b'<html>\n<title> - [H.A.S.C. No. 112-39]IMPROVING MANAGEMENT AND ACQUISITION OF INFORMATION TECHNOLOGY SYSTEMS IN THE DEPARTMENT OF DEFENSE</title>\n<body><pre>[House Hearing, 112 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n\n\n\n                                     \n\n                         [H.A.S.C. No. 112-39]\n\n \n                        IMPROVING MANAGEMENT AND\n                       ACQUISITION OF INFORMATION\n                       TECHNOLOGY SYSTEMS IN THE\n                         DEPARTMENT OF DEFENSE\n\n                               __________\n\n                                HEARING\n\n                               BEFORE THE\n\n           SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES\n                                 OF THE\n\n                      COMMITTEE ON ARMED SERVICES\n\n                        HOUSE OF REPRESENTATIVES\n\n                      ONE HUNDRED TWELFTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                              HEARING HELD\n\n                             APRIL 6, 2011\n\n\n                                     \n\n                  U.S. GOVERNMENT PRINTING OFFICE\n65-810                    WASHINGTON : 2011\n-----------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Printing Office, \nhttp://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). 
E-mail, gpo@custhelp.com.  \n  \n\n\n           SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES\n\n                    MAC THORNBERRY, Texas, Chairman\nJEFF MILLER, Florida                 JAMES R. LANGEVIN, Rhode Island\nJOHN KLINE, Minnesota                LORETTA SANCHEZ, California\nBILL SHUSTER, Pennsylvania           ROBERT ANDREWS, New Jersey\nK. MICHAEL CONAWAY, Texas            SUSAN A. DAVIS, California\nCHRIS GIBSON, New York               TIM RYAN, Ohio\nBOBBY SCHILLING, Illinois            C.A. DUTCH RUPPERSBERGER, Maryland\nALLEN B. WEST, Florida               HANK JOHNSON, Georgia\nTRENT FRANKS, Arizona                KATHY CASTOR, Florida\nDUNCAN HUNTER, California\n                 Kevin Gates, Professional Staff Member\n                 Mark Lewis, Professional Staff Member\n                      Jeff Cullen, Staff Assistant\n\n\n                            C O N T E N T S\n\n                              ----------                              \n\n                     CHRONOLOGICAL LIST OF HEARINGS\n                                  2011\n\n                                                                   Page\n\nHearing:\n\nWednesday, April 6, 2011, Improving Management and Acquisition of \n  Information Technology Systems in the Department of Defense....     1\n\nAppendix:\n\nWednesday, April 6, 2011.........................................    27\n                              ----------                              \n\n                        WEDNESDAY, APRIL 6, 2011\nIMPROVING MANAGEMENT AND ACQUISITION OF INFORMATION TECHNOLOGY SYSTEMS \n                      IN THE DEPARTMENT OF DEFENSE\n              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS\n\nLangevin, Hon. 
James R., a Representative from Rhode Island, \n  Ranking Member, Subcommittee on Emerging Threats and \n  Capabilities...................................................     1\nThornberry, Hon. Mac, a Representative from Texas, Chairman, \n  Subcommittee on Emerging Threats and Capabilities..............     1\n\n                               WITNESSES\n\nMcGrath, Hon. Elizabeth A., Deputy Chief Management Officer, U.S. \n  Department of Defense..........................................     3\nTakai, Hon. Teresa M., Acting Assistant Secretary of Defense for \n  Networks and Information Integration, and Chief Information \n  Officer, U.S. Department of Defense............................     4\n\n                                APPENDIX\n\nPrepared Statements:\n\n    Langevin, Hon. James R.......................................    31\n    McGrath, Hon. Elizabeth A....................................    32\n    Takai, Hon. Teresa M.........................................    44\n\nDocuments Submitted for the Record:\n\n    [There were no Documents submitted.]\n\nWitness Responses to Questions Asked During the Hearing:\n\n    [There were no Questions submitted during the hearing.]\n\nQuestions Submitted by Members Post Hearing:\n\n    [There were no Questions submitted post hearing.]\nIMPROVING MANAGEMENT AND ACQUISITION OF INFORMATION TECHNOLOGY SYSTEMS \n                      IN THE DEPARTMENT OF DEFENSE\n\n                              ----------                              \n\n                  House of Representatives,\n                       Committee on Armed Services,\n         Subcommittee on Emerging Threats and Capabilities,\n                          Washington, DC, Wednesday, April 6, 2011.\n    The subcommittee met, pursuant to call, at 2:46 p.m., in \nroom 2212, Rayburn House Office Building, Hon. Mac Thornberry \n(chairman of the subcommittee) presiding.\n\nOPENING STATEMENT OF HON. 
