HSDF THE PODCAST

Whole-of-Government Cyber Coordination and Readiness, Part 1 of 3

Homeland Security & Defense Forum

Welcome to “HSDF THE PODCAST,” a collection of policy discussions on government technology and homeland security brought to you by the Homeland Security and Defense Forum

 In this episode, we pull back the curtain on the complex world of cybersecurity oversight, revealing the delicate balance between streamlining CISA's operations and preserving its essential capabilities. This candid conversation offers a rare glimpse into how Congress shapes America's digital defense strategy during a time of escalating threats.

 Featuring:

  • Katie Arrington, Performing the Duties of the Department of Defense Chief Information Officer
  • Michael Duffy, Acting Federal CISO, Office of Management and Budget 
  • Matt Hayden, Vice President, Cyber Client Engagement, GDIT
  • Luke McCormack, Former CIO at DHS and DOJ (moderator)

This discussion took place July 23rd, 2025, at HSDF's Cybersecurity Symposium, Navigating Cybersecurity Strategies in a Volatile World.

Follow HSDF THE PODCAST and never miss the latest insider talk on government technology, innovation, and security. Visit the HSDF YouTube channel to view hours of insightful policy discussion. For more information about the Homeland Security & Defense Forum (HSDF), visit hsdf.org.

Luke McCormack, Former CIO at DHS and DOJ (moderator):

Thanks for sticking around, and no question that we're going to have a nice active panel discussion here with a lot of horsepower. Actually, I'm going to start with Mr. Duffy, and let's just talk top-line cybersecurity policy priorities, specifically in the CIO, CISO area. Coming out of the White House, paint that top-level brush. Let's start with that.

Michael Duffy, Acting Federal CISO, Office of Management and Budget:

That sounds good. It's good to be here, Luke. Great to see everyone here. I'd say the first thing, Luke, you mentioned this. I can't speak to all the priorities that are happening right now, but I think last month we saw the President's

Luke McCormack, Former CIO at DHS and DOJ (moderator):

We'll crank down into your lane.

Michael Duffy, Acting Federal CISO, Office of Management and Budget:

Cybersecurity executive order that came out, that identified a few really key areas that I think all of us have been tracking as very important for the interagency, for the federal government. These are things like enhancing the way that we look at encryption standards, looking at secure software, making sure that we are using artificial intelligence to identify and manage vulnerabilities, and one that's kind of near and dear to my heart too is modernizing the way that we're looking at the policy mechanisms across government, everything from those who are really deep into the policy world, like looking at Circular A-130, to machine-readable policy standards that allow us to really make sure that we're making progress as a community. So all of those are kind of framing the way that we're thinking about where CIOs and CISOs need to go next when I'm convening the Federal CISO Council. The way that I've been thinking about this is really kind of three categories. The first is on focusing our enterprise cyber defense, to make sure that we're not just looking at individual agencies and how to enhance their posture as an agency, but we have to think about how individual agencies are connecting into the larger whole. I think that's kind of the theme of today's panel, and how we're looking at operational resilience, how we can make sure that we are taking deliberate steps for agencies to hook into this larger enterprise cyber defense mechanism that we built over the years. Notice, I didn't say build it, I said let's focus it, let's make good use of the investments that we've made over the years so we can harness that power. We know that adversaries kind of fit and work within the gaps. They don't respect agency boundaries that are drawn up across agencies. It's important for us to be thinking collectively. How do we make sure we leverage our authorities to do continuous threat hunting? How do we make sure we're enhancing our information sharing, et cetera, et cetera.
That also means, how are we going about rationalizing our cyber investment? How do we look at the tool stacks that we're using? Eliminate any kind of redundancy and duplication. Focus on making this lightweight, meaningful, effective, so that we can take this enterprise approach.

Michael Duffy, Acting Federal CISO, Office of Management and Budget:

The second area that I've been talking about quite a bit is increasing operational resilience. That's something that is the theme, I think, of this summit today, which is timely. I personally think that we've made the right investment over the years in investing in the front half of the NIST Cybersecurity Framework: Identify, Protect, Detect. And right now I'd like to think about how we can, in a cost-effective way, think about the latter half, Respond and Recover. Make sure that we've taken the time to think through the procedures, the protocols, the connectivity across agencies, so we can say we are resilient against all of the threats that we're seeing in this evolving threat environment. That's extremely important right now. Let's plan for that before the next crisis occurs.

