
Key Capitol Hill Hearings, C-SPAN, February 19, 2014, 2:00pm-4:01pm EST

2:00 pm
state and had a smiling barack obama, which i do not think we would have dreamed of seeing years ago, but do you agree with the statement that the united states is headed towards being the world's new petro state? >> first of all, it depends on how you define petro state. i don't want to provide a resource curse. on the other hand, the international energy agency has predicted that the united states will become the world's largest gas producer and oil producer in this decade. we are certainly already the largest producer in combined btu terms of oil and gas. that is very real and we've already discussed some of the economic implications. >> thank you so much.
2:01 pm
thank you all for coming. this has been a memorable first luncheon for me and i hope you will come back for many more, starting with next monday. we are adjourned. [applause] >> the energy secretary announcing today at lunch the approval by the energy department of a 6.5 million dollar federal loan guarantee for the first nuclear power plant built from scratch in this country in more than three decades. the secretary tomorrow travels to georgia to visit the
2:02 pm
construction site of that $14 billion nuclear power plant construction facility. if you missed any of today's speech, you can always go online at www.c-span.org. we take you next to the brookings institution in washington where we will hear from the director of the national institute of standards and technology on his agency's release of the president's cyber security framework. it lays out guidelines for various sectors, including communication and energy providers. it should get underway momentarily, right here on c-span.
2:03 pm
>> again, we will have this live from the brookings institution. while we wait for that, some remarks from last week. michael daniel talked about development of the framework and highlighted the administration's ultimate goal. we will show you that while we wait for the live event to get underway at brookings. with respect to the existing regulatory environment, the goal of the administration and what we laid out is to encourage harmonization among the existing
2:04 pm
cyber security regulations. we are not expanding regulation. rather, our goal is to take the existing regulations and bring them into alignment with the framework over time. to that end, the president directed the executive branch agencies to review their programs in this area. this year, consistent with the executive order, these agencies will propose prioritized, risk-based actions to mitigate cyber threats. we are encouraging those agencies to focus on efforts to support the adoption of a framework. agencies are encouraged to use their processes to bring their existing regulations into alignment with a framework. we can't direct the independent agencies to do anything, but we
2:05 pm
have invited them to follow the same process and some of them have indicated to us that they are interested in doing so. so what is next for the framework? as i've already mentioned today, the first step is to use it. we need to see it in operation, see how it functions in corporate environments and the government and figure out how we can actually make it work. that is the first thing, before we think about tweaking it or adjusting it or doing anything else with it. we need to capitalize on the rollout. >> hello and welcome on behalf of the brookings institution. i am visiting fellow for cyber security here. we are honored to have a distinguished panel to discuss the new cyber security framework.
2:06 pm
essentially, the document represents the best efforts of the administration and industry representatives who worked together to address what president obama has called one of the greatest national advantages the united states faces. i'm looking forward to hearing more about how the framework will be. we are taking a moment to remind ourselves that the framework owes its existence to the failure of congress to achieve consensus in 2012. that led to the president issuing the executive order on improving critical
2:07 pm
infrastructure. it set out to do three things: improve information sharing within the private sector, raise the level of cyber security across our infrastructure and maintain privacy. while the executive order contained a whole lot more than just a voluntary framework, it is clear that the framework has become the centerpiece for the executive order and, by extension, for the administration. according to the executive order, the framework set out to provide a performance-based, cost-effective approach to managing cyber security risk.
2:08 pm
it had to be completed within one year. it can be argued to remove some of the political rancor from the debate. the real question we have to discuss today is whether the framework is going to make it any safer. some pretty fundamental questions on what is the framework, how it is meant to work, will it be adopted, even if it does, will it be sufficient to deal with the greatness of the threat that the president described. very pleased to be joined by the very man who was charged with delivering that framework, the 14th director of the department of commerce. him, the distinguished
2:09 pm
fellow in the governance program and the previous general counsel and acting secretary, and the president and ceo of the information technology industry council. i will not take too long on the bios. you have those. in 2009, you served as the director of commerce for standards and technology. you earned your phd from the university of pittsburgh, where he is due to return later this year, having just been elected the new chancellor. ed in december from the
2:10 pm
m.i.t. media lab. you work across the bewildering range of legal issues and before that you were a lawyer, studying telecommunications law. he became the president and ceo, a position representing the tech sector around the world. he held positions at the motion picture association of america and the recording industry association of america. fantastic to have you here. i will begin by handing it over to the three panelists to give some short remarks, then i will lead a bit of discussion and
2:11 pm
then we will open up to the floor to ask questions. i would ask you to keep your phones switched to silent. feel free to tweet or e-mail, recommending #nistcff. thank you very much for joining us. congratulations on the framework. even among those people who have been critical in the past, they are being universally complimentary about how the government has run this. well done on that. just to kick off, perhaps you could start by telling us what the framework is, how it is meant to be used, and then touch on the process for how
2:12 pm
you developed the framework. and then explain to us why this is going to do what the president wants and make us all safer. >> in just a few minutes, right? first of all, it is great to be here. let me start with the what is the framework question, and answer it in a nontypical way. you probably expect me to lay out how it is structured, what the key parts of the framework are. a lot of you are taking a look at the framework. let me actually do it from a different perspective, which is some of the key attributes. the framework is a living document. one thing to really keep in mind is that it is not static. when we ask the question, is this framework going to solve the problem? you really get to a different answer, which is this ongoing framework process continuing to adapt and work for us. this is a very fast, dynamic
2:13 pm
area and it is important that you understand it is an ongoing process. this is a market response. what do i mean by that? you characterized this as being a failure of congress. i actually don't view it that way. the discussion in congress was focused on questions of authority. therefore, it had a lens already on the problem in terms of what the solution set was. one of the best ways to address cyber risk is to have the private organizations and technology providers come up with a set of best practices. for that to happen, it had to be a document that was a product of industry. so what this did was actually adopt an approach that we use very much in standards, to act
2:14 pm
as a convener and act as a facilitator, if you will, of a very broad multi-stakeholder, getting the band together to have that critical discussion. because it had to be aligned with business, it means that the framework in the end was both what you would expect and something new. what you would expect is a set of controls, solutions and standards that were drawn from best practices across all the sectors. in the framework, in a very indirect way, because it points to a whole set of standards and reference standards. that is where the meaty details are. the other part of the framework is a structure to put all of those things into practice. in particular, to integrate these practices into the way the organization runs. so it specifically is designed
2:15 pm
to not only talk to the st, but to the leadership. it is designed to align with risk management, designed to , and designed to look at your maturity as an organization. like many other risk mitigation behaviors in an organization, you get better. that was important to acknowledge, you draw the analogy with safety management. you start by implementing certain rules and doing things in a particular way, but with higher maturity, you recognize risk and adapt it to be more proactive. that is what the framework is. both practices and structure
2:16 pm
with which to support innovation. these are the promising attributes. it is owned by the stakeholders that have most to gain by managing cyber risk. it can be aligned with business practices and integrated into other types of risk management organizations. it is dynamic and adaptive to the changing way that we will use this technology and the way it is unfolding. in terms of the process, it is not over. we met the deadline of one year that was given in the executive order, but we stated from the beginning that for this framework to make sense, we are really talking about a continuous process. the finish line here is not being done, it is being normal. where this is just part of the breathing and operating that we do routinely. what we are looking for is
2:17 pm
operation on an endpoint. the process has been one that was based around industry ownership and participation. we used every trick in the playbook that we used to put things up publicly. nobody was surprised by the framework. it was multiple workshops across working together. we anticipate that as we move into the next phase of the framework, we will maintain that approach. >> thank you. we will move on to cam. you have had the opportunity to step away and look at the process from the outside. which is a unique session to be
2:18 pm
in. perhaps you could touch on three things. firstly, if you could just give us a sense of how things have changed over this process. and where we came from. it is important to remember how things felt just over one year ago. as the former general counsel of commerce, give a little bit of insight into the privacy discussions in the development of the framework, which drew some comments about the process that was changed in the final version. third, it might be interesting to get a sense of what you think the administration can learn from this process. thank you, ian and pat.