MAC THORNBERRY, A REPRESENTATIVE FROM \n     TEXAS, CHAIRMAN, SUBCOMMITTEE ON EMERGING THREATS AND \n                          CAPABILITIES\n\n    Mr. Thornberry. The hearing will come to order. And we \nthank you all for your patience as we had some votes that have \njust concluded.\n    The subcommittee meets today to receive testimony on the \nimpact of recent initiatives that affect the capability of the \nDepartment of Defense to acquire and manage information \ntechnology systems. The advent of the information revolution \nhas not only changed how we as a Nation do business, but it has \nsignificantly impacted how we provide for the common defense.\n    Information technology includes everything from hardware \nand software, to data standards, to commonly agreed-upon \narchitectural frameworks, and has completely permeated the \nnational security enterprise, at least the information \ntechnology portion of the budget that has been submitted by the \nPresident. It is approximately $38\\1/2\\ billion, so a not \ninconsiderable sum of money. Obviously we are interested in how \nthat money is spent, whether it is spent efficiently. Most \nimportantly to me is whether it enables the warfighter to do \nwhat we ask them to do.\n    But as you all know, this subcommittee is also particularly \ninterested in the security of our systems this year and \ncybersecurity for the Nation. So we are interested in what we \nare buying and how secure it is. So we appreciate our witnesses \nand the ability to discuss this topic today.\n    And I would yield to the ranking member, the gentleman from \nRhode Island, for any comments he would like to make.\n\n  STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE FROM \nRHODE ISLAND, RANKING MEMBER, SUBCOMMITTEE ON EMERGING THREATS \n                        AND CAPABILITIES\n\n    Mr. Langevin. Thank you, Mr. Chairman.\n    I would also like to welcome our witnesses here today. 
It \nis good to have the Honorable Elizabeth McGrath and the \nHonorable Teresa Takai here, and I look forward to their \ntestimony.\n    The issue of information technology is critically important \nto the Department of Defense, and I want to thank Chairman \nThornberry for calling this hearing. IT [information \ntechnology] is a crucial factor in every aspect of the \nDepartment\'s activities. From the routine e-mail to the flight \ncontrols of the most sophisticated fighter jets in world, the \nDepartment depends on the smooth functioning of a myriad of IT \nsystems. As the information age matures, we find that IT \nsystems have expanded both in complexity and pervasiveness. As \na result, today they represent one of the largest investments \nfor the Department, and it presents a significant potential \nvulnerability if they should fail or be attacked.\n    The business complexities are only made worse by the \nevolving cyberthreats that have begun to challenge the \nintegrity of our current systems. Therefore, it is important \nfor the Department to be properly organized and pursue IT \nacquisition, implementation, modernization and performance \nevaluation. Oversight is required for the full spectrum of \nactivities, but bureaucratic redundancy creates confusion and \ncomplexity.\n    Now, the DOD [Department of Defense] IT enterprise must be \nas streamlined and efficient as possible. I understand that as \npart of the Secretary of Defense\'s efficiency initiative, we \nwill see some changes in how the Department manages IT and \nperhaps some cost savings along with it. Now, this is welcome \nnews, provided it achieves the desired effect without reducing \ncapability or injecting unnecessary risk into the process.\n    We must also be vigilant that as we move forward, the \nsecurity of our systems is at the forefront of our efforts. 
