tv Key Capitol Hill Hearings CSPAN February 20, 2014 3:30am-5:31am EST
4:28 am
security here. we are honored to have a distinguished panel to discuss the new cyber security framework. essentially, the document represents the best efforts of the administration and industry representatives will work together to address what president obama has called one of the greatest national advantages the united
4:29 am
states faces. i'm looking forward to hearing more about how the framework will be. we are taking a moment to remind ourselves that the framework owes its existence to the failure of congress to fail to achieve consensus in 2012. that led to the president issuing the executive order on improving critical infrastructure set out to do three things, improve information sharing within the private sector, raise the level of cyber security across our infrastructure and maintain privacy. while the executive order
4:30 am
contained a whole lot more than just a voluntary framework, it is clear that the framework has into the centerpiece for the sake of order and the administration by extension for the executive order. according to the executive order, the framework set out to provide a performance based, cost-effective approach to managing cyber security risk. it has to be completed within one year. argued to can be remove some of the lyrical rancor from the debate. the real question we have to discuss today is whether the
4:31 am
framework is going to make it any safer. some pretty fundamental questions on what is the framework, how it is meant to work, will it be adopted, even if it does, will it be sufficient to deal with the greatness of the threat that the president described. very pleased to be joined by the very man who was charged with delivering that framework. the 14th director of the department of commerce. him, the distinguished fellow in the governance program and the previous general counsel acting secretary and the president and ceo of the information technology industry council. i will not take too long on the bios.
4:32 am
you have those. in 2009, you, served for the director of commerce for standards and technology. from thened your phd university of pittsburgh, where he is due to return later this , having just been elected the new chancellor. ed in december from the m.i.t. media lab. you work across the bewildering range of legal issues and before , studyingere a lawyer telecommunications law. he became the president and ceo
4:33 am
a position representing the tech sector around the world. he held positions at the motion picture association of america and the recording industry association of america. fantastic to have you here. begin handing it over the three panelists to give some short remarks, then i will leave a bit of discussion and then we will open up to the floor to ask questions. i would ask you to keep your phones switched to silent. feel free to tweet or e-mail. recommending #nistcff.
4:34 am
thank you very much for joining us. congratulations on the framework. even among those people who have been critical in the past, they are being universally complimentary about how the this.ent has run well done on that. just to kick off, perhaps you could start by telling us what the framework is, how it is meant to be used, and then touch on the process for how you develop the framework. and then explain to us why this is going to do what the president wants and make us all safer. >> in just a few minutes, right? first of all, is great to be here. let me start with the what is the framework question. and answer it in a nontypical way. you're probably expect me to lay
4:35 am
out how to structured, with the key parts of the framework are, a lot of you are taking a look at the framework. let me actually do it from a different perspective, which is some of the key attributes. the framework is a living document. one thing to really keep in mind is that it is not static. when we asked the question, is this framework going to solve the problem? you really get to a different answer, which is this ongoing framework process continuing to adapt and work for us. this is a very fast, dynamic area and it is important that you understand it is an ongoing process. this is a market response. what do i mean by that? you characterize this as being a failure of congress. actually don't view it that way. the discussion in congress was focused on questions of authority.
4:36 am
therefore, it had a lens already on the problem in terms of what solution set was. one of the best way to address cyber risk is to have the private organizations and technology providers come up with a set of best practices. for that to happen, it had to be a document that was a product of industry. so what this did was actually adopt an approach that we use very much and standards, to act as a convener and act as a facilitator, if you will, of a very broad multi-stakeholder come getting the band together to have that critical discussion. because it had to be aligned with business, it means that the framework in the end was both what you would expect and something new.
4:37 am
what you would expect is a set of controlled solutions and standards that were drawn from best practices across all the sectors. in the framework, in a very indirect way, because it points to a whole set of standards and reference standards. the meaty details are. the other part of the framework is a structure to put all of those things into practice. in particular, to integrate this practices into the way the organization runs. so it specifically is designed to not only talk to the st, but to the leadership. it is designed to align with risk management, designed to , and designed to look at your maturity as an
4:38 am
organization. like many other risk mitigation behaviors in an organization, you get better. that was important to acknowledge, you draw the analogy with safety management. you start by implementing certain rules and doing things in a particular way, but with higher maturity, you recognize risk and adapt it to be more proactive. is what the, framework is. both practices and structure with which to support innovation. theses promising -- attributes. it is owned by the stakeholders that have most to gain by managing cyber risk. it can be aligned with business practices and integrated into other types of risk management organizations. adaptive toc and
4:39 am
the changing way that we will use this technology and the way it is unfolding. in terms of the process, it is not over. we met the deadline of one year that was given in the executive order, but we stated from the beginning that for this framework to make sense, we are really talking about a continuous process. the finish line here is not being done, it is being normal. where this is just part of the breathing and operating that we do routinely. what we are looking for is operation on an endpoint. the process has been one that was based around industry ownership and participation. we used every trick in the poll book that we used to put things up publicly. nobody was surprised by the framework. it was multiple workshops across working together.
