CarahCast: Podcasts on Technology in the Public Sector

The Evolution of How Cybersecurity is Delivered as a Shared Service

Episode Summary

In this podcast, you will hear a chat with Matt Brown, CEO of Shorepoint, and Rob Palmer, EVP and CTO of Shorepoint, discussing what impact the first Quality Services Management Office (QSMO) shared service offering from the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) will have on Federal agencies.

Episode Transcription

Speaker 1: On behalf of Palo Alto Networks and Carahsoft, we would like to welcome you to today's podcast focused around the evolution of how cybersecurity is delivered as a shared service. Our panel of speakers will discuss what impact the first Quality Services Management Office shared service offering from the Office of Management and Budget and the Cybersecurity and Infrastructure Security Agency will have on federal agencies.

Coleman Mehta: Welcome everyone. I am Coleman Mehta, I'm the senior director for US policy at Palo Alto Networks and I will be your moderator today. I'm very pleased to welcome you all today to our webinar on the evolution of cybersecurity as a shared service. As you saw, we have an exciting lineup of speakers this afternoon representing Congress, federal government, and an industry perspective as well. So our goal is to offer background and insights on CISA's Quality Services Management Office, its shared services offerings, how it will work going forward with the Continuous Diagnostics and Mitigation program, and opportunities for engagement. But before we get started with the panel, I'm very pleased to introduce Moira Bergin for opening remarks. Moira is the director for the Cybersecurity, Infrastructure Protection, and Innovation Subcommittee in the US House of Representatives.

She is a fantastic resource for insight into Congress and congressional oversight on security issues. Moira's here this afternoon to tell us about Congress' priorities for CISA and for federal network security, and what she's focused on for the balance of the year. So with that, Moira, thank you so much for joining us today and the floor is yours.

Moira Bergin: Thanks, Coleman, and thank you for having me here today. I'm going to warn you, I'm participating from the Catskills, so hopefully my internet isn't too choppy and you can all hear me okay. So I've divided up my opening remarks into three buckets, essentially. The first bucket being what can we do in the near term, what can we do before Congress breaks for the election. And then the second bucket is the midterm. What will we do as we wrap up in the lame duck and we begin the next Congress? And then finally, what's our vision for CISA and how do we want to continue to help drive CISA to focus its mission and to be the civilian cyber hub that we envisioned when we implemented the Cybersecurity and Infrastructure Security Act of 2018. So our near term goals will be no surprise. Election security, if anyone's been watching the news lately. It's a hot topic, so Chairman Thompson, who I work for, is focused on securing elections on essentially three different fronts.

He wants to fight disinformation, whoever the source; he wants social media companies and news organizations to correct disinformation coming from advocacy organizations, elected officials, anyone who can give people bad information leading into the elections and undermine confidence in the election results. Second, he wants to ensure that the Postal Service is well positioned to do its part on election day. That means state and local officials will have to coordinate with the Postal Service on what deadlines are appropriate to ensure the ballots are delivered to voters on time and then returned back to election officials so they can be counted. And finally, we're concerned about general election security, general cybersecurity.

People will still be voting in person, so we want to make sure that people are implementing security practices for their voter registration databases, e-poll books, and the election equipment themselves. Towards that end, we'll be leaning on CISA to push out stronger guidance on best practices, including making sure that election officials aren't using election equipment with wireless modems embedded in them, and making sure that they are signed up for cyber scanning. CISA has had a lot of success working with states on cyber scanning and implementing cyber solutions, but they've had less success working with local governments and counties. We want to see them push those services down to those more local levels, where there might be some more vulnerabilities that aren't being resolved. The second big bucket issue that we are focusing on from now until October is securing funding for state and local cybersecurity. This has been a big priority of the chairman since well before the COVID pandemic hit the United States.

However, the COVID pandemic has brought into focus the necessity for not only improving the cybersecurity posture of state and local governments, but modernizing their IT systems. So making sure that they are ripping and replacing legacy technology that can't be patched and can't be updated, and that we are transitioning those systems to more cloud-based and cloud-friendly technologies, as well as implementing cybersecurity plans to manage cybersecurity risks in an ongoing fashion in the years to come. Towards that end, there are two legislative initiatives that we've been pushing: H.R. 5823, the State and Local Cybersecurity Act, as well as the State and Local IT Modernization and Cybersecurity Act. H.R. 5823 is authored by Mr. Richmond, the latter is offered by Mr. Langevin; both are bipartisan pieces of legislation. Very important for getting state and local governments the resources they need to defend their networks from the kinds of crippling ransomware attacks that we've seen in recent years and that have continued throughout the pandemic.

