FISMA. How has that worked, and if so why? If not, what are the failings?

>> guest: So I would say that FISMA has worked, but it needs to be updated. It was a good piece of legislation for when it was passed, and it moved the ball forward for that time period. But now we have a more sophisticated understanding of what you actually need to do in cybersecurity. So, for example, I would say one of the things that needs to be updated is a move away from a compliance model where you only periodically go back and check every so many years. Um, that's not going to really work now in the modern cyberspace age, right? Things move too fast. So we want to move to much more of a continuous diagnostics approach such that you are always getting information about the state of your network and where -- what assets do you have that are hooked up to the network, and what are your vulnerabilities? Have you done the latest patching so that you have that information in real time. I would tell you that FISMA's shortcomings are more in that area, that it needs to be updated than sort of completely replaced.

>> Now, one of the main stumbling blocks, as you are aware, to legislation on cybersecurity is the industry believes that any regulatory regime may eventually resemble FISMA and that it is more focused on complying than operationally including security. How would you mollify those concerns?

>> guest: Well, I think that one of the things that we've done is we were in the process of developing the executive order, we had extensive outreach with industry and academia, really held dozens of meetings -- more than 30, actually -- with different trade associations and industry groups and companies. And one of the things that we stressed in that is the process that we want to set up is one that is very collaborative and really rests on the practices that they themselves, the leaders in their industries, are already doing. It doesn't really do us any good to put out a compliance model that is no