an attack, and they will come, and we will be breached, what happens? Can we detect it best? Can we self-heal? And if you can, you've reduced the functional attack space, and you can then migrate the focus of the organization up the stack to higher value-add activity. So that's a lot of what we're focused on. All right, thanks. Anything you guys would like to add? All right, well let's move on to our call to action, the theme of the Billington conference this week. It's been a great discussion. I'll make sure that we really provide some, move from admiring the problem to maybe some actionable steps here. I'll start with you, Bob. Could you give me one short term recommendation, maybe one forward-thinking recommendation of how we can start attacking this? Hopefully we are, and I speak about this enough and have an opportunity, hopefully I don't have a hidden recommendation, but emphasizing some things we do spend time that I think we can, we're at a moment of real progress. I think creating a greater information sharing environment around supply chain risks is something that we're at a moment where we can make some progress at.
So much of the information sharing discussion so far has been around indicators and things around network defense, but I think combining understanding supply chain risk, understanding collection of information that might be sensitive, business information, that there's a lot more data out there to really do this and putting that information together, that's something we're working hard as a federal government to do, and getting that information in the hands of folks who can make decisions related to this, and has to be tied to the idea that procurement officials have the security incentives, have the training, program managers to know how to take advantage of the information. So I think we're at a moment with supply chain information we can make some real progress and join information sharing right now. I think sort of longer term, it's securing down the cyber ecosystem. It is incentivizing more investment in IT around certain places. It's scaling the solutions that now the big places can put in place down deeper into the supply chain, so there's just less vulnerability around the process. Thanks. Bill? I'm going to start with the strategic one. I think it's, it should be quick, but it's probably not going to be quick but again, I go back to the how do we put security as part of one of the parameters and no kidding, implement that. We've been talking about it for a couple years now, at least with seriousness, so no kidding, implying security is part of cost, schedule, performance equations. That's got to be the strategic initiative. At the more tactical level, getting these, I'll call them flipping the switch on the RMF process and ATO processes and all of the things how we assess what security is and actually using true assessing and remediation tools on our, something bad will happen, even if we have perfect supply chain, there's going to be bad things that happen on our network.
So our thrust has been how do you get to true, and I think we're getting there pretty well, just kind of getting over that last hump, of true continuous monitoring and understanding of your environment and understanding in essence what is your digital twin? What does right look like, what does it look like when it's not there so you can act with some level of agility. In this world there will be a point where you're breached, there will be a point where somebody does something nefarious to you. The most important thing is how fast you detect and react. We have to attack. The CMMC one is key and acquisition incentive model is actually put in, I think industry will react well, but we've got to get over that hump. We keep talking about it, but we haven't made the switch yet. What do you feel the barrier to adoption is there? I personally think we lack the real threat to return on investment discussion. It goes back to a good analogy: if you have ten doors open on an Air Force base but only enough money to close three of them, there's some people I think in the acquisition world, why even close three? A valid argument. If seven are still open and everybody knows, why did I spend the money on three? Maybe I go to another target. So I think having that understanding of when I make an investment, I actually have real return on investment from a security perspective and I don't think we've done as a community both from the CIO side or the acquisition side understanding what that means and how do you put some dollar to value equation behind that. So Matt, your perspective? Well, Bill nailed the immediate one in my mind, which is the acquisition piece. There's so much great work, DHS, SCRM task force, CMMC, a ton of work coming out of NIST, the 800 series, 160 and deeper 193 around firmware, BIOS resiliency, all of the things are phenomenal. If they don't make it into acquisition, it doesn't matter. You have a human being evaluating the different factors.
If it's not in the calculus, it's not part of the answer and that's the struggle that we've had. I think Bill spoke quite well to that point. I'll shift a little bit maybe to near-term or what's next. It's interesting, kind of a provocative thought from yesterday, I think Grant Schneider was asked what keeps him up at night and he said one word, China, and sitting where I sit, it's a very interesting question, because China's simultaneously a very important market, nation state competitor, and an adversary. When we are in this public-private conversation, unless we have strategic clarity around objective, and unless we can send unified signals back and forth to each other, you've got all kinds of things going on. Just, I won't go off in the weeds here, but just with the tariff developments, you see people realigning supply chains in a reactive sense. What happens when and if that goes away? People redenominate back in China to chase low cost. Is that a strategic policy execution or are we reacting? What is the right answer there? It's a difficult question, but just to take a step, if we had a directive that said we're simply not going to build logic-bearing devices or source them from that geography, that tends to set up a very different incentive. I'm not sure industry would get there by itself, so I think this kind of conversation is critical, and especially with what's happening in the world today, it's quite important, and I'll wrap with one other related thing. There's this other little thing going on right now, this fourth industrial revolution. Essentially a 12 trillion jump ball with the manufacturing, global manufacturing base, and so you think about digital manufacturing, 3D printing, other enabling technologies.
We're actually at the cusp of a time when we can realign supply chains to be more regional and secure at lower cost with the capability that's coming on line and I think we should think long and hard about that as an opportunity, because I can assure you, other nation states are investing heavily in that area and my question would be what are we doing domestically to seize our unfair share of that opportunity, and I think that's probably a really ripe conversation, maybe for another panel. All right, well thanks. I really appreciate the panel today. Great job. I think we had a good discussion and I think we really offered a lot of opportunities of things that people can look at to consider how to secure their supply chain. So thank you. [applause] Thank you very much to our last panel. Just before we take the next break, I'll tell you what we're going to wrap the day up with. We've got three great speeches coming up, some keynotes coming up, two very special awards, and then a Lifetime Achievement Award to someone whom all of you will certainly know, so please, enjoy your 30-minute break and we'll see you back here soon. Thank you. Our coverage of the Cybersecurity Forum here in Washington, D.C., continues at 2:55 Eastern. Later we'll hear from chief information security officers from the Justice Department, Defense Department, Homeland Security, and the Export-Import Bank. During this break, we'll show you a portion of the cybersecurity policy forum from earlier today. My career in cybersecurity started when I joined the offensive mission set and that gives you a unique perspective for what the adversaries are doing and how we can defend against advanced actors. The point of this whole panel this morning is to talk about priorities but with a focus how we resist attack and how we