4:40 am
we anticipate that as we move into the next phase of the framework, we will maintain that approach. >> thank you. we will move on to cam. you have had the opportunity to step away and look at the process from the outside. which is a unique session to be in. perhaps you could touch on three things. firstly, if you could just give us a sense of how things have changed over this process. and where we came from. it is important to remember how things felt just over one year ago.
4:41 am
as the former general counselor of commerce, give a little bit of insight into the privacy discussions in the development of the framework, which drew some comments about the process that was changed in the final version. third, it might be interesting to get a sense of what you think the administration can learn from this process. >> thank you, ian and pat. congratulations on the framework and the university of pittsburgh announcement. both are terrific things. commerce and the country will
4:42 am
miss you working on public policy issues. are in the outcome of this framework in a very different place than any of us would've predicted when this policy 3.5-fourn started years ago. at that time, the conventional wisdom was that the way to approach this issue was through some form of government authority. address cyber security by conventional ruling and go out and adopt a set of rules that
4:43 am
would create a standard that meet. had to this is a very different framework. what thistlined today framework does. this model implements something very different. some of that certainly is a congress' inability to legislate on this. that failure was a lack of consensus about the right model and the right approach here. more than anything, the model that is reflecting the framework reflects an evolution in the thinking about policy in this area. and appreciation for the
4:44 am
complexity of the issue. the speed with which the technology is changing. both on the company side in terms of what it is that you're risks out and the there. this is constantly evolving. at a pace that simply comes much faster than conventional rulemaking can deal with. this has been a long process. a lot faster than the pace of classic notice and comment rulemaking. this also is a model that is far more adaptive to the technology pace.
4:45 am
to the world of digital communications and technology that really is at the heart of cyber security. that is an important piece to stress here. this model which had described as a living document is version 1.0. it is something that has been taken and moved over from standards setting, which is why he was charged with responsibility here. he has done the guidance for federal agencies and the documents that inform the framework.
4:46 am
the model reflects an success inn for developing standards. its engagement with industry. as an honest broker in the process. , what we have is something that will help move the needle in some important respects. has emerged as one of the critical boardroom issues that companies of all today'sd to address in digital economy.
4:47 am
provides a set of benchmarks that corporate managers, boards of directors can apply to ensure companies are meeting cyber security goals in ways that are going to particular assets and be cost-effective. they will meet the expectations of shareholders, customers and other stakeholders in that environment. the other piece that i want to underscore in the framework is that it has been designed as something that can cross borders. , we have taken a lead in
4:48 am
framework,g a .stablishing some standards thating so with a model can be used around the world in this space. it has been difficult. the current international environment in the wake of the snowden disclosures. it is important that the united states continued to lead here advocate forues to a model regulation in the digital space that is adaptive and does not operate by government prescription.
4:49 am
this framework does that. that is an important thing. >> thank you. that is extremely good lead-in to you. if represent a private sector perspective. tech sector, but those your member support. be grateful if you could give us a sense of what you're hearing from the press sector about the framework. are we going to get consensus of aid or will look into the bloodstream? if you could pick up cam's point about the international dimension. does this framework have the weights to build up an international following or will it bump up against
4:50 am
european notions? role, talking to people on the hill, it would be great to hear what you're hearing from legislators about the framework. >> on the first question, i going to get into the bloodstream. pat described it, it seemed inevitable and quite logical and linear. part applies because of the process that pat had come which was quite open, transparent and cooperative. he and the team need to become permitted for that. on the substance, i think there are three reasons why it will
4:51 am
become part of the bloodstream. it will speak about the global impact. one is that these -- what the framework is quite flexible, based on risk management. it is not prescriptive. because of that and because of the collaborative nature, folks will feel as if they had an input into it. and feel as if no matter what your business is like, there's something in there that enables you to integrate. second, the foundation for a lot of the framework are global standards. develops through consensus-based, multi-stakeholder processes. because of that, because they are global and multi-stakeholder open processes, the likelihood it will go globally
4:52 am
is high. model for how these processes should be run internationally, both in the process and the substance that results. finally are the preliminary iterative, butis not without a pathway forward. the conclusion of a roadmap that speaks to nine different streams, including international, we all benefit. as cam alluded, there are initiatives globally to shift to making it more balkanized. it is a step in the right direction away from that. it is quite helpful. as far as congress, much of what we have heard thus far is twofold.
