tv Key Capitol Hill Hearings CSPAN February 14, 2014 5:00pm-7:01pm EST
5:00 pm
united states, whether you are a naturalized american citizen or by birth, you are taught from the time you are a child to challenge orthodoxy. we are the only nation in the world where as difficult as our elementary school education is and we criticize it and we want to make it better and it must be made better, no child in america is ever criticized for challenging orthodoxy. think about every other country including our allies. orthodoxy. orthodoxy is the holy grail. you cannot build something new unless you break the old mold. that is the magic of this country. when i take a look at our attitude about ourselves as a people, it always surprises me when we do not have the degree of optimism we should about the state of the nation. in spite of who is president or in congress, the american people are so much stronger, so much
5:01 pm
more resilient, so much more capable. even the ridiculous policies of our friends on the right cannot keep them from moving forward. that is what you see all over. the other thing we have going for us in this moment is this is the first time in my career where on every major issue the american people agree with the democratic party. think about it. [applause] i really mean it. i know that sounds like hyperbole. every issue facing the middle class from what you were able to do at the debt ceiling, to minimum wage, 72% support an increase of minimum wage, immigration reform, background
5:02 pm
checks on weapons, 90% of the american people, infrastructure. 80% think it is a way by which you can increase the means of the country. he said i do like south carolina but i like their port a lot, too. they meet hundreds of thousands of jobs. the american people agree with us. 55% marriage equality. overwhelmingly they want pay equity. 35% is all the difficulties with the aca. 35% of the people do not want to see it repealed. i cannot think of a time where most of the issues that affect
5:03 pm
the middle class are overwhelmingly in support of us. i wish there was a republican party, make a deal or compromise in know when he got up from the table it was done. that is what political parties are able to do. all you had to do was look at the response of the state of the union, over three or four? i'm not being facetious. i think we should just get a little focus. let's get a little focus -- instead of focusing on the few things we do have problems with, focus on all we have going for us going forward in this election, and talk about them. the middle class, you have heard me say this before, we have great economists in the white
5:04 pm
house who will debate with you whether middle class means $49,870 or $52,100. middle class is not a number. middle class is a value set. it is about whether or not you can own your home and not have to rent it. it is not whether or not you can send your kids to the park in the neighborhood and not worry about whether he or she will be mugged or molested going to and from. it is about being able to send the kid to your school in the vicinity where you know if they do well they will qualify to go to school after they graduate, whether it is trade school or community college or a four-year college. it is knowing that you're going to be able to take care of your parents that are elderly and hope and pray your children will never have to take care of you. that is what being middle class is. the middle class is being clobbered.
5:05 pm
they talk about the fact that we should not be talking about income inequality. i think it would be a sin if we did not talk about income inequality. [applause] when you go from when i was elected a ceo that made about 25 times more than the lowest paid employee, to now 240 times, i understand all the economic arguments. i understand globalization. i understand the consequences. the reason america is as strong and as vital as it is, it has the most robust and the most coherent middle class of any other nation in the world. this is why it happened. when the middle class does well, the rich gets richer and the poor have an avenue.
5:06 pm
that aperture is closing. it seems to me the single greatest obligation is when people get in they stay in, and that is what everything we talk about is about, making sure we are building this country. the thing that amazes me most is about how with republicans all of a sudden infrastructure is bad. building things the country needs, i do not get it. i really don't, by the way. it is one of the things after all of the years i served in the senate and now five years as vice president, it is the one that perplexes me the most. i do not get it. their friends and business are for it. the american public is for it. we are for it. all they have to do is look around and see how badly the
5:07 pm
need is, and yet there is this recalcitrance to do anything. i know we got a budget deal. it is a good thing that we're moving on to not have to refight the budget again this year and next. does anybody in this room think that the republican party has walked away from the ryan budget? does anybody in this room think if they are able to take the senate or maintain the numbers that is not what they will get back to? i campaigned for a lot of congressional candidates. i am proud to. many times i go into the districts and supporters are saying there are x number of republicans competing for nomination and better to have this one or that one.
5:08 pm
kay hagan had a discussion with about 1500 people. i said the thing you have to ask anyone of the candidates, if they are elected, are they going to vote against when the republicans moved again to reduce taxes by another $220,000 a year for people making over a million bucks? are they going to vote against a woman's right to choose, access to a good job? what are they going to do? are any one of them going to deviate from the orthodoxy? the orthodoxy of the republican party in the house of representatives right now? folks, i think we have, between now and november is three political lifetimes. a lot can change, but the one thing i'm actually confident about in large part because of the caliber of candidates you have been able to recruit and the nature of your leadership
5:09 pm
and because the american people are already where we want them to be, already with us, i cannot imagine our prospects of being viewed by the president and everyone else as being a whole hell of a lot brighter by the time we turn in september than now. keep your eye on the ball. keep your eye on the ball. the american people are where we are. let's go out and make every single effort not just to defend but to aggressively push our agenda. they are with us. they are with us. i am glad i am with you. thank you very much. -- president obama also spoke at the retreat. >> please welcome the vice
5:10 pm
chairman of the democratic caucus. >> thank you. , but ishort on time here can't stay here all day if you like. some of you would ask me if i would be singing my introduction of the president. i do not want to disappoint you, but i will be disappointing you. i mentioned to the president that we had an opportunity to have a dedication to pete seeger, what have wonderful american, a singsong, and my new congress, aiend in great player and singer, we had others. we played a few paul simon songs as well. i got the president to seal on the presidential podium, my mama loves me. if my mother could only see me now.
5:11 pm
our next speaker is the perfect conclusion to what has been a marvelous and wonderful two days despite the weather. on helping us to shape our goals and agenda for the rest of 2014. critical issues including minimum wage including equal pay, unemployment benefits, immigration reform. they all need to be tackled. we need to help our country move forward. we should not bother in an election year. all of these issues get lost in the chaos of the republicans' lack of leadership. i say otherwise. so does our president. just look at what we have accomplished with this man, this wonderful man.
5:12 pm
we are helping people today because of his leadership, the leadership of nancy pelosi, steny hoyer, and all the house leadership because of what we have done in passing the affordable care act. history has a way of treating us better than we sometimes treat ourselves. i believe the same will be said about this democratic caucus and our leadership when it came to the issue of providing for the least amongst us. the aca is a reminder of what we can accomplish when we work together. our next guest understands what opportunity is all about. he understands what we have accomplished so far and what needs to be done.
5:13 pm
as a boy from woodside, queens, it don't get much better than this. if my dad were here today, he would hardly believe it. all four grandparents, all immigrants, would hardly believe this is their son and the grandson. i thank xavier becerra for this opportunity to introduce to you the leader of the free world, more importantly, our friend, president barack obama. [applause] >> thank you. thank you, guys. thank you, everybody. everybody sit down. thank you. thank you, everybody.
5:14 pm
sit down. it is good to see you. thank you for the wonderful introduction. let me be the first to say happy valentine's day to our fearless leader nancy pelosi. [applause] paul will hopefully get you more than just a thank-you. to steny, jim, xavier, steve israel who was doing a great job under the circumstances. it is great to see you. we just saw each other at the white house recently. i'm not going to give a long speech here. i want to spend most of my time answering some more questions. let me just make a couple of observations since we saw each other.
