rereliable emergency care in poor communities that would not occur, at fleece one of our hospitals. so i'm quite optimistic about the future for the health system, and i think particularly in this year of 2014, where we are embarking upon this grand experiment in health reform, our hospitals are right at the epicenter, and bruce's insurance plans as well in trying to make this work and trying to pursue that laudible goal, which frankly was initiated by you during your administration of trying to improve access to care and the percentage of people who are covered by some form of insurance program. ultimately that will lead to better health very, very quickly. so i just would like to say, hospitals are incredibly important part of the equation and we're actually doing a pretty good job. we're improving value and have

been successful in reducing the rate of growth in costs. we have a lot of demographic factors putting it higher, but i'm very proud of the business we're in, and the job that hospital its doing as part of the healthcare system in america today. [applause] >> well, all these people are really smart. i don't need to ask them probing question. i prefer to let them talk. but i want too ask you -- i want to take the next step here. and if you're -- basically the only layman here, and -- okay, we're sort of stumbling in the right direction. let's posit that. and science is out there, as patrick said, but we have to figure out a way to make it accessible and usable to all of us. given where we are, either in

public health or in the healthcare system itself, the delivery system, concisely as you can, what do you think the greatest challenges we still face are, and what are the greatest opportunities, one or two of each. i will just give you an example. you mentioned we needed to do more with primary care. there's a lot of worries we don't have enough primary care physicians, nurses, health care workers. i saw a great article about how we ought to really look at some of these developing countries that have done a great job with trained healthcare workers and send them to the most rural areas of the country, and then hook them up by the internet back to all of the stuff that patrick wants to do. but let me just give you an

example. what i personally saw in the last six week. a friend of mine -- i just went home to a funeral, and a friend of mine went to one of these clinics in a small remote rural area instead of going into the nearest city to a hospital and it appeared that it was a -- just had the flu, but in fact she had sepsis, infection in the blood, and by the time she got to the hospital she only lasted three days. now, she was older and also very depleted in energy, so i'm not -- this is not a malpractice issue. this is, if we're going to have distance health care, if we're going to have clinics, if we're going to have all this -- will

we have a system in america that will train people adequately to do it? that's the kind of thing i'm thinking of. what do you think the greatest opportunities and greatest challenges out there are? >> i'll start. i think it's -- i'll put it in general. it's reducing the barriers. there's a lot of barriers. a number of months ago i was in south florida, a large market for us, and i calls find it motivating and educational to visit some of our members, and i went and visited one of our members that was in south florida, and it was underresourced area, and i went in there, bars on the windows, and lady was in there, and i went with a nurse. spent about an hour with her, and we went over her medicine. we looked in the refrigerator to see what her nutrition was, and we do this at humana, part of our humana cares program.

she didn't know who i was. did this on my own. and when i walked out, president, there was a thing she said that probably will stay with me the rest of my life. she says, i'm lonely. that was her comment. she is 80 years old, lived alone. and i say there was a barrier in her life that she could not connect with society because of transportation, because of resources she had, and loneliness for her was a health problem. we don't diagnose that as a health problem. we diagnose a heart condition, diabetes, diagnose those -- when i walk out of that i said, get her transportation. to social community. sure enough we did and that had an impact. and so when i think about barriers in health care, i think the things patrick is doing -- we partnered with the organization that he owns a number of years ago and created that. i think technology is a very

important aspect of the future. when i think about the impact that small things that are hard to do in health care, i think that's a great target for us, and i look at lifestyle, i look at social, and i look at economics, in an area that we as a healthcare system should focus on because i think that it will have a large impact on what we do. [applause] >> what an inspiring story. >> i just want to say one thing. there have been a lot of studies and several books written about societies with high percentages of centenarians. and the island of okinawa has the highest percentage of those. it's being penetrated by fast-food places. the more mountainous areas of

sardine ya, not yet penetrated by fast-food places. without exception, one thing they all have in common is, they don't let older people get lonely. and if their families die under them, that is their children and grandchildren, they are given almost ceremonial status within their communities with roles to play and meaningful contact on a consistent basis. there's huge amounts of evidence to support what you said. loneliness is a health matter. >> just add to that. our system doesn't pay for it. doesn't help bridge it, and if you think about the impact you just talked do about -- >> wouldn't be very expensive if we organized it like other societies do, more simple and

more rural areas. go ahead. >> there's many areas that we could talk about to build on what you were talking about and that is utilizing technology to start helping exactly what you talked about. and that is, for some reason, we have not allowed the likes of telemedicine or telehouse to become just part of our fabric as it relates to the healthcare system. it could tackle some of the linealliness issues. help the issue around being able to understand very, very quickly that it was much more serious than what she thought when in fact it became sepsis earlier on and that's a technology and also policy issues. it's the state allowing technologies to cross borders and being able to tackle that on a national basis is something that we have to do, because that really will decrease costs, increase health, address issues around loneliness, which i

hadn't thought about, house determinant, and i fundamentally believe this is something we can do on a national level and execute at the local level. >> patrick, following up on her comments, you -- medical records should be stored in the cloud and accessible under certain circumstances. how are we going to do that and there are national and local public policy issues that have to be addressed? is there anything left the government can do to accelerate this process? >> mr. president, let me address your question when you talk about the challenges and opportunities. i spent the last ten years of my life, actually, trying to figure this out, and i have had the very strange, wonderful privilege of being in this country, coming from a socialized, so to speak, country

in south africa, where the doctor saw me at home with a bag in his hand. i came to this country invented, developed, a vaccine, in 1991, gave it to nci. it's 2013. it's got approved for pancreatic cancer. so think about the time frame. so from the knowledge to the application. i then ran with -- created this injectable company and i took over this injectable company in chicago for the sole purpose to invent the unanimous to the -- unanimous -- nano particle. and i realized there was no drug made if there wasn't a market. heparin. so i understand the supply chain and what was happening with that. i then went to come back full circle now and have come back to

academia and this how i see the challenge of the country. nobody looked at health care at a systems approach. on one hand you have the knowledge bucket, the other hand the delivery system, and the third is the payment system. the knowledge bucket is in today's world -- we cannot afford to wait 17 years for a molecule to get into the hands or the insight to get into the hands of a person dying of cancer that has a year to live. on the delivery system, it's completely disorganized, disintegrated. there's no coordination of care. you can not tell whether the patient is at home in the clinic or a hospital. on the payment system, and the delivery system, however, doctors want to actually provide care by keeping the patient out of the hospital and in the home. they actually disincentivize to do that. on the payment system theirs no icd9 code for health.

