HSDF THE PODCAST
The Homeland Security and Defense Forum proudly presents HSDF THE PODCAST, an engaging series of policy discussions with senior government and industry experts on technology and innovation in government. HSDF THE PODCAST looks at how emerging technology - such as Artificial Intelligence, cloud computing, 5G, and cybersecurity - is being used to support government missions and secure U.S. national interests.
Whole-of-Government Cyber Coordination and Readiness, Part 2 of 3
Welcome to “HSDF THE PODCAST,” a collection of policy discussions on government technology and homeland security brought to you by the Homeland Security and Defense Forum
Defense cybersecurity leaders discuss lessons learned from recent major cyber events and initiatives to transform outdated security processes. Government agencies are working to improve operational collaboration, speed up software acquisition, and counter nation-state threats through cultural and technological transformation.
Featuring:
- Katie Arrington, Performing the Duties of the Department of Defense Chief Information Officer
- Michael Duffy, Acting Federal CISO, Office of Management and Budget
- Matt Hayden, Vice President, Cyber Client Engagement, GDIT
- Luke McCormack, Former CIO at DHS and DOJ (moderator)
This discussion took place July 23rd, 2025, at HSDF’s Cybersecurity Symposium, Navigating Cybersecurity Strategies in a Volatile World
Follow HSDF THE PODCAST and never miss the latest insider talk on government technology, innovation, and security. Visit the HSDF YouTube channel to view hours of insightful policy discussion. For more information about the Homeland Security & Defense Forum (HSDF), visit hsdf.org.
Luke McCormack, Former CIO at DHS and DOJ (moderator):Let's talk about lessons learned with, well, with Volt Typhoon, et cetera, right, all of these different, various events that have happened over the course of the last few years. Reflecting back on that, let's start with you, Michael. From where you sit today, knowing all the things that we've put in place, the anticipation of things that we will be doing, the experiences that we've had from these situations, what's the lessons learned?
Michael Duffy, Acting Federal CISO, Office of Management and Budget :All the lessons learned from all of those major events. What we're seeing? The need to patch more rapidly, to have true operational collaboration across industry, government, interagency.
Luke McCormack, Former CIO at DHS and DOJ (moderator):Is that getting better? It seems like, you know, I'll just be critical here for a minute. It seems like we keep saying the same thing when these things happen, right, and you know, it hits the fan and we're on the phone, as they say. Yeah.
Michael Duffy, Acting Federal CISO, Office of Management and Budget :I think that's where I mentioned that operational resilience is one of my top priorities as I'm working with interagency CISOs. Because of that, making sure that we are working as quickly as possible, leveraging the technology that we have, making sure we have the right people in the right places, taking on these tasks in the right places. I think the sharing has gotten a lot better across the interagency, with partners, with DoD and FedCiv, with others. I think that realization that lessons we learned of a patch comes out and time to exploit is narrowing, and we know that if something is hitting one agency or entity, it's only a matter of time before it hits something else. So let's make sure that we're sharing that information effectively and, practically speaking, how we are closing off that attack surface. All of those are lessons over time that you build on top of that. You're looking at the kind of living off the land type activities. You're looking at leveraging kind of a business infrastructure to evade detection. How are we looking at the tools and capabilities that we have right now? I mentioned this early on in the conversation. It's time to really rationalize our tool sets that we have. Do we have what we need for today's adversaries, for the threat environment that we're dealing with? Do we have the mechanisms in place to be able to respond fast enough? Many are saying right now, with artificial intelligence, maybe not. Maybe we do need to rethink how these mechanisms work to share information.
Michael Duffy, Acting Federal CISO, Office of Management and Budget :I think what's important now, Luke, is that we are looking across the board, understanding that attack surface and being able to, as a community, prioritize what to do first, and that is something that I think we've done effectively over the years is, say, we are seeing movement in this area. Let's take that in, let's assess what that means for the larger interagency and let's take action more collectively. Obviously, more work needs to be done, but that cycle of being able to see something happening in one part of government and transitioning that into a fix somewhere else is important. Now, the final thing I'll say to that is we've seen time and time again that adversaries are working on the other side of it. They are. As soon as we deploy EDR technology, they're hitting edge devices. As soon as we make progress on patching for this type of device, it's somewhere else. So they are creative, they are agile. We need to make sure that the broader enterprise cyber defense apparatus is equally agile, that we are able to adapt and change the way that we are defending, because this is happening at such pace.