Our \nacquisition systems furthermore are barely suitable to large-\nscale weapons projects requirements for IT systems that evolve \nrapidly, and the systems need more flexibility if it is to \nmanage proper acquisitions of these systems.\n    As Mr. Thornberry mentioned previously, last year\'s 2010 \nNational Defense Authorization directed the DOD to develop and \nimplement a new acquisition process for IT, and I certainly \nlook forward to hearing more about how that process is \nproceeding today.\n    With that, I yield back and look forward to our witnesses\' \ntestimony.\n    [The prepared statement of Mr. Langevin can be found in the \nAppendix on page 31.]\n    Mr. Thornberry. I thank the gentleman.\n    It would be no surprise to you all that there are a number \nof meetings going on now, including a Republican conference on \nthe funding situation with the government, so we may have \nMembers coming in and out at strange times. But I appreciate \nyour patience with that.\n    The witnesses today, as the gentleman mentioned, is the \nHonorable Teresa Takai, Acting Assistant Secretary of Defense \nfor Networks and Information Integration and the Department of \nDefense Chief Information Officer; and the Honorable Elizabeth \nMcGrath, Deputy Chief Management Officer of the Department of \nDefense.\n    Without objection, your full written statements will be \nmade part of the record, and you are both certainly welcome to \nsummarize them in any way that you see fit now. Thanks for \nbeing here.\n\nSTATEMENT OF HON. ELIZABETH A. MCGRATH, DEPUTY CHIEF MANAGEMENT \n              OFFICER, U.S. DEPARTMENT OF DEFENSE\n\n    Ms. McGrath. Good afternoon, Mr. Chairman, Congressman \nLangevin. 
Thank you for the opportunity to discuss the Defense \nDepartment\'s efforts to improve its business operations, and \nspecifically its acquisition and management of business \ninformation technology systems.\n    As the DOD Deputy Chief Management Officer, I am \nresponsible for instituting a framework to define clear \nbusiness goals, develop meaningful performance measures and \nalign activities through established and repeatable processes. \nThe purpose of DOD\'s overarching management agenda is the \nestablishment of an effective, agile and innovative business \nenvironment that is fiscally responsible.\n    The Department has taken decisive action to improve its \nbusiness processes, has identified areas where further work is \nrequired, and has several achievements to bring to your \nattention. My written statement addresses these in detail. I \nwill briefly touch on some of these topics, as I am eager to \ndiscuss with you the areas that interest you most.\n    I would like to highlight our IT acquisition reform \nefforts, other business IT initiatives, and successful cross-\nagency management efforts in which my office plays a key role.\n    Fundamentally, the Department\'s business IT systems are \nessential enablers of a broader set of integrated business \noperations rather than an end to themselves. We have identified \n15 essential what we call end-to-end processes, such as Hire-\nto-Retire and Procure-to-Pay. Our Business Enterprise \nArchitecture and senior governance bodies, including the \nInvestment Review Boards and the Defense Business Systems \nManagement Committee, both given to us by Congress, are better \naligned to manage within the end-to-end construct to identify \ndata standards, performance measures and policies necessary to \nimprove our business and make more informed enterprisewide \ndecisions.\n    End-to-end focus and strong governance are joined by a new \napproach to acquiring information capabilities. 
There has been \nno shortage of studies and reports, including one by this \ncommittee last year, that concluded the Defense Department\'s \ncurrent method for acquiring IT systems must change. Steps are \nbeing taken to address these issues.\n    Section 804 of the Fiscal Year 2010 National Defense \nAuthorization Act required us to develop and implement a new IT \nacquisition process with its focus on the Department\'s IT \nAcquisition Task Force, which I chair. The guiding principles \nadopted by the task force incorporate recommendations from the \nDefense Science Board report, including deliver early and \noften, with delivery capability in 12 to 18 months; incremental \nand iterative development and testing; rationalized \nrequirements; tailored and flexible processes; and finally, a \nknowledgeable and experienced information technology workforce.\n    I welcome the chance to elaborate here on how the task \nforce is addressing these areas. We expect to promulgate these \nin a policy later this year, such as establishing metrics to \nassess overall health of a program, combining certification and \naccreditation with traditional tests and evaluation activities, \nand assessing contracting strategies that enable a more modular \ndelivery of capabilities. Our pilot-based approach to validate \nthis new policy will allow us to modify as necessary based on \nlessons learned before the final issuance. We are currently \ntesting these changes to ensure they are working.\n    The Under Secretary of Defense for Acquisition, Technology \nand Logistics signed out new acquisition policy for defense \nbusiness systems called the Business Capability Lifecycle, or \nBCL, which provides a streamlined framework for development, \ntesting, production, deployment and support of a defense IT \nbusiness systems. 