it's multiple procedures so churn so you churn. so you look at the new jersey system and delivery system and payment system and say you need to integrate that and put them together as one unit. how you do that. and then you need to create a seamless, overarching system that allows communications to happen in real-time. so when president obama had this 800 billion and 4 billion in 2008, i started this program in 2005. met with him, were kathleen sebelius was hired he said you'll immediate with kathleen sebelius. i said, mr. president, please do not fund electronic medical record systems that will create what i call medical bridges to nowhere. and unfortunately they've done exactly that. they funded software systems that do not talk to each other. a business model that is

proprietary and not talk to each other. you have to fund a grid computer software system that the large collider is running on. i then convene with the institute of medicine, and he says, kathleen met with me and said i'm going to -- met with him he says i'm a public health guy. don't know anything about i.t. i said, fine, we'll give you cover. we'll have the institute of medicine convene in two days. brought the best minds to the -- hadn't put out the award yet and i said fun for less than $100 million what is running the collider and we can integrate the nation. unfortunately it's gone completely the other way, and now the doctors are incentivized with meaningful use which are process issues, not outcomes issues. so we went ahead and quietly

then said, we need to do this. we meaning my family foundation, and said this is a great country issue was able to sell both of these companies, not because i built the companies to make money but built the companies to have a product which became very valuable, and decided we would take a billion dollars of that and actually fund internally the development of this. we've actually built an operating system that currently talks to any software, whether the epic, and it now is running for three million -- across the pathway, across the delivery system, and we know the real-time. we built in the software system that actually takes ten thousand cancer protocols and provides to the doctor in real-time the knowledge of which cancer protocol to give to the patient in real-time.

it's now in 8,000 oncology practices. with regard to technology, it is the job, actually, for us to make this healthcare system where he makes money when patients don't come into the hospital, where we actually have patients at home. i call this i.c. u at home. i see you at home. which means you need ic us at home. and then this whole world of machine to machine technology is upon us. it's right here. so i partner with verizon and at&t and built an electronics company that could have boxes that talk to each other. the blood pressure machine, scale, we have now adopted dismiss now we went into every hospital that has 6,000 medical devices, made from eave different vendor, including ge. we rented eight pis for devices and are now capturing

three billion vital signs real-time. so if you got an icu in the hospital and the same box in the home, which called the health box, you can diagnose at home thankful patient you spoke about, we can know that what is going on wither in real-time, and we have created a telemedicine device on the internet where you can actually have four or five-way conferences. so the systems, if you look at this from a systems perspective. if you can now manage a patient from the home and clinic, hospital, and through a super commuter do the analysis in 47 seconds which we have now accomplished, ten thousand, done a thousand genomes a month. your then have an engineered system for the nation. which then says, frankly, you have the ability to create what i call norads of health care.

a building with three cardiologies, ten oncologists, two pathologist, pen pediatrician that can manage an entire city. >> is this going to happen anyway or there is something we should change about the laws to make this happen faster. >> what's preventing this? the issue is to actually create what i call outcomes based, value-based care, change the payment system. so we created the ceo council policy center, which -- bank of america, mckenzie, and the single largest barrier now is disincentivizing care with fee for service, ironically. so, if you can then say, your job, mr. provider, is to keep this person healthy, we can

measure the outcomes in real-time. if he keeps this patient healthy, this is your payment per month and at the end of the year, if this patient is healthy, here's your bonus. and whether the patient is in the hospital -- you don't want the patient in the hospital. whether the patient is at home and that's where we need to change the providers of the nation and that's what we'll be announcing after this event, this cancer collaborative with the nations of the world. we have the unions also with us, and we have the united food workers union participating in the audience here with us. this is what the nation is going to need and this is what we think there is the potential. it's not the potential. we're actually doing it. the opportunity is not the opportunity. we're actually doing it. the obstacle is the payment system. eye robbery, medicare advantage was the best system you had. -- ironically, medicare advantage was the best system you had.

and it's been being penalized because they don't understand the system. [applause] >> it's interesting. we're doing more and more of this, paying to keep people healthy instead of paying per procedure, but there are incentives in the healthcare law to do it but no mandated pace to get everybody doing it. i don't think it makes any sense to have anything else unless you have some hugely expensive thing that can't be covered by the size of a pool people are involved in. no question, it's -- in a much more mundane way, you just -- it works everywhere, not paying for procedure but paying for people to be healthy. do you agree with that? >> if agree. i think we're in a -- i'll just

speak from a practical point of view because we're actually though ground treating thousands of patients a day, millions of patients per year. we're in a period of transition from the fee-for-service environment, which is pervasive throughout physician offices and imaging centers and kind of everything -- every healthcare node you can think of, toward a system where there's accountable care and payment for health, but it's going to take a very long time. i think we all need to be realistic about this. the conditions have too exist in a particular community in order to enable that. now, we have some examples in our own organization where this has been very effective. northern california, in a farming and light industrial community in modesto, california, we have been running an accountable care organization for over two years. been very successful, and

actually reduced the incidents of hospitalization of the population there that has participated in this program, and actually we've done just fine as a hospital provider, because we have been able to earn incentives, as you mentioned, through better health outcomes. think that is a model for the future, but i think we all ought to be realistic how long it will take. meanwhile there's some great innovations taking place among the providers. putting in place these advanced clinical systems to even capture the type of data we're capturing. just didn't even exist six or seven years ago. you mentioned government policy and incentives. the incentives for adopting these clinical systems has been very effective. in our own company's case in total we're spending a billion dollars in advanced clinical systems and the government

incentives are making it possible for us to do that by offsetting half of that cost, and although the operability does not exist freely, there are other great things happening. in just in our company we avoided hundreds of thousands of unnecessary tests, unnecessary because they were duplicated. we've all been in hospital environment when a physician walks in and is looking for a result of a test that he or she ordered and the result isn't in there, so they order another test,, and we are able to avoid medication errors, maybe the wrong dose or the wrong medication or the wrong time being given to patients. these are really important innovations and improvements in safety and quality in hospitals driven by technology. everything patrick described is possible, and i think it will occur, but i think we need to

give it a little time. >> let me did you this. you can say whatever you want to say but i want to follow up on it. your position is, i take it, that if we completely stopped paying for procedures and paid for performance for health care, that the government wouldn't have to do much more to end the siloization, if you will, of len tropicin -- electronic medical records and no incentive in the world to not share medical records with appropriate privacy protections for the patients, but is that what you're saying? >> correct. correct. that's exactly right. we have completely disincentivized the system, and perversely. you hear, with all due respect, the incentives of getting the money to actually put in systems that actually don't talk to another system, is a perverse

incentive that the government fashioned. and when we talk about the time, i want to emphasize that this is not some hypothetical. we actually are installed, as we sit and speak, as you said in 155 systems, 3.3 million lives, capturing 40 million claims a day. three billion vital signs, adopted by the nhs as we sit and speak. the software system that is intelligent is running 70% of the emergency rooms of portugal. it's running the largest hop in the united kingdom, the largest cancer center in brazil. so this is not a hypothetical. it's a will of us actually integrating a platform that gives you actionable knowledge in real-time, anywhere, anytime, and is evidence-based.