5:15 pm
first of all, i stated in our state of the union that the single most important thing we have to do, not just as a party, but as a country, is make sure there is opportunity for every single person, that we are focused every single day in this town or in washington on making sure that if you are willing to work hard and take responsibility that you can get ahead. it does not matter where you live or what circumstances you were born into. what you look like, who you love. you should be able to make it here in america. as i said at the state of the union, i want to work with congress to make that happen. i am not going to wait. there's too much to do. america does not believe in standing still. america insists on moving forward. we laid out some very specific
5:16 pm
ways we can move the country forward, breaking them down into a few categories. number one, creating more good jobs that pay good wages. number two, making sure folks are trained to fill those good jobs. number three, making sure our kids have the best education in the world. number four, making sure that hard work pays off, that people are not poor if they are working full-time, that they have some semblance of retirement security, that they can count on health care if something happens to them. and already, just in the last couple of weeks, we put forward a range of executive actions that are going to make a difference. yesterday i had a chance to be with a group of minimum-wage
5:17 pm
workers for federal contractors. these are folks who are washing dishes or cleaning clothes on our military bases. and sometimes the debates on capitol hill get so abstract, and to be next to folks, average age by the way, 35, these are not teenagers. these are looking after families and trying to raise kids and see what it would mean to them for us to have a federal minimum wage of $10.10 an hour and how much relief it would give them, and hoping somebody would be up there standing for them, it reminded me of why i am a
5:18 pm
democrat. it reminded me of why i am so proud of this caucus. [applause] you are standing up on behalf of them. we signed the executive order. these folks are going to get a raise. what i said it is time for congress to act because america deserves a raise. i pointed out yesterday that the majority of low-wage workers are women. that is why we will push to make sure we have equal pay for equal work and we have sensible family policies. as i said, when women succeed america succeeds. i still believe that. we traveled to manufacturing plants up in wisconsin to talk
5:19 pm
about how we can continue to accelerate advanced manufacturing and technology in this country. we have some great possibilities to create hubs that keep us on the cutting edge. we have already set up a new retirement account that allows people to get a starter retirement. a lot of people do not have 401(k)s. across the board, we are moving. as i said at the state of the union, i want to repeat today that we can get a whole lot more done if we got congress working with us.
5:20 pm
this caucus has shown time and time again, under the most difficult circumstances, the kind of courage and unity and discipline that has made me very proud. i was just talking to nancy before i came out here. the fact that we are no longer going to see anybody try to hold our government hostage and threaten the full faith and credit of the united states of america in order to extract policy concessions, the fact that we are able to pass a clean debt limit is just one example of why when you guys are unified you guys stick together, this country is better off, and i could not be more thankful, i cannot be more proud of what you are doing. just a couple more points. you have seen reports over the
5:21 pm
last couple of days that we slightly exceeded our targets for aca enrollments this past month, january. we now have well over 3.5 million people who have signed up and are getting insurance through the marketplace for the first time. that does not count the 7 million who signed up for medicaid or the 3 million who are starting on their parents' plan. we're going to keep on pushing on this to make sure here in america everyone can enjoy the kind of financial security and peace of mind that good quality health insurance provides. i just want to say thank you for hanging in there on an issue that i think 10 years from now or five years from now we will look back and say this was a monumental achievement that
5:22 pm
could not have happened had it not been for this caucus. finally, there are some big things we have to do that i cannot do through executive action, where we have to get congress and where the american people are on our side. the federal minimum wage law is one of them. another is making sure we've got a smart immigration policy in this country that grows our economy, gets people out of the shadows, makes sure our businesses are thriving. that has got to be a top priority. i believe there are folks on the other side of the aisle who want to see this done but they are worried and scared about the political blowback. look. everybody here is an elected official. we can all appreciate the maneuvering that takes place particularly in an election year.
5:23 pm
we have to remind ourselves that people are behind the statistics. their lives are being impacted. punting and putting things off for another two years or three years, it hurts people. it hurts our economy. it hurts families. part of what makes us democrats is not some abstract ideological set of beliefs, but the fact that we are reminded every single day that we're here to help a whole bunch of folks out there who are struggling still. they are counting on us. we have outstanding members of congress who are willing to fight for them regardless of the political cost starting with your leader nancy pelosi.
5:24 pm
i'm grateful for you. we keep on making progress. even if we get resistance from the other side. the american people know that we could be breaking out if washington gets its act together. it is important for us to lead that process. thank you very much. [applause] all right. thank you. thank you. >> here is a look at our schedule. another chance to see these remarks at 8:00. a discussion about the final security framework released earlier this week. the center for american progress
5:25 pm
looks at climate change issues. earlier today jay carney discussed the lack of progress being made over syria and why the u.s. and russia continue to be on different pages. here is more. >> what is happening in the syrian talks in geneva? the u.s. thinks it is a process, but what should we read into the process when the russians do not seem to agree with the u.s. on the actual purpose of being there, is it not just for finding a transitional government in syria? >> everyone understands and understood what the purpose was and is. there is no question the
5:26 pm
talks thus far have not produced significant breakthroughs, but it is important that everyone recognize the only resolution to this conflict comes through a negotiated political settlement. we are going to continue to pressure not just the assad regime but also countries like russia and iran to recognize it is in nobody's interest to see the continuing bloodshed taking place inside syria. the president said last week that this is a difficult process, and we are far from achieving that goal we envisioned here, but there is no other way to resolve this ongoing crisis that does not involve the two sides sitting across from each other. >> but is that process backtracking?
5:27 pm
everyone came to the table saying this is about finding a transitional body, and now you hear russia say that is not the point of the talks? >> we recognize significant progress is not being achieved, but it is important the talks themselves have taken place, and we are going to continue to press all sides, all parties to this to recognize there is no way out of this conflict. we continue to believe the main problem is the regime's unwillingness to engage constructively on the implementation of the geneva communique. the opposition has shown a seriousness of purpose. they continued to outline their vision for the future, and have shown they are willing to engage constructively, and we have not
5:28 pm
seen that kind of engagement from the regime so far. again, we recognize the situation in syria continues to be terrible for the people of syria. our efforts, including our humanitarian efforts, at the security council to pass a resolution that would make it easier to deliver humanitarian aid, our efforts are aimed at bringing about a transition in syria that will lead to a better ica for the country. there is no other way to get from here to there. >> that was some of today's white house briefing with jay carney. you can see the entire briefing online at our website, www.c-span.org. "washington journal," a look at the health
5:29 pm
care law and the recent extension to medium-sized employers in providing health insurance. after that, a reporter discusses the future of the homeland security department under jeh johnson. "washington journal," live at 7:00 a.m. eastern on c-span. >> one of the things that we worry about, cyber attacks, and what ingers, always think is what keeps me up at night when i think about what can happen next. your greatest fear is as to a physical attack here in our country, general? >> i would answer it by two things. on the cyber side, i think an attack against our people
5:30 pm
infrastructure that would have potential damaging effects, transportation, health care, financial is an area we have to pay close attention to. our energy sector. on the kinetic side, there is a range of things that keep me up at night. you see these mumbai-style attacks, what happened at the mall in nairobi, what happened during the boston marathon, those are the kinds of things we have to work together in the intelligence community to make sure we are working as seamlessly as possible to share everything we have, not only within the defense side, the national side, but also on the federal, state, local, and tribal level, and that is an important aspect of what we are trying to do in the intelligence community, the coordination of this. saturday morning at 10:00 eastern.