The principal focus of Business Capability \nLifecycle is program implementation.\n    In my written testimony, I have an example of an Air Force \nprogram that was originally on a path to deliver capability \nmany years out. Using an innovative streamlined approach, we \nwere able to move that deployment 2 years earlier.\n    I also welcome the chance to describe for you our cross-\nagency efforts in modernizing health information technology and \nsecurity clearance processing. In particular, the Government \nAccountability Office\'s removal of the DOD Personal Security \nClearance Program from its high-risk list is a significant \nfirst for the Department and owes its success to our commitment \nto this results-oriented, end-to-end approach.\n    In closing, we are committed to improving management and \nacquisition of IT systems, as well as our overall business \noperations. These issues received significant management \nattention and are a key part of our overarching strategy to \nbuild better business processes that will create lasting \nresults for the men and women in uniform.\n    I look forward to continuing our work with this committee \nin the months and years ahead as we work toward greater \nefficiency and effectiveness and furthering the agility in the \nbusiness space of the Department, certainly enabled by modern, \ninteroperable IT capabilities. I look forward to your \nquestions. Thank you.\n    [The prepared statement of Ms. McGrath can be found in the \nAppendix on page 32.]\n    Mr. Thornberry. Thank you.\n    Ms. Takai.\n\n STATEMENT OF HON. TERESA M. TAKAI, ACTING ASSISTANT SECRETARY \nOF DEFENSE FOR NETWORKS AND INFORMATION INTEGRATION, AND CHIEF \n        INFORMATION OFFICER, U.S. DEPARTMENT OF DEFENSE\n\n    Ms. Takai. Good afternoon. Good afternoon, Mr. Chairman and \nCongressman Langevin. 
Thank you very much for the opportunity \nto testify today on the importance of information technology to \nthe transformation of the Department of Defense. My testimony \ntoday will focus on how the DOD is leveraging information \ntechnology to securely deliver mission-critical information \ncapabilities to the men and women of the Department of Defense \nand our mission partners.\n    The Department\'s fiscal year 2012 IT budget request, as you \nmentioned, of 38.4 billion, includes funding for everything \nfrom our desktop computers, tactical radios, identity \nmanagement technology, commercial satellite communications, and \nthe large information technology projects, some of which Ms. \nMcGrath spoke of. These investments support mission-critical \noperations that must be delivered in an environment of ever-\nchanging requirements and ever-increasing demand.\n    Where in the past the Department sought to balance the need \nto know with the need to share, today the warfighter expects to \nhave and needs to have the latest information in order to \ncomplete the mission. That coupled with the increasing use of \nsocial media, smart phones and tablet computers has made \ninformation-sharing an expectation, and this requires new \ncapability, particularly at the edge or in our tactical \nenvironments that have limited availability of persistent and \nbroad-range network capabilities.\n    Our challenge today is ensuring our networks can securely \nsupport the information demands of our users, who require that \ninformation anywhere and any time across our enterprise. To \nmeet this challenge, our networks must be designed and \noptimized to more effectively and efficiently support these \nmission operations while ensuring security.\n    DOD networks are under constant attack from cybersecurity \nthreats launched from the Internet or from malicious software \nembedded in e-mail attachments, removable media, or even \nembedded in the hardware the Department procures. 
Every device \nconnected to the network is susceptible to cyber \nvulnerabilities. While working to efficiently respond to the \ninformation demands of our users, we must be ever-vigilant in \nprotecting our information environment.\n    Just over $2.8 billion of the Department\'s overall budget \nis devoted to information assurance or cybersecurity activities \nthat defend our information systems and networks. The \nDepartment\'s fiscal year 2012 information assurance budget \nrequest ensures increased funding to address insider threat and \ncyber vulnerabilities, such as those identified in the \nWikiLeaks incident. Specifically, we have requested funding to \nsupport the deployment of a Public Key Infrastructure-based \nidentity credential on a hardened smart card for use on our \nSecret classified network, a successful technology very similar \nto the Common Access Card we use on our unclassified network. \nWe have also identified funds needed to deploy our Host-Based \nSecurity System to secure our classified systems; to provide an \nautomated capability to continually monitor the configuration \nand security of our network; and improve identity management \nacross the Department.\n    The DOD is planning for the investment and implementation \nof these IT and information-assurance capabilities within \ntoday\'s current resource-constrained environment. Recognizing \nthis, in August, the Secretary directed a number of initiatives \nto achieve savings in acquisition, sustainment and manpower \ncosts, while not degrading our ability to execute our mission. 