And, of course, state and local governments became e-governments overnight during the pandemic. It really emphasized the need for this additional surge in funding. So in addition to pushing those two pieces of legislation, we've also tried to write to House leadership to encourage additional funding for state and local government cybersecurity in the different COVID packages, unsuccessfully, but thank you to members on the call who have supported those efforts. That has been very helpful and we're going to keep plugging away with that moving forward. I would also point out that both pieces of legislation, the State and Local Cybersecurity Act and the State and Local IT Modernization and Cybersecurity Act, direct CISA to develop national cybersecurity plans, which would set forth benchmarks for state and local cybersecurity standards, and require CISA to identify opportunities for state and local governments to leverage federal cybersecurity tools and programs to improve their own cybersecurity.

Right now state and local governments can buy off Schedule 70, but we want to make sure that CISA is pushing that information out to people so state and local governments understand that they can do that. So those are our near term goals. Then we have our midterm goals, which involve, number one, getting a post-COVID assessment of how the rapid transition to telework affected both federal network security as well as the security of federal contractors and the private sector. That's going to be an ongoing process and we have a GAO report in the queue, so we'll get some good data from that, but what we've seen in the near term is similar trends to what we've seen in the past. So there's an event that requires CISA to re-prioritize its activities. In this case, there was an increase in activity against HHS, and CISA decided to reprioritize CDM deployments and rapidly deploy tools to HHS, which made a lot of sense.

At the same time, however, it slowed the deployment of tools to other agencies that were in the queue, including national labs. We had concerns about when CISA's managing a crisis, having to press pause on the day to day operations in order to shift resources to meet the needs of an unanticipated event. This is not the first time we've seen that. It happened back in 2017 and 2018 when they were dealing with election security. There was a wait for risk and vulnerability assessments for state and local governments, and so the nine-month waiting period disappeared because federal assessments were put on hold in order to provide the vulnerability assessments to state and local governments. Robbing Peter to pay Paul works in a pinch, but it's not a policy you want to continue, and crises will continue to happen. We need to think about ways we can equip CISA to surge resources in areas of high need without pressing pause on ongoing security programs.

I think one of the positive things that we've learned from the pandemic is the potential of telework and understanding that a lot of the cybersecurity activities that the federal government was doing could continue during telework. And what does this mean for addressing the cybersecurity workforce shortage in the federal government? Does that open up opportunities for CISA and other federal agencies to source cybersecurity talent in other regions of the country if people are able to work remotely? I think that's something else that we're looking to, because we've been very focused on addressing the ongoing cybersecurity workforce shortage across the federal government. Long term, we're going to start looking at the results of the CDM GAO report that came out today.

I'm not sure it's public yet, but it will be public this afternoon. One of the lessons learned from that report is that CISA needs to improve the way it coordinates and serves as the liaison between service providers and the agencies it's supporting, and making sure it's translating what security tools and needs an agency has accurately to a service provider, to ensure that the tools are configured properly in a way that will provide situational awareness and benefit to the end user and to CISA itself. So towards that, I think those lessons learned from the GAO report coming out this afternoon will benefit CISA as it implements its responsibility as a [inaudible 00:10:49] for cybersecurity. I'm pleased to see that they started off with some very discrete pilots, and I appreciate the challenges that will be entailed in providing services across 99 federal agencies that have different risk tolerances, different risk postures, and different capabilities to partner with CISA and implement some of the tools that CISA recommends.

And so we'll be doing oversight on that moving forward, making sure that CISA is well positioned to execute its responsibilities with [inaudible 00:11:23], as well as making sure that the partner agencies are well resourced and equipped to partner with CISA and work together to improve the security posture across the federal government. We're also going to be looking to clarify the roles of CISA versus the sector-specific agencies. That's less of a .gov issue, but nevertheless an important issue. It's caused confusion across the private sector when it's unclear who you go to to get different pieces of information and report different pieces of information to when it comes to threats to critical infrastructure. So we're going to look for opportunities to clarify those responsibilities moving forward. And, Coleman, I know I'm coming up on my time, so I would just wrap up by saying that CISA's success is dependent on ongoing and effective engagement with the private sector, understanding the needs of the critical infrastructure owners and operators, and then understanding the needs of the agencies that it serves, as the agency responsible for securing the .gov.

So I encourage everyone on the call to continue their engagement with CISA. I know that's been helpful in helping CISA clarify its mission, and clarify its responsibilities, and its mission for civilian cybersecurity. So thank you all. And sorry, Coleman, I know I ran over a little bit.