4:53 am
one is, how can they help create a pathway for success? ,n the date was being advanced we got calls from members of congress saying, this is a positive step forward. we concur, how can we help? a a yearnd, which ago after the promise of getting this done, a week later we were in california at a cyber security conference and there was a lot of participation and concern about what congress is going to do. my hope is that because of this framework, it creates a ce to getn for congress to take on the elements of this that still require public policy. so we intend to do everything to
4:54 am
further encourage that. suffers andress says, what can we do to help? what are you telling them? guest: that's a great question. i tell them i need to talk to danielle, who works on our team. much of what we have been re's they ar issue of having real-time information sharing. the second part is, how to relate to something that we published. they have an important role in his process going forward. how can we bolster what they do to enable success here? just before we do, you
4:55 am
mentioned the roadmap. a very welcomed part of the document. most people expect government to produce documents that sit on shelves and gather dust. what you described, putting out a living document, the roadmap and guidebook for that process, could you go into more detail on aspects like the workforce, federal agency alignment, international aspects? how do you see that working? >> we are pretty good at writing reports that sit on a bookshelf. this is not a government report. this was an industry document. in your opening comment, you talked about the executive order
4:56 am
laying out one year. it was an interesting time frame that was put in the executive order because depending on what perspective you had, that was either hopelessly too fast or completely unresponsive to national needs. everybody was unhappy at some level. pragmaticy perspective, we deal built on existing foundations. quickly identifying those gaps and putting those on the to-do list so the process continued to unfold. we were trying to pull the learning we were getting out of going through the process of the first time to make sure that we had everything we could capture from best practice. part of that to do list with the framework process, things that were identified as gap areas.
4:57 am
they follow two areas. where the policy needed to be advanced. privacy, for example. a lot of work to continue to identify those. and the framework process itself. we got rid of adoptions and things like that. government adoption, international issues that go to, how do you provide a framework structure that is conducive to the widest possible adoption? that itself was open. as we go forward, we'll be having to do workshops with privacy workers. we will be continuing engagement we had through the framework process. at each one of these, we will be continuing to address gap areas. that will be a good thing. as people pick out the
4:58 am
framework that they would like to comment on, what mechanism is in place to receive those comments? >> the framework website is still up. we have comments coming in continuously. we are acting to compile and add those to the group as we go forward. version will be subject to the same kind of public comment. one thing that is important to is that -- this is an important point. if you're waiting for this to settle down before you do anything about it, you're going to miss the train. that is not what this is about. in my view, the framework will actually be driven by those that are the users and adopters of it. most of the learning we are going to be doing from the framework is going to come from
4:59 am
the hard knock lessons about trying to put it into practice in your organization and finding out where it works and where it didn't. and feeding that back into the process would can be improved. what we are trying to be careful about is, don't wait for perfection. asking those companies that are rolling up their sleeves and give this a try and a putting it to use and are willing to then participate in the framework going forward to help refine it from that perspective. that turns out to be the most precious perspective. apt in is particularly that there is a whole discussion about incentives. we could easily spend all of our time focused on that and whether congress is going to enable it or whether it can, with forward. action come ideas are continuing to grow and
5:00 am
improve. that this document -- cyber security is not a state, it is a process. this really helps to lay out a process to get there. it is a continuous one. >> the question of incentives is one that has been spent -- that we will spend some time on. the administration put out some work on incentives that might have reflected some internal discussion about how that ought to work. what i'm hearing from you is that you would rather take the discretion away from incentives and focus on other aspects. >> i wouldn't say ignore it. , this is a process. it is a process that we will
5:01 am
continually improve. where we have improvement mechanisms, they will get integrated into this like everything else. in the intervening time, let's do the baseline work that we know is achievable today. let me make a quick comment on the incentives. the perspective i had was, the challenge to industry was to serve national interest. we think it is in your business interest to run elements to critical infrastructure to protect these assets. the best outcome of all is when it is totally aligned. when it is great business to be protective. that is the premise under which a market-based standards driven international deployed framework makes the most sense. that, wert to exercise may find areas where there is
5:02 am
misalignment. where business interests aren't quite aligned. --re there is a natural where it is unnatural. -- anyot so much a caution is not about internal skirmishes. it is about timing. incentives will be formed by those organizations that are putting these in the practice. what you really want to zero in on is the barriers. >> i mentioned that this has been an issue of great concern in corporate suites over the last several years. that is a reflection that there are powerful incentives to address this. ask target corporation.