Luke McCormack, Former CIO at DHS and DOJ (moderator):Matt, I'm going to ask you, you know, you all, in particular, a lot of other companies in the same situation, right, you're in the Intel community doing God's work in regards to the security environment, certainly over at DOD, in the civilian areas. What's that look like as far as the gaps and the capabilities there across those three spectrums, when it comes to lessons learned and then things that we need to be doing as a community to sort of shore that up and make sure that environment across that ecosystem is working as intended?
Matt Hayden, Vice President, Cyber Client Engagement, GDIT:We see strengths in every bucket, and so when we look at DoD, we see the DODIN and we're like, oh my gosh, the controls, the ability to deploy across all those nodes and all those environments and to have that consistency and to mature as a bulk. At the same time, in the IC environment, you're talking about a strong set of air-gapped environments that have added layers of security. Then you look at the civilian population and you're like, oh, they can actually work pretty nimbly and pretty quickly in certain cases to evolve some of their maturity, because they don't have as much tech debt in some of these legacy systems, and so there's advantages to each. What we'd love to see is some of that get stretched across. And so where can we learn from the DoD shared services model, where you can actually take some of that security liability out of operators' hands and provide them with secure environments that actually have those in place? At the same time, looking at the way the IC responds to threats and make people more resilient to some of these hard asymmetric warfare activities of nation-state actors. I mean, we're talking about Volt Typhoon.
Matt Hayden, Vice President, Cyber Client Engagement, GDIT:This is asymmetric warfare by a nation-state. That's not somebody in their basement trying to sell you or rip you off for a few Bitcoin. This is the type of adversary that everyone's getting popped on, from the gov, the mil and beyond, and there are strengths in each. What we're hoping, as we evolve and mature and get some of this tech debt out of the way, is that we can start to have some of these shared understandings across all those pillars where they start to work as a cohesive unit, which is what we're seeing in the foundations being laid out. It's just there isn't a CIO for the government, no offense, that touches all of them directly in a way that can say thou shalt all make the strengths of your shared environment stronger, and so, because of the way we've got things a little pillared, it does make it to where we have some strengths that aren't as shareable with others.
Luke McCormack, Former CIO at DHS and DOJ (moderator):We're going to talk about interoperability in a minute, but let's talk about secure environments. Katie, you mentioned Swift. What is Swift? I heard you're going to blow something up. I'm not sure what it is. Hard enough. Yeah, so explain to everyone what this is, what you're going to blow up and how the world's going to be better because of it.
Katie Arrington, Performing the Duties of the Department of Defense Chief Information Officer:So, first and foremost, when the SECDEF came in, one of the first memos he executed was the software acquisition pathway. I was a co-author of that back in the Trump one administration, because software is in everything. What is not software enabled? And why are we trying to cram EVM into milestones and development within software? Well, that's great, but if we don't have a way to ingest software rapidly, then we're stuck on silly again. So I'm like, oh well, you can give me your SBOM, and generally, you know, and JC Hertz is sitting in the prior colleague of mine, she actually taught me this, you can go and ask me for an SBOM, and what I'm going to do is take 90 days and I go back and I'm going to clean up my software and make sure it's good and the code is clean, right. How about you just do this? You give me a third-party audit and you give me what you have. We ingest that into eMASS and I have AI and large language models on the backside to show me the deltas, and let's just talk about the deltas. If all the prerequirements are met, okay, let's give you a provisional ATO and let's get you into the systems.