Coleman Mehta: No, Moira, thank you so much. That was a really comprehensive look at what Congress is looking at from the cybersecurity perspective and very, very helpful. I'll note that Palo Alto Networks strongly supports your efforts and the committee's efforts to ensure that cybersecurity is incorporated into the IT modernization funding, whether that's at the state level or the federal level across the whole public sector. So we're looking forward to continuing to partner with you on that.

Moira Bergin: Thank you.

Coleman Mehta: Great. Well, thank you, Moira, so much. That was really helpful. And why don't we turn now to the panel itself. So as I mentioned, we have an exciting lineup of speakers today to talk about CISA's activities and how it delivers shared services, be it through the new office, the Quality Services Management Office, the CDM program, or more. So quick introductions: we have James Sheire, who's the branch chief for the Quality Services Management Office at CISA. Alongside Jim, we have Matt Brown, who is the CEO of the cybersecurity services firm Shorepoint, and Rob Palmer, who is chief technology officer at Shorepoint as well as a former deputy chief technology officer at Homeland Security. And finally we have David Knisely. David is the director of strategic programs at Palo Alto Networks.

So thank you all for being here today. I'd like this to be as conversational as possible. So even if we direct a question specifically to one person, I hope that you all will feel free to jump in as you see fit. So let's get started. Jim, let's kick it off with a question for you. So I think we've all followed the concept of Quality Services Management Offices since the OMB memorandum came out last year, and then CISA's subsequent designation as the lead for cybersecurity shared services under that concept, but maybe you could just take us through a bit of the background of the QSMO cybersecurity service, what the near term looks like for you, and what maybe the initial service offerings might be.

James Sheire: Yeah, thanks for the nice introduction. So, as you said, yes, if you can believe it, it was only about a year and a quarter ago that the OMB memo M-19-16 came out that established the Sharing Quality Services strategy and the designation of QSMOs and how the government would work. And we were at that time pre-designated as the cyber QSMO. So after some work with OMB and with GSA to get our program together, working with the Shared Services Governance Board, working with the senior agency points of contact, and of course with our agency customers, we spent our year standing up our program management office and our various capabilities and things. Yes, we did actually just this spring receive our formal designation, so the official blessing. Importantly, though, the route chosen was to designate us for three specific service areas for starters.

So one is in vulnerability disclosure, so a vulnerability disclosure policy platform. Another is for protective DNS, and the last one is for security operations centers. And so those are the three areas that we started in on early and for which we were formally designated. I'll start with SOC, so that's an area that many are familiar with. So originally this was based on foundational work OMB and CISA had done to understand the maturity of security operations in agencies. So taking a look at that varying maturity state, as Moira said, different networks, different configurations, thinking about how we could bring services to bear to help agencies fill those gaps. So optimize, mature, fill critical capability gaps. And we started in our first year in the SOC-as-a-service designation by partnering with the Department of Justice. So they have a standing service that they offer, primarily to small agencies who want to outsource or leverage a managed service for their security operations.

So we're working with them to stand them up as an assessed provider in our marketplace of solutions. So the Department of Justice is already offering their good services, so we're working to enshrine that. And then secondly, in VDP, this also built on a key policy area, so CISA issuing a draft binding operational directive outlining how agencies should enable the receipt of researcher reports. So researchers finding potential vulnerabilities on federal agency systems and finding a way to bring those to the attention of the agencies for remediation. So CISA, the QSMO, looked at this early and said might it make more sense, be more cost effective, to create one government-wide platform where not only researchers can come to submit reports centrally, but that agencies can leverage as a shared service to enable the receipt of those reports. So we established the standards of requirements for that, working with our agencies government-wide, did some market research, and in fact just a few weeks ago put out our RFP, so our responses are coming in for that.

So we are in the middle of acquisition and our plan is to go live with that service this fall. The third is the protective DNS service, so this is in the early phases. We're into market research, but moving toward acquisition as well. This is to stand up a single protective DNS resolver government-wide. And in terms of acquisition strategy, for those who are familiar with the QSMO work, we actually are working with GSA on the VDP platform for starters. And two major reasons for that: one, they have [inaudible 00:18:27] but in [inaudible 00:18:32] other areas, but a big benefit is that the contract that'll be established will be available to all agencies to procure directly. So for the [inaudible 00:18:43] platform, they can simply go work with GSA on this government-wide vehicle that we've established with a lot of flexibility for the agency implementers.

And that's an approach that has worked well so far. I mean, we learn something new every day, but we do anticipate working to establish these government-wide vehicles. And importantly, that allows us to play a key role in the requirements on the work, but it allows the agencies then to capture those true economies of scale in looking at government-wide implementation. And that is also preliminarily the approach we intend to take in SOC. So as mentioned, we started with DOJ, a federal shared service provider, but we are looking at exploring a government-wide acquisition vehicle for that as well in the coming year. Coleman, could I have one more minute or should I wrap it up?