5:03 am
ask the hundreds of thousands of companies that have had intellectual property stolen through cyber intrusions. as we move forward, the sec has guidance out there for assessing and disclosing cyber risk. a set of benchmarks, it helps to inform that process. plenty of good and important business reasons for companies to address this issue. most companies know that. now we have some tools to help that. >> one of the challenges, of a company like target -- it'll be interesting
5:04 am
to see how the framework helps this process -- is that some of those threats are getting more and more sophisticated. even if they take cyber security seriously, the cost of dealing with those hind threats is challenging. how is it going to help deal with those advanced threats that are hitting the headlines more and more frequently? >> a couple of ways -- one of them is that a lot of those threats are enabled by the same moving parts that the framework addresses. failures in authentication. having the wrong behaviors within your organization that provide latent vulnerability that these threats are designed to tackle. they get more sophisticated in how they do it. that some lot there
5:05 am
of the statistics show -- 80% of these are addressable by pretty basic application. the other part is that the a continuously improving process. risk management framework has the capacity to be able to identify what is happening. one of the behaviors you are looking for is self-awareness. the responsiveness to identify problems. it is faster. aree kind of behaviors are specifically addressed. that is, to the extent there is actually gaps in the framework itself. the technology space opens up and you have brand-new issues in the same mobility space. the reason the process has to be continuous is that there has to be an ability to adapt. >> this is certainly one place
5:06 am
where congress could help. legislation can help to facilitate the sharing of information about threats, sharing among companies, as well one direction with the government that can take place. the other direction is more competition. legislation would certainly help to make that easier. --is a known market failure all the participants have identified this. the question is, what do we do about it? one other thing i would add, much of the conversation this far has focused on big businesses. we have talked to vendors and look at the framework and identified ways that we can improve, even in our
5:07 am
organization, using the framework. the great thing about it is that , no matter your size of business or where you sit or which industry use it within, it is efficiently flexible and risk based so that you can find use out of it. the other area where people have critiqued if not criticize the framework is those industries where the market does not dominate. where there is a less obvious financial driver. that -- how are you confident are you that the framework will be able to run national security objectives in those industries where the bottom line might never get you to the level of cyber security that is required to deal with a
5:08 am
great threat? >> time will tell ultimately how effective this is in those kinds of markets. i should point out that those organizations operating under this market condition were part of the process from the beginning. it was a part of the discussion to make sure it was responsive to their needs and interest as well. the regulators themselves were part of the discussion. this effort to make sure alignment was real, that was a key part of the engagement that had to be there. that that is not the case. the way i have articulated this to the companies themselves is thinking of are regulation as addressing market failure mode this is your chance to make sure the market has every opportunity to work. which is in everyone's best
5:09 am
interest. intrinsic number of advantages, including the ability to operate a market scale come included overseas. the ability to be much more nimble and adjust to flexing technology. bought into that theory of the case. hopefully those alignment issues have burned brought in -- have been brought in. the word regulation in the context of a voluntary program. there are regulated sectors here. what we were trying to do is not end up in a situation where everybody worked together on this framework but then were driven to do something different than that market solution by the regulations. this is really an effort by the existing regulatory entities to have an opportunity to align against a framework. that is the spirit in which they have been participating. that will be constructive one. >> i completely agree with that last point.
5:10 am
some of that will be determined by what was outlined in the roadmap. agenciesnd related aligned behind the framework. that is one of the questions going forward. a good point to focus on. implementation of the framework is going to be key. having the industry involved in the framework, but within puttingnt, they will be in the process. how is that process going to work? how will you make sure that the momentum you have created will dhs takes on the implementation? guest: i don't see the
5:11 am
responsibilities passing to dhs. the framework process continues and this continues to act as a convener. nothing has changed on that front at all. doing isis establishing a voluntary program that is there to support and promote adoption. that includes acting as clearinghouse for best practices karen hopes that with authorities to support adoption, they've been working with us from the beginning. we have done everything possible to make sure our efforts are aligned with the framework. i want to end on a final point. the most powerful force driving adoption are the companies themselves. we see that from their discussions. this not just about what you do internally. this is about your relationship to your vendors, your suppliers, your supply chain. how the sector community organizes.