5:31 pm
watch live day-long coverage of the savannah book festival saturday morning at 9:00 on c-span2. portraits of power, monday night at 8:00. >> the new www.c-span.org website gives you access to an incredible library of news events, with coverage of politics, history, and nonfiction books. with thousands of hours of archived video. our video is all searchable and viewable on your desktop, tablets, or smart phone. look at the prominent search our.
5:32 pm
site makes it easy to watch what is happening today in washington and find people and events from the past 25 years. it is the most comprehensive video library in politics. earlier today the u.s. telecom association hosted an event assessing the final cyber security framework released this week by the national institute of standards and technology. this stems from an executive order to provide voluntary guidelines for companies to improve security and steps for responding to an attack. michael daniel provided opening remarks. he outlined the development of the framework as well as incentives for industry use. this is nearly two and a half hours. >> good morning.
5:33 pm
i am walter mccormick, and i want to thank you all for braving the snow to attend our event this morning. we have been glued to our television sets for the last couple of days, watching weather reports, somewhat uncertain as to whether or not we would be able to be here. i am grateful it worked out so we could have this important discussion about the release of the cyber security framework which the white house announced on wednesday. we believe this framework is an important step forward for our industry and helping the industry achieve greater levels of security around critical infrastructure. it allows companies of all sizes to decide how to adopt the practices based on their unique circumstances, including specific threats, vulnerabilities, and risk tolerances. by creating a common language or protocol, the framework will help organizations to communicate
5:34 pm
about shared cyber security responsibilities with vendors, suppliers, customers, and partners. our industry takes these responsibilities very seriously, and we look forward to the framework to supplement and reinforce existing best practices. it is my honor to be able to introduce michael daniel, the special assistant to the president and the cyber security coordinator who has been a key architect of the framework. mr. daniel leads the inter-agency development of national cyber security strategy and policy. prior to joining the national security staff, he served for 17 years with the office of management and budget. from 2001 to 2012, he played a key role in shaping intelligence budgets and resolving major policy issues as the chief of the intelligence branch,
5:35 pm
national security division. since 2007, mr. daniel has been heavily involved with federal cyber security activities, including the comprehensive national cyber security initiative, cyber security funding issues, and the annual crosscut review of cyber security spending. please join me in welcoming michael daniel, who will talk about the framework of the evolution, the next steps, and how we go forward in improving critical infrastructure security. mr. daniel? [applause] >> thank you. good morning, everyone. it is a pleasure to be here at the u.s. telecom event. my name is michael daniel, and my title is too long
5:36 pm
and formal. cap herder.ef today you have two great panels following me. like adam and jenny, and chris, and nadia, all of whom will speak more competently than me on the framework, so you can -- i am like a warm-up act, the band you have vaguely heard of that warms up the crowd so the real stars have an easier time. thank you to the u.s. telecom association and its members for all the work and support on the framework. we appreciate all the time and effort that you put into helping to use it. it is a product that we can be proud of. a little bit of how we got here. back to theewind becameof 20 12, it
5:37 pm
obvious that the cyber security legislation we were working on was not going to make it out of the senate. at that point we knew we had to shift to some alternative had this. we began looking inside the administration for what our options were, and over the latter part of the summer of 2012 and the fall of 2012, we crafted this executive order. it was the result of a tremendous amount of effort on the part of a lot of different people who put in a lot of different time, who now are in different positions, doing different things, but who walk in transit. we completed that in the late fall of 2012, and then on february 12, 2013, the day of the state of the union, the president signed the executive order on improving critical infrastructure cyber security. that order had a lot packed into
5:38 pm
is a fairly short document, especially in washington terms. it told federal agencies to do three things. it said go out and increase information sharing with the private sector, push more cyber security information out to the private sector. it also said create a framework of best practices and standards that critical infrastructure companies could use to improve their cyber security. the third thing it said was protect privacy and civil liberties while you are doing those things. it built in a lot of different , buts into that process what i want to focus on today was what happened with the creation of the framework of best practices and standards. the order charged the department institute with leading the process, but doing it in a way that was playing a convening role and lead
5:39 pm
industry in the development of an industry framework, one that was actually owned by the private sector. seriouslywas taken and put energy into this effort. they put a real a-team of people into the project, and it ran an amazing process for crafting such a complex document in just a year. i should say after the order came out, a flood of comments came into my office about the year-long deadline that the order sets for developing a framework. divided about 50/50. people said, are you people crazy? there's no way you could develop that in a year. and people said, are you lazy, you could do that in two weeks. i figured we must have hit it about right, and fortunately adam and the team have proved
5:40 pm
that is correct, but it was an amazing effort to pull that off in a year. comments were collected from across an enormous array of participants. ehealth five workshops. my hats off to any of you who went to five of those workshops. i know the stories that that was not in fact a trivial commitment. in the end, the participation from industry was amazing. we ended up with over 4000 comments from 300-something different organizations. or to the port, you can see how the framework evolved and grew in direct response to industry input. with each iteration it got stronger and more refined. it is really your framework. it represents the best consensus we have among government, privacy community,
5:41 pm
and others about how to do cyber security right now. that is because of the contributions of all of those different groups really stepped up and provided thoughtful and useful input. what is the framework, what does it do? the framework recognizes standards and practices to help organizations manage their cyber risks. i like to think it provides a common language for discussing cyber security both within and across different organizations. it offers guidance for how organizations can address privacy and civil liberties as part of its efforts to secure themselves. the framework consists of three components that reinforces connections. the framework core, the profiles and the framework tier. the core is the set of activities that almost every organization has to carry out, including agencies.
