HSDF THE PODCAST

Whole-of-Government Cyber Coordination and Readiness, Part 3 of 3

Homeland Security & Defense Forum

Welcome to “HSDF THE PODCAST,” a collection of policy discussions on government technology and homeland security brought to you by the Homeland Security and Defense Forum.

Federal cybersecurity leaders discuss how they're measuring security outcomes beyond tool deployment, focusing on operational metrics like mean time to detect, respond, and recover. The panel shares insights on industry-government information sharing, the SharePoint vulnerability response, and how interagency coordination is creating resilience against nation-state threats.

Featuring:

  • Katie Arrington, Performing the Duties of the Department of Defense Chief Information Officer
  • Michael Duffy, Acting Federal CISO, Office of Management and Budget
  • Matt Hayden, Vice President, Cyber Client Engagement, GDIT
  • Luke McCormack, Former CIO at DHS and DOJ (moderator)

This discussion took place July 23rd, 2025, at HSDF’s Cybersecurity Symposium, Navigating Cybersecurity Strategies in a Volatile World.

Follow HSDF THE PODCAST and never miss the latest insider talk on government technology, innovation, and security. Visit the HSDF YouTube channel to view hours of insightful policy discussion. For more information about the Homeland Security & Defense Forum (HSDF), visit hsdf.org.

Luke McCormack, Former CIO at DHS and DOJ (moderator):

Please, right here in the front, hold for the mic, though, please.

Audience:

Rob Cooper of Palo Alto Networks. I guess the question is for Mike. We talk a lot about measuring deployment of tools and capabilities. In the FedCiv space we track our investments pretty well. I think $12 billion in the '26 budget in cybersecurity spend is proposed. How are we measuring cybersecurity outcomes, and how are we holding agencies accountable for performing against those metrics?

Michael Duffy, Acting Federal CISO, Office of Management and Budget:

It's a great question, and I guess it's the logical follow-on of what I've said about zero trust remaining kind of core to our cyber strategy. One of the things, as I mentioned, is looking at how that interoperability across the zero trust pillars, how we make that real, how we measure operational success in deploying these capabilities: mean time to detect, mean time to respond, mean time to recover. Level those out, make sure that agencies have that as a metric that they are measuring progress against as they are integrating and deploying zero trust architectures across their environment with capabilities and making deliberate steps to shorten those time periods. That's an outcome that we are working towards right now, to show that zero trust isn't just a checklist and it isn't just the initial sprint that we took several years ago, but we're actually reshaping the way that we look at security operations, at cyber defense mechanisms. All of the above: let's find a metric and a way to measure that, and the mean time to detect, respond and recover are really important for us.

Audience:

Hi, Greg Bunwin from Siemens. First I want to thank Ms. Arrington for coming back to government. Thank God you did, because we needed your help. And I can tell you, if you get to continuous ATO, I've got my CIO willing to get a CMMC tattoo.

Speaker 6:

Awesome. I love it.

Audience:

Please get to connect. That is such a breath of fresh air for industry. One of the things I was curious about, though, is you, and also how OMB is looking at this from the federal CISO standpoint. Are you getting information coming to you from industry? How can we do better at providing you the things we're seeing? I mean, we're always asking you: tell us what threats you're seeing, tell us how we can impact what you need. Are you getting the same type of information from us back to you, showing where our threat vectors are coming from?

Speaker 6:

Absolutely, I can speak to that directly. There are people that you know. I would say one of our greatest vulnerabilities right now is open source software. You know, we have to think about where we're getting the source from, right, and I get more from industry on that, you know, when they're finding vulnerabilities in source code from open source. I mean, that's one of my main areas that I get a great deal of feedback from industry on. Other areas that industry has been really great at communicating with me, and I can speak for just myself: in my office I'm bringing in industry every day and asking them, what are the major thwacks that are happening that I'm not doing enough to help and assist? So it's good feedback.

Speaker 6:

But the doors of the Pentagon are open. I've always had that mentality that I work for the taxpayer; I work for you guys. We need to hear from you what's going on, what's working, what's not working. That will continue for as long as I'm around, but you know I'm going to hold the bar as high as I hold it for myself, as I hold it for you. But I think that's where industry really has been coming in a lot and telling me, you know, oh, this open source is an issue, right. How do we crack down on it?

Speaker 6:

You know, one bad line of code in an open source capability spreads like wildfire, and I think that's where we need to start thinking, because the adversary pivoted, right. When we said Huawei bad, ZTE bad, you think they went away? Do you think that they just said, oh, we'll just walk away? They have been pivoting through those networks and going through that capability, so we always have to look at the next venture. But I appreciate it, Siemens. You guys have been a great partner. In fact, you were part of one of our original studies on Swift, so we thank you.

Luke McCormack, Former CIO at DHS and DOJ (moderator):

I think we have time for one last question and I want to give each panel member a moment to ask or give some parting thoughts over here.

Katie Arrington, Performing the Duties of the Department of Defense Chief Information Officer:

Hey guys, Justin Doubleday with Federal News Network. Hey, hey, I think I talked to all of you. SharePoint, or the SharePoint vulnerability, [inaudible], that's for kind of Michael and Katie, but it's going to be on Michael, right.