Katie Arrington, Performing the Duties of the Department of Defense Chief Information Officer:The RMF process is coinciding with that, right, which is an old, archaic way of doing things, waiting for 167 signatures to say that software is good. We need to use our capability of industry, because you guys have led this. I've interviewed virtually every large prime. Do you do continuous ATOs? Yes. Wow, how do you do it? That's what the RFI was about. So we are automating the process. Continuous monitoring, we're going to be red teaming, we're going to be looking at the risk factors and more empowering the CSSP so that they're the true cyber defender that they need to be, and make sure that they have the training and the education that they need, because an ATO, the way we looked at it five years ago, is a static document.
Katie Arrington, Performing the Duties of the Department of Defense Chief Information Officer:It's not real world. It's not what the network looks like today. It's not what the software looks like today. Imagine how often a patch goes out or an update, and we're dealing with these ATOs that are archaic, that are keeping innovation away from the warfighter. So, software acquisition pathway, a way to ingest software quickly, rapidly going through the ATO process, going down from years to weeks, and making sure that our warfighter has the most lethal warfighting weapons they have at their fingertips. Because industry, you've shown it can be done. Now it's time for the Department of Defense to do the same.
Luke McCormack, Former CIO at DHS and DOJ (moderator):So is this in parallel or, I guess, in conjunction with just what Jen used to call software by design, right? Oh, absolutely.
Katie Arrington, Performing the Duties of the Department of Defense Chief Information Officer:Software by design is the base, core principle of software. But understand through. You know, you made a point, Matt, about tech debt, right, and Mr Duffy as well. You know, I look at a lot of software companies that have bought small company B, small company A. They have ingested tech debt over decades, unbeknownst. Our adversary knew what we would be doing, so having that third-party analysis is actually a good way to look at what your company, what really is in your source code. You may not realize that. You know, I bought this company and this company. Oh, by the way, this container was built by Huawei and it's somehow in my stack. So it's using the tools that industry has been amazing at creating and ingesting them rapidly to use innovatively for the warfighter.
Katie Arrington, Performing the Duties of the Department of Defense Chief Information Officer:I work for the Secretary of Defense, who is lethality, readiness and efficiency, and software-enabled everything is everything, and I've got to get it to the warfighter and into the market faster, and these are just steps that we've put into the process, with safeguards like the CMMC and Secure by Design, to make sure that you have a, and I think you said it, the culture that is the more important thing. All of these things come together. You know, we looked at the industrial revolution as a cultural shift.
Katie Arrington, Performing the Duties of the Department of Defense Chief Information Officer:We are now in an AI software-enabled cultural shift, and you have to have the cultural presence of cybersecurity and secure by design. It's a movement of culture, and this administration, people like Mr Duffy, who's a great teammate to have, Matt and industry, these are teammates that are working to the same goal, and the fact that we have that very defined, we're prioritizing. We can't fix everything, but the core principle is a cultural shift that cybersecurity, cyber readiness, cyber awareness is everything. Because tell me something in your life today that doesn't have cyber, and I love the person that says love, because I met my husband on eHarmony. The algorithm works.
Luke McCormack, Former CIO at DHS and DOJ (moderator):True fact. Michael, talk about software design, software security by design, okay, and maybe every two to three weeks it seems like we hear about GSA doing another super deal with one of these vendors, whether it's Google or Microsoft or Oracle, et cetera. I'm curious to understand what kind of conversation are they having in regards to ensuring the integrity of the software, because, let's face it, there's been a couple of whoppers with some of these companies that have really exposed us from a government standpoint. Now we're doing these super deals. It seems like we have a lot of leverage in those types of situations. What's the thought process? How do you all get involved in that? Or is that discussion even happening when they're doing those deals?
Michael Duffy, Acting Federal CISO, Office of Management and Budget :It's a good question, because we have seen that one gov movement of late and, Matt, I think you said it, which is we leave a lot on the table when we aren't operating as one cohesive government. If there are silos, if there are different conversations happening across the government, it's hard for our partners to really understand where our priorities are, what we're expecting of these partnerships and what we need from kind of that secure by design and kind of the software principles that we're working towards. I should mention that in the cyber executive order, we are very focused on the secure software lifecycle, how we're working with NIST on the SSDF. All of this plays a role that Ms Arrington mentioned as well.