2:19 pm
congratulations on the framework and the university of pittsburgh announcement. both are terrific things. commerce and the country will miss you working on public policy issues. we are, in the outcome of this framework, in a very different place than any of us would've predicted when this policy discussion started 3.5 to four years ago. at that time, the conventional wisdom was that the way to approach this issue was through
2:20 pm
some form of government authority. address cyber security by conventional rulemaking and go out and adopt a set of rules that would create a standard that had to be met. this is a very different framework. pat outlined today what this framework does. this model implements something very different. some of that certainly is a result of congress' inability to legislate on this.
2:21 pm
that failure was a lack of consensus about the right model and the right approach here. more than anything, the model that is reflected in the framework reflects an evolution in the thinking about policy in this area. an appreciation for the complexity of the issue. the speed with which the technology is changing. both on the company side in terms of what it is that you're doing and the risks out there. this is constantly evolving. moving at a pace that simply comes much faster than conventional rulemaking can deal with.
2:22 pm
this has been a long process. a lot faster than the pace of classic notice and comment rulemaking. this also is a model that is far more adaptive to the technology pace, to the world of digital communications and technology that really is at the heart of cyber security. that is an important piece to stress here. this model which pat described as a living document is version 1.0. it is something that has been taken and moved over from
2:23 pm
standards setting, which is why he was charged with responsibility here. he has done the guidance for federal agencies and the documents that inform the framework. the model reflects nist's success in developing standards. its engagement with industry. as an honest broker in the process. what we have is something
2:24 pm
that will help move the needle in some important respects. cyber security has emerged as one of the critical boardroom issues that companies of all sizes need to address in today's digital economy. the framework provides a set of benchmarks that corporate managers and boards of directors can apply to ensure their companies are meeting cyber security goals in ways that are going to protect particular assets and be cost-effective. they will meet the expectations of shareholders, customers and
2:25 pm
other stakeholders in that environment. the other piece that i want to underscore in the framework is that it has been designed as something that can cross borders. we have taken a lead in developing a framework, establishing some standards, and doing so with a model that can be used around the world in this space. it has been difficult. the current international environment in the wake of the snowden disclosures. it is important that the united
2:26 pm
states continues to lead here and continues to advocate for a model of regulation in the digital space that is adaptive and does not operate by government prescription. this framework does that. that is an important thing. >> thank you. that is an extremely good lead-in to you. you represent a private sector perspective. the tech sector, but also those your members support. i would be grateful if you could give us a sense of what you're hearing from the private sector about the framework.
2:27 pm
are we going to get consensus of aid or will it get into the bloodstream? if you could pick up cam's point about the international dimension. does this framework have the weight to build up an international following or will it bump up against european notions? in your role, talking to people on the hill, it would be great to hear what you're hearing from legislators about the framework. >> on the first question, i think it is going to get into the bloodstream. as pat described it, it
2:28 pm
seemed inevitable and quite logical and linear. part of that applies because of the process that pat had, which was quite open, transparent and cooperative. he and the team need to be commended for that. on the substance, i think there are three reasons why it will become part of the bloodstream. i will speak about the global impact. one is that the framework is quite flexible, based on risk management. it is not prescriptive. because of that and because of its collaborative nature, folks will feel as if they had an input into it. and feel as if no matter what your business is like, there's something in there that enables you to integrate.
2:29 pm
second, the foundation for a lot of the framework are global standards, developed through consensus-based, multi-stakeholder processes. because of that, because they are global and multi-stakeholder, open processes, the likelihood it will go globally is high. it is a model for how these processes should be run internationally, both in the process and the substance that results. finally, the preliminary version is iterative, but is not without a pathway forward. the inclusion of a roadmap that speaks to nine different streams, including international, we all benefit from. as cam alluded, there are
2:30 pm
initiatives globally to shift to making it more balkanized. it is a step in the right direction away from that. it is quite helpful. as far as congress, much of what we have heard thus far is twofold. one is, how can they help create a pathway for success? when the date was being advanced we got calls from members of congress saying, this is a positive step forward. we concur, how can we help? and second, a year ago after the promise of getting this done, a week later we were in california at a cyber security conference and there was a lot of participation and
2:31 pm
concern about what congress is going to do. my hope is that because of this framework, it creates a chance for congress to take on the elements of this that still require public policy. so we intend to do everything to further encourage that. when congress says, what can we do to help? what are you telling them? guest: that's a great question. i tell them i need to talk to danielle, who works on our team. much of what we have been discussing is the issue of having real-time information sharing.
2:32 pm
the second part is, how to relate to something that we published. they have an important role in this process going forward. how can we bolster what they do to enable success here? just before we do, you mentioned the roadmap. that was a very welcome part of the document. most people expect government to produce documents that sit on shelves and gather dust. what you described, putting out a living document, the roadmap and guidebook for that process, could you go into more detail on
2:33 pm
aspects like the workforce, federal agency alignment, international aspects? how do you see that working? >> we are pretty good at writing reports that sit on a bookshelf. this is not a government report. this was an industry document. in your opening comment, you talked about the executive order laying out one year. it was an interesting time frame that was put in the executive order because depending on what perspective you had, that was either hopelessly too fast or completely unresponsive to national needs. everybody was unhappy at some level. from a pragmatic perspective, we built on existing foundations. quickly identifying those gaps and putting those on the to-do
2:34 pm
list so the process continued to unfold. we were trying to pull the learning we were getting out of going through the process for the first time to make sure that we had everything we could capture from best practice. part of that to-do list with the framework process, things that were identified as gap areas. they fall into two areas. where the policy needed to be advanced. privacy, for example. a lot of work to continue to identify those. and the framework process itself. we got rid of adoptions and things like that. government adoption, international issues that go to, how do you provide a framework structure that is conducive to the widest possible adoption?