\nAmong these is the consolidation of our IT infrastructure while \nsimultaneously defending that infrastructure.\n    My office is responsible for leading the development of a \nstrategy and plan for consolidating the Department\'s IT \ninfrastructure in five broad areas: Our network services, our \ncomputing services, application and data services, our end-user \nservices, and our IT contracts and purchasing. I plan to issue \nthe DOD IT Enterprise Infrastructure Optimization Strategy this \nquarter. The plan represents the Department\'s strategy and \ninitial roadmap to achieve the goals of improving our \neffectiveness while heightening our security posture. This plan \ncommits us to changing policies, cultural norms and \norganizational processes to provide lasting results. The \ninitial focus is on obtaining tangible results in fiscal years \n2011 and 2012 while planning for aggressive consolidation \nthrough fiscal year 2015. It really positions us to embrace \nemerging technology and provide cutting-edge capability to our \nwarfighters.\n    The transformation of our IT capabilities described above \nis a very ambitious undertaking, one that will reap tremendous \nbenefits to the Department and our Nation when completed. It \nwill require agility as well as new processes to both keep \nabreast of technological advances and defend the network.\n    My office is working closely with the Office of the Deputy \nChief Management Officer on efforts to develop a flexible, \nagile acquisition process that also addresses the DOD\'s \nrequirements and budgeting processes.\n    As you know, we have also been addressing the development, \neducation and continuous training of our workforce. The \nInformation Technology Exchange Program pilot reauthorized by \nthe fiscal year 2010 National Defense Authorization Act for DOD \nis one mechanism that we are pursuing. 
Under this collaborative \neffort, we have a pilot which will involve 10 individuals \nexchanging both industry and Department expertise to enhance \nour employees\' IT competencies and technical skills, and infuse \nboth DOD and the industry with new ideas in this fast-evolving \ndiscipline. My office is responsible for implementing ITEP [the \nInformation Technology Exchange Program], and we have created a \nguide to assist participating DOD components with the \nimplementation.\n    Maintaining an information advantage for our users is \ncritical to our national interest. The efforts outlined in this \nbrief will ensure that the Department\'s information \ncapabilities provide better mission effectiveness and security \nand are delivered in a manner that makes the most efficient use \nof our resources.\n    I want to thank you for your interest in our efforts, and I \nam happy to answer any questions that you have.\n    [The prepared statement of Ms. Takai can be found in the \nAppendix on page 44.]\n    Mr. Thornberry. Thank you.\n    Let me start out with, I guess, some rather broad kind of \nquestions. Ms. McGrath, about 10 years ago, the Defense Science \nBoard did a study that found 16 percent of all IT projects \ncomplete on time and on budget; 31 percent were cancelled \nbefore completion; 53 percent were late and over budget. Of \nthose that were completed, the final product contained only 61 \npercent of the originally specified features 10 years ago. How \nmuch better is it now, do you think?\n    Ms. McGrath. From a percentage perspective, I don\'t think I \nwould be able to articulate percentage-wise how much better I \nthink it is. I do think that the Department is taking a more \nholistic look at how IT fits into our broader capability needs. 
\nI would say 10 years ago, we would have a handful of people who \nare interested and focus on how IT worked and enabled in the \nentire environment, and today we are taking a much more \nenterprise perspective.\n    I can talk about the many studies and reports that have \nbeen done in terms of how the acquisition process needs to be \nbetter to enable a more rapid capability and delivery of the \ninformation technology. Maintaining a standard, stable baseline \nof requirements, I think, can be found in every single one of \nthe studies and reports that have been completed. So a lot of \nthe focus of the Department not only on the IT side, but the \nweapon systems side has been to identify and stabilize those \nrequirements such that we can meet them in a more--I am going \nto say to chunk the capabilities such that they are delivered \nin a spiral fashion and not try and solve the entire issue at \nthe get-go.\n    So, you know, percentage-wise, specifically I am not sure \nhow to counter those numbers that you articulated, but I can \nsay certainly within the last 5 years that there is a lot more \nmanagement attention and focus on the requirement \nstabilization, the spiral implementation so that I do feel that \nwe are moving in the right direction.\n    Mr. Thornberry. And I want to talk more in a minute about \nsome of the acquisition points that you make.\n    Somewhat on behalf of one of my colleagues, let me ask you \nthis: From time to time, we have asked about the ability of the \nDepartment of Defense to withstand an audit, and a lot of the \nanswers that have come back to me over the years is, well, we \njust don\'t have the computer systems that can talk to one \nanother, you know. So basically the business systems were not \ncompatible in order to put all the pieces together. And I \nrealize it is not your responsibility to audit the Department, \nbut just from the business systems technology part of this, \nwhere are we now?\n    Ms. McGrath. 