that encentavoses the provider to give the best care, and the marketplace will do that if you actually -- you hear accountable care organizations and i will challenge anybody, how can you have an accountable care organization when in no real-time can you tell who is accountable for that patient? if you have surgery and you're elderly, you see just as one person 27 healthcare providers, and an elderly person has 19 medications. who is accountable? so, you can't have a accountable organization when you cannot measure who is accountable, and then you want to give value-based care. it's outcome divided by cost. if you can't measure outcomes and pathways in real-time, how can you know when you're giving

value-based care and you have no idea about the cost of real-time. so we can measure outcomes in real-time and costs in real-time in st. john's hospital, a patient walks into the hospital. the mint he walks into the hospital we know where he is, what doctor is touching him, what inventory is being used by the minute. so if you can measure outcomes in real-time and costs in real-time you can create accountable care, but accountability gives you outcomes for health and that's how they're actually going to be bonussed. so that's a system that i don't think is hypothetical. i think it's actually real. we just need the courage and organizations like yourselves actually to be the voice -- >> but you're saying it could be done within the existing legal framework or we need to at least change the payment system? >> and the way i'm approaching

it with the fortune 500 companies and the unions -- and we're announce -- we will be taking the self-insured and in that context build a collaborative of providers across the nation, install the system, on one condition. this collaborativer will work with the underinsured, and now we will bring 21st century care to patients in south l.a. or beverly hills, and the doctors can do what they do best, provide health care. [applause] >> and in theory, needs to be able to bring it to any country in the world. >> correct. >> if we have -- one of the things our foundation is

involved in is this remarkable effort to -- asked to us undertake -- they're still a low income country. they want to be free of all foreign assistance in their health care program by 2020. so, they -- we worked with them for years, and dr. paul farmer to design a program they can afford to run that will provide high outcomes for them. it basically -- build a good hospital in every region of the country, which we have now completed doing. have one good cancer center in the country, which we have now completed doing. a lot of people thing poor people don't get cancer. actually the rates are fairly consistent across the world. then a network of clinics, and then train community health workers, which is my -- i had this nightmare experience because it's really the same in

america. if you had the technology it should work. we have 19 american medical institutions working their training these people, with seven percent overhead. i'm very proud of that. lowest in history. and they're going to be free of, i think, all foreign assistance, but they will only have really good care if their hooked into a global information network that will table -- in ethiopia where we worked there are only hundred clinics in the 60,000 plus villages, so all these people in the world you don't think about that are still dying anonymously. nobody ever knows they lived, nobody ever knows they died because nobody keeps such records. so i'm very interested for the rest of my life, the stiff don't do -- the stuff i don't do here, about how to apply these technological possibilities to

places like in -- patrick is from port elizabeth, south africa. you get sick in south african city you'll be fine but in the bush people are dying alone. >> i'm working with the uc global health initiative in ethiopia and we're degree those kind of things for africa. >> but it's true. if we can -- that's the point i'm trying to make is if we did is in in america, it would have incredible ripple effects across the world by just building the infrastructure for access. what were you going to say? >> just going to build on pat's aspect, bringing it a little bit back to the states. 70% of our revenue is medicare advantage, and it has just transformed the organization from -- because of guaranteed issuance we have to take everybody. we're not an insurance company. we're a clinical company. we are highly incentivized to

keep people health. i mentioned the woman i visited in south florida. the reason we have nurses going to their hem, checking if they have ramps and nutrition and ensuring their not depress is, is because we're responsible for their health. we are paid an overall fee for their health, and they're still with is four seven to ten years, so getting back to patrick, it's the big situation and of the tech -- the integration of the technology with a reimbursement system nat motivates people to take responsibility for people's health, not just the information side of that. and to me, what it has done for our organization is transformed our organization to be innovative about being responsible for people's halve. and i think if you change the reimbursement system, you will bring that innovation, is what you were saying before. >> i want to comment on one thing. some of the things you're talking about, patrick in terms

of the african nations, couldn't that happen fast center they don't have a system like we have. they don't have to defend the fee for service system was we have here. a lot of self pay. in fact the percentage of self-pay -- that's -- so much of the health care system over there. pilots round these activities we should be able to do those fairly quickly in some of these developing countries. >> in bangladesh and ge there with the ultrasound. they have leapfrogged. they don't have land lines. they have cell phones. >> let me just cut in on that. for me it was inspiring when i learn about this and what ge was doing, and we have a hand-held ultrasound, and you guys -- those who have experienced ultrasound, you have to go into

the hospital and you essentially have to book an appointment -- there's a lot of things about the system that just is. ge came out with this hand-held up a surround and now has it connected, and you can just imagine, as it relates to renatal care and morbidity of infant death, it's a remarkable tool and we're doing that in a lot of developing countries to be able to help this, because in remote villages they all have phones and they're all connected, but they don't have the tools, and we feel like this is something you can train people to utilize very, very easily. so, as it relates to possibilities of bringing technology into these developing countries, gifting the connecting world, utilizing these in remote villages, it's happening today. i have tie agree with you on that. here we have the legacy systems. we have to break through, and i know you say it's happening

already, but i have to agree with you, it's going to take time because the policies don't allow us to do what we would like to do state by state. we're still breaking down the barriers that we have to do. unless you fund it yourself. >> the way we're addressing -- going state by state, working with governors. so we're going through this unfortunately state by state. >> let me just -- to make sure everybody nurses we had a little bit -- we got off on technical speak here. the reason that medicare advantage works in the way they're talking is that it was conceived as way of paying people to take care of people on medicare and get a premium for keeping them well. so the idea was fixed price

lives here, the medicare payment that, let's say, would get at my -- for me. i'm enrolled in medicare, and if i sign up with you, you're going to get this. to fix me when i'm sick. so we'll give you this to keep me well. in theming there was a lot of controversy about it because in the congress -- agreement there should be more propreventive care but there was a suspicion it would allow the program to be underfunded. but it was -- because immediately people began to see the benefits of the preventive work and keeping people healthy, it was obvious that it was costing the providers about $600 on making this up but this