2:35 pm
that itself was open. as we go forward, we'll be having to do workshops with privacy workers. we will be continuing engagement we had through the framework process. at each one of these, we will be continuing to address gap areas. that will be a good thing. as people pick out the framework that they would like to comment on, what mechanism is in place to receive those comments? >> the framework website is still up. we have comments coming in continuously. we are acting to compile and add those to the group as we go forward. the next version will be subject to the same kind of public comment. one thing that is important to note is that -- this is
2:36 pm
an important point. if you're waiting for this to settle down before you do anything about it, you're going to miss the train. that is not what this is about. in my view, the framework will actually be driven by those that are the users and adopters of it. most of the learning we are going to be doing from the framework is going to come from the hard knock lessons about trying to put it into practice in your organization and finding out where it works and where it didn't. and feeding that back into the process so it can be improved. what we are trying to be careful about is, don't wait for perfection. we are asking those companies that are rolling up their sleeves and giving this a try and putting it to use and are willing to then participate in the framework going forward to help refine it from that perspective. that turns out to be the most precious perspective. it is particularly apt in
2:37 pm
that there is a whole discussion about incentives. we could easily spend all of our time focused on that and whether congress is going to enable it or whether it can come forward with action. ideas are continuing to grow and improve. the point is that this document -- cyber security is not a state, it is a process. this really helps to lay out a process to get there. it is a continuous one. >> the question of incentives is one that we will spend some time on. the administration put out some work on incentives that might have reflected some internal
2:38 pm
discussion about how that ought to work. what i'm hearing from you is that you would rather take the discussion away from incentives and focus on other aspects. >> i wouldn't say ignore it. this is a process. it is a process that we will continually improve. where we have improvement mechanisms, they will get integrated into this like everything else. in the intervening time, let's do the baseline work that we know is achievable today. let me make a quick comment on the incentives. the perspective i had was, the challenge to industry was to serve national interest. we think it is in your business
2:39 pm
interest to run elements of critical infrastructure to protect these assets. the best outcome of all is when it is totally aligned. when it is great business to be protective. that is the premise under which a market-based, standards-driven, internationally deployed framework makes the most sense. as we start to exercise that, we may find areas where there is misalignment. where business interests aren't quite aligned. where there is a natural -- where it is unnatural. the caution is not so much about internal skirmishes. it is about timing. incentives will be formed by those organizations that are putting these into practice. what you really want to zero in on is the barriers. >> i mentioned that this has been an issue of great concern
2:40 pm
in corporate suites over the last several years. that is a reflection that there are powerful incentives to address this. ask target corporation. ask the hundreds of thousands of companies that have had intellectual property stolen through cyber intrusions. as we move forward, the sec has guidance out there for assessing and disclosing cyber risk. with a set of benchmarks, it helps to inform that process. there are plenty of good and
2:41 pm
important business reasons for companies to address this issue. most companies know that. now we have some tools to help that. >> one of the challenges, of a company like target -- it'll be interesting to see how the framework helps this process -- is that some of those threats are getting more and more sophisticated. even if they take cyber security seriously, the cost of dealing with those kind of threats is challenging. how is it going to help deal with those advanced threats that are hitting the headlines more and more frequently? >> a couple of ways -- one of them is that a lot of those threats are enabled by the same moving parts that the framework
2:42 pm
addresses. failures in authentication. having the wrong behaviors within your organization that provide latent vulnerability that these threats are designed to tackle. they get more sophisticated in how they do it. there are a lot of statistics that show -- 80% of these are addressable by pretty basic application. the other part is that this is a continuously improving process. the risk management framework has the capacity to be able to identify what is happening. one of the behaviors you are looking for is self-awareness. the responsiveness to identify problems. it is faster. these kind of behaviors are specifically addressed.
2:43 pm
that is, to the extent there are actually gaps in the framework itself. the technology space opens up and you have brand-new issues in the same mobility space. the reason the process has to be continuous is that there has to be an ability to adapt. >> this is certainly one place where congress could help. legislation can help facilitate the sharing of information about threats, sharing among companies, as well as in one direction with the government that can take place. the other direction is more competition. legislation would certainly help to make that easier. this is a known market failure --
2:44 pm
all the participants have identified this. the question is, what do we do about it? one other thing i would add, much of the conversation thus far has focused on big businesses. we have talked to vendors and looked at the framework and identified ways that we can improve, even in our organization, using the framework. the great thing about it is that, no matter your size of business or where you sit or which industry you sit within, it is sufficiently flexible and risk based so that you can find use out of it. another area where people have critiqued if not criticized the framework is those industries where the market does not dominate. where there is a less obvious financial driver.
2:45 pm
how confident are you that the framework will be able to run national security objectives in those industries where the bottom line might never get you to the level of cyber security that is required to deal with a great threat? >> time will tell ultimately how effective this is in those kinds of markets. i should point out that those organizations operating under this market condition were part of the process from the beginning. it was a part of the discussion to make sure it was responsive to their needs and interest as well. the regulators themselves were part of the discussion. this effort to make sure alignment was real, that was a key part of the engagement that
2:46 pm
had to be there. that that is not the case. the way i have articulated this to the companies themselves is thinking of regulation as addressing a market failure mode. this is your chance to make sure the market has every opportunity to work. which is in everyone's best interest. there are an intrinsic number of advantages, including the ability to operate at market scale, including overseas. the ability to be much more nimble and adjust to flexing technology. they bought into that theory of the case. hopefully those alignment issues have been brought in. the word regulation in the context of a voluntary program. there are regulated sectors here. what we were trying to do is not end up in a situation where
2:47 pm
everybody worked together on this framework but then were driven to do something different than that market solution by the regulations. this is really an effort by the existing regulatory entities to have an opportunity to align against a framework. that is the spirit in which they have been participating. that will be a constructive one. >> i completely agree with that last point. some of that will be determined by what was outlined in the roadmap. getting agencies and related entities aligned behind the framework. that is one of the questions going forward. a good point to focus on. implementation of the framework is going to be key. having the industry involved in the framework, but within government, they will be putting
2:48 pm
in the process. how is that process going to work? how will you make sure that the momentum you have created will continue when dhs takes on the implementation? guest: i don't see the responsibilities passing to dhs. the framework process continues and this continues to act as a convener. nothing has changed on that front at all. what dhs is doing is establishing a voluntary program that is there to support and promote adoption. that includes acting as a clearinghouse for best practices. for those with authorities to support adoption, they've been working with us from the beginning. we have done everything possible to make sure our efforts are
2:49 pm
aligned with the framework. i want to end on a final point. the most powerful force driving adoption are the companies themselves. we see that from their discussions. this is not just about what you do internally. this is about your relationship to your vendors, your suppliers, your supply chain. how the sector community organizes. those are actually more powerful than almost anything we can do from helping on the government side. sometimes people construe a voluntary program as toothless. i don't subscribe to that. most safety is self regulated by industry through standards. these can be very muscular approaches. that is where a lot of the driving force comes from.
2:50 pm
>> cam? >> i'm ready to go to questions. >> you mentioned you had some thoughts on dhs having a role in promoting the framework. >> i think much of it is already contemplated. i know there are a number of workshops that have been scheduled already. pat mentioned one of them. part of it is education. we need to make sure we are measuring the right things. developing clear metrics for evaluating the success of this effort. we have alluded to it earlier -- the focus on incentives. i think they are important, but we should not make them the only thing. the collaborative process that nist
2:51 pm
has adopted has worked exceptionally well. it is critical that we keep that part of the work going forward. it is the way to ensure that it becomes broadly integrated in how businesses operate. >> i want to come back to what success looks like. i would like to open it up to questions. we have some microphones going around. the usual brookings rules apply. keep your questions short and end with a question mark. give your affiliation when you ask it. >> good afternoon. thank you for this opportunity. i want to ask a question about a requirement as identified
2:52 pm
by the department of homeland security requiring all 15 infrastructure sectors to have gps, which is essential for a lot of networks. dhs appears to be looking at these 16 sectors to implement regulations with regard to that gps data that they require. i would like to hear from the panel what you see coming up with a roadmap in regard to pnt, to integrate data and ensure that organizations have what they need when they need it. so, anyone reading the 39 pages of the framework would not see pnt showing up. that is one of those examples of
2:53 pm
an issue that is embedded in the core. it points to a particular class of position critical data. for the framework attendees, they were addressing dependency. without getting to the specific threat of vulnerability that dhs is worried about, nist has a lot to do with that. the framework becomes a vehicle for -- this is why the federal agency participation is so important -- there is a new class of vulnerability that is essential to critical infrastructure, across sectors like that. we are counting on dhs as a participant to flag that and take it back to industry as part of that process and make sure that the framework process does not have that as a gap area.