5:12 am
those are actually more powerful than almost anything we can do from helping on the government side. sometimes people let construed a voluntary program as toothless. i don't subscribe to that. standard ist safety self regulated by industry through standards. these can be very muscular approaches. that will be a lot of the driving force comes from. >> cam? >> i'm ready to go to questions. >> you mentioned you had some thoughts on dhs having a role in promoting the framework. >> i think much of it is already contemplated. i know there are a number of workshops that have been scheduled already.
5:13 am
t mentioned one of them. part of his education -- part of it is education. we need to make sure we are measuring the right things. developing clear metrics for evaluating the success of this effort. --have alluded to it earlier the focus on incentives. i think they are important, but we should not make them the only thing. process, thetive collaborative process that nist has adopted that has worked exceptionally well. it is critical that we keep that part of the work going forward. it is the way to ensure that it becomes broadly integrated in ses operate. is >> i want to come back to what success looks like. i would like to open it up to questions.
5:14 am
we have some microphones going around. the usual brookings rules apply. keep your questions short and ended with a? mark.on give your affiliation when you ask it. >> good afternoon afternoon. thank you for this opportunity. i want to ask a question about a as identifiednt by the department of homeland security requiring all 15 to haveucture sectors gps, which is essential for a lot of networks. dhs appears to be looking at these 16 sectors to implement regulations with regard to that gps data that they require.
5:15 am
i would like to hear from the panel what you see coming up with a roadmap in regard to the pnts to integrate data and ensure that organizations have what they need when they need it. >> so, anyone reading the 39 pages of the framework would not see pnt showing up. that is one of those examples of an issue that is embedded in the core. it points to a particularly class of position critical data. for the framework attendees, they were dependin addressing dependency. without getting to the specific threat of vulnerability that
5:16 am
dhs is worried about ,nist has a lot to do with that. the framework becomes a vehicle for -- this is why the federal agency participation is so important -- there is a new class of vulnerability that is essential to critical infrastructure, across sectors like that. we are counting on dhs as a participant to flag that and take it back to industry as part of that process and make sure that the framework process does not have that as a gap area. >> if i can add one thing, as a part of the executive order, all of the agencies are supposed to cascade the framework. to come back with their ideas within a defined time.
5:17 am
that work is incredibly important as well. to dhs.t isletolated >> you there. when you use the safety model as an example, do you see in the future a credit rating agency or type of third party to provide an audit function on companies? how will they implement the framework and then issue a grade? onlyppliers know, i am going to work with grade a suppliers.
5:18 am
the way i would answer a question is to pick up the last thing raised. what we call these are conformity assessment. you develop a set of practices and it may very well be critical theive an organization knowledge that they're working with conform to some level within the standards. a voluntary program. the government is not going to be setting up a grade. something we opposed to the framework process is you may very well find for this to work you need that type of assessment. there are lots of different types. the trick is, there is not a right or wrong one. which is the right approach given the market conditions you are facing? that is very much on the to-do list. the rumors hasof
5:19 am
been this question of cyber insurance. there has been some suggestion that the framework might offer an opportunity to the insurance industry, giving it a set of metrics to use. what sense do have from your discussions about whether that is likely possible or realistic? >> i'm not sure my crystal ball is any better than anybody else's. in or forn an that reason. as soon as you put in something, the idea of all those assets coming into play, including insurance markets, my sense is they have found a profit for use for them. they're still active discussions at breakout sessions on this particular issue specifically. to hearing from
5:20 am
members of congress and your staff about it, the other folks we heard from our companies who intend to examine that space. insurance companies and law firms are evaluating what this all means. pat is absolutely right. >> this sort of audit process that you have mentioned and pat has outlined isn't example of how standards work in the marketplace. i don't have a better crystal ball than pat to say whether that will definitely occur here. istainly, part of the idea creating the tools and benchmarks, to inform that process. a number of the organizations that they're involved with in
5:21 am
one, thereds, iso is are others that perform audit functions -- some 40% of corporate sectors have insurance. insurance against data breaches. that is triggering exactly the sort of engagement by insurance to take a close look at people's practices. this is a way to benchmark that look. area, at thisy point, most companies have been able to sort of sweep it aside by saying that the risk is not material. i'm not sure after the target experience that it is so easy to do that. shareholders, for
5:22 am
or, there is a roadmap that people can look to to assess those issues. >> do think people are making assessments based on where people fit in the framework ? companies will have to take a more critical look at the disclosures that they make. that can influence investors. >> the point he made x the point made earlier about ceo spending real time with board shareholders around this issue is indicative of how important this is, and the creation of a real market place to mitigate those risks.