Coleman Mehta: Please. No, continue. This is great.

James Sheire: I'll just wrap it up. Two key points, and I'm glad Moira raised this because it's something we work on every day. One, we're very strong backers of a strong voice-of-customer approach. So we engage our agency customers extensively to get their requirements and needs, find out what their [inaudible 00:19:52] are, to make sure that the services are what they need. And secondly, yes, we engage industry extensively in developing these solutions. It could be through forums such as this or through innovation summits. We're looking at maybe reverse industry days to get feedback, and then of course it's through the formal acquisition process, so standard RFI market research stages as well. But we are definitely thinking about how to engage industry for best practices. And in the VDP, for instance, that's where we did our market research, where we decided it was best to go with a SaaS solution rather than building something from scratch.

So we're really able to leverage best-in-class solutions in the marketplace. And so we'll take that forward, but in both areas, voice of customer and industry engagement, we're always looking to improve. So we always appreciate the feedback on how we're doing.

Coleman Mehta: That's great, Jim. I appreciate it. And for those of you who don't know, I believe Jim comes from the GSA world as well. And so I expect that you're quite able to make use of the synergy between CISA and GSA to make it as effective as possible.

Okay, great. Why don't we turn to Matt quickly. Matt, you have been involved with the Continuous Diagnostics and Mitigation program, the CDM program, for many years. As you look at CISA's approach to shared services, what can be leveraged from your perspective from CDM in terms of lessons learned? How can it all fit together?

Matt Brown: Yeah, I think there are a number of things that can be built upon from CDM over the years. Number one is they partnered with GSA early on with the assisted acquisition of the BPA. And that worked very well in terms of attaching both products and services onto the original BPA, and then learning lessons off of that, and then moving the products over to the CDM SIN on GSA Schedule to enable acquisition across the federal government for that. I think secondly CDM learned a lot of lessons between the Task Order 2 series and the DEFEND series, where Task Order 2 was a solution built by an integrator, pushed out to agencies, but the agencies themselves had ideas of how they wanted that solution to be built, and how they wanted to align their own cyber priorities with some of the CDM capabilities that were being brought online.

And so they built the RFS process into DEFEND to enable the agency to have a voice on what technologies they need to secure their mission and meet their priorities, both department-wise as well as compliance related. And it allowed them to really set their own priorities and align some of their future planning for budgets and for technologies in line with what CDM's done. And I would say lastly, under DEFEND F or the Task Order 2 [inaudible 00:22:50] program, where CDM was delivered as a managed service to some of the small and micro agencies, they learned a lot of lessons off of how well that capability was implemented. And then as we move into DEFEND F, how the small and micro agencies can consume services that they would not normally have the manpower or the resources to be able to build. And so to Jim's point earlier, where you're looking at what are the specific capabilities that can be commoditized, and served, and issued as a service to agencies to procure and leverage when they don't have the resources to do it themselves.

DEFEND F has a lot of examples of how that can be done. And then one of the things they're doing with DEFEND F is building out the portfolio of capabilities that are mapped out over time. And so an agency can look at that portfolio and say, "Maybe I do endpoint management really well, but I really struggle with having an enterprise vulnerability management program, and maybe I want to consume the CDM services for that." And so they can pick and choose what capabilities they need and how they fit into their specific cyber priorities to determine what they want to enable. And so I would say in closing, the more you're wrapping in the agency in terms of what their needs are and then aligning those to the capabilities being offered and trying to keep that in sync to some degree,

I think that is where you get the biggest bang for your buck in terms of success, because you've got alignment on what the outcome looks like across the agency, the integrator, the provider, and ultimately the CDM program or CISA in terms of what they're offering as a service that will need to be consumed by the agency.

Coleman Mehta: Yeah, I think it's a really interesting point. Thank you, Matt. And the one piece of that that I think I would focus even more on, and would love to hear your perspective about, is how you think about prioritizing services for various agencies of maybe a different size. So do you start with the CFO Act agencies because maybe they have more capabilities, or do you start with the smaller micro agencies, as you called them, because that helps you build confidence? Is there a sweet spot in there? How does it all fit together?

Matt Brown: Well, I think whenever you're talking about consuming managed services, you have a lot of things in play here. You've got budgets in play, you've got [inaudible 00:25:11] resources and responsibilities in play, you've got schedules and contracts that have been issued prior that are in play. So bringing a cabinet-level agency off of their on-prem delivered or internal capabilities that they've been building out over time, and making them move all over to a managed service, may be a little bit difficult. I think some of the smaller micro agencies are a little bit more ripe to being able to test out and vet the capabilities because they don't have the long programs in place. They don't have contracts that have already been let to companies that are delivering these services for them, or an organizational structure built out to deliver them as well. And so they're probably a little bit easier to consume some of those capabilities faster.