2:54 pm
gap area. >> if i can add one thing, as a part of the executive order, all of the agencies are supposed to cascade the framework, to come back with their ideas within a defined time. that work is incredibly important as well. it is not isolated to dhs. >> you there. when you use the safety model as an example, do you see in the
2:55 pm
future a credit rating agency or type of third party to provide an audit function on companies? how will they implement the framework and then issue a grade? suppliers know, i am only going to work with grade a suppliers. >> the way i would answer the question is to pick up the last thing raised. what we call these are conformity assessments. you develop a set of practices and it may very well be critical to give an organization knowledge that those they're working with conform to some level within the standards. it is a voluntary program. the government is not going to be setting up a grade. something we posed to the framework process is you may very well find for this to work you need that type of
2:56 pm
assessment. there are lots of different types. the trick is, there is not a right or wrong one. which is the right approach given the market conditions you are facing? that is very much on the to-do list. >> one of the rumors has been this question of cyber insurance. there has been some suggestion that the framework might offer an opportunity to the insurance industry, giving it a set of metrics to use. what sense do you have from your discussions about whether that is likely, possible, or realistic? >> i'm not sure my crystal ball is any better than anybody else's. [indiscernible] for that reason.
2:57 pm
as soon as you put in something, the idea of all those assets coming into play, including insurance markets, my sense is they have found a profitable use for them. there are still active discussions at breakout sessions on this particular issue specifically. >> in addition to hearing from members of congress and your staff about it, the other folks we heard from are companies who intend to examine that space. insurance companies and law firms are evaluating what this all means. pat is absolutely right. >> this sort of audit process that you have mentioned and pat has outlined is an example of how standards work in the marketplace.
2:58 pm
i don't have a better crystal ball than pat to say whether that will definitely occur here. certainly, part of the idea is creating the tools and benchmarks, to inform that process. a number of the organizations that they're involved with in standards, iso is one, there are others that perform audit functions -- some 40% of corporate sectors have insurance, insurance against data breaches. that is triggering exactly the sort of engagement by insurance to take a close look at people's practices. this is a way to benchmark that look. in this area, at this
2:59 pm
point, most companies have been able to sort of sweep it aside by saying that the risk is not material. i'm not sure after the target experience that it is so easy to do that. for shareholders, there is a roadmap that people can look to to assess those issues. >> do you think people are making assessments based on where people fit in the framework? >> companies will have to take a more critical look at the disclosures that they make. that can influence investors.
3:00 pm
>> the point made earlier about ceos spending real time with boards and shareholders around this issue is indicative of how important this is, and the creation of a real marketplace to mitigate those risks. >> in the middle. >> i would like to follow up on the question about pnt vulnerability. it has become quite the subject in late november. in fact, the u.k., russia, and china have terrestrial systems to back up their pnt to make sure they are not dependent on the signal from space. do i understand, peter, this has not been flagged as a problem by dhs or anyone in terms of cyber security, impacting the cyber security of the nation?
3:01 pm
>> no, i would not characterize it that way. i would say that to the extent pnt standards are found, or lack of redundancy or whatever the issue is, it would be reflected in those things referenced in the framework core. what i'm not aware of is whether it was raised as a specific issue as we were putting together the top-level framework structure. that is not to say they did not raise it as one of the constituent standards. in other words, you have a little bit of an onion here in terms of the overall framework process, and then the constituent standards underneath. i would expect pnt to be within the constituent standards discussion and not the overall framework. >> [indiscernible] >> but the best team is sitting in front, so if you want to follow up afterward. [laughter]
3:02 pm
>> this side, on the aisle. >> with the canadian embassy. looking globally, can you talk about the reception you've had, both from allies and foreign companies? >> you might want to get a couple of perspectives here. the overall reaction we have gotten from the very beginning was a combination of intense interest, wanting to wait to see what it looked like when it was done, and most of all, i think, an understanding that this can be used as a foundation for a variety of approaches around the world, even those areas that are considering a more national response, including a regulatory response. because one of the things we point out, again, this is a global infrastructure. it is really important that information and data companies be able to operate on that scale. that is what makes these technologies so powerful.
3:03 pm
aligning to it, just like we've asked our own internal regulators in the critical infrastructure space to align to this, is something that can be done on the international scale. a lot of positive reaction to that. the most interesting reactions have come from europe and have to do with the fact that the same week that the president released the executive order, there were some draft approaches that were going to be used for cyber security. from the very beginning, they have been quite interested in looking at this as a basis for moving forward. >> about 30% of the companies we represent are international entities, and the reaction there has been favorable as well. they operate in a world that has been globally integrated and interconnected. they offer services, products, and systems that they want to work on a global basis, so they appreciate and welcome the framework. they are also competing in a
3:04 pm
world where increasingly there are efforts to use cyber security or national security as a market access barrier, whether the multilevel protection scheme in china or some of the problems we had around preferential market access in india. having this framework that is built on global standards that are consensus based and developed through multi-stakeholder processes is helpful for those international companies as well. >> what would be the process to internationalize the framework, or at least give it more encouragement to be used internationally? >> what we did in this case is something modeled after the approach that we did with the smart grid standard a few years back. we started with the standard
3:05 pm
that the framework process was immediately international. we invited international participation. i was meeting with delegations around the world. we made a deliberate effort to look at international standards as one of the building blocks of the framework, and where it asks companies to bring those forward. in some sense, we have been international from the beginning. by the way, i expect the international flavor of the framework process to actually grow as we go forward. it was actually identified in the roadmap. what is interesting is maybe more on the adoption side. in other words, the extent to which the certification and the product side, the extent to which those can be put into a global structure with global context can be very interesting. and then you are dealing with critical infrastructure. how do countries respond to that from their own
3:06 pm
national policy perspective? that will be the issue, the matching between the global markets and how the compliance piece itself works. that will be quite interesting. >> dr. gallagher, can you speak more about the next phase in terms of how and when the framework will be revised? >> we have not announced a revision schedule yet for the framework. what we have done is deliberately created a bit of a pause in our
3:07 pm
schedule for the very reason we wanted the framework and follow-up to be informed by those organizations using the framework. but we have set up a tentative schedule of workshops that are on the framework website. the first one is probably the privacy one in april, and i think there is another one this summer, in july. again, there is no surprise on what the agenda is, because the roadmap was laid out in that process. i do not anticipate any major revisions to the framework itself. the impetus is going to be going after these gap areas, identifying these areas where we felt there was real work to be done, maturing what we call the governance discussion. in other words, we should seriously start taking on, if this framework is going to go on and be a normal process,
3:08 pm
how do we set up a governance scheme where all of these different companies can work together to turn this into an ongoing, routine process? and again, we've had experience doing that both in the cloud sector and smart grid and other areas. we would like to continue those discussions as well. >> what does your experience in the cloud sector and smart grid sector tell you that will end up looking like? >> probably the most mature right now is the discussion in the smart grid, just because it is a little bit older than the cloud side. it was focused on the government adoption side. the smart grid, a smart grid interoperability panel, which is an actual 501(c)(3) organization, was put together because the stakeholder group felt there was