is close -- $600 a patient a year to do there is and they were getting reimbursed at 1100 and nearly anything would do anything for an 85% markup that wouldn't send you to jail. so over time, the providers got better and better and better at keeping people well into the reimburse. rate could get lower and closer to the costs of providing the preventive services. eventually you'll go into negative territory because you won't have people using the medicare on a per capita basis you had. that's why in a funny way, what started off as this big ideological fight and a big leap of faith, has led to a broad -- widespread acceptance of funding prevention and paying people for wellness instead of paying by procedure. which we're out of time, and i want to get -- this brings me

back to the conversation i had with tim feign check didn't tim when he asked me to sponsor this bob hope golf chanceship, and i said i'll do this if we have a conference at the beginning on health care, because one of the things i had to face up to when i had my heart bypass surgery, is i love getting my heart fixed at columbia presbyterian. they saved my life. it was fabulous. then they had to fix me again. but i -- americans cannot see themselves as helpless, passive creatures on a conveyor belt. and so -- i know what you're thinking. my god, if i get cancer, i want this guy to be my genome in a

hurry and fine the one miracle cure out of five billion options that will make me 20 again and healthy. you're all laughing but i'm pretty close. okay. i got it. i want that, too. but the job that tim and i have, and the rest of us -- even the providers are telling you, that's what they want now. we are not helpless inanimate bots on a conveyor belt. our responsibility is to minimize the number of times they'll have to help us. [applause] >> so -- so that's why i go back to the pga. when he agreed to do this, there were unusual number of golfers and their families who had devoted their foundations to

health care. right? but normally for perfectly understandable and wonderful reasons they were trying to help solve a particular problem that someone in their family had experienced. so, look how healthy tim is. he has lived his life as a -- not lived his life as conveyor belt, and i just want to point that out. the pga took a big risk. they were trying too save the tournament, trying to preserve the legacy of bob hope, and we raise a lot of money that goes into health institutions in the valley, but the main thing golfers can do, tim talked about walking 30 hours a week -- we have to contribute to the idea that you can't ask all the rest of these people to just take

care of us. we have a heavy responsibility here personally and in our families and our communities, to take better care of ourselves. so i want to thank tim finchem for doing his part to send the "get off the conveyor belt" message to america. [applause] >> our guest on this weekend's newsmakers is david medin, president of an agency established by congress to advise the executive branch on issues reef lated to privacy and individual rights. on sunday's program he talks about nsa surveillance and the board's recent recommendation that the nsa's collection of phone records be put to an end. you can see the interview sunday at 10:00 a.m. and 6:00 p.m. eastern on c-span. >> the new c-span.org web site

gives you access to an incredible library with more added each day through c-span's nonstop coverage of national politics, history, and nonfiction books. find c-span's daily coverage of official washington or access 200 hours of our archived c-span video. everything c-span covered since 1987 and it's searchable and viewable on your desk top computer, tablet, or smartphone. just look for the prominent search bar at the top of each page. the new c-span.org makes its easy to watch what is happening today in washington and find people and events from the past 25 years. it's the most comprehensive video library in politics. >> earlier this week, it was announced that afghan authorities released more than 60 prisoners in afghanistan despites objections from u.s. authorities. at friday's defense department

briefing pentagon spokesman john kirby spoke about the issue. >> back on afghanistan, you said that if these people who are returned to battlefield -- -- if they return, that then they will -- >> doing it at their own peril. if they rush to the fight, nothing is going to change about the way we and our afghan partners are going after our enemies there in afghanistan, enemies of the afghan people, and if they return to the fight they do it at their own pillar peril. one an i'dle threat. they one at their own peril. >> want to step now that they've been released are they considered enemies still since they've been released by the afghan government. >> are they targets? >> if they return to the

fight, -- >> they're no longer enemies. >> they're no -- they're still very dangerous individuals who should remain -- should have remained locked up. now they're not. there's not going to be an active targeting campaign. if that's what you're asking for. to go after them. that said, if they choose to return to the fight, they become legitimate enemies, legitimate targets. >> why the distinction? why is their previous killings or other crimes are being -- not -- why is the u.s. military just saying, they've been -- >> no, no. come on. we're not calling this a pardon at all. we weren't behind this release. we decide notice support this release but it happened. -- with did not support this release but it happened.

and if they return to the fight they do so at their own peril. >> intends to release the rest of the 88 detainees. >> we have made it very clear how we feel about these detainees, and how strongly we believe they need remain locked up, and -- but i refer you to the karzai administration. >> concerned they may return -- >> we still are still concerned about potential release of other detainees, yes. >> you can see all of the briefing online at c-span.org. >> cotton avenue is a metaphor moore macon's hit. when macon was laid out in 1823, they laid it out in nine square blocks with alternating large

wide boulevards, wider than leinfants' washington, dc boulevard. savannah has squares, macmacon has linear parks. when they were laying it out, farmer with cotton on his wagon, headed towards the river to enactor its downstream. rode right through the stakes that the engineers had laid out, and the engineers simply rose in the angled road into the layout of macon, georgia. >> this weekend, booktv and american history tv look behind the history and literary life of macon, georgia, saturday at noon on c-span 2 and sunday at 5:00 p.m. on c-span 3. >> next, a discussion on what can be done to improve cyber security based on a framework released this week by the national institute of standards and technology. the framework stems from an

executive order signed by president obama in february of last year. it aims to provide voluntary guidelines that companies can take in making themselves less susceptible to cyberattacks. the discussion is two and a half hours. >> good morning. i'm walter mccormick, the president and ceo of the united states telecome association and i want to thank you for braving the snow to attend our event. we have been glued to our television sets for the last couple of days watching weather reports, somewhat uncertain whether or not we would be able to be here this more than. so i'm grateful itself worked outside so we can have this important discussion before the release of the cybersecurity framework which the white house announced on wednesday. we believe that this framework is an important step forward for

our industry, in helping the industry achieve greater levels of security around critical infrastructure. it allows companies of all sizes to decide how to adopt the practices based on their unique circumstances, including specific threats, vulnerabilities and risk tolerances. by creating a common language or protocol, the framework will help organizations to communicate about shared cybersecurity responsibilities with vendors, suppliers, customers and partners. our industry takes these responsibilities very seriously. and we look forward to the framework to supplement and reenforce existing best practices. now it's my honor this morning to be able to introduce michael daniel, special assistant the president and a cybersecurity coordinator you has been a key architect of the framework.