And I would agree, the systems were designed \nvery locally and not with a broader auditability target in \nmind, nor with a common architecture framework in mind. So they \nwere local solutions to handle local problems to do the sort of \nthe math, if you will, accurately.\n    Today the environment is very different. With the Business \nEnterprise Architecture standard--financial information of \nstandards, a standards-based approach to implementing these \nEnterprise Resource Planning solutions, we have many ERPs \nwithin the Department that will contribute to the Department\'s \nability to achieve financial auditability, and they are a very \nkey factor in our success in that pursuit. And we do recognize \nthat it is a business goal, a broad business goal, not just an \nIT problem, nor is it just a comptroller problem, but it is a \nshared responsibility across the functional space, meaning, you \nknow, logistics, personnel. They all have a part because their \ntransactions are where it all starts and then end up in the \nfinancial system at the end of the day.\n    So we are taking, again, a very deliberate, cross-\nfunctional enterprise approach to not only the IT aspect of it, \nbut the business process, because it requires change in all of \nthose areas.\n    Mr. Thornberry. Well, I know there are a number of people \non the committee as a whole that wants to hasten the day when \nthat is possible. So I appreciate that.\n    Ms. Takai, I guess the first question that leaps out at me \nfor you is do you have the authority to do your job? And you \nsaid, I think, in your testimony, this includes everything from \nradios, to laptops, to the desktop computers. All of those \nspending decisions are made by the services or other entities. \nYou are there kind of to help coordinate or strategize or \nguide, but they don\'t have to listen to you. Do you have the \npower to do your job?\n    Ms. Takai. There are a couple of answers to that question. 
\nSo let me phrase it in a couple of different ways.\n    Certainly while the budget dollars for the information \ntechnologies expenditures are in the services, there are any \nnumber of the processes in the building that actually review \nthat spend where my office has a major role. Certainly in the \nrequirements process that Ms. McGrath talked about not only \nfrom a business systems standpoint, from also the standpoint of \nto the point of command-and-control systems for things like \ntactical radios, my office is involved in the review of those \nprograms and certainly have the opportunity at that time, based \non a technical review and based on just an overall project \nreview, to weigh in on those projects. So there are those \nprocesses. There is also, obviously, our investment process \nthrough the CAPE [Cost Assessment and Program Evaluation] \norganization, where we look early on at our investment \ndecisions.\n    So while, in fact, we don\'t control the overall budget, \nthere are requirements and investment processes. And then \nultimately in the acquisition process, we are also a member of \nthe groups that actually review the projects going through. So \nwe do have opportunities certainly to weigh in.\n    The other piece of it is that in our responsibilities, they \nare very definitely two-set policy, and in setting that policy, \nwe are doing that, as I mentioned in our IT consolidation plan, \nin ways that actually direct the expenditure of the dollars, \neven though it resides within the services.\n    Mr. Thornberry. And through these various committees and \nall this stuff that you sit on--let me ask this: How often is \nyour organization\'s judgment overridden, would you guess?\n    Ms. Takai. I wouldn\'t have a good view of that. I am fairly \nrecent, as you know. I joined the organization in November, and \nso I don\'t, you know, actually have very real specifics or \npercentages or anything at this time to be able to give you.\n    Mr. 