3:09 pm
not an existing organization that could facilitate that process. they established one of their own. this has provided funding for the operation of the organization. we remain working with them routinely today, where you now have a living cycle of, ok, here are the changing issues, here are the top ones, here are the ones to fix. the top panel does the triage, and in many cases now works with all of the different standards organizations that are supporting that, saying, hey, here are key areas to improve, and making sure the adoption side is worked out. because again, that was interfacing with the regulated industries as well. i think it might look different. it probably will. this is a different sector. we are not going in with an answer. and this may take a while to put together, but it is worth continuing discussions about how
3:10 pm
we do this if it is not a one-time process, but something we do year in and year out. >> thank you for this discussion. i am unaffiliated. you spoke a little bit about how the federal agencies are going to comment on this, and react, and how industry has incentive. i was wondering how you will get the state governments to adopt this and get involved. there are many things at the state level that are very important. >> that is a great question. i will let you answer that. [laughter] >> we have had strong interest from the states. a number of state cios were at the event. i was talking to them about their framework process. they end up touching this problem at a number of
3:11 pm
different levels. many of these critical infrastructure entities are interacting heavily with the states, and in some cases they are regulated or involved with the states themselves anyway. again, this harmonization issue comes right out for them, that this is an important building block, because it is something they can use as a framework for these organizations. think of the water utilities and others that are happening at this level. the other place that this is helpful to them is the extent to which we see widespread adoption of the framework means that the technology providers that are providing technology and software and security solutions to support these companies are now creating a market of some scale. they can help drive down costs and improve performance. that affects all the states that in and of themselves would not have the market scale
3:12 pm
to drive this. we encouraged state participation from the very beginning. they have been involved in the framework process from the very beginning and you will continue to see their involvement ramp up. >> the only thing is, one of the reasons we have been pushing for legislation at the federal level is the fear that you would end up with a mishmash of state legislation that doesn't allow for these types of efficient, effective markets. the framework is helpful, because it creates a baseline that is collaborative and based on the sort of standards. i think it's quite helpful. >> how do you think it is handled at the federal level? there are requirements of security at the federal government. how do you see this being rolled out?
3:13 pm
>> at the rollout, we talked a little bit about this in terms of government use. the most straightforward thing that every adopting company is doing right now is to use the framework to develop profiles of your current practice. that is what is laid out in the framework. one of the first things we will be doing at the agency level is, we will be using this to, similar to your organization, try to do that identification. the security model aspect of the implementation of the framework could be extremely helpful to the federal government. it moves the debate past the question of controls and the notion that the only thing you can assess and measure is how many of the controls you put in
3:14 pm
place. under the framework, that is a tier one implementation level. what this starts to point to is that you can move beyond that into a real risk management framework with a higher maturity level that has bigger advantages. it opens up the palette of addressing this as a risk management exercise within the government. and finally, the last one is, there has been a tendency to address cyber security performance issues within the government by just making the cios more and more muscular. the framework actually points to a different answer, which is integrating it with the program lines. this is going to the boardrooms and to the ceos. it points to a very interesting [indiscernible], which is starting with the cabinet level secretaries and accountability there and looking at this from an integrated perspective. we just started that, but i think it will be quite interesting. >> you have been a cabinet level secretary.
3:15 pm
>> i was privileged to have a wonderful acting deputy, dr. patrick gallagher. and one of the things he has done in that capacity is to really take in hand the cyber security management at the department of commerce. i think you called it eating our own cookie. in terms of that, making management at the highest levels of the department responsible for cyber security, and not simply something that our cios deal with. >> when do you see that being made publicly available, published? >> you know, there is
3:16 pm
no obvious exemption. there may be security issues in aspects of them. >> let me go back to the point that the framework is not about the controls. in any organization, you're going to have a dynamic set of controls. they are drowning in piles of controls that they have been looking at, and by the way, other mandates outside the security space. what is unique about the framework from the government's perspective is the management approach to really integrate it into how you run the department, and to make those decisions, not just technology decisions, but skill sets and hiring and cost allocation, and all of the other things that are just as much a part of cyber security as controls. in many ways, this is a very fresh perspective on the government approach. and i think the management approach could be very public.
3:17 pm
that is probably more important. that is where the real accountability lies. >> we have two questions. you can take them both, and then we will have two questions to finish. we will take both questions and then we will answer them. >> i wanted to come back on your comment about controls. if i understand correctly, the controls are the first step of four. does that mean that the controls are within the government today? >> let me be a little bit careful about what the implementation is pointing to. there are controls at every level. and controls are an important part of how you control a particular risk. i'm not saying there are only controls at tier one and then you can get away from the
3:18 pm
controls. what the implementation here is pointing to is, in some ways, how you are maturing in managing this risk. i think of tier one as being a rule-following culture. in other words, you create it and the success is i got through the list and i can do all of this reliably and repeatedly. that is quite different than an adaptive or proactive type culture, where in addition to having the rules and controls, you are actively identifying new changes preemptively. it is going from a set of static controls to an immune system. controls are everywhere. but you asked an interesting question -- where will the federal government end up as we start doing profiles? i don't know. my suspicion is that since we have been mesmerized by control [indiscernible], we should not
3:19 pm
surprised to find ourselves near an implementation level that is focused on that, which would be tier one. but we will see. it will be quite interesting as we do that. >> final question. one of the things the panel talked about was the alignment of the business interests with the national interests. let me give you a scenario and see how that would really change in the corporate world. i'm talking about a target named neiman marcus. i recently read a study where the u.s. credit cards are eons behind the european credit cards, with a magnetic strip and everything. visa, mastercard, american express. now, a target like neiman marcus could be
3:20 pm
losing $7 billion a year. to replace all of the credit cards, it will cost us more like $11 billion, right? normally, cyber security they don't really do. in this case, they are doing that. how do you make sure that a financial interest does not overtake what you would call the national interest? >> underneath your question is one of the profound issues congress will face. if these are not aligned, then i think that is because ultimately we are talking about something that if it fails under a cyber attack has great harm to the country. that is just going to get fixed somehow. but i think, backing up a little bit, i'm not sure that the financial risk assessment that they were looking at was correct, in the following sense. you
3:21 pm
know, you are correct that one of the issues the u.s. has seen in the sector is we were early adopters of card technology, but it was very expensive to deploy. it has been compared to much younger technology for card readers and so forth. and with that legacy comes vulnerability. the question will really be, yes -- that is why the risk management is so important. to what extent does the refresh of this technology help and mitigate and control those risks? i would assume that is what a good organization would be going after. but this is not just the direct financial loss of those customers who lost their information. and that is certainly not what i'm hearing from the ceos. this is a profound reputational loss. this is potentially going right at their market share.
