mr. graff. >> a couple points quickly. one thing that would move us towards the situation you would like to see in terms of preparedness is more cooperation from computer manufacturers and software vendors and producing products that are easier to secure and i say that to someone who used to work for a software manufacturer years ago. there are a lot of issues that are not a problem. if we make the assistance with your vulnerability is then the smaller banks and financial institutions would be replaced. i also want to point out quickly in addition to information sharing which is paramount we don't have time for a lengthy discussion but the supply chain problem, the threats of supply chain attack are really perhaps not the most serious issue that faces us and one that would be most susceptible to help from government. i have been working in the government sector for a long time and it is one where u.s. government could make the biggest decision. >> that is very helpful. i yield back. >> thank you, mr. chairman. thank you al

mr. graff? >> you put your finger on it and and essentials problem which is how do we share that information securely? and there are fairly sound that fits i could talk about to protect the challenge, but the technology is there. i think the more intense concern might be protecting it once it has a right inside the federal networks. they are a very strong target and that is frankly a concern of ours. we want to work with the federal agencies to make sure the information that's given is sufficient but no more than the need. and also we would like assurances about the way that they protect those internal systems as well. i think that is an important problem. i'm familiar with fisma. it does encourage good security. i think there's a lot of room for improvement there, too. >> mr. weiss. >> i'm sorry i'm not particular with that legislation. >> i want to go back then to mr. clancy. there's multiple aspects. one is the transmission of the data and second, once the data gets to the ofr, you know, how

that for the exchanges where you have more resources than some of the smaller institutions that mr. graff was talking about, to protect themselves, where are we in terms of where we need to be with some of these smaller institutions? some of the local banks, you know, we as government have put out there certain bench marks where we want there to be minimal coverage and protection for some of the smaller institutions, but number one, is that enough? do we need to do more to require those smaller institutions to provide greater protection to their customers? and is there also -- is there also a delta in terms of what we require the exchanges to do and where you think we need to be? perhaps you do even more -- i'm sure that most of the big exchanges do more than the government requires. and so, i'm trying to get a fix on where we are with the smaller and larger institutions and where we need to be. ms. kantly. >> thank you, speaking on behalf of attempts to address the smaller institutions, the fsisac thinks it's important and part of the effort has been focused on education and we have held

mr. graff? >> you put your finger on a problem, which is, how do we share that of permission securely? there are several methods to talk about. the technology is there. i think the more intense concern might be protecting a once it is in the federal networks. that is, frankly, a concern of ours. we want to work with the federal agencies to make sure we give them a sufficient, but no more than they need. we also like assurances about the way they protect those systems as well. i think that is an important problem. is does encourage good security. i think there's a lot of room for improvement there, too. >> i am sorry. i'm not familiar with the particular regulation. >> ok. i want to go back then that to mr. clancy. there are multiple aspects of that. one is the transmission of data. and then two, once the data gets to ofr, how will it be protected? who will then have access to that data moving forward and how they use that data? and those are areas you have some concern. >> i think access to the

mr. graff? >> you put your finger on a problem, which is, how do we share that of permission securely? there are several methods to talk about. the technology is there. i think the more intense concern might be protecting a once it is in the federal networks. that is, frankly, a concern of ours. we want to work with the federal agencies to make sure we give them a sufficient, but no more than they need. we also like assurances about the way they protect those systems as well. i think that is an important problem. is does encourage good security. i think there's a lot of room for improvement there, too. >> i am sorry. i'm not familiar with the particular regulation. >> ok. i want to go back then that to mr. clancy. there are multiple aspects of that. one is the transmission of data. and then two, once the data gets to ofr, how will it be protected? who will then have access to that data moving forward and how they use that data? and those are areas you have some concern. >> i think access to the