5:42 pm
we will come back to that. we will be using it on the federal side as well. out organizations to the business requirements, can be used to describe a current state or potential state you would like to get to, and it helps companies chart a path from how to get from where they are now to where they would like to be. can help organizations understand better their approach to cyber security compared to other companies and how that compares with other approaches and standards across their industry. companies can make better judgments based on their own business requirements. this framework is aimed at reducing and better managing cyber risk, and offers a wide flexibility for a different range of organizations. into using the framework, prices for using the framework, -- the process, what
5:43 pm
does it do for the base? it offers a baseline for risk management, a baseline that all companies can rely on, that they can point to, that their chief security information officers can point to, that has the advantage of being a widely accepted framework for doing that. it also offers a good way for communication. i find on the federal side the ability of the seniors and senior management to deal with cyber security has increased over the last few years, in my time in this position. still searching for those ways to have those conversations in a language everyone can understand. the framework will do a very good job of assisting with that. the framework will enable much better communication with boards of directors, that it will enable them to have that
5:44 pm
conversation about why you are managing your cyber security the way you are and whether the resources that we need to invest in this. this applies to very sophisticated companies that are very far ahead in cyber security. -- can help them internally as an external reference point, as a benchmark, something against which to measure, which we have not had in much of the cyber security world. if you are far ahead, it still provides a kind of a foundation and and work against what you can measure. companies will be able to use it externally with suppliers, for example, and other companies they work with as a way of communicating what cyber security requirements are and what they would like to see in terms of what other companies have in terms of their cyber security. and then finally, i would be remiss if i did not point out it is a gigantic opportunity for many
5:45 pm
people, for them to provide services and other things to the small and medium-sized enterprises or those that are not as sophisticated in this space. it provides a lot of opportunities, whether you're talking about a small or medium enterprise, looking to figure out how to do cyber security in a meaningful way up to those who are very far ahead. so in addition to establishing and directing the development of the cyber security framework, which all the panelists will talk more about this morning, the e.o. directed the department of homeland security to develop a program for critical infrastructure cyber security and serve as a coordination point for resources and to support the increased cyber resilience by promoting the use of the framework and so program,reated that
5:46 pm
and we are the government so we can reuse acronyms many different ways. bed can talk about c cu meaning you have a convergence game,ources in this per you can to as connecting the stakeholders together in the national security resilience effort and coordinating those cross-sector efforts to maximize national security cyber resilience. i think the voluntary program represents a long-term effort for us in cyber security. we launched that on wednesday along with the framework, that it is not done, and we acknowledge that. there is a reason why it is not done, because it needs to be the with industry participation and industry involvement. another -- there are things in the voluntary program, including
5:47 pm
dhs being able to support cyber resiliency reviews which is a way that dhs can provide resources to help organizations assess its information technology resilience. these kind of reviews can be done either with -- through facilitation with dhs or on its own. dhs has conducted over 330 of these at the request of critical infrastructure entities nationwide, and we are bringing this together with a voluntary program so it is clear these resources are there. dhs will also offer another range of cyber security resources to public and private sector organizations, including information on vulnerability and threats, cyber incident resources such as the national cyber security and communications integration center, and the u.s. computer emergency response readiness ics. and
5:48 pm
so all of these things will come together in the voluntary program. dhs will work with the sector-specific agencies to offer other assistance we can provide that will be best suited to that particular sector's capabilities and what they require. nist hopes to build out security platforms based on the framework. and the department of energy is offering guidance and assistance to their program that supports the energy sector capability model. again, government, we love acronyms. i think we are looking at the voluntary program through dhs as one that needs to grow and reflect in partnership with
5:49 pm
industry what is needed to implement the framework. what is the way forward? from the government side, in typical white house fashion, our reward is going to be more work. after all there's no point where we reach 100% security and can declare ourselves done. instead we have to be refocused on reducing and managing cyber security risk. this requires staying engaged over time. about our path forward in how we are going to plan to build on our success. i will talk about three things, what is happening with the regulatory direction and the direction that dealt with the regulators, what the future plans for the framework are, and where we are going with incentives. with respect to the existing regulatory environment, the goal
5:50 pm
of the administration and what we laid out in the order is to encourage harmonization among the regulations and between those regulations and the framework. we are not -- the goal of the administration is not to expand regulation. rather, our goal is to streamline existing regulation and as much as possible bring that into alignment with the framework over time. to that end, the president directed the executive branch agencies to review their existing regulatory or voluntary programs in this area. and in may of this year, consistent with the executive order, these agencies will propose prioritized risk-based, efficient, and coordinated actions to mitigate cyber risk. we encourage those agencies to focus on voluntary efforts and programs to support the adoption of the framework. for those sectors where regulations exist, agencies are
5:51 pm
encouraged to use their processes to bring their existing regulations into alignment with the framework. we cannot direct the independent agencies to do anything, but we have invited them to follow the same process, and some of them have indicated to us that they are interested in doing so. what is next for the framework? as i have mentioned today, the first step is to use it. we actually need to see it in operation, see how it functions environment, in the government environments, and figure out how we can make it work, and that is the first thing before we think about tweaking it or adjusting it or doing anything else with it. to capitalize on the rollout that we have had, the trend of increased ceo engagement in this area, and really get robust use of the framework going. excuse me.
5:52 pm
we have always used the framework as needing to be a living document. as the framework is used by various organizations, nist plans to integrate those lessons learned in future versions of the framework. adam may talk about this more, but nist intends to hold future workshops to address specific areas identified for further development and alignment. in particular, your feedback on how the framework works in practice will be invaluable. nist will discuss the potential for transitioning this to a private organization at a time. it needs to be owned and operated by industry over time. consistent with the open and transparent process that he used to develop framework, any move to do a transition of the
5:53 pm
framework is going to be done in the same way and will not happen overnight. in the long run we view that it will be much better if this was actually something that industry could own and continue to drive. the last area i want to mention is what we are doing with incentives to encourage the use of the framework. we believe that developing incentives around a framework is a key endeavor for us and we intend to keep moving with that process. back in 2013 we released a set of potential incentives that we intended to review, and we have been doing this over the last few months. the agencies have defined the scope and path forward for incentives, including technical assistance, grants, cost recovery, public recognition, regulatory streamlining, and procurement, and they will be shared of oakley with the next
5:54 pm
few -- shared publicly in the next few months. as discussed earlier, dhs and other agencies will utilize the existing programs to provide technical assistance for companies to assist in their efforts to adopt the framework as part of the voluntary program, and we will elicit feedback to the voluntary program. at the end of the day, i feel that the best drivers for adoption or use of the cyber security framework will be market based. i think the government incentives are important for us to get right and pursue, but it is the market that will make the business case. the federal government can try to make the cost lower, the benefits higher, but that is the icing on the cake, so if the cake is not tasty enough, in and of itself, i know a lot like to eat icing from the can, no amount of icing will
5:55 pm
make a framework really work. that is what i believe we can roll out the framework now and companies can begin to use it as we continue working on the incentives. i look forward to keeping the momentum going moving forward in this area. we have gotten off to a great start. it was an amazing endeavor to watch this framework come together and to watch it gel out of the different versions that i saw as it went along. it was really quite amazing. i will believe this can be the beginning of a major shift in how companies talk about cyber security and how this government can talk to the industry about cyber security and we can use the framework to really -- to kickstart conversations that really need to happen. the u.s. government staff, including many of the ones you received this morning, will be traveling around the country to promote the framework over the next few months, and i hope the telecom industry can continue its support that it has shown so
5:56 pm
far for the framework. kick the tires, try it out, see where it works, where it does not, and let us know about it. that is the only way we can make it better over time. if we can do that, then maybe we can really lay the foundation for improving our baseline cyber security and really start go after the real combat guys in this area and make cyberspace a lot safer for all of us. thank you for letting me speak to you this morning. i know you are going to enjoy your panels. thank you very much. [applause] >> thank you very much, mr. daniel, for that introduction and presentation. i am vice president for industry and state affairs for telecom. i'm involved in cyber security the communications community and other sectors, and
5:57 pm
i think i share membership in the league of cat herders and probably do so. i would like the panelists to come up and we will introduce them, and we will turn it over to the moderator shortly. i think it is also fair to say that when the executive order came out and spoke about a delivery, a framework in one year, there was universal concern that that was extraordinarily aggressive. i think once folks, stakeholders got involved with this particular group of leaders, it became clear to us that no matter what they were going to achieve their objective, and they did it in a way that was remarkable in terms of its transparency and inclusiveness of stakeholders. introduce samara moore,
5:58 pm
the director of cyber security, critical infrastructure protection on the white house national security council staff and coordinate efforts across the government to address cyber security policy areas for all critical infrastructure sectors. she worked as a senior information technology and cyber security advisor at the department of energy about focusing on cyber security for the energy sector and managing public-private partnerships. she played a key role in i.t. and cyber security governance and led to the maturity model. she received a bachelor's degree from virginia tech in accounting and information systems, and a master's degree from george washington university, where she currently is an adjunct professor. panelist worked as a
5:59 pm
senior policy advisor for the department of commerce and was the senior internet policy advisor for the national institute of standards and technology, nist, where he represented the organization as a member of the department of commerce internet policy task force. between 1998 and 2010, he led efforts to promote reductions in the digital age and expanding access to government information by way of the internet by the vice president for the center of democracy and technology. the 2010 online trust award and in 2007 he was named one of the top five influential i.t. security thinkers by secure computing magazine, and he holds a bachelor's degree from brandeis university.