3:22 pm
what i'm hearing from ceos is a very acute sensitivity that this is a big deal and that is why it is rising to the very top of the boardrooms as the discussion. i would be surprised if they were reaching that kind of simple apples to oranges comparison, because that does not track with what i'm hearing from ceos today. >> i think that is right. the cost benefit analysis is, in today's environment, wrong. i think it reflects what has historically been the challenge in dealing with cyber security. the compliance [indiscernible], they were worrying about it, but it is a cost issue. it is difficult to get attention. i think because of reputational concerns, because of the impact if you are a company that has a significant failure, i think
3:23 pm
that is changing, as reflected in the level of concern that was talked about. and i think we are seeing that reflected in some of the demand in the corporate sector to change, for example, card technology, despite the economics that you talked about. >> i work in a highly disruptive sector where companies don't [indiscernible], largely based on new innovation. the key to the success of those companies is trust and integrity. to the extent that we don't take cyber security seriously, we are undermining that trust and integrity. and that is a principal reason why it is one of the issues that we hear, perhaps, most often from our most senior executives in the companies that i represent. it is truly one of their top
3:24 pm
priorities. in a pure analytical or quantitative sense, it might not show up. but the reputational and the brand damage is so significant that it is conscious of those issues. >> one penultimate question before we end up looking at what success looks like in this. and that is the question of privacy. what was explicit when the president gave his executive order is that he needed to respect privacy. and throughout the process, there was concern from what you might call the privacy lobby to ensure that was the case. and you have produced a response
3:25 pm
a response to that. could you tell us the story so that we have a better understanding of how you have altered the framework to reply to some of those concerns? >> i think the short version of that story is the one you laid out, that privacy was the explicit requirement for us to consider as we developed the framework from the very beginning. it was actually part of every discussion and every workshop we had, including the kickoff workshop. i remember having a discussion about the incorporation of privacy at that point. what seemed to happen -- we could come back and have a discussion about what the psychology was, but it was intended to be an issue where, first of all, the maturity of how you implement the building blocks, those were less mature than what was true in a lot of the cyber
3:26 pm
security areas. and partly based on that, it was relegated -- even though we brought it up at every workshop, it is one that we kept going back to, saying that we need to work on this. and one of the consequences of this is that midway through the process, the privacy principles were basically in a standalone section as an appendix. i think maybe that is what caught everyone's attention. when that construct was finally there, then i think the stakeholder group that was working on the framework, all 3000 of them, they jumped in. it was an interesting perspective of how the framework works. the whole industry stood up and said, this does not make sense to have this be a bolt-on attachment. this is based on the same kind of data protection principles that are integrated. they made a counter proposal to integrate those into the main framework. now it is actually integrated and not bolted on. that is where we stand today.
3:27 pm
>> i think where it ended up is the right place. security is an essential ingredient of privacy. it is part of the privacy principles, part of the white house consumer privacy bill of rights. it is not a standalone issue. there are privacy implications in some of the cyber security practices, particularly when you get into sharing information with third parties, or in particular the government. so it is important to incorporate into the framework the privacy practices, as has been done.
3:28 pm
it really is part and parcel of security. we were one of the stakeholders who were concerned with the bolted-on approach. but we think it ended up in the right place. i do note that it is one of the nine workstreams, so we intend to engage and make sure it progresses forward. >> which brings me to my last question, which is, as we go forward, what do we think success is going to look like? and an important part of the framework, i hope i am correct, is to assess where there may be a requirement for legislation or others to engage. a question for each of the panelists is, how will we know
3:29 pm
whether a direction is required, but more importantly, what does success look like, and can we be confident that this is delivering what we think it should deliver? we will come down this way. >> i think a big part of it is adoption, the extent to which most businesses are looking at the framework and integrating it into their operations, much in the way we talk about ceos making it a part of their boardroom discussion. the second part of it is that it, in fact, does not become a stale document that sits on the shelf, but does become a living, breathing, iterative process, whereby we are still working on it 10 years from now. there are gaps with congress. i think we have spoken to those. and the most pressing that can
3:30 pm
be dealt with on its own is around information sharing. >> how much confidence do you have that those can happen? >> a high degree of confidence. the question is when. [laughter] i'm confident. i'm sitting in a discussion with congressman rogers and ruppersberger on monday. i hate to say anything that would give away my position. it is highly unlikely, but i think it is possible. >> or one version, 2.0, point some significant number. because i think that would be a sign that there is active
3:31 pm
engagement, active adoption, and is leading to the iterative process, and any indication that the model is working? >> i always like to get asked this question. the acid test of all of this is our nation's critical infrastructure: is it better protected? and it is also hard to measure. that is going to be very challenging. so i think of the success story as having sort of two elements. one is the near-term. i think that is the adoption, and the way i have characterized that is, is that inevitable? and we are struggling with those kinds of nuts and bolts issues. they may be tough, but the kinds
3:32 pm
of things that can only come up with those trying to use this. that is a big success, because that means this is actually being put into practice, and you have a framework to improve, and then i think there is an intermediate set of metrics that i think are potentially very powerful, and it kind of goes to the safety comparison, so while the final outcome could be something we are only retrospectively looking back on, i hope that we start seeing some very meaningful improvements in what i call security behavior, and that could be the capacity within organizations to be able to identify risks, that could be the capacity of staff, it could be skill level, and it could also be behaviors like self-awareness, the idea that we know what is happening on our systems more, or that the speed improves. i think it is quite measurable. it would point to a healthier organization in managing these risks, and my hope is we will be working with industry. it is sort of a nist thing to
3:33 pm
do, looking for meaningful measurements along those lines. >> thank you. we will be looking forward to the cyber security framework 2.0 or 3.0 and perhaps have comment on it, and i would like to thank all of you for joining us here today and invite you to join me in thanking dean garfield, pat gallagher, and others for a fantastic panel. [applause] [captioning performed by national captioning institute] [captions copyright national cable satellite corp. 2014]
3:34 pm
>> thanks very much. you will be able to see this event shortly in our video library at c-span.org. well, as the violence continues in ukraine with some 25 reported dead and hundreds injured, that country's president, viktor yanukovych, has replaced the chief of the country's armed forces. the acting defense minister said the army may take part in a nationwide antiterrorist operation to restore order.
3:35 pm
back in the united states, buzzfeed reports that senator john mccain and senator chris murphy are writing a bill that would enact sanctions against those responsible for the violence there. the specific details are not clear yet. they say that mccain and murphy [indiscernible] today, as it reported in buzzfeed. meanwhile, president obama responded with a statement about ukraine, saying, in part -- we expect to hear more from president obama, a news conference this evening with the canadian and mexican leaders coming up at 8:15 pm eastern, and that will be live on c-span.org. >> at the creationism museum, we
3:36 pm
are looking at beliefs based on the bible, but we are also talking about beliefs and what one can observe. i think we are teaching people to think critically and to think in the right terms about science. i believe it is the creationists that should be educating the kids out there, because we are teaching them the right way to think. we admit, our origins of historical science are based on the bible, but we are asking people to challenge the evolution aspects. >> i encourage you to explain to us why, why we should accept your word for it that natural [indiscernible] just 4000 years ago, completely, and there is no record of it? there are pyramids that are older than that. there are human populations that are far older than that, traditions that go back farther than that, and it is just not reasonable to me that everything changed 4000 years ago.