Michael Duffy, Acting Federal CISO, Office of Management and Budget:

I'm happy to start a bit. I mean, timely question. Luke mentioned how we are reflecting on and responding to these kinds of cross-government events and incidents that we're seeing. I can say it's early in the coordination process right now, but the partnerships that we've built through CISA and industry partners, and the interagency coordination mechanisms that have been going on, the investments that I mentioned in technology across the enterprise, have done their job, and I think that's a good place for us to be as a government: knowing where to focus our efforts, how to communicate issues and patch information, and other coordination that needs to follow on. That is happening right now.

Michael Duffy, Acting Federal CISO, Office of Management and Budget:

As we speak, people are back at my office and other offices having these discussions. The process is moving forward in that way. I think we'll learn more, kind of, as far as the lessons learned, but early, it looks a lot like what I mentioned of the lessons learned already, which is: patch quickly, make sure that you are fully engaged in the interagency process, you know who to call and how to call, and how to leverage the capabilities and the investments that you've made over the years. We've seen that many agencies have taken those lessons and implemented them and are finding themselves in a better place because of it.

Speaker 6:

I'll just double down on that one. I think the interagency coordination has been absolutely insanely good, and the fact that we caught it early, right. We got on it, we notified everybody, we turned the lights on. Instead of trying to hide something, we put it out there. This is bad. Patch it. Stop it now. That's got to be the culture that we take. There is no 100% guaranteed perfect system, right. But if you have secure by design principles, you work in zero trust, you make sure you have a cybersecurity culture and you have the interagency cord. We are on it and we are working together.

Speaker 6:

I know that as I was walking in, I was reading emails from Greg, from your office, from the FBI. I mean, we're all involved, but things are gonna happen. Our adversaries are trying everything to get at us. I mean, I think everybody needs to remember we are the target for the world. We are not talking about Chinese espionage; we are talking about Chinese, Russian, Iranian, North Korean all coming down on our networks. We have to be one team, one fight, and when things like this happen, we need the communication. I applaud the NSA Cyber Collaboration Center. They got the patches out ASAP. The DC-3 is up and live in the Department of Defense, and just being aware that we're the target of the world, folks, and bad things are going to happen, our ability to have policies and practices in place, to react to them timely and to lock them down is what's going to keep us at the bleeding edge. And we are the bleeding edge. We are the world leaders.

Luke McCormack, Former CIO at DHS and DOJ (moderator):

You know, when they were bombing the buses in London, they learned the best defense there was resiliency, right, and these things will happen and you need to become resilient, and 90% of these incidents is how you respond to them. With that, we're going to start with closing comments. Matt, with you first, please.

Speaker 5:

Just a quick stop. The threat environment is getting nothing but noisier. The attribution is getting nothing but harder. The defenses are strengthening and becoming more dynamic, but what we're seeing is we now have great leaders in place in government that aren't taking the speed of government as an answer any further, and then we're seeing government moving in a way that is dynamic and looking for acquisition vehicles, opportunities and, candidly, walls to knock down that make it easier for those that are supporting warfighters, or warfighters themselves, to get the right tools at the right time. We are looking forward to zero trust for OT being fully implemented. That's that Volt Typhoon sector environment, because one of the biggest things we see with the government is their wallet. And when OT and ZT combine, that's when we can work with critical infrastructure to really get them locked in the same way, and there's a lot of investment being made there. So that's the future projection: that operational technology landscape.

Luke McCormack, Former CIO at DHS and DOJ (moderator):

Sounds very promising, Michael.

Michael Duffy, Acting Federal CISO, Office of Management and Budget:

I think my final note is we are seeing progress. We are demonstrating progress as a community. I think that we, as I said at the beginning, this isn't about, hey, let's start looking at collective cyber defense, let's start looking at enterprise cyber defense. Let's just make it happen. Let's build upon what we've already put forth. Let's build on the foundation of zero trust. Let's take advantage of cross-government initiatives and programs and the collective buying power of government, things like the Continuous Diagnostics and Mitigation Program, it's CISA's for the federal civilian agencies, and make good use of it. Let's optimize this investment. Let's find ways to be more efficient as an interagency. Recent events have shown us that that matters. That type of quick response and reaction, the coordination across the government, is making a difference. It's also allowing us to watch adversaries move their techniques, which ultimately benefits us as a nation. We can share what we're seeing across our departments and agencies and make sure that we're one step better moving forward.

Luke McCormack, Former CIO at DHS and DOJ (moderator):

Well said. Katie, take us home.

Speaker 6:

Wow, okay, it's not perfect, but damn, we're the best. And amen and hallelujah, and twice on Saturday. And strong leadership matters, clear demand signals matter. I would love Congress, and I can say this if it gets me in trouble, I would love, you know, a three-year budget where we didn't have a color of money and we were able to do the things we need to do, and I appreciate, thank you, Congress, for reconciliation. But industry, you guys are our partners. We don't fight wars without you; we win wars with you, and that is my motto: one team, one fight. Nobody's perfect. The only guy that was has already gone back to heaven, and let's work together instead of working against each other, because this democracy, this republic, is worth fighting for.

Luke McCormack, Former CIO at DHS and DOJ (moderator):

Thank you. We have three patriots, three warriors and three leaders here, and we're damn lucky that they're doing what they're doing to fight the good fight every single day to keep this country safe. Thank you all very much.

Speaker 6:

Thank you.