And then you test them out and then determine if they can roll more to a larger agency. I'm sure there's plenty of examples of larger agencies that are able to consume things faster than a small agency, certainly components that may look to the department, where the department may provide services that they can consume. I think in my mind it's a little bit easier for some of those small and micros to test out [inaudible 00:26:29] the service and then determine what are the entanglements that a larger agency may need to look at to manage through as they look [inaudible 00:26:39]

Coleman Mehta: That's great. That's a good segue into Rob. Rob, as we noted, you were the deputy chief technology officer at DHS, which made you at the time a customer of CISA's. Maybe you can draw on that experience just a little bit with previous departmental efforts to consolidate the service offerings, and just talk us through what considerations agencies will be taking into account when they review shared service offerings and determine how to proceed.

Rob Palmer: Yeah, just to pull from what both Jim and Matt are discussing, really, there's only a few levers in an agency, at least from what we've learned over the years, that get pulled to decide on shared services or managed services. One is cost, not just financial, but organizational cost. What is it going to cost an agency to move in that direction, and I won't hit on a bunch of that. Capability: maybe it's a capability that you don't have and that's the only place to get it. So sometimes that comes into play. And then we also can't ignore the congressional mandates or agency mandates as well. Usually it takes two or more of those to overcome the organizational cost to move in that direction. And I think as Jim alluded to, and I think it's all over there, the way that it's been presented is there's been a lot of lessons learned over the years, both positive and negative, in terms of shared services, both big and small.

All of them, in one shape or form, made a ton of sense in all the discussions. And for one reason or another, whether it was implementation or sometimes it was just the evolution of the technology itself, where it just aged out. But all those factors have brought us really to this point where there's a lot of smart people doing this stuff, and I believe those lessons learned are going to carry forward in whatever implementation happens. So as much as we can keep all of those things in mind and collectively go after this new instantiation of this. Jim already alluded to a lot of the lessons learned just in describing the three areas that have been officially adopted, or whatever the term we're using is. But, really, we've found a sweet spot. Jim didn't say we're going to do all things for all people. He said we're starting out on what we know there's a market for, and then if it grows from there, great, but that's really where we're starting.

And I think that in and of itself is an indication of the lessons that have been learned and what we have to look forward to in establishing services.

Coleman Mehta: It's a really great point. Thanks, Rob. And we should absolutely underscore that. I think DHS and CISA specifically are really taking the foundational steps now and thinking about how to build off of those. I was struck by the three considerations that you offered: cost, financial and organizational; capability; and department, agency, or congressional mandates. And, really, only one of those, the capability side, is technical. I think it's really telling that what we're talking about here is governance activities, and budget cycles, and all the things that go into making technology successful that aren't always technology specific. But the one I didn't hear you talk about, which I wonder if it might be on the minds of other departments and agencies in their CIO shops, is access and control over their environments. And maybe you could speak just a little bit about how agencies might be approaching what they see as control of their environments, or how they might be able to make use of the shared service and be willing to share that responsibility with CISA and others.

Rob Palmer: Yeah, I think that is a good point. I would say that if those other factors are there and compelling, the idea that you lose a little bit of maybe perception of control, or have to provide some additional insight into your environment, I think that goes away if those other factors are strong and really support and move in that direction. Not always the case, there's no absolutes in this game, but I think that would be my thought on that: if you really work through and you take an honest look at those factors, whether I lose a little bit of flexibility in financial insight, or something like that, or I give up a little bit of that, if those other things make sense, that's not as important. You think about how many [inaudible 00:32:24] efforts have happened in the federal government over the last 10 years. I mean, it seems like it's a constant. We're going to consolidate SOCs onto one at the department level, or one's going to do endpoint management and the others are going to do network monitoring, or whatever the case may be.

And where I think there is always hesitancy to give up power and give up access, where that has worked is when you have a competent provider or competent capability that provides the same level of visibility, the quality of data, that they know what they're getting, and transparency in reporting, that what they're seeing is accurate and there's value being provided back to the agency. I think if you can do those things, then you have a greater capability of success, or a greater opportunity for success. Then you start to build trust with the agency that maybe I don't need to do this, and I've got enough of the data, and the visibility, and it's being handled correctly. But until you get to that level of trust, I think it's always going to be a dicey proposition. Which is why I think it's smart to take an approach of starting slow and starting with demonstrated capabilities, like Jim mentioned, DOJ and their proven capability of being a SOC provider to other agencies.