3:37 pm
by everything, i mean species, the surface of the earth, the stars in the sky, and the relationship of all of the other living things on earth to humans. it is just not reasonable to me that everything changed like that. >> evolution versus creationism, the science guy, bill nye, [indiscernible] the origin of the [indiscernible], debate tonight at 8:00 p.m. eastern on c-span. >> then on facebook, we are asking your thoughts on the evolution versus creationism debate. [indiscernible] reynolds says you can claim that humans did not evolve from apes. that may be, but to say evolution does not exist is just ignorant. go to the galapagos islands. share your thoughts at facebook.com/c-span. coming up on primetime tonight,
3:38 pm
book tv, and tonight, books on [indiscernible], starting with blinking red, compromise in american intelligence after 9/11, and then the shadow factory, the nsa from 9/11 to eavesdropping in america, and the book company man, 30 years of controversy and crisis in the cia, and then prime time tonight on c-span3, american history tv with a focus on lincoln's assassination, a look at the john wilkes booth conspirators, with commentary from those present, and that starts on c-span3. >> the all new c-span.org website is now mobile friendly. it means you can access our comprehensive coverage of politics, nonfiction books, and history where you want, when you want, and how you want.
3:39 pm
the site's responsive design scales to fit screens, from your desktop, laptop, tablet, or smartphone. whether you are at work or in the office or on the go, you can now watch live c-span coverage of washington, check our program schedules, or search our extensive video library whenever and wherever you want. the library makes it easy for you to keep an eye on what is happening in washington. >> now, a discussion on food safety and the implementation of the 2010 food safety modernization act, the law signed by president obama in january 2011 that aims to ensure the prevention of foodborne illnesses. the farm foundation hosted this discussion today. it is two hours. >> good morning. welcome to our forum
3:40 pm
participants here in the room this morning as well as those participating with our podcast, or audio cast, i guess i should say. the audio cast audience cannot see the speakers but will see our powerpoint presentations and hear the conversation, and will have the opportunity to participate by asking questions. those questions can be submitted at any time. the audio cast is made possible through a grant from the farm credit system. our thanks to them. for those in the room, we ask that you come to the microphone, identify yourself, present your question, and proceed from there. food safety modernization act. since the legislation was signed into law in 2010, the food and drug administration has been addressing the process of issuing final rules. rules have been proposed in seven areas with comments closed. one may be reissued. fda continues to work through the
3:41 pm
thousands of comments received. in fact, fda declined our invitation to participate in this forum, citing their heavy workload. the food safety modernization act shifts the focus of federal regulators to prevention of foodborne illnesses rather than simply responding to contamination. new regulations are proposed at the farm level, for some food processing facilities and for food importers. we have a distinguished panel with us this morning of those being affected by this new rule, or this new law, to discuss the impacts of this legislation. opening our session this morning is christopher waldrop, director of the food policy institute at the consumer federation of america. his bio is in your handout and available on the audio cast. chris is going to provide some background on the act as well as consumer perspectives. chris?
3:42 pm
>> thanks, charlie, thanks to the farm foundation for the invitation. again my name is chris waldrop, codirector of food policy. cfa is a nonprofit consumer advocacy organization founded in 1968 to advance the consumer interest through research, education and advocacy, and we are made up of about 300 member organizations, national as well as small state and local organizations all across the country. since fda is not here today i will do a little background on fsma and talk about the context of how fsma came into being, because i think that's important as we're thinking about implementation. cdc says 49 million americans are sickened every year from foodborne illness, 3000 die and 120,000 are hospitalized. the economic cost to society of foodborne illnesses has been estimated to be $77 billion per year in terms of lost wages, medical costs, time off of work and that sort of thing.
3:43 pm
in the years leading up to fsma consumers saw just a sort of steady stream of large nationwide foodborne illness outbreaks linked to common everyday foods that most consumers have in the house and consume on a regular basis, things like spinach, peanut butter, eggs, peppers, a number of other foods where consumers were seeing these outbreaks repeatedly and over and over again. in addition consumers were expressing concern about the safety of imported foods and the inability of fda to police the imports coming into this country. fda can only inspect about one to 2% of all imports into the u.s. in addition we were seeing economic costs to the food industry as well. so the 2006 e. coli outbreak that was linked to spinach cost the leafy green industry $350 million, and kellogg's was caught up in the pca peanut butter recall that was nationwide and cost kellogg's itself $75 million as a result of that recall.
3:44 pm
so there were some real economic costs to producers and processors from cracks in the food safety system, and it led to declines in consumer confidence both in terms of government as well as industry. and incidentally just last month a harris poll came out looking at consumer concerns and issues around food safety, and they found 73% of consumers want more oversight by the federal government around food safety issues. so clearly consumers expect the government to play a role in food safety, and fsma was sort of the result of that and that 2006-2010 era. there was strong support for fsma by both consumer groups and the food industry. there was strong bipartisan support for the bill. congress passed the bill with bipartisan support in 2010 and president obama then signed it in early 2011. now, the sort of key elements of fsma, as charlie said, it fundamentally shifts fda's approach from reaction to prevention, which is a huge shift
3:45 pm
and most of the components in fsma were guided and focused around that. there's a new inspection mandate for fda that increases inspection frequency for both domestic and imported facilities. a requirement that food plants develop and implement preventive process controls to reduce contamination in food plants, a requirement for the first time ever for standards for safe production of fresh fruits and vegetables on the farm. it requires fda to develop systems to address import safety and better ensure the safety of imported food, and there are several different elements, the voluntary qualified importer program and third party certification, that all kind of work together, as well as working with foreign governments to better ensure the safety of imported food and to push responsibility back towards the countries that are exporting to the u.s. it requires enhanced traceability for high risk food
3:46 pm
products, enhanced surveillance of foodborne illness outbreaks and better cooperation between fda and other government agencies including state and local agencies, provides fda with authority to set standards to reduce pathogens and then provides fda with mandatory recall authority. those are sort of the fundamental and key elements of fsma. in addition there was the tester amendment, which provided exemptions for certain small businesses that market the majority of their food directly to consumers or to certain restaurant and retail companies within a particular radius, and that exempted these farms or these facilities from safety regulations. it requires facilities to adopt modified preventive controls or to demonstrate documented compliance with state and local requirements, and for the farms it requires the farms to label or have some sort of signage, contact information for the farm when they are selling the
3:47 pm
products. now as charlie mentioned, all seven of the major proposals have been released. you can see them here. for the first four, the public comment period has closed, although fda is going to reopen the public comment period for certain key provisions of the preventive controls and produce safety rules that were particularly controversial or where fda wants to sort of take a second attempt at them, get additional comments and kind of see what they can do. the last three are still open. the additional provisions like traceability and performance standards will come later. fda also has to define sort of how they're going to define high risk food for certain of these provisions. they released the methodology on that and will begin developing the list at some point in the future. the other thing to know about implementation is fda is now under a court order to publish all the final rules by june 2015, so the clock is ticking on this and fda needs to work very hard to make sure they're reading all
3:48 pm