6:00 pm
to his right, adam is the senior information policy advisor at the national institute of standards and technology, and represents the organization as a member of the department of commerce internet nis newestd the project which we are discussingt's for the critical infrastructure sector. coordinatedining, he initiatives and previously handled cyber security and policy for the senate committee on homeland security and government affairs. adam received the federal 100
6:01 pm
award for his contributions to information technology through the information technology community. she served in the office of infrastructure protection. prior to joining the department of homeland security she held a variety of leadership roles and received her ma and ba from the university of chicago. she is a graduate of the initial
6:02 pm
cadre of fellows and was selected as a member of the senior executive service in 2009. we have a very distinguished panel i want to get to the questions very quickly. i will introduce our moderator. if you will step to the podium. since taking on that position he has written extensively on topics such as cyber security, online behavioral advertising and government surveillance. i will turn it over to you. good morning, everyone. thanks to u.s. telecom for putting this together. it is a very good panel and it will be very informative. michael daniel did a very nice job of laying things out and touched on a lot of the questions i had but you guys are not off the hook.
6:03 pm
before we get into the next steps let me set the stage by asking you how does this framework move the ball forward on cyber security from where we were a year or two ago. since it compiles standards that were already out there. start with that one. does, we willwork have -- we are in a critical time where we will see how that question can be answered. we had a good process and there are a lot of folks that are standing up and saying they want to use the framework. it is measured by how many people use it and it effectively does reduce cyber security risk across critical infrastructure. it moves the ball forward in a couple of different ways. it makes it easier for companies to have these conversations. we have always talked about
6:04 pm
whatever solutions are created, we need support. 85% of critical infrastructure sector. by the private those solutions in the things we do to help companies need to be something they can support and embrace and use. a natural place for that to start is looking at these existing practices that are out there. having that foundation what is out there in the market and to be clear, the underlying standards are things that evolved to meet business interests. is static.this the structure we have presented their goes beyond the set of existing practices. i think about framework not only about those underlying standards , the ones that we have mapped in but the 100 that exist.
6:05 pm
also that overlying structure we developed where you think about the profiles, really understanding the concept that this is something as michael alluded to you do not walk away from. it needs to be something that is embraced by the cultures of organizations. what it really does is having this common set of practices, this common set of understanding and could allow conversations to occur that could not happen before. i do not think we realize at the time this was starting off how unique it was to bring in all the different stakeholders across the ecosystem and have these broad conversations about what are the challenges and think about ways to address that. that is part of our work going forward. mike will talk to that as we think about next steps in the document we put out called the roadmap. is about identifying
6:06 pm
existing practices that are out there, elevating the use of those that we know to be effective and that is the structure we created and the third key piece is the next steps in how we work with industries to develop solutions to help innovation and deal with the next set of problems we see. already in thed days since the framework has come out, we heard from a large energy company that said they are having the conversation and they are doing that with the preliminary framework. we have one of the top five largest banks that they are using it to have the conversation with their board as well. we have heard from one of the largest i.t. companies in the country that is hiring a new security officer and they will
6:07 pm
judge as a baseline how that person does their job based on the framework and how they use the framework and whether they meet and how they move forward based on the tiers that are set. that gives us a sense that it is being used and that is a good sign for what we thought it would accomplish moving forward. >> let's talk about next steps. this is the beginning of the process. announced that was the other day was the launch of the dhs program. that is probably a question for jenny. could you talk about this program and how it will benefit companies? >> thank you. program and we are excited about the cq name. are excited about what it is going to be able to do.
6:08 pm
one is the way that we are going to coordinate outreach and engagement with our critical infrastructure partners across the country. some of that will be done through critical infrastructure sectors. we are going to work more broadly with organizations like the u.s. chamber of commerce. how do we get out to the small and medium businesses nationwide who may not historically have participated in these national level discussions about cyber security and an important part of our infrastructure but sometimes we do not talk about is state and local government. we have an active outreach campaign for them. when you think about the sensitive data that resides on state and local government networks and the critical programs including implemented through state and local governments. they operate municipal water systems and they are an important part of our outreach effort. a key part will be the website.
6:09 pm
you can go to dhs.gov that has the program information but that will take you over to the u.s. cert website that has far more extensive information and that is the second important part of the voluntary program. it is a place to bring together the resources that we have across dhs and some of our federal partners as well. we want to expand making it that place to go. tools, capabilities, whether it is things like access to the cyber-resilience review where you can get in touch with us to come out and do a site visit or we have a downloadable version where you can do it yourself if you choose. a broad set of tools, capabilities, best practices mapped against the areas of framework. workforce diagnostics and best practices, exercises you can go to. we also recognize there is not a
6:10 pm
one-size-fits-all set of tools that will be helpful. we have been recognizing more and more as we mature that there are different needs across the community here in cyber security, the continuum of maturity of organizations, some folks are incredibly sophisticated. some are thinking they need to work on cyber security. we recognize the unique needs of those different pieces of the community. we have something up there that we are excited about now that it will be a lot more to come for different stakeholder groups. stay tuned over the next couple of months. the next problem is we recognize we need to get feedback. we are planning to grow and improve and make this better going forward and we need to get feedback from the community about what is now working with the program, about your needs
6:11 pm
and how we can build those together. as we work will get on things like the site assessment that we can feed back to our colleagues as they work the iterations of the framework. >> a question on the cyber-resilience review, a service that you will be offering. do you feel like dhs has adequate resources to incorporate this into the program, given that it will be national and a variety of different sectors, you have to accommodate those? >> we have been providing the cyber resilience review for the past several years. we have done over 300. may be increased demand. we have updated the cr. we have mapped the frameworks and made this tool available where you can do it yourself or you can have a vendor do it for you.