Michael Duffy, Acting Federal CISO, Office of Management and Budget:

And the third area is, how do you secure a modern US government? Something that's very important now is the government is thinking about how we change the way that we do business, how we leverage new technology to serve the American people better. All of this plays a role, from post-quantum cryptography to artificial intelligence. And, frankly, how do we make sure that we are ensuring the privacy of American data? How are we looking at enforcing protocols to ensure that any interaction between the US government and the American people is secure? Those things are extremely important. So, as we work this, with the cyber executive order as that framing, I've been convening CISOs to have conversations about what this means, to put this action plan into progress and into action, to make sure we're making progress across the board.

Luke McCormack, Former CIO at DHS and DOJ (moderator):

I appreciate that top line. Katie, let's drop down into DOD. I want to talk specifically about Zero Trust, Target Level 2027. What does that mean and what does that look like? How do you measure it? Are you on target?

Katie Arrington, Performing the Duties of the Department of Defense Chief Information Officer:

On target. I will say that, if you haven't met me...

Luke McCormack, Former CIO at DHS and DOJ (moderator):

Hi, my name's Katie Arrington and I don't take no for an answer.

Katie Arrington, Performing the Duties of the Department of Defense Chief Information Officer:

Hell yeah. And yeah, Zero Trust. So, you know, since, you know, if anybody knows me, I've been talking about this since what, 2019? That the adversary isn't going to wait for us, and that, you know, I use the analogy a lot of the time about the movie Phenomenon, the bunnies are in the farm. Our adversaries are already here in our networks; to think that they're not is ridiculous. So basing everything on the Zero Trust principles is the only way that we can do it. One of the areas that we highly focus on in the Department of Defense is moving everything to Zero Trust environments. That means DISA, that means Army, that means Air Force, you name it. We are moving at, I would say, the speed of which we are doing it. The only thing that holds us back is the amount of employees that we have to do it, to help do that, and I think we've overcome that. So, absolutely, we have Zero Trust principles. Flank Speed, Thunderdome, you name it.

Katie Arrington, Performing the Duties of the Department of Defense Chief Information Officer:

We're rolling out Mission Network as a Service, which is going to be a secret fabric that will be in every COCOM. That way, through ICAM, Identity, Credential and Access Management, working with CDAO. I don't know if any of you know Dr. Doug Matty. He's the director of the CDAO now. We are absolutely working on the data labeling and tagging effort in the department to make sure all the legacy data that we've got moving into these Zero Trust environments is relevant. Do we need it? Is it tagged and labeled appropriately to be in a Zero Trust environment? So I can allow multiples in that Zero Trust environment, but only through the ICAM credential are you able to access that data.

Katie Arrington, Performing the Duties of the Department of Defense Chief Information Officer:

We need to realize that our world, globally, defending the homeland, isn't just here. It is a global presence and we have to have that capability. But Zero Trust, absolutely. The PMO stood up. I couldn't be prouder of Randy Resnick and Dave McEwen and what they have been doing. And then, if any of you are following Paul Stanton, General Stanton, down in DISA, they are moving out like wildfire, and this is the rack and stack of priorities. Zero Trust, CMMC, SWFT are all pieces of the puzzle, as Mr. Duffy was stating, that we have invested in, and now we're going to execute on.

Luke McCormack, Former CIO at DHS and DOJ (moderator):

And we're going to crack open CMMC and SWFT in a minute. But let me ask Mr. Duffy, on the backside. You described Zero Trust, and let's talk civilian here for just a moment, and then I'm going to get Matt's perspective on this. On the backside of that, what does that look like? So 2024, there was a whole lot of goals that had to be met. I think the civilian agencies, if I must say, did a brilliant job of getting there, right? What does that backside look like? And is it this full target level? Is it something different? What does that look like when one realizes that capability, and when do you think that happens? Rough timeframes.