he leads the development of cybersecurity strategy and policy. prior to joining the national security staff, he served for 17 years with the office of management and budget. from 2001 to 2012 he played a key role in shaping intelligence budgets and resolving major policy issues as the chief of the intelligence branch, national security division. since 2007, mr. daniel has been heavily involved with federal cybersecurity activities, including the comprehensive national cybersecurity initiative, cybersecurity funding issues, and the annual review of federal agencies cybersecurity spending. please join me in welcoming michael daniel, who will talk about the evolution of the framework, what are the next steps and how we are going to go forward and improve critical

infrastructure security. mr. daniel. [applause] >> thank you good morning, everyone. it's a pleasure to be here at the u.s. telecom event. focused on cybersecurity framework. i'm a special assistant at the white house. i'm the chief cat herder for cybersecurity in the federal government. now, of course, today you have two great panels following me. you have folks like samaa and ari and adam and jenny -- i see angela and chris and nadia here as well. all of whom are going to speak far more competently than me. i'm the band you have vaguely

heard of that comes out so the real stars have an easier time. that's what i'm doing here today. so let me say thank you to the u.s. telecom association and its members for all of the work and support on the framework. we appreciate the time and effort you put into helping to produce and it it's a product we can all actually be proud of. so, a little bit of how we got here. if you can actually rewinds back to the summer of 2012, it became obvious that the cybersecurity legislation we were working on with congress was not going to make it out of the senate. and at that point we knew that we had to shift to some alternative paths. so we began looking inside the administration for what our options were, and over the latter part of the summer of 2012 and the fall of 2012, we crafted this executive order, and of course it was the result of a tremendous amount of effort on the part of a lot of different people who put in a

lot of different time. some of whom are now in different positions, doing different things, but still all contributed to the development of the framework. and we completed that in the late fall of 2012, and then in february 12, 2013, the day of the state of the union for 2013, the president signed executive order 13636 on improveing credit contractual infrastructure cybersecurity. that executive order has a lot really packed into it. for what is actually a fairly short document, especially in washington terms. bit it -- but it told federal agencies to do three things. go out and increase information sharing with the private sector, push more cybersecurity information out to the private sector. and also said, create a framework of best practices and standards that critical infrastructure companies could use to improve they're cybersecurity. and the third thing it said was protect privacy and civil

liberties while you're doing those other two things. and it built in a lot of different things into that process, but what want to focus on today was really what happened with the creation of the framework of best practices and standards. the executive order charged the adapt of commerce and national institutes of stats and technology of leading the framework of the process and doing it in a way it was playing a convening role and actually lead industry in the development of an industry framework, and one that was actually owned primarily by the private sector, and they took the task seriously and powder real energy into the project. 18 people on the project. and it ran an amazing process. if you think about it, for crafting such complex document in just a year. after the executive order came out, a flood of comments came

into my office about the year-long deadline that the executive order set for developing the framework, and they were divided about 50-50. half the comments came in and said, are you cds? there's no way you can develop that framework in a year. then the half came' and said are you people lazy? you could do that in two weeks simple figured that we must have hit it about right at fortunately adam and the team and others proved to us that was correct. but it was still an amazing effort to pull that off in a year. they collected comments from across an enormous array of participants participants participants and my hats off to you if you participated. the participation of industry was amazing. we had well over 4,000 comments

from 300 something different organizations. but i think more to the point you can really see how the framework evolved, and grew in response in direct response to the industry input, and with each iteration of the framework it got stronger and more refined. so this is really your framework. it represents the best consensus we have among government, academia, the privacy community, and others, about how to do cybersecurity right now. and i think that's because of the contributions of all of those different groups really stepped up and provided thoughtful and useful input. so what is the framework now that we have it? what does it do? the framework references recognized standards and practices to help organizations understand, community -- communicate and establish their cyberrisk and makes common language to discuss cybersecurity stint in across organizations.

offers guidance for hour organizations can address privacy and civil liberties arizona part of their efforts to secure themselves the framework has the components. the framework core, at the profiles and the framework tiers, and the core is those set of common cybersecurity activities that almost every agency or organization has to carry out, including agencies. we'll come back to that. we're going to belight on the federal side as well. the profiles help organizations align their activities to their business requirements, they can be used to describe a current state or a potential state that you other like to get to. and it also helps companies chart a path from how to get from where they are now to where they would like to be. and then lastly the tiers can help organizations better understand their approach to cybersecurity compared to other companies. and how that compared with other

approaches and standards across their industry. and companies can then make a better informed judgment about where to invest their seen cybersecurity resources based on their own business requirements in short the framework is aimed at reducing and better managing cyberrisk and off -- flexibility for a wide range of organizations. so as we actually move into using the framework, the process for using the framework, what is it going to do for companies? i think it offers a baseline for risk management. says here is a common lexicon, a baseline that all companies can rely on to point to. that their chief information security officers can point to, that have the advantage of being a widely accepted framework for doing that. i think it will also offer a really good way for communication with the c suite. certainly i find on the federal side the ability of the seniors

and people in senior management to understand and deal with cybersecurity has increased over the last few years, certainly in my time in this position. but still searching for those ways to actually have those conversations in a language that everybody can understand. i think the framework would do a very good job of assisting with that. the framework will also enable much better communication with boards of directors for companies. it will enable them to have that conversation about why you're managing your cybersecurity the way you are and what are the resource wes need invest in this. i think this even applies to very sophisticated companies that are very far ahead in cybersecurity. for one, it serves as -- can help them internally as an external reference point, a benchmark, something against which to measure, which we haven't had in much of the cybersecurity world. so even if you're very far ahead it still provides kind of a

foundation and a benchmark against what you can measure. companies will also be able to use it externally with suppliers, for example, and other companies they work with. as a way of communicating what cybersecurity requirements are and what they would like too see in terms of what other companies have, in terms of their cybersecurity. and then finally, i would not be -- i would be remiss if i didn't point out a gigantic business opportunity for many people, this is something for those sophisticated companies for them to provide services and other things to the small and medium sized enterprises orthos that aren't as sophisticated. so it provides a lot of opportunities, whether you're talk can bat small or medium enterprise tying to figure out how to do cybersecurity in a meaning've way, up to those that are actually very far ahead. so, in addition to developing

the cybersecurity framework which all of the panelists will talk about -- also direct the end department of homeland security to establish a voluntary program for critical infrastructure cybersecurity, and to serve as a federal coordination point for cybersecurity resources, and to support the increased cyberresilience by promoting the use of the framework, and so dhs has created that program called the critical infrastructure cybercommunity, the c cubed voluntary program. but of course it's actually -- we're the government so we can reuse the acronyms. you can talk about c cubed meaning you have a convergence of critical infrastructure resources coming together in the program. you can think of it as connecting the stakeholders together and the national security resilience efforts and coordinating those cross-sector efforts to maximize

cybersecurity. ... >> at the request of

critical infrastructure urged nationwide. we breakfast together with the voluntary program so it is clear these resources are there. d.h. has also offer resources to organizations included threats and pulled her abilities. cyberincident resources the national center security integration center and u.s. computer ready this team had the ics that will all come together with the specific agencies as with federal agencies to identify other offerings we can provide to be best suited to those sectors with the capabilities and what they require.