Where there is proof and there is maturity, it allows a lot more trust and access for the agency to believe that that's going to work. Where there's not, or if it starts off on the wrong foot, it quickly goes south. And then you come back to what is the driver for me doing this? Is it money? Is it because I'm being told to do it, or is it because it's the best thing for my agency? And I think that's key to the success of being able to consume managed services: to be confident, to be transparent, and to create at least the level of value, if not a higher level of value, than what they have from a technical perspective, not just from a budget perspective.

Coleman Mehta: No question building those foundational efforts is important. David, why don't we take this in a slightly different direction. So CISA and its various network security offerings, even if they work together they're also, I would say, all in their own state of evolution. I think more to the point programs like CDM, they now have to account for agencies deploying their cloud capabilities and all the visibility challenges and integration challenges that that entails. So maybe you could tell us a little about what you have seen from your perch about how agencies are filling cloud gaps in the CDM program.

David Knisely: Really, I've worked with the CDM program for coming up on a decade, various software companies, and the CDM program is just getting to the point where it's deploying bound capabilities at scale. Cloud gap fill is something that we are working with numerous agencies on right now. You look at group E and group F as examples of the only places that you really see cloud gap fill capabilities being considered, and acquired, and deployed. Hopefully at some point in the very near future I think we look at how do we get in front of that next thing. How do we try and anticipate technology requirements, but do them to a point where they make sense? I would say, Jim, something to look at, I'm sure your team already is, is the secure edge. So SASE is a term that Gartner's come up with. I would see an opportunity for the QSMO office to step in potentially alongside CISA and be a thought leader.

And maybe have that as something that would be a future for you all, a shared capability, because we're really talking about cloud delivered capabilities at that point. We've had to partner very strong. I mean, we're not the only player in that. There's a lot of folks who do that. We'd all need to work together in terms of FedRAMP qualifications and what security concerns that would come with that. Overall, I think we're excited to see the progress that's happening in CDM. Very happy to continue to be a vendor and a partner to numerous agencies with their CDM deployments. And I think industry is standing ready to accelerate that process as our message when it comes to cloud.

Coleman Mehta: That's great. Thank you, David. I'll also note, one thing that [inaudible 00:37:21] that I think is worth talking more about is what capabilities through the technical requirements with the CDM program entails for cloud deployments. [inaudible 00:37:36] focused on data security, but maybe that's not the whole world to what a comprehensive cloud security deployment might look like in CDM. Can you speak a little bit about what the whole world looks like?

David Knisely: Obviously those phase four, as they used to be called, capabilities are something that everybody's still thinking through. The data protection and the layer of securing the data is something that we're all struggling with how to implement correctly at scale. I think the answer there honestly comes back to, again, cloud and how do you do these advanced capabilities embracing a cloud infrastructure in the backend because the on prem infrastructure just is not going to support the level of AI, ML environments and requirements that's needed. If we don't go off prem to do those things, we won't be able to do the data protection and cloud security that we need to at scale. I think everybody realizes that and so we just look forward to partnering with the federal government and wherever areas we can to prove that the cloud based offerings that we all have, and we're not the only one, are secure and are as secure.

And that our CSP partners are wonderful, Amazon, Azure, Oracle, IBM, Google. They're all phenomenal partners to us and we want to partner with the government with a multi cloud approach so that we can do something that scales at an agency level or ultimately at a group RFS level, something like that.

Rob Palmer: I think the cloud one is a good example of where there has to be a common understanding between the agency, and CDM, and the integrator about what they're trying to accomplish. I mean, CDM has a dual mandate. They have a mandate for the cyber tools to do what the cyber tools do and securing the infrastructure, but they also want to provide visibility back to the federal government about the security posture of that infrastructure. And so [inaudible 00:39:50] at the end of the dashboard. And so there's one goal of getting technology in there to provide visibility and there's another goal, having that technology do security things to make it make sense. And an agency may hear cloud from CDM and say, "All right, well, I'm getting academy solution or I'm getting some solution that's going to help me identify my cloud usage across the enterprise and help me protect it."

And that may be the case, but it also may be the case that the integrators in there are trying to figure out what do you have and what can I pull from it to provide visibility back to the dashboard for how well this was being protected. And so I'm trying to pull that thread through to just point out a good example of trying to align everyone's understanding of what the goal and the outcome is to enable that capability to be delivered well and people to say, "Yes, I got what I need out of that." So the more agency input can go into what do I need out of cloud securities that is from CISA, or from QSMO, or from a capability that I'm trying to consume that would help me do my mission or make decisions about what I move to the cloud and what I don't. The more that that conversation happens, I think the more we all have the ability to fine tune exactly the offering that needs to be delivered to that particular agency or what the priority of that capability needs to be for a shared services capability to be consumed.