Michael Duffy, Acting Federal CISO, Office of Management and Budget:

I think the way that Katie just described it is really important: that Zero Trust has to be a central piece of this strategy that we are implementing over time. It was really important for us to have meaningful targets, near-term targets, early on, for two reasons. One, because we had to demonstrate progress, because we were coming out of a pretty massive cross-agency incident event that made us think this is the architecture that we need as a government. We needed to show some progress. We couldn't say, we know this takes time, we'll leave it, kind of, however long it takes. So, having those near-term timelines, those milestones, we were able to meet those largely across government, with a lot of support from our partners across the board, and that was important for two reasons. One, because we started to build that foundation of Zero Trust, and two, because we were able to then reflect back that this is a culture change.

Michael Duffy, Acting Federal CISO, Office of Management and Budget:

It's become almost cliche now to talk about Zero Trust as a journey, not a sprint, but if you look at that, everyone keeps asking me, well, what's next? What's the next timeline, what's the next 30 days? This is intended to be a long-term effort. We are very pleased in the way that agencies have thought about this, really been considering what it means over the long term to make these investments, to bring on capabilities, to build upon that foundation of Zero Trust, and we've seen that. We've seen implementation plans that came in at the end of last year.

Michael Duffy, Acting Federal CISO, Office of Management and Budget:

We've been working with our partners over at CISA to see how we can continue to drive progress across the board, and I'll say that right now my focus is on how we look at Zero Trust as reality in practice, not looking at new ways to say, well, in theory, we think it looks like this, or that by the checklist we're seeing this.

Michael Duffy, Acting Federal CISO, Office of Management and Budget:

Looking at things like, in the Zero Trust Maturity Model from CISA, there are cross-functional capabilities. I've been looking at those and am really interested in exploring how we can measure progress, showing that agencies can demonstrate how Zero Trust is supporting their security operations, how they are using visibility and analytics to detect adversarial activity, how we can look at how the interoperability across those Zero Trust pillars is showing actual progress and not just showing another metric, and I think that's an important place for us to be in. I think that's a positive place. We've hit the foundations, we've shown progress as an enterprise, and now's the time for us to think about what it means to mature over time, what it means to operationalize these investments and actually deliver on the commitments that we made as a cybersecurity community.

Luke McCormack, Former CIO at DHS and DOJ (moderator):

Yeah, and I just wanted to underline investment. I think that was really important, right? Once we got laser focused on top priority, we were able to put the right investments in place to realize these things and implement them. Matt, you've sort of sat on both sides of this fence, so to speak, and seen it from both perspectives. What's this look like from an industry perspective, and are the right requirements being generated? Do we have the right demand signals? Are you all, as an industry, prepared to sort of take it on to the next level, the backside of this, we'll call it for a moment, and help realize those? Do you understand what that means?

Matt Hayden, Vice President, Cyber Client Engagement, GDIT:

So the good news is the industry has a very good idea of how the government's being targeted, because we're being targeted too. The threat space isn't limited to government, and so, as a large defense contractor, or someone that supports anyone in that supply chain, you now have become a bigger target, as the Pentagon has, and so the strengths of understanding how to defend yourself cascade into a lot of these conversations we have with industry, where we're leveling things to make things harder, to look at the control sets we have. And what we're seeing from the threat landscape is that there aren't as many low-hanging fruits across the enterprises that we work with, whether they be in government or out, and you start to see them going after individuals and starting to attack the identity layer, and, instead of investing a lot of the adversarial capital into a single vulnerability, they start going to marketplaces to try and obfuscate how they're working, so that they don't have to just rely on single tool sets, because they're less successful right now. So Zero Trust is having an impact at scale across the board. The challenge is nimbleness, to both Ms. Arrington and Mr. Duffy's points.

Matt Hayden, Vice President, Cyber Client Engagement, GDIT:

It's difficult to pivot in the cyber enterprise landscape if you don't have a baseline set of flexible and dynamic tools, and that's what we're seeing the government investing in. They're not saying, build me something that's safe for today. They're saying, build me something that's safe for today that has the ability to be dynamic and incorporate additional controls into the future as we see adversaries challenging our defenses. And that's where we're looking to work hand-in-hand with all our government and, candidly, our state and local partners, to have a shared perspective of where those services are needed and to work across the board to make sure they have the ability to share information with government, so they get those tea leaves and indicators and warnings early on as well. So we all have this shared vision and strategy of what the next generation of hardening needs to be.