for example, the several securities center will work with voters and operators for sector specific use cases to build up security platform is based on the framework with best practices in the department of energy offers guidance and assistance through the energy sector security model so i think we are looking at the voluntary program through dhs to be a partnership with an industry to implement the free park -- framework. speaking from the government side a reward for this job well done will be more workers. after all there is no point we reach with a two-part one dash wattage% securities you

be done but we have to be focused on reducing cybersecurity risk and it is over time. so to talk about our past forward on dash password with the direction did dealing with the regulators with the future plans are and where we are going. with respect to the regulatory environment the goal of the of frustration and is to encourage harmonization over regulations and between those with the framework. let me be clear we are not to expand regulations. we want to streamline existed regulation and to bring that and to the framework of overtime.

to that and the president directed the executive branch agencies to review the programs in this era and and this year is consistent with the executive order curch egos with voluntary efforts agencies are encouraged to bring those existing regulations and to the light of framework. but we have invited them to for the same process what is next for the framework?

we need to see it in operation our functions with the government environment to figure out how we can make it work. that is the first thing before we tweet a and suggested we want to capitalize on the rollout with the statement in get robust use of the framework. raviolis view that as a living document. as it is used precarious organizations we have plans to integrate those lessons learned so i know adam can talk about this war but there will be future workshops the intrigues for the framework to address specific areas for further

developments so your feedback out the framework works will be valuable. also with the traditional order ship we use this to be don't and operated overtime. obviously with that transparent process to develop the framework that will be done in the same way and will not happen overnight but for what it can continue to drive. the last area to benches is to encourage the use of the framework it is a key

endeavor and we want to keep moving forward with the process. back with 2013 we intended to review further the relevant agencies have the incentives included technical assistance cyberinsurance and government procurement. and how to get engaged in the process. dhs and other agencies will help to assist in their efforts with the framework as the voluntary program. also eliciting feedback with those incentives through the voluntary program. but i feel that those

drivers with a cybersecurity framework are market-based for us to pursue and get right to make a business case. the federal government can make the cost the little lower but that is icing on the cake if that is not tasty enough itself i know that some of us just like to eat the frosting from decay and but it will make the framework work. even as we continue working. so looking at moving forward we have got off to a really great start it was amazing endeavor with all the different versions that i saw it is quite amazing.

there really could be a major shift how they talk to the industry about cybersecurity to kickstart the conversations that the to happen. so the wes government -- the u.s. government with the framework i hope the telecom industry can't continue with the framework. i say kick the tires and try it out. see where it works and where it doesn't the good and the bad is the only way to make it better. if we can do that to lay the foundation with cybersecurity to go after the real bad guys to make cyberspace safer for all of us.

of thank you for letting me speak. thank you very much. [applause] stibnite faq for the introduction i am vice president for u.s. telecom i've been called with the cedras security policy but the communications community with other sectors and i shared membership and very probably do so. i would like to introduce them we will turn it over to the moderators.

is also fair to say with the executive order cannot with day to the free or a framework of one year their funds universal concerts that was extraordinarily aggressive. i think once the stakeholders' got involved with this particular group of leaders it became clear that no matter what they would achieve their objective is no way that it is remarkable with transparency with stakeholders. but be start by introducing director for cybersecurity for critical of the structure of the white house national security council staff to coordinate efforts across the federal government with the private sector to address cybersecurity policy areas. previously she worked as a senior advisor at the department of energy focusing on the energy

sector in aunt betty jeanne public-private partnerships and also played a key role of governments with the capability richard a.. receiving a bachelor's degree from virginia tech and engineering management systems and is an adjunct professor. to her right serving on the national security staff as director for several security privacy civil liberties and a policy previously worked as senior policy advisor four department of commerce in senior internet policy adviser at the national interest -- is to to the of standards. between 1988 and 2010 he led efforts to have privacy

protection in the digital age and expanding access as the vice president and chief operating officer. he won both the todd -- 2006 and 2010 awards for public service and in 2017 to one of the top five influential thinkers by secure computing magazine in holds a bachelor's degree in sociology from brandeis university for to his right he bases his m recently with the beard but it is nice. [laughter] the senior information and technology policy adviser and it represents the department of commerce with the task force coordinating projects with critical partners but the framework

with the infrastructure sector. with the adviser to the council coordinating as previously handled several security and technology policy and in 2008 and 2013 received the contributions for information technology community. and to his right to andy is the director of the stakeholder engagement cyberinfrastructure resilience division that department of homeland security and provided

infrastructure at the united states computer readiness team. serving as the deputy director of partnerships and is the program network for clinical -- critical bumpers and for large scale integration firms did receive your mba from the university of chicago and was selected as a member of the senior executive services in 2009. we have a very distinguished panel of want to get to questions quickly and would reduce our moderator alexis please step to the podium. the commerce privacy to report executives with bloomberg taking a deposition in 2003 and has written extensively on

cybersecurity advertising and government surveillant -- surveillance. >>. >> thank you to u.s. telecom for putting this together and to touch on the of questions i had what we set the stage how does this move the ball forward from where we overstanding two years ago? to compile standards that were already out there? >> what the framework does we are in a critical period

to see how that question can be answered because we had a good process and a lot of folks stand up now to say they want to use the framework but really success is measured by how many people use it and to reduce cybersecurity risk. it moves the ball for virgin the couple of different ways. it makes it a lot easier for companies to have these conversations. we always talked about whatever solutions are created there is a statistic that we might understand the origins 85% of critical infrastructure is owned by the private sector. those solutions that we help companies do something they can support and embrace and use.

the natural place is the existing practices that are out there. having that foundation that is already out there tends to be clear with those underlying standards for go no part of this is static that that structure we have presented goes beyond those set of existing practices. bought the underlying standards that the hundreds that excess. with that structure they developed to understand the concept as michael alluded to it needs to be something that is embraced. so what it does have a common set of practices that may be could not have

happened before. that is what we saw from the of their workshop. to bring those stakeholders through the ecosystem and ways to address that. that is going forward as lee think about in the document that we call the road map that lays that out with the process is always about identifying those practices federal there to elevate the use of those with the infrastructure and how we work with industry is up to help with innovation and index setup problems that we see. >> five follow-up -- if i follow up a large fortune

500 energy company data and use that framework to talk to their board but with their preliminary a framework now is used with the final framework. one of the top five largest banks are using it and had a conversation with their board as well. we heard from one of the largest 80 companies in the country is hiring a new chief information security officer to judge as a baseline of the person does their job and how they move forward. i think that gives a sense already is used.