Coleman Mehta: That's a great point. We've heard from numerous CISA officials about thinking through visibility and agency cloud deployments, and the challenges that that presents, and how CDM might be utilized to effectuate better visibility along with better integration across the board. So that's a key point that I think we'll be focused on in the very near term. Jim, you have a whole host of industry experts in the audience and I'd love to hear from you what kind of engagement that you're looking for from industry, what expertise industry might be able to bring to bear, what kind of partnership model you're looking for here, how we can help.

James Sheire: I think I alluded to it earlier. So as we think about the next areas that we may want to move into to really leverage innovative solutions from the marketplace to bring to bear against those areas that we have identified as likely candidates for shared services. We're going to go out in a variety of ways to learn more about those capability sets and sometimes even ask fundamental questions. Are we approaching this issue correctly? Are there considerations such as cloud architectures that have been discussed specifically that we didn't take into account? We want to look for a number of creative ways to basically get at what is the best in breed in technology to aim at our problems. And the QSMO is really about seeing where we can aggregate that demand and, really, as I said earlier, get at those economies of scale to drive costs down for innovative solutions that agencies can then take advantage of.

And I mentioned formal acquisition routes, but are there innovation acquisition or agile acquisition paths that we have to look at where we may need a capability in a hurry and we need to move quickly to address a gap or a threat. Yeah, so that's the short of it. Dialogues not only around what we're procuring, but how we're procuring them. We're going to be looking closely with our acquisition teams, and with DHS acquisitions, and with GSA as mentioned to figure that out.

David Knisely: Very quick followup to that, Coleman, if you don't mind.

Coleman Mehta: Please, David.

David Knisely: We see the DOD space moving forward at speed with OTA and [Crete 00:43:47] type acquisition paths. You mentioned some other things that you guys have been looking at there. Is that something that's been considered or is on the table?

James Sheire: I'm sure all avenues are being considered by our acquisition teams. So fortunately we were able to work closely with the teams that we're working with CDM, so really able to work with a skilled and experienced group there in looking at what our options are.

Coleman Mehta: Rob, Matt, you talked about the dual mission of CDM. Do you foresee the CDM mission changing in any way with the advent of Prisma and the shared service offerings or how do you see them working in partnership?

Rob Palmer: I think Defend F is a great place to start with QSMO and search capability of PDM being implemented. And determine what could be leveraged there, what works well for the small and micros is that crawl, walk, run approach for capability deployment, but I think CDM has to evolve to some degree to be more in line with the agency cyber priorities. And I think to date the work has been really focused on the foundational level of visibility of [inaudible 00:45:06] management, vulnerability management, the user management, but because that's taken a pretty good amount of time, the CISA focus has shifted from that to cloud usage, data protection, HVA protection, and things like that. And so keeping pace with the same priorities that the CISA and the CDM program connect to those I think will be key to the success of how well CDM matures and how well it's continually evolving. And then ultimately how it feeds into QSMO.

Matt Brown: I'll second that. Our teams are in the same part of CISA. We work closely. When I'm physically in an office these days, Kevin is just two doors down. So I'm always knocking on his door. Yeah, it's a close partnership.

Coleman Mehta: Yeah, totally agree. And it brings up a good point from what Moira was talking about earlier, which is digging through [inaudible 00:46:09] and the QSMO offering. DHS regularly goes through surge activities. The most recent and ongoing one, of course, is COVID and the rapid shift to secure remote work both for itself and for other agencies for all of its customer set. I wonder how you think about balancing those rapid surge deployments, but also working to make sure current operations continue at pace, as well.

Matt Brown: Yeah, I think it's a balance of both. So we are certainly in our roadmap thinking about what our portfolio [inaudible 00:46:46] are, trying to think to the long term. And, again, I think it's just getting closely aligned with our agency customers in terms of what their operational needs are. So I think it's that balance of making sure we're offering value against gaps, and what our agency customers need, and securing their missions, their data with that surge [inaudible 00:47:08]

Coleman Mehta: We've got just a couple minutes left, but why don't I give each of the four of you an opportunity for just one to two minutes on what the future looks like. Either the future of QSMO and what it looks like in five years, the future of shared services and what it might look like in five years, and then the things that you think we should be doing now to make sure that happens. David, why don't we start with you?