6:12 pm
the will help with scalability. >> let's talk about driving adoption of this framework given it is voluntary. what tools or options does the administration have to do that, to drive adoption of the framework as well as program participation? >> we have been looking into different tools and resources we have with our existing authorities to be able to do that. been awareness of the framework. we intend to continue to build the relationships that formed over the years and particularly those we have had a chance to work closely with during the development of the framework. also we are looking into some
6:13 pm
incentives in different areas that we can work with their existing authorities to promote use of the framework. you may be aware of the reports that were submitted last from the department of homeland security, commerce, and treasury. we essentially in each of those reports recommended further analysis especially as the framework is final. we will get a better idea how to best develop those incentives to encourage use but those areas included cyber insurance, grants, cost recovery, liability limitations, research and development, technical profit --, and process reference and public recognition. we have been working since those reports were issued in
6:14 pm
the summer of last year. within the interagency to do some of that further analysis, see what is feasible in the near term. what is the timeframe and the more particular scope that we would like to move forward on. and so in the coming months we intend to issue a roadmap, a path forward in those particular areas. there are some areas where we are able to take some action in the near-term. we discussed technical assistance. some programs we already had we can align with the framework and support organizations that want to use the framework. we have some agencies that have taken leads in certain areas where it makes sense to further analysis.
6:15 pm
the department of energy is taking the lead in that area and furthering some work with some state organizations to see how we can pursue cost recovery for certain utilities. we have dhs that has been working with the cyber insurance industry. they are working to hold a series of workshops to be able to further promote and develop this. we are looking forward to that. we believe that as organizations use the framework more we will have more insight into what incentive areas can really make increase and promote use of the framework. we do believe that market-based incentives will be the best drivers for use of the framework. >> one of the other key things and steps we think should help is the framework was designed to be truly cross sector so it was looking at
6:16 pm
practices that could be used the 16 different sectors that make up critical infrastructure. we also realized that there would need to be additional work to think about the sector specific needs. the framework was an effort to make high enough level that was extensible, setting those existing standards and practices higherose five categories. there were ways to use it that you could communicate within an organization or small or medium could begin to think about what they are doing to better manage cyber security risk. there's a lot more work we can do now that it is out there to think about the sector-specific needs and bring it down a few levels for those communities and i think for example, with telecom, that would be the work we do with the
6:17 pm
folks in the room. so that they understand the unique challenges they have in their environment which might be very different from the energy sector or other sectors that are out there. that is part of the work that we can do now that the framework is final. we did that somewhat and we asked sectors to come in. that is a key next step that we hope to use as well as working with technology providers that provide the services to critical infrastructure and think about how they provide these tools to manage cyber-risk. >> related to that, i will make another point. one of the points that we heard throughout workshops and development process and also i think we heard a bit in the panel, the ceo panel last wednesday during the rollout event was really the interdependency we have within and across sectors and how the framework can be used to support
6:18 pm
within the supply chain. we believe that as it occurs that will really, we hope that can help to encourage support and use and adoption of the framework over time. that was something that we heard through our working group meetings as well as the framework development sessions. >> can you elaborate on the roadmap you are expecting, is it ideas or an actual action plan and will there be a timeline in terms of actually moving forward with implementation of incentives? >> sure. as it relates, you will see a list of the path forward for multiple areas. some of them we have identified a high level timeframe. some of them may be relatively near term. some may be three to five years. as we're looking at grants to
6:19 pm
really influence and picked -- grants process, they can be hard to work it into the process. the specific plans and path forward will be shared along with how to get engaged. there may be requests to receive additional targeted feedback on particular areas. will there be legislative recommendations as part of this effort? again, we are looking to see how the framework is used to help us target specific ask and request as it relates to that in the legislative space. we want to have a better idea, particularly now that the framework is out but as organizations use it, how to best leverage legislation to encourage use of the framework.
6:20 pm
>> obviously the incentive piece is very important there. adequatee said without incentives that it is going to be hard to drive adoption. one commentator said if you do not have the right incentives all this will have been a waste of time. >> that has been somewhat overstated. this thing rolled out, we have very large companies implementing and tomorrow is another great point which is in the supply chain which has a domino effect of making sure there is implementation. we are hearing from companies voluntarily committing to do that with their entire supply chain. i think we're moving in the
6:21 pm
right direction already even with very limited incentives. more will help, i agree with that. i think this idea that companies are not going to use it, we are seeing that is already not true. >> you do not think the lack of incentives, you do not think that will weaken the program? >> if you do not have it? crexendo think increased incentives will help and that is one of the reasons we're spending time on it and the reason it was in the executive order. because of the great support we have had from industry and creating the framework, it is proving not to be as essential as some people have said it would be. we heard that from the panel we had. the ceo of lockheed martin and
6:22 pm
pepco, they are using the framework. all of them said the incentives were not that much of an important driver to get them to use the framework. this is a good example right there of the kinds of companies we are hearing from right now that are committing to public -- using the framework in their judgment of risk management. moved -- we move forward we will learn more about how to use it and we can figure out where the levers are and the incentives to get those that are not at the front end of this and move them forward. i think that is where the incentives kick in. we have this group that make up the critical mass are getting this moving and we will see who is the laggards after that. we can get some incentives aimed specifically at them. >> one or two additional questions and i will give the
6:23 pm
audience an opportunity to ask questions. there has been some anxiety about the role that regulatory agencies might play in the process and michael daniel has spoken to this today and we wanted to give you an opportunity to elaborate on what role you have envisioned for regulatory agencies and what type of actions might we expect the agencies to take and what type of timeline are they working with. >> i will respond to that question. for the regulatory agencies, the executive order did have some directives to executive branch regulators. we had reports that were submitted on the 12th a couple of days ago. snow day.t is a related to just that. reviewed their
6:24 pm
existing regulations and over the next few months in may, they will submit their actions to address cyber risk as appropriate within their sector. in particular, they are reviewing along with the framework for alignment with the framework but are encouraged to leverage voluntary means to address any identified risks that the sector feels needs to be addressed. and there are some -- one of the incentive areas i mentioned was streamlined regulations and that is an area where we do want to work with existing regulators to harmonize over time. we recognize you cannot flip a switch. where appropriate we would like to harmonize with the framework. we know and we have heard from organizations that are members of multiple sectors and having
6:25 pm
some streamlined and harmonized regulations would definitely be of value to them. to underscore what my boss michael daniel said we are not looking and pushing for new regulations. we are promoting the voluntary approach and voluntary use of the framework. to make it clear that we worked with the regulatory agencies throughout the entire process. they came to our workshops and submitted comments to the initial request for information and the preliminary framework itself. the reason we did that is they are a key part of this ecosystem. we also have companies that were , what were the issues they considered.