5:23 am
>> in the middle. >> i would like to follow up on the question about pnt vulnerability. it has become quite the subject in late november. in fact, the u.k., russia, and china have terrestrial systems to back up their pnt to make sure they are not dependent on the signal from space. do i understand, peter, this has not been flagged as a problem by dhs or anyone in terms of cyber or impacting the cyber security of the nation? >> no, i would not characterize it that way. i would say that to the extent of pnt standards are found, or lack of redundancy or whatever the issue is would be reflected in those things referenced in the framework core. what i'm not aware of is whether as a specific
5:24 am
issue as we were putting together the top-level framework structure. that is not to say they did not raise it as one of the constituent standards. in other words, you have a little bit of an onion here in terms of the overall framework process, and then the constituent standards underneath. i would expect the pnt to be with the constituent standards discussion and not the overall framework. >> [indiscernible] >> but the best team is sitting in front, so if you want to follow up afterward. [laughter] >> this side on the aisle. with the canadian embassy. looking globally, can you talk about the reception you've had, both from allies and foreign companies? >> you might want to get a couple of perspectives here. the overall reaction we have gotten from the very beginning was a combination of intense
5:25 am
interest, wanting to wait to see what it looked like when it was promising of all, i think, and understanding that this can be used as a foundation for a variety of approaches around the world. even those areas that we are considering a more national response, including a regulatory response. because one of the things we point out, again, this is a global infrastructure. that really important information and data companies be able to operate on that scale. that is what makes these technologies so powerful. aligning too, just like we've asked our own internal regulators in the critical infrastructure space to align to this, it is something that can be done on the international scale. a lot of positive reaction to that. the most interesting reactions have come from europe and have to do with the fact that the same week that the president released the executive order, there were some draft approaches that were going
5:26 am
to be used for cyber security. from the very beginning, they have been quite interested in looking at this as a basis for moving forward. but 30% of the companies we represent are international entities, and the reaction there has been favorable as well. they operate in a world that has been globally integrated and interconnected. they offer services, products, systems that they want to work on a global basis, so they appreciate and welcome the framework. they are also competing in a where increasingly, there are efforts to use cyber security or national security as a market access barrier, whether multilevel protection scheme in china or some of the problems we had around preferential market access in india. having this framework that is built on global standards that
5:27 am
are consensus based and developed through multi-stakeholder processes is helpful for those international companies as well. >> what would be the process to internationalize the framework, or at least give it more encouragement to be used internationally? >> what we did in this case is something modeled after the approach that we did with the smart grid standard a few years back. we started with the standard that the framework process was immediate international. we invited international participation. i was meeting with delegations around the world. we made a deliberate effort to look at international standards as one of the building blocks of the framework, and where it asks companies to bring those forward. in some sense, we have been international from the beginning.
5:28 am
the way, i expect the international flavor of the framework process to actually grow as we go forward. it was actually get identified in the roadmap. what is interesting is maybe more on the adoption side. in other words, the extent to which the certification and the product id, the extent to which those can be put into a global structure with global contacts can be very interesting. and then you are dealing with critical infrastructure. how do countries respond to that from their own national policy perspective? that will be the issue, the between-- the matching befor the global markets and how the compliant piece itself works. that will be quite interesting.
5:29 am
>> dr. gallagher, can you speak more about the next phase in terms of how and when the framework will be revised? >> we have not announced a revision schedule yet for the framework. what we have done is deliberately created a bit of a pause in our schedule for the very reason we wanted the framework and follow-up to be informed by those organizations using the framework. but we have set up a tentative schedule of workshops that are on the framework website. the first one is probably the privacy one in april, and i think there is another one this summer.
5:30 am
in july. again, there is no surprise on what the agenda is, because the roadmap was laid out in that process. i do not anticipate any major revisions to the framework itself. the impetus is going to be going after these gap areas, identifying these areas where we felt there was real work to be done. maturing what we call the governance discussion. in other words, we should seriously start taking on if this framework is going to go and be a normal process. how do we set up a governance scheme where all of these different companies can work together to turn this into an ongoing, routine process? and again, we've had experience doing that both in the cloud sector and smart grid and other areas. i think we