the comments, incorporating all the changes, re-proposing the key provisions and finalizing these rules by 2015. so just in my remaining few minutes i want to highlight a few consumer concerns, consumer issues we would like to see in terms of changes to these rules. consumer groups generally want to make sure that fda is implementing fsma in a timely way and consistent with the law and make sure there are adequate protections for consumers, but we generally have supported the rules that have come out so far that we've commented on, but there are some key areas we would like to see changed. in terms of preventive controls, fda did not require companies to implement either environmental or finished product testing of their products. that was not a requirement in the rule, neither did it require food manufacturers to develop and maintain a supplier verification program. both of these things are best practices in the food industry today. they are best practices and we think fda needs to restore those
3:49 pm
elements into a final rule so that it is a requirement for testing and a requirement for a supplier verification program. on the produce side, cfa supported fda's approach to regulate risky practices as opposed to risky products. so the practices that are going into the product in terms of worker hygiene, soil amendments, water, that sort of thing, but fda did carve out an exemption for certain products that they defined as rarely consumed raw. and we don't think that that is an appropriate exception. we think a lot of the products on the list actually are consumed raw by consumers, and there's the cross-contamination issue that can occur in the kitchen if some of those products are contaminated with pathogens. we would like to see that exemption closed. we do support some sort of numerical standard for water testing to be able to have some determination that the water that's being used has met safety standards. fda is going to re-
3:50 pm
propose that, so we're looking forward to commenting and seeing what that proposal is and whether it is similar to that. we do think fda should require some sort of environmental testing in packing sheds. this was particularly highlighted in the listeria outbreak in 2011 linked to cantaloupes, where there was listeria contamination in that packing shed. had they been testing for that they may have been able to find it and avoid an outbreak and those deaths and illnesses. fda does require importers to develop and verify that their suppliers are producing food safely. the agency gave importers two options. one is an annual on-site audit of their suppliers and the other is sort of a range of options, a menu of options. we believe an annual on-site audit is essential so that the importer has some assurance on an annual basis that their supplier is producing safe food, providing them with safe food, and not just doing a paperwork check, so that they are on site seeing what's going on and maintaining a relationship with their suppliers.
3:51 pm
and finally the third party certification program, this is a new area for fda, sort of uncharted territory for the agency, although they tried to align what they do with some of the things that are out there now. third party certification programs have been hurt by things like jensen farms and pca and wright county egg, where third party auditors went into these farms or these facilities, gave them very high marks and then weeks or months later there was a huge nationwide outbreak that sickened hundreds of consumers. so confidence in these systems isn't high. so for fda to be able to incorporate those they need to ensure that there's adequate transparency, which includes things like providing the public with robust information about the entities involved, self-assessment reports, audit reports, unannounced audits can be an important part of that element as well, and then adequate oversight of the program, making sure fda has a good sense
3:52 pm
of what's going on with the different entities that are performing these certifications so they can oversee that program and not just set it up, let it run and never pay attention to it again. those are just a few of the areas where cfa has raised concerns and wants to see some changes. i'm sure we'll get into more detail in the commentary and i look forward to that, and thank you very much for the time. >> thank you, chris. [applause] >> next we welcome to the podium richard gilmore, ceo of gci trade incorporated and founder of the global food safety forum, which develops public-private partnership risk-minimization food safety strategies in asian markets and in the global food chain. rick is going to discuss the legislation issues related to food importers. >> good morning, everyone.
3:53 pm
so, fsma is really, we regard fsma in the international perspective as a catalyst for change, both in the u.s. context but also globally. and our focus in the global food safety forum has been the asian markets, with prime attention in china where we have an office and are active, and so probably what i have to say is certainly to a large extent influenced by the work we're doing in the global food safety forum. the current problems that exist in the global supply chain, which fsma is designed, at least in its objective, to
3:54 pm
address are, for example, regulatory gaps for the mitigation of risk, protection, protecting consumer health and raising consumer confidence as noted by the previous speaker. we have as another problem the inability to handle emergency contamination issues consistently and reliably. there's an absence of uniform treatment of domestic and international product. i will be coming back to that and i'm sure that will be perhaps a source of interest for you since there's been a lot of discussion around that set of issues. frequently, there are less reliable technologies from foreign suppliers for tracing and certification from the point of origin in foreign supplier markets, or if you take it just in an anecdotal way, when product is transported by truck and documentation is required for refrigeration, if you've ever
3:55 pm
been to some of these, some of these locations where we source product, the ability to do that and conform to that documentation can be very difficult, and fsma nonetheless rightly requires it. concerns regarding independent verifiable certification on site. this is the third party audits. if it was difficult in a domestic context, it's even more difficult in the international context, the acceptance of that third party certification and the problems that surround that. there is potential for fraud and gaming the system, and i'm sure you've all read about some of the most flagrant abuses in that regard. and the absence of harmonized standards with international acceptance of those harmonized
3:56 pm
standards. there is a need for private-public platforms that serve as hosts for information sharing and collaboration. i want to stress that. that's our niche, but that's i think welcomed in the fsma strategy. the lack of equivalency in regulatory systems worldwide. these disparities, notwithstanding fsma and the u.s.a., et cetera, are considerable. here are the international provisions within fsma that i would highlight, that certainly foreign suppliers are focusing on and gearing up to try to address. our moderator introduced me in saying that i would be addressing it from the importer side. i do want to note that fsma
3:57 pm
also helps to identify the u.s. brand for food safety and food quality as an exporter. so sanitary transportation, focused mitigation strategies to protect food against intentional adulteration, accreditation of third party auditors, foreign supplier verification programs, preventive controls for food for animals, and the private sector and preventive controls for human food. here's a bit of a status report on implementation. the previous speaker certainly covered the first issue, namely the deadline of june 2015. and that is, in one respect, to accommodate all the concerns of growers and industry,
3:58 pm
an important timeframe, but at the same time having passed fsma and introduced some of those regulations and announced them in draft form creates a level of uncertainty for producers and manufacturers, not only in the united states but globally. fda's budgetary constraints, which fda in testimony just last week on the hill didn't hesitate to say how they need 400-600 million more to get their inspections up to target, and so that remains an important issue. continuing and potentially growing discord in the grower, manufacturing and international supplier communities. there isn't a manifestly clear single voice when it comes to the endorsement of fsma, its application, and its acceptance
3:59 pm
locally. what's the international footprint, we call it, that is impacted by fsma? this is just a little summary display that tries to show the relationships that are all involved inherently in the implementation of fsma. so in the center, because this is not, i mean, most importantly of course it's the human element and consumer confidence, but at the same time this is an industry and is a very important one to our economy. so the commercial stakes are huge. and that's why they're in the center in this little organizational chart. trade and national security
4:00 pm
interests, we don't always touch on those, but they are there. pathogens, viruses and fraud are disruptive to international trade. security concerns are very much there related to undetected viruses. there's the potential for international misunderstanding and weakening the fabric of international organizations and standards around codex and, of course, iso 9000. i forgot we got a very fancier. so my apologies, partially because i'm colorblind and i can't see red. the role of the private-public platforms, that's the global food safety forum. it is, one, maybe for some foremost, information exchange; two, joint venture investment in new food safety technologies from the