6:26 pm
it would not be something that would be great for managing risk but completely impossible to implement. so i think as smart as -- that is right. the regulators know that it is alla one size fits approach. there -- they have been working and they understand the framework for the key part of perhaps not the technical implementations, it is how are you meeting those goals and exactly what you are doing. will bring them more into the conversation more. >> one of the challenges before the administration is how it
6:27 pm
you're going to measure the effectiveness. how much thought has been put into that and do you have any options at this point? >> lots of thought put into it. it is a bit of a challenge. there are many organizations that are going to adopt the framework and avail themselves of the resources they make available we will never know about. what we can do is we can -- we do our reviews and when we do what isget an idea of going on and what is the posture within an organization and some of them that we do multiple visits with we can see changes there. we can see how many people are visiting our website and how many people are using the different tools. we participate with the number of sector organizations, associations that can give us information about adoption within their sector. there are associations that have a set of practices that all
6:28 pm
their members agreed to abide by. we can get an idea that things are getting adopted within those sectors and working with the provider community, there are a number of industry partners we know will be rolling out services and tools and hopefully they can get an idea of how much those things are being adopted across the sector. a challenge. we have things like the paperwork reduction act that make it difficult for us to survey. we will leverage all of our partnerships and ways to track that information to get an idea of how broadly that implementation is. we always welcome suggestions in this area because metrics are tough. we have been talking about this for quite some time. we someed to identify success.s of
6:29 pm
jenny addressed many of the ones we have come up with. when you look at the framework, there are many different ways the framework could be used. what we're shooting for is management of cyber-risk. we want to strengthen how we're managing the cyber-threats that impact the delivery of our critical infrastructure that could have the potential to negatively impact our businesses and that is what we are trying to promote. there are some organizations that may use the framework. they may have robust cyber protections but they are using it to aid in communications with their business partners or boards. how do you capture and measure that? there are some who will indicate cyber requirements and expectations in their supply chain. we are looking at different indicators of success. some of the feedback that we get from the community is part of it. the ability i talked about
6:30 pm
streamlining and harmonizing our regulations over time, are we able to do that and we think it will be an indicator, do we start to see sector specific guidance aligning, are we aligning our federal programs to support use of the framework, are we using it to support functions that are outlined in the framework. we are putting our money behind this. we have identified several different indicators but do look for feedback and as we continue to work through our partnership and the voluntary program we are seeking to hear that feedback. i will turn to the audience and see if there are -- anyone in the audience who has a question. before askingelf your question. we appreciate it. anybody? >> we do have a couple of online questions. if no one else is ready to jump in, i will read those for you.
6:31 pm
the first question is will following the framework be mandatory for government contractors? >> we have the report that was done jointly by general services administration department of defense on government procurement. that report included a set of recommendations on how we can better manage cyber risk through procurement efforts. that effort is the effort to implement and move forward on that recommendation. that report was not something per diem deed given a vacuum. they did it in a very similar transparent and open process and as they look to implement those
6:32 pm
-- there will be requests for information as we figure out how we could best use the framework to help drive and influence how we are managing met -- risk through procurement. >> can you talk about what the government is doing to encourage information sharing in the absence of legislation of that. >> in particular within the executive order, section 4 for those who follow closely, it was focused on information sharing. there were a number of things that we had in there.
6:33 pm
within the executive order we he to it is our house improve how we are sharing information with the private sector. and to do it in a more timely basis and in a way that is the needs of the recipient of that information. within the federal government, we have been working diligently to improve some of our internal processes on how we do that. for example, developing some instructions so we can share more timely and relevant unclassified information with the community. also recognizing that while it helps to share more information, there is still a need to share some classified information and so we have worked on improving our processes to grant clearances, to critical infrastructure. on jenny's area
6:34 pm
including the enhanced cyber security services program. do you want to speak to that? >> we have made some good progress since the implementation of the executive order and information sharing on the classified side. we have our program where government shares classified indicators with ict providers so they can use that information to protect their customers' networks. what the executive order did was allow this program to be made available through those ict providers to all 16 critical infrastructure sectors. we have been working since that time. the program is available to these sectors. there were policies and procedures and activities that needed to take place to make that happen. we have increased the frequency of the indicator sharing so
6:35 pm
they're getting more information on a more frequent basis. the initial providers have been isp's and we have well over a dozen companies from other -- other components of the community that have expressed an interest in being providers and sign a memorandum of agreement to go through the process to participate. our partners who have customers outside the defense and industrial-based sector. it is a program we look to continue to grow and expand. can the ict community uses classified information recognizing the importance of keeping it secure to protect their critical infrastructure customer so we will continue to work both with the providers and customers to expand the program and make it as valuable as possible. two other important areas, the clearance grant, to give you a
6:36 pm
tangible real-world example of how that has been put into place. it has taken a long time to get through the process. our partners came up with a streamlined process where they -- if you are a person in the industry and there's a briefing a need to attend we need to have an expedited track to get you to the front of the lines he can participate in that briefing. a couple of weeks ago we had a request from the rail sector. these are specific things we would like to receive government briefings and it classified level. we would like to attend and some of those folks had clearances and some did not. we would like to have our canadian rail partners attend. to -- expedited through the process. some of those folks got their clearances to participate within
6:37 pm
a couple of weeks of submitting their information. everyone who submitted their information, yes, within a couple of weeks. we were able to get clearances passed and they were able to receive a briefing on the list of requirements. tsa and the national security agency provided briefing so it was a great example of bringing those capabilities for information sharing together. share the sensitive but unclassified indicators with partners and that continues to grow. we have 70 organizations they share information back with us and he goes out through the
6:38 pm
group. we also use that to do quarterly analyst-to-analyst information exchanges. so lots of progress going on in that area. >> we think legislation is necessary. we have seen an increase in information sharing at least anecdotally. some sectors, there is still hesitancy and we are trying to map why that is. we are still supportive of legislation in general. we had it in our package that went to the hill in may 2011. we have continued to work with industry and congress and other stakeholders to figure out where the problem has been and holding
6:39 pm
legislation. we issue is key outstanding although there are others we would like to see passed as well from the package we put out in 2011. any other questions? >> executive and independent agencies have submitted reports and will submit section 10 b reports within 90 days of the final framework inc. forwarded to the administration. will these reports enjoy the same level of openness and transparency that every other aspect of the executive order and framework processes have enjoyed? for the reports that were submitted in response to the directive, those reports are
6:40 pm
used for internal deliberative processes only. our plan is to not make those public. as agencies move forward for 10 b and their actions there, we are in the process of coordinating with them. we just received the 10 a reports but we are using those for our internal deliberative purposes. the agencies that have submitted reports to the white house. >> any other questions? a question on the regulatory agencies that the executive order had encouraged but does not require independent agencies to also look at this. can you elaborate on that and where it is? there are some independent agencies that are interested. >> we have been reaching out and
6:41 pm
engaging. adam mentioned some of the independent regulatory agencies have been involved in the framework development process. regulatory agencies are invited to engage and we have received and heard some interest along those lines. discussions with them and they are looking into how the framework could be leveraged within the area of responsibility. independent regulators have participated in the process and we have panels with the regulatory's to see if fccs of relevance with the showing different parts of the
6:42 pm
ecosystem. it is not a one-size-fits-all area. it is a mistake not to leave out the other parts of this ecosystem if you look at the state regulators. you look internationally what other countries might do. the approach we have taken is one where you bring all those folks together. we think managing cyber risk benefits the broader community including those pieces of it. >> maybe you touched on this but in terms of the actions that are called for in the executive order for the regulatory agencies to take, do you expect to see rulemakings, and if so, what is the timeline? this is regulatory --
6:43 pm
rulemaking is required or necessary to harmonize and align with the framework that would be done to their existing open rulemaking processes. >> will we expect to see that this year? -- agencies aren't different and their processes might be different. with the framework just being issued the process to do that analysis. from our perspective we are promoting voluntary use of the framework. if that is determined it is necessary it will go through their process. that involves engaging with industry partners in this process. i cannot provide a specific timeframe. expect -- we do not
6:44 pm
want new regulations. michael daniels said this earlier. if you see something like that it would be streamlining. with different regulatory industries. would be the only place you would see something like that. for any other questions from the audience. i might ask one or two more. in terms of what the transition from the draft to the final framework is, i want to hear whether there were any significant differences. one issue that came up from a lot of industry commenters was the concern about the privacy language. if you could address that and how that was addressing any other major changes.