Michael Duffy, Acting Federal CISO, Office of Management and Budget :One area that I think is encouraging is how we've been able to build in security by default through initiatives like CISA's Secure Cloud Business Applications effort, what they call SCuBA. It's working with big players across government and saying let's put together what is the elevated security configuration baseline that all agencies are expected to apply across their environments. This isn't one contract for all of government in that case. This is how we apply these security controls individually but in a cohesive way, in a way that we can say no one forgot to click the button on a certain control or we are missing some of the capabilities that we've procured. This is making sure that there is a secure baseline across the federal government. You saw that in a directive last year in how CISA is moving that forward.
Michael Duffy, Acting Federal CISO, Office of Management and Budget :Omb has been supporting that through conversations with agencies to make sure that they have a handle on what their security posture is through these discussions, through these types of initiatives. So that's one area, luke, that I think is important to footstomp is the fact that there is both the front end of having those conversations with industry. This is the expectation. Here's how we would like to see security built into our products. It's also happening retroactively to say let's build out this secure baseline, so we're all operating in a similar way, we've operationally aligned. So when we're all operating in a similar way, we've operationally aligned. So when we're having conversations about technology, we're seeing eye-to-eye on those topics.
Luke McCormack, Former CIO at DHS and DOJ (moderator):Well, I've got a few more good questions, but I'm going to hold them because we've got a 10-minute signal here and I want to leave enough buffer for some questions. Here's one. Wait a minute, you can't ask a question.
Audience:I'm actually curious about operational security, like Chinese back-end IT support for our military systems.
Luke McCormack, Former CIO at DHS and DOJ (moderator):Is that mic on? I don't think it is. Okay, hear me, there you go, yep.
Audience:So my question is about operational security, because we can assure software products all we want, but if we're getting our IT back-end support from China for our military networks, there's an issue. How are you guys thinking about operational security for all the people that either directly or indirectly touch our systems? Because this seems to be a gap.
Katie Arrington, Performing the Duties of the Department of Defense Chief Information Officer:Can I answer that?
Luke McCormack, Former CIO at DHS and DOJ (moderator):Fire away.
Katie Arrington, Performing the Duties of the Department of Defense Chief Information Officer:So I assume that you are hinting at the ProPublica article from last week about Microsoft and the digital escorts.
Luke McCormack, Former CIO at DHS and DOJ (moderator):It seems to be a coincidence.
Katie Arrington, Performing the Duties of the Department of Defense Chief Information Officer:Yeah, a little bit. So what I would say is there's no Chinese individual sitting in the back room of any office touching my network. Full stop. That is in the contract. That has been, you know, we have walked that dog 90 ways from Sunday. We have security protocols that, even if they were to do something like that, which they're not, in my networks, on my systems, I have security protocols in place, just like every single one of you, that that would not get through. Now, does Microsoft have other entities that they do that with? Absolutely, they're a global company. But I can rock solid assure you, from the CEO down, that on my networks, what is being touched, the digital escorts are either cleared US defense contractors or have cleared personnel to overlook them.
Katie Arrington, Performing the Duties of the Department of Defense Chief Information Officer:But that's why the SECDEF put the memo out. Full stop, that is the way we work. Now, how do we get China out of our supply chains and out of our software supply chains? That's where Swift is coming in, and we have to ensure that we, and to Mike's point earlier, we have a lot of good requirements for security, but unless they're enforced they do no good. They're only good on paper, and I can tell you, when I heard that article pop out, the first thing I did was pull out the contracts, called up the companies and said walk me through it. Let me look at your SSP, and what are you doing day to day? And we're not going to hit 100% every single day because, yet again, we're relying on industry to do the job, what they're contractually obligated to do. But I can say that without fear, from where I'm sitting today, that I'm not worried that there's a Chinese operator in my IL5 or IL6 cloud on the high side doing anything. Full stop.