>> now let's talk about the next upside is the beginning of the process. was a key item announced was the launch of the d.a.'s jazz program. cayenne you talk about this program and how it benefits companies? >> we are excited about the names especially c cubed in short and catchy that would be done through the critical infrastructures sector and work more broadly with the chamber of commerce and howard rigo to those small and medium plus to be in

these national level discussions and with critical of the structure and sometimes we don't talk about as much as state and local governments we have the active reach campaign when you talk about the sensitive data that is on the government that works and the critical programs that are implemented for state and local government and the things that they do. water systems is also an important part of so that disinformation and of c cubed to go to the web site that has more extensive information that is the second part of the voluntary program to bring together the resources that we have across fda tests with the

cyberresilience review to have someone do a site visit or a downloadable version if you choose but a broad set of tools, capabilities, best practices work force diagnostics, incident response, exercises you can go to and there is not a one size fits all set of tools that there are very different leads across the community with the continuing of maturity and some folks that are sophisticated have been thinking about this for years may be summer just waking up to this.

and to recognize these unique needs and the pieces of the community. whether this state and local so stay tuned over the last -- next couple of months we need to get feedback to grow and improve to make this better going forward. what your needs are and how to build this together and feedback with that cyberresilience review does dhs had adequate resources

given that it will be a national that you have to accommodate those needs? >> to be across the critical sectors there may be increased demand so adapted to the framework see you could do it yourself or a vendor direct for euro so that helps with the scale ability aspect as well. >> talk about the framework that is voluntary what does she have to do that?

looking into the tools and resources one is awareness so we the relationships that we could work closely with the framework. and also looking into incentives we can work with the assisting authorities with the homeland security and commerce those reports recommended eight incentive areas.

we recommended further analysis to use the framework to how best develop the incentives to encourage the use but kranz, a cost recovery research and development streamlining regulation so since those reports were issued with the interagency is to do that further analysis in the near-term what is the timeframe in the coming months with that path florida in those areas.

where we can take some action in the near-term. with the technical assistance and to the framework. we have agencies that have taken a leave a certain area is and furthering some work to see how we could pursue cost utilities with that insurance industry to hold a series of workshops to further promote and develop

this. as the use the framework for to have more insight to promote use of. >> i would add to that the other key step headed it was to be a cross sector with that critical infrastructure but we realize there would be to be additional work celadon of that high enough level with those standards and practices to identify

and protected respond and recover those ways to communicate within the organization to think about what they're doing to better manage it cybersecurity risk but there is a lot more we can do now that it is out there to bring it down a few levels and with the in telecoms so they'll understand the unique challenges they have in their environment which is very different from the energy sector or other sectors that are out there. so with those technologies providers with critical of the structure fake about

those tools -- to think about those two will. >> one more point that we heard throughout the of workshop in developing a process and also free heard the panel last wednesday during the rollout was the interdependency that we have within sectors and across sectors and how the framework can be used to support with did use of cyberrisk within the supply chain we believe that to use adoption over the framework overtime. that we heard through the working group we the asean framework development

sessions. >> can you elaborate on the road map you are expecting? is that ideas are the action plan? will there be a time line improved the board with implementation? >> as it relates you will see a list of the past four word for both the full areas. we have identified that time the boat some of baby three or five years. looking at the grants to influence the process takes some time to work that into the process. the specific eppley ince will be shared for example, there be open requests for information for targeted feedback on targeted areas.

>> will there be any legislative recommendations? >> a gabby are looking to see how the framework is used specific asset tuned requested the legislative space. as the organization's use it how they encourage use of the framework. >> the pacesetter is important folks to said it is hard to drive adoption did what commentators said it would have been a waste of time. it has spent over stated as we said the day that this

rolled out we have very large companies 70. which has a domino effect we hear from companies those that are committee to do that with the supply chain with anyone they may have contracts with with the risk british red project. would figure the right direction and already war will help but companies will not use it we see that is already not true. >> you don't see it -- see that lack of incentives with liability limitations would it weakened the program? >> if we don't?

>> they will help and the reason it was with the executive order. because of the great support from industry to create the framework in doubt in the beginning stages it is not as essential as some commentators have said it would be. we heard that from the panel of lockheed martin, but at&t and. all said there you see the framework that incentives were not an important driver. added is a good example of right there those companies that we hear from to open the framework with the judgment of risk minutes to read to it as we move

forward with risk be vigilant to find those incentives at the front end of this. this is where the incentives kicking and with the group that makes up the critical mass then we will see after that to get incentives. >> i have one or two questions that i would give the audience the opportunity. obviously there has been so the society in the business community about regulatory agencies. michael daniel has spoken to this today in the industry should have spoken but i want to give you the opportunity to elaborate what role is an efficient and what type of action invite we expect and what

time line do they work with? >> for the regulatory agencies to have some directives of the executive branch and in fact, reports that were submitted on the 12th related to adjust to that. the agency's have reviewed their existing regulations and over the next few months they've will submit actions within their sector. and in particular they are reviewing along with the framework put also

encouraged to leverage voluntary means that the sector feels needs to be addressed. there are some of the areas of streamlined innovation that we want to work with existing regulators to harmonize overtime. we recognize you cannot flip the switch but would like to harmonize with the framework we have heard from organizations for multiple sectors to be of value but we are not pushing it but promoting the of voluntary approach of the framework.

>> i want to make it clear we work with the regulatory agencies throughout the process that came to our workshops and submitted comments in the reason we did that is they are a key part also asking the companies that were working with us what were the regulatory issues they considered so when we built the framework but also not completely impossible to implement. i would also say it is not one size fits all how they looked at the cedras security risk. they have been working you with us to understand the framework the key part is to think about the framework is

perhaps not the implementation so how are you reading those goals in that will be the work that we look at next to bring them into the conversation. >> one of the challenges before the id ministrations of is how do you measure that effectiveness edited say voluntary program? how much sought in do you have options at this point? >> it is a bit of a challenge to the voluntary program there are organizations that will adopt the framework to avail themselves that we will never know about.