Thornberry. On the integration strategy that is coming \nout this quarter, is that going to be classified or \nunclassified?\n    Ms. Takai. No. It will be available. And certainly as we \ncomplete it, it would be something we would very much like to \nshare with you.\n    Mr. Thornberry. But there will not be a classified version \nof it.\n    Ms. Takai. No.\n    Mr. Thornberry. Okay. Mr. Langevin.\n    Mr. Langevin. Thank you, Mr. Chairman.\n    Again, I want to thank you both for your testimony here \ntoday.\n    Secretary Takai, I want to thank you for what you have had \nto say today. I would like to in particular discuss a major \nconcern that I have about the Department\'s information \ntechnology consolidation. As you are aware, the \nAdministration\'s Chief Information Officer, Vivek Kundra, if I \npronounced that correctly, instituted a Federal cloud computing \nstrategy in February, which mandated that all agencies modify \ntheir IT portfolios to fully take advantage of the benefits of \ncloud computing in order to maximize capacity, improve \nflexibility and minimize cost.\n    While the benefits from cloud computing can certainly be \ngreat, I believe that the security of cloud architecture isn\'t \nfully understood, and remain very concerned that organizations \nmay ignore security concerns in an effort to rapidly glean the \nvast cost savings available from migrating to the cloud.\n    So further, the discussions of specific items such as how \ncloud computing will affect law enforcement, intelligence \norganizations hasn\'t also been fully analyzed as well in depth. \nCompanies that suggest cloud server farms can be adequately \nsecured overseas really aren\'t discussing the complex \nrequirements for background checks and foreign servicing \npersonnel or our ability to work with foreign governments to \naccess data harmful to the U.S. 
when it resides on the same \nserver amongst benign data from a foreign country.\n    So, Madam Secretary, with these concerns in mind, what \nassurances can you give this committee that all aspects of \nsecurity will be considered, discussed and planned for in \nadvance of DOD\'s IT migration to the cloud?\n    And second, as DOD begins its migration, is there a \ndiscussion of where data farms will reside? And if so, does \nthat discussion include the Department of Justice and members \nof the Intelligence Community?\n    Ms. Takai. Well, thank you very much for that question, \nbecause I think there is a significant amount of confusion as \nwe talk about cloud computing. It has a tendency to mean \ndifferent things to different people. So I think it is very \nimportant.\n    You know, while we certainly agree with Vivek Kundra\'s \nassessment that there are opportunities, we also believe that \nwe have to look at the way we move to the cloud in several \ndifferent ways. And security is actually our paramount concern \nin terms of the way we look at cloud computing. So let me put \nthat in our overall context.\n    Our initial look at moving to cloud computing would be to \nlook at what we call a private cloud. 
So it would effectively \nbe taking the benefits of cloud computing, but rather than \nlooking at how we would buy that service outside, to look at \nthe way we would standardize our infrastructure, the way that \nwe can utilize the organization like DISA [the Defense \nInformation Systems Agency], which has several large computing \ncenters today, and actually be able to bring in implementations \nfrom the services, for example, be able to get the cost-\neffectiveness, but at the same time be able to assure the \nsecurities.\n    So, for instance, right now Army is looking at a number of \napplications that they will be moving into a cloud where we \nwill have full control of the security, including the points \nthat you raised as it relates to the security required for \nemployees, where we actually locate those centers and also the \ninformation that we have in those centers. So our initial \nforay, again, is to ensure that security is our number one \nconcern in terms of being able to move forward.\n    I think, as you mentioned in your opening remarks, while, \nin fact, efficiency is extremely important to us, we have to be \nsure that both from a security and protecting the warfighter \nthat we are fully capable.\n    Now, there will be instances--and we are looking at those \nnow--where we will be able to use commercial cloud providers. \nBut when we do that--and, in fact, this is a conversation that \nI think Vivek Kundra is looking at as well--we will have to be \nsure that those providers meet our security standards before we \nwill utilize those services.\n    And then lastly, we are looking now because we believe that \nthere may be a few instances where we can go to a public cloud, \nbut they would be for those things that don\'t require the kind \nof security on our networks and from an information \nperspective. 
And so those are the ones that we are taking a \nlook at as well.\n    So I do think while we are looking at this, it is important \nto put it in the context of the different types of cloud-\ncomputing environments and the fact that we are actually driven \nin terms of our making the decision by our security concerns \nand our standardization issues as much as certainly from the \nstandpoint of efficiencies.\n    Mr. Langevin. So in that process, as you are moving to the \ncloud architecture, will that include discussions with the \nDepartment of Justice and also members of the Intelligence \nCommunity?\n    Ms. Takai. Absolutely. One of the concerns that we have \nright now, in fact, is being able to take a look at our \ninformation-sharing capability across the networks that the \nIntelligence Community is responsible for and the SIPRNet \n[Secure Internet Protocol Router Network] and NIPRNet [the Non-\nsecure Internet Protocol Router Network] that we are \nresponsible for. So as a part of our ongoing planning, it is \nvery important that we are well coordinated with the \nIntelligence Community. And as they are looking at where they \nare moving forward, I think in conversations I have had with \nthem, certainly security is also their number one concern.\n    In answer to your second part of the question, which is \nDepartment of Justice, obviously with some of the challenges we \nhave had from an insider threat perspective, it is very \nimportant that they be involved in any decisions we make about \nthe location and the configuration of where we put our \ninformation.\n    Mr. Langevin. If I can continue. Another area of concern is \nDOD\'s ability to continue its information-sharing efforts. As \nwe are all aware, the 9/11 Commission highlighted some serious \ninteragency deficiencies as to the timely sharing of sensitive \ninformation. 