David Knisely: Yeah, I'd say we're seeing the delivery of shared services done through multiple acquisition paths. Again, if you go back to the DOD example, there are OTAs in place for EIT as a service, enterprise network endpoint, and compute and store all being done as a service through OTA prototype contracts. You have the EIS contracts out of GSA that are the service provider community who have absorbed a lot of that. In some cases, even NOC, SOC capabilities being delivered alongside MTIPS and infrastructures there. TIC 3.0 being a part of that, but TIC 3.0 being a part of everything else we're doing on the on prem side. And then there are standalone RFPs being done. Then there are the shared services acquisition done through group F that I think Matt has talked about numerous times, group level RFSs for cloud security on group E. There are so many different places we're seeing with shared service model right now.

It really is a change in acquisition and delivery of service to the federal government and it goes alongside cloud. It'll be very interesting to see. We're trying to support them all and it's difficult, actually, as a vendor. I think the government wouldn't understand. There are a lot of different paths to try and get these solutions and it'll be very interesting to see which ones follow through in terms of success. And I think the history of eGov, and NBC, NFC, all the shared services centers that have had success in the past. I think this is a really good opportunity for CISA here and I think there's demand both on the agency side and on the vendor side to be able to deliver these core capabilities we know our customers need.

Coleman Mehta: Great. Thanks, David. Rob, over to you. What do you look for in five years? How does it look to some of those CISA customers?

Rob Palmer: Well, I think it's state of government, so it's going to be a continuation of a lot of what we're seeing right now, which is just pulling the thread on agency alignment with these federal mandates. And there's an abundance of technology available to get these objectives met. And so what we're seeing is that as long as we're adhering to those federal mandates there's a mix of technology that gets utilized. And that takes time, so it takes all the architecture, design, implementation, configuration, optimization, all of that good stuff that these agencies are going to be doing for the next few years. What I'm encouraged by is the fact that we continue to have those discussions about what that alignment needs to be, and how best to do that alignment, and gaining the visibility. And that seems to be that central or core [inaudible 00:50:47] that folks are going after in that move. Towards that is increasing visibility and awareness from a security perspective, so that's encouraging. So next five years, I think there's going to be a good bit of that.

And folks like Jim and QSMO will absolutely put the things in place that the market needs and will support that. And that's really what the federal apparatus is there for.

Coleman Mehta: Great, thank you. Matt?

Matt Brown: I mean, I think it's a really exciting time in the federal cyber space because you now have an agency that's responsible for cybersecurity of the entire federal government. And the opportunity that they have because of that is exciting because it can enable transformation much faster than having essentially 100 different agencies doing 100 different things to try to meet the same mission. So you get economies of scale very well there, you have centralized capability development that can be done faster and deployed faster. And you've got the workforce that is required to do that a little bit more centralized. So I think from all of those perspectives, it's a really exciting time. I think the challenges that we've talked about today are ultimately going to be what drives whether it's the success or not. And those challenges are organizational buy in. Are these organizations mandated [inaudible 00:52:22] some of these shared services capabilities. Do they get built out or do they get built out and no one consumes them?

And I think to be able to do that you really need to make sure that there's value being delivered to the agencies for them to say, yes, I want this, not just I have to have it or I have to do it because I'm told to, but I get value out of it. And I don't need to do other things because I get enough value out of what I'm getting. So I think if there's a focus around aligning the value proposition with the capabilities being deployed and I think QSMO has started very well in that place to leverage past successes. And where it's demonstrated to agencies and there's relationships already established. I think the more that that can be built on, the better opportunity is for success. I think as a citizen of the country, I think it's the right answer for this country to have an agency that is just totally responsible for the defense of cyber posture of the federal government.

And I think the ability for the capability to be built out that way and skillsets that are needed to deliver them, I think all of those things are pointing in the right direction now to a proof in the pudding to see if it actually works.

Coleman Mehta: 100% agree with CISA and its predecessor agencies and its continued building of capabilities over time. Last word, over to you, Jim.

James Sheire: No, I mean, I'll just echo what was said. I mean, the true measure of success is if in a few years from now we have a portfolio of services that are delivering real value, helping agencies address the threats to their networks, their data in a way that they derive a clear value proposition from, and find value in, and we have a true record of success with our services. I think that's what success looks like. So improved cybersecurity maturity, addressing the threats to our data is our mission. So if we've served that mission by making our agencies [inaudible 00:54:29] with good solutions, that's what success looks like to me.

Coleman Mehta: I know I speak for Palo Alto Networks and I'm certain I speak for the other panelists as well, Jim, that we are very much committed to that success, and to working with you, and to being a partner. And we look forward to continuing that partnership in the future.

Speaker 1: Thanks for listening. If you would like more information on how Carahsoft or Palo Alto Networks can assist your organization, please visit www.carahsoft.com or email us at paloaltomarketing@carahsoft.com. Thanks again for listening and have a great day.