Luke McCormack, Former CIO at DHS and DOJ (moderator):

And, by the way, I didn't mention, we'll book about 10 minutes at the end here to make sure that we've got enough time for some good question and answers. So stay tuned for that and get those teed up. Katie, I'm going to jump back to you and talk about CMMC. You mentioned it a moment ago. How are we doing there? Is it going as intended? Big vendors, small vendors, what's that look like from where you sit at this point?

Katie Arrington, Performing the Duties of the Department of Defense Chief Information Officer:

Well, I started it in 2019 and we're in 2025. So I'll say, you know, what we need to do better. She is alive, she is happening. I don't know if you saw the memo from the Secretary of Defense on Friday afternoon codifying it. We are moving out on the CMMC, and I'll say one of the things... Hell yeah, hell yeah, and more, and twice on Sunday.

Katie Arrington, Performing the Duties of the Department of Defense Chief Information Officer:

So here's why I say this, and I've gone out and spoken so many times about this. Your companies that work with you or for you, they're going out and telling the world on LinkedIn and everywhere else how hard the CMMC is for them. They're actually telling you that they're not doing the NIST 171, which means you are just as vulnerable as they are. The CMMC was not brought into the sphere because we wanted a, you know, harder, you know, bigger barrier to entry. It was because industry was not complying with the law. That's the full stop. We created a law in 2014. Barack Obama wrote an executive order that said the Department of Defense, the DIB, is your partner. You do not fight wars alone and you have to be as secure as each other. If I'm not secure, you're not secure, and the weakest link in any supply chain will be the downfall. So it was an imperative, a critical security imperative, to make sure that industry understood we mean business, and it's not because we want to make it harder. The problem set is, if you get hit with Salt Typhoon, Volt Typhoon, ransomware, you're not part of my network. That means I've lost a piece of my battle space, my capability. We need you, and that was the impetus of why the CMMC is going down. I will say most of our large, GDIT being one of them, they have fully complied. They went through the joint surveillance early and often. But in the beginning of the CMMC in 2019, I was opening up and people had POA&Ms to 2099. 2099. So it is happening now.

Katie Arrington, Performing the Duties of the Department of Defense Chief Information Officer:

The small businesses that are saying that it's hard. Okay, I hear you, but instead of telling me what, tell me what. In the institution of the NIST itself, Ron Ross is the godfather of the NIST 171. Tell me what requirement within the NIST is a barrier for you. Let's talk about that. Don't tell me the whole thing is too hard, and let's start breaking it, you know, with a scalpel. And I say to the large primes, you've got to look at your supply chain.

Katie Arrington, Performing the Duties of the Department of Defense Chief Information Officer:

You have to look at cost realism, because if you're saying that you're not doing it, and you're out on LinkedIn telling your vendor, hey, CMMC is too hard, the audit is too hard, are out defending this nation, 100% protected, working hand in hand with the Department of Defense. We would never have been that, I would say, demonstrate capability to show that we mean business, and peace through strength is the only thing that our civilization is ever going to be banked on, because adversaries, if you do peace through prosperity, they're going to look for more money. And you look at what happened in Iran, and every single one of the contractors, the subcontractors on that were locked down solid. The adversary didn't see it coming, and years of your tax dollars' investment went into that, and you watched a precise hit taking out one of the most existential threats to humanity, which is Iran having a nuclear capability. And we should be proud as a nation that we did that.

Katie Arrington, Performing the Duties of the Department of Defense Chief Information Officer:

But remember, I'm only as good as the weakest link within the supply chain, and our adversaries are not going at the General Dynamics IT level. They're going down. They're going this way, then they're going this way, then they're going this way. So CMMC is not going anywhere. She's here to stay. Enjoy her, embrace her, tell me how to make her better, not tell me she's too hard. She is a she, she's mine, she's my baby.

Luke McCormack, Former CIO at DHS and DOJ (moderator):

Large and in charge. You heard it from the boss: yes, here to stay. Wanted to make sure that she had the platform to make that point. And let's face it, these collateral systems, that playbook gets run over and over. We saw it with OPM, we see it.