but what we can do is the cyberresilience review so we get an idea what is going on moderate the posture to do the multiple visits over time to see changes, how many people visit the web site we participate with a number of sector organizations that can give us information about the adoption within the sector with a set of practices that all agree to abide by. we can get an idea things are adopted and working with the provider it industry partners that will roll out the two wills' hopefully they can give us an idea that those are adopted so it is a little bit of a challenge might the paperwork reduction act

making it difficult for us if people chose to respond that we will leverage the partnerships and weighs just to get an idea how broadly the implementation is going in and always welcome suggestions because the metrics are tough. >> we have been talking about this and start your identify those indicators of success and she addressed the of the ones we have come up with but when you look the way the framework could be used what we are shooting for is to strengthen hall of jay vitter etch the cyberthreats that has the potential to a negative impact the businesses so

there is some organizations that could use the framework but they use that to aid in communications. howdy you capture image measure that? so as a result we look at different indicators of success that it be back that we get is part of it. that ability to harmonize regulations over time if we can do that is an indicator. to restart to uc cpac long dash sector specific do real mind if it to the functions that are outlined? rehab identified different

indicators bet to look for a feedback as we look through the voluntary program we're seeking the feedback. >> does anybody in the audience have a question? ripley's identify yourself. >> we have online questions if nobody is ready. we'll follow in the framework be but a torrey for government contractors? >> we have the report that was done to really by gsa in

department of defense on government procurement. that report included a session of recommendations on how better rivage procurement efforts. that effort is the effort to implement it was not something that gsa did in a vacuum but it a very similar transparent and open process. as they look to implement those recommendations a similar process will be followed there will be a request for interrogation for feedback how can the best use that framework to influence for cyberprocurement? >> low-key yet the federal side and know what they can

put it in to help the cyber rest. >> talk about what the government will do to encourage integration in sharing in the absence of legislation. >> with the executive order section for if you follow closely just on information sharing so within the executive order to improve how we share information with the private sector and a more timely basis and the recipient of the permission we have banned werke diligently to improve the process and for example, to

develop of what we can share unclassified information with the community but also to recognize that while it helps to share more in for a ration of the unclassified level there is classified information we have work to improve our process for clearances to critical infrastructure in the next to the soviet pianist cybersecurity program civic we have made some good progress with in for reissue sharing on the classified side so where government shares classified indicators with the mighty providers to use that in for rationed to protect the customer's network. so the program is what was

referred to with the executive order did to allow this program to be made available through those providers to all 60 critical infrastructure sectors we have begged working since that time there are policies do procedures that needed to take place to increase the frequency so they get more government it permission on have frequent basis the initial provider's where i guess peace but we have well over one dozen companies from other sectors or other components that have expressed interest that has signed an agreement with us to participate and our partners now have customers

outside of the defense industrial base sectors we will continue and experienced for market innovation how can i use this information to keep it secure with critical infrastructure? we will work with the providers to reach that is valuable as possible. to other areas with clarence guiding how that is put into place with the private clearance program but it has taken a long time to get through the process. it to come up with a streamlined process to recognize if you're a person in the industry and a briefing you need to attend reedy the expedited track to get you to the front of the

line so couple weeks ago we had a request from the rail sector but these are very specific things here is the list from those who like to attend. son had clearance some did not be also like the canadian rail partners to attend so we could do is get people expedited. some got the clearance within a couple of weeks. ice-t jaws dropping. i go. [laughter] the canadian clearance was passed they could receive up briefing on the intelligence requirements that day had from teeeight chest but also fbi, t.s. day in a national security agency.

it was a great example to bring those capabilities also with the collaboration program which is where we share the sensitive but classified indicator reporters across all 16 infrastructure sectors that continue to grow. we have 70 organizations from across all sectors that are participating where we share information that goes out to the group did use that for collaboration and exchanges. lots of progress going on in that area. >> charlie mitchell. >> i will defer to my colleagues. >> the answer is yes that

legislation is necessary. we have seen it increase in some sectors but in others we still try to buy out why that is the barrier still supportive of legislation in general are package went to the hell and -- to a the capitol hill with other stakeholders to figure out where the problem is holding up legislation on this issue. if it is the key issue that is the standing although there are others you like to see pass as well from the package from 2011. >> period reid's executive predicted the agencies have submitted executive orders

and will later submit others within 80 days be imported to the administration will these reports to enjoy the same level of openness and transparency that every the aspect of the framework process having enjoyed? >> for those reports that were submitted this week in response to the directive of section 10 those are used for internal purposes zero billy and our plan is not to make those reports as agency's move forward we are in the process to coordinate with them we use those four the internal purposes.

>> those are the agencies reporting for word with reports to the white house. >> i have a question on the regulatory agencies encourages but doesn't require independent agencies to look at this. could you elaborate? fet michael daniel e. hanson -- mentioned those agencies that are interested. >> we have then reaching out that the agencies that had been involved in the process. the dependent regulatory agencies are invited to engage plagiary have received some interest along those lines.

we are in discussions with them and they are looking to how the framework could be leveraged within their area of responsibility. >> i would underline that began the independent regulators have participated in our process we had a panel with the regulatory agency that is of particular relevance to show pieces of the ecosystem that it is not one size fits all they have different authorities do it is a mistake not to leave out other parts of the ecosystem with state regulators on what other countries might do so with the approach about we have to read -- ben done without voluntary for work to

benefit the broader community in those pieces of it civic interests of the actions with the regulatory agencies to expect rule making a and what is the time-honored? >> it takes a state regulatory agencies if fed is required nor necessary it would be done through the existing aid old bid rulemaking process back is there any particular time we expect to see that? this year? >> the agencies are very different.

with the framework they're starting that analysis. we are promoting voluntary use of the framework but if that is determined it is necessary to generally that involves it cagy with industry partners so i cannot provide a specific time frame. >> the white house has said we want new regulations as well. that if you do see something like that to be streamlined across the different industry to make sure not to have different regulatory authorities.

>> and the other questions from the audience? in terms of the transition with the final free work if they're in the significative differences one issue that cable up was the concern of the privacy language. so if you can just address that with any other major changes? >> movie from preliminary to a final we received comments multiple times in october what we call the preliminary fryer mark the first full

draft of the workshop in dallas. by our account just over 200 submissions that was just over 200 separate comments. of the changes that we made throughout the document people said gains like it would be helpful if you had the executive summary with those under pending those that need to be clear with the document itself. it is not one size fits all but even these tools within the framework the concept of the profile you can tailor it to different ways it people ask for things like they helped us to better map begs to existing standards.

but that is the biggest difference was the stage with the privacy section. what happened was initially we had a separate section that was a bit too encompass the civil liberties and we did that not only as we have heard as a key part of the executive order but that the stake holders passed for going back to the questions february 2013 people identified as civil liberties and specifically for this effort with the privacy and civil liberties considerations building strong cybersecurity programs? id at the session's leading up to that we had a panel at the last workshop with my colleagu