113 HR 4500 IH: To improve the management of cyber and information technology ranges and facilities of the Department of Defense, and for other purposes. U.S. House of Representatives 2014-04-28 text/xml EN Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.

I 113th CONGRESS 2d Session H. R. 4500 IN THE HOUSE OF REPRESENTATIVES April 28, 2014 Mr. Kilmer (for himself, Ms. Tsongas, and Mr. Connolly) introduced the following bill; which was referred to the Committee on Armed Services A BILL To improve the management of cyber and information technology ranges and facilities of the Department of Defense, and for other purposes.

1.

Cyber and information technology ranges

(a)

Management of cyber ranges and facilities

Subsection (b) of section 932 of the National Defense Authorization Act for Fiscal Year 2014 (Public Law 113–66) is amended— (1)by adding at the end the following new paragraphs: (3)

List of cyber and information technology ranges and facilities

(A)

In general

The Principal Cyber Advisor designated under subsection (c)(1) shall establish a comprehensive list of the cyber and information technology ranges and facilities of the Department of Defense. (B)

Terminology

In establishing the list under subparagraph (A), the Principal Cyber Advisor shall denote whether each cyber and information technology range and facility is— (i)a cyber range, as defined by the Principal Cyber Advisor pursuant to subsection (c)(2)(C); or (ii)an IT range, as defined by the Principal Cyber Advisor pursuant to such subsection. (C)

Submission

Not later than one year after the date of the enactment of the National Defense Authorization Act for Fiscal Year 2015, the Principal Cyber Advisor shall submit to the congressional defense committees the list established under subparagraph (A). (4)

Management of systems

The Principal Cyber Advisor shall determine, on a case by case basis, whether a cyber and information technology range and facility listed under paragraph (3)(A) should be centrally managed under paragraph (5) to increase efficiency, provide capability or capacity to more elements of the Department of Defense, or both. (5)

Coordinating entity

(A)

Establishment

Not later than 270 days after the date of the enactment of the National Defense Authorization Act for Fiscal Year 2015, the Secretary of Defense shall establish an entity, or designate an element of the Department of Defense, to coordinate cyber and information technology ranges and facilities that the Principal Cyber Advisor determines should be centrally managed under paragraph (4). (B)

Duties

With respect to the cyber and information technology ranges and facilities designated under paragraph (4), the head of the entity established or designated under subparagraph (A) shall be responsible for the following: (i)Managing the cyber and information technology ranges and facilities, including coordinating the scheduling of ranges and facilities. (ii)Identifying and providing guidance to the Secretary with respect to opportunities for integration among the cyber and information technology ranges and facilities regarding testing, training, and developing functions. (iii)Assisting the military departments, the National Guard, and the elements of the Department gain access to the cyber and information technology ranges and facilities. (C)

Reports

The head of the entity established or designated under subparagraph (A) shall submit to the congressional defense committees— (i)an annual report on the opportunities for cost reduction and improvements to the integration and coordination of the cyber and information technology ranges and facilities; and (ii)by not later than one year after the date of the enactment of the National Defense Authorization Act for Fiscal Year 2015, an initial report on the status, integration efforts, and usage of cyber and information technology ranges and facilities. (6)

Cyber and information technology ranges and facilities defined

In this subsection, the term cyber and information technology ranges and facilities means cyber ranges, test facilities, test beds, and other means of the Department of Defense for testing, training, and developing software, personnel, and tools for accommodating the mission of the Department.; and (2)in the heading, by inserting and information technology after Cyber. (b)

Common terms

(1)

In general

Subsection (c)(2) of such section is amended by adding at the end the following new subparagraph: (C)Establishing and maintaining a list of terms and definitions with respect to commonly used terms relating to cyber matters to improve the coordination and cooperation among the military departments and among other departments and agencies of the Federal Government.. (2)

Establishment

In carrying out section 932(c)(2)(C) of the National Defense Authorization Act for Fiscal Year 2014 (Public Law 113–66), as added by paragraph (1), the Principal Cyber Advisor shall— (A)establish the list of terms and definitions by not later than 270 days after the date of the enactment of this Act; and (B)use as a basis for such list Joint Publication 1–02, Department of Defense Dictionary of Military and Associated Terms (as amended through 31 January 2011). (c)

Pilot program

(1)

In general

The head of the entity established or designated under section 932(b)(5)(A) of the National Defense Authorization Act for Fiscal Year 2014 (Public Law 113–66), as added by subsection (a), shall carry out one or more pilot programs to demonstrate commercially available, cloud-based cyber training, exercise, and test environments (both unclassified and classified) that are available to meet the mission of the Department of Defense while providing the defense laboratories, the National Guard, academia, and the private sector access to such training, exercise, and test environments. (2)

Evaluation

The pilot programs under paragraph (1) shall evaluate the costs and benefits with respect to the following matters: (A)Persistent capability. (B)Remote access. (C)Capability to transfer information across classification levels. (D)Reuse of environments. (E)Routine integration of new technologies. (F)Use of commercially available cloud-based solutions that are compliant with the Federal Risk and Authorization Management Program. (G)Pay-per-use utility pricing model. (H)Any other matters the head determines appropriate. (3)

Eligible entities

The head shall select, using competitive procedures, defense laboratories and federally funded research and development centers to carry out pilot programs under paragraph (1). (4)

Follow-on activities

Based on the information learned under the pilot programs under paragraph (1), the Secretary of Defense may carry out any of the following activities: (A)Transition a pilot program to be carried out by the Secretary for operations, maintenance, and continued use by cyber organizations of the Department. (B)Provide persistent year-round accessibility of the environment for continued training during non-exercise periods. (C)Provide a certification quality environment for initial and recurring training of all cyber teams. (D)Replicate the capability of a pilot program to provide similar high-end training and exercise opportunities for non-Department cyber professionals, including in coordination with the Secretary of Homeland Security. (E)Sustain the research and development effort under a pilot program to continue updating network environments, targets and defended assets, and integration of new cyber tools. (F)Sustain technology infusion under a pilot program to apply and evaluate advanced concepts and solutions to problems that affect multiple mission spaces of the Department. (G)Create a library of virtual cyber templates that are ready to be used on short notice without the capital expenditures that would otherwise be required.