6:45 pm
>> i will start. moving from preliminary to final. this was an open process and we received comments multiple times. we present something called the preliminary framework. put out the first full draft in the summer and it was the fors of the workshop -- workshop in dallas. we got by our count over 200 count that in by our was under 2500 separate comments. the changes we made are throughout the document. people were saying things like it would be helpful if you had an executive summary that made those high-level points.
6:46 pm
it needs to be made clear in the document itself. it is not one-size-fits-all. even these tools within the framework, the concepts of it fors, you can tailor different ways within an organization. people ask for things like they better mappings to those existing standards would mention in the document as well. probably the biggest difference or one of the key differences was the change with the privacy section. what happened with that section is initially we had a separate section that was meant to encompass a privacy and civil liberties. we did that for two reasons. not only was it a key part of the executive order, it was something that the stakeholders ask for. if you go back to the questions we asked when this started in february of 2013, people did
6:47 pm
identify as privacy and civil liberties and for this effort, one of the considerations when you are building strong cyber security programs. the feedback we got for the preliminary framework and at the sessions leading up to that we had a really good panel at our workshop with my colleague. it was about this topic and what we ended up doing for the final version was instead of having a separate appendix stakeholders from both the privacy and does this community said given the mandate of the executive order it would be better if this was clearly about the privacy considerations when you are growing a cyber security program and the risks that could be out there to privacy and civil liberties when those programs are being built. that
6:48 pm
is what we do in this section. the same material, this is all about writing tools and resources to critical infrastructure. that is there in the document but it is put in the context of how to use section so it is this is how you build a strong cyber security program. you cannot have one without the other. the other thing we have done and we did this throughout is another big change with the document was we separated out a section called areas for improvement. it is always about areas for us to improve or to work with the stakeholders to improve and not for the critical infrastructure community to improve. that is what we needed to do, more work to develop the best practices and develop the standards. that section became separate and we put it out as a roadmap that
6:49 pm
we released on wednesday. it lays out some of the things that michael talked about future work and transitions and that list of key items that we need to do more work on. one of them is privacy. if you look at that roadmap you see what we heard from the community about what the needs are and that becomes something we can have future work on including a workshop that we are to bringg and april this diverse community back together and ask how do we make progress with those technical underpinnings that will help organizations manage privacy. take it back further from where adam started. when the executive order came out one of the things we pushed stakeholders for is to say we need a lot of involvement of privacy and privacy is extremely important in this process and we are putting together methodology, this is something that has not been done before
6:50 pm
and we really need help from stakeholders to do that. we did receive some stakeholder involvement in that process, and was what was reflected in appendix b that was in the draft and preliminary version that came out. the work that was done there is interesting. more in an academic sense than this put forward. it was a good mapping of the technical standards approaches internationally that have been done in the privacy space. what we heard back from stakeholders when they came out, we got a lot more involvement on privacy when that came out. what nist picked up on is that
6:51 pm
they tried to be more tied to cyber security and that was not the case and appendix b was more about data protection and other related issues that could be used in the cyber security context and others as well. that these standards were not widely used by industry at the time which is part of the issue about the areas for improvement that nist was looking at. how do we get international standards that are being used more widely. because of that, the section changed to be more functionally oriented. we did hear from a lot of different groups as well that we needed to keep the basic principles that were in the appendix and tried -- nist tried to keep those in as well and moved that to the how to use section. it was tied directly to how to use this framework to clearly tied to cyber security.
6:52 pm
and i think it is a much more focused methodology now for privacy and civil liberties than it was before. we have heard very good things from industry that they do plan to use it. we have heard some criticism from privacy groups around the fact that is voluntary which as you have been hearing is an issue for the entire framework. how do use the framework and we are hearing that people are planning on using the privacy section. that is something that has to be monitored as we monitor use of the entire framework. some of the privacy groups have planned to do that. they continue to ask companies how they will use this privacy section. that will be useful feedback for and for moves along for -- and for nist different versions of the framework. >> we are very -- thank you to
6:53 pm
6:54 pm
we have a very distinguished group of industry leaders here and these are the folks who have put in a lot of the effort over the last year to see framework come to fruition and we are hoping to hear some interesting perspectives in terms of what their views are on the framework and especially issues and opportunities and challenges going forward. i would like to start with and keep these brief. a seniorediate cyber security strategist. she is responsible for helping address standards from policy
6:55 pm
and standards to practical implementation. to her right, christopher boyer, the assistant vice president of global public policy. he is responsible for developing and coordinating the public policy positions on issues impacting emerging services and technologies with a focus on cyber-security. to his right, doug johnson. he is the american bankers association's vice president and senior advisor of risk management policy where he is involved in a variety of public policy and compliance issues and he leads the association's enterprise risk, physical and cyber security business continuity and resiliency policy and fraud deterrence efforts. we have angela
6:56 pm
merkay. she is responsible for addressing complex global criticals related to infrastructure protection and information assurance across a wide range of topics, including strategic and operational risk management, information sharing, incident response, emergency communications, and software security and integrity. to her right we have catherine condello. she is the current chair of the sector coordinating council. she is also the former immediate past chair of the communications isac information sharing and analysis center where a lot of operational efforts are
6:57 pm
taking place. i would like to introduce charlie mitchell who many of you read about on a daily basis. charlie is the senior editor at insight cyber security -- inside cybersecurity.com. has extensive experience covering congress, energy, and the environment, health care, and other policy areas. he served as editor in chief at rollcall.com. >> thank you. i would like to start off and thank u.s. telecom and the folks who put in so much work in putting together this event.
6:58 pm
i believe cyber security is the policy issue for how the government and industry will interact in the 21st century and the people we have had on these two panels are the ones who are going to make that work. not to put any pressure on anybody here but it is a huge challenge and this is a terrific panel of people who are right at the heart of what is going on in this area. let me ask a really basic question. is this framework a useful tool that companies will embrace and will improve the nation's cyber security? do you want to take a swing at that? >> sure. thank you. believe it is a useful tool. it the first time in history [indiscernible] saying these things that
6:59 pm
some of us know in simple words, the rest of the public can understand, it provides a useful translation mechanism and a vocabulary that people can congregate around and work with and implementing good cyber security practice throughout the critical infrastructure. and in terms of whether it is going to be embraced or not, we have seen a lot of companies talk about how they are applauding the release of the framework including at&t. there is general support throughout the industry. as to whether that continues, the key is will the framework be used as intended. you are going to see a fairly widespread use amongst as for whether or not the
7:00 pm
framework is going to improve cyber security, that is a harder question to answer. the framework is intended to raise the bar. that is something that they could help with, especially with small and medium-sized businesses. we should all be clear that cyber security is an ongoing issue that will not go away anytime soon. there is no panacea that will solve the problem. -- i would like to echo what he was saying. a lot of times, when they have board of directors or conversation with senior leadership, they say, talk english. using common language is important at this juncture.