Since that time, much of the Federal Government \nhas made significant improvement, yet I am concerned that the \ninsider threat-type setback, such as the WikiLeaks affair, is \ngoing to hamper further efforts to improve the sharing of \nthreat and intelligence information across the spectrums of \nthreats both physical and cyber amongst agencies.\n    So, Secretary Takai, does the DOD have the capability to \ntrack insider threats to our information systems, particularly \nthose processing classified information? And what effect has \nthe WikiLeaks case had on our information-sharing efforts both \ninternally as well as interagency?\n    Ms. Takai. Well, let me answer that, first of all, by \nsaying we are continuing to be focused on information-sharing. \nAnd it has been a major concern for us to ensure that we can do \nthat information-sharing in a secure way, because, as I \nmentioned, we feel that certainly for the warfighter, the need \nto have access to that information has never been more \nimportant than it is today. So what we take as our \nresponsibility is to be sure that we can do that information-\nsharing in a secure manner.\n    And that is really why I mentioned several areas of \ntechnology that we are implementing so that we can continue to \ndo that sharing, and yet do it in a secure way. One of the \ntools that we are deploying at this point in time is our Host-\nBased Security System. And that is really, again, in response \nto your question about knowing who is on the network and \nknowing who has access to information.\n    We have two additional tools that are going to be very \nimportant in actually helping us with that. We are currently \ntesting a tool and plan to roll out a tool which will actually \ndetect what we call anomalous behavior.\n    So to your question of do we know who is on the network? \nYes. 
And then what we need are tools that begin to detect where \nthere is access to information that looks different than what \nwe would expect to see and then will trigger our ability to get \nin and take a look at that.\n    Then we are deploying much stronger identity management \ncapabilities so that we will be able to tag information to \nparticular users and then be able to continue to protect.\n    Now, while these technology enhancements are extremely \nimportant, we also are improving our processes and our \nprocedures for access to that information. So I think, as you \nknow, we have put policies out about the use of removable \nmedia, but to ensure that the warfighter has the capability to \nsee that information, we have also instituted processes, for \ninstance, which is a two-person rule around access to \ninformation so that we are sure that there is always a check \nand balance when there is the need to know.\n    So again, to summarize, the challenge for us is to put the \ntechnology in place, but also, because there is never a 100-\npercent solution, to be sure that we also have the policies and \nthe processes in place to be able to manage our information.\n    Mr. Langevin. I have further questions, but thank you for \nthat, and I will wait until maybe a second round.\n    I yield back.\n    Mr. Thornberry. Thank you.\n    Mr. West.\n    Mr. West. Thank you, Mr. Chairman, and, Mr. Ranking Member. \nAnd, ladies, a pleasure to be here, and, Secretary, and \nHonorable McGrath.\n    I spent a few days in the military myself, and I can tell \nyou when I first came in, you know, everything in the artillery \nwas charts and darts, and now everything is computerized. And, \nof course, I was in Desert Shield, Desert Storm where you stood \nin line for about 3 hours to get, you know, a 2-minute phone \ncall.\n    I spent 2\\1/2\\ years in Afghanistan. 
I can tell you from \nthe experiences then to now, information technology and the \nnetwork systems that we have deployed in these combat theaters \nof operation are just incredible. But one of the things that I \nknow that we have to also be able to do is to protect those \nsystems in a combat zone, which is something we experienced for \nabout 48 hours in Afghanistan. I think you know what I am \ntalking about back, I believe, in 2006, and we were able to \ntrace that back to a very interesting country.\n    So one of the things I look at as we go probably from, you \nknow, so much of nation-building, so much of occupation-style \nwarfare, and we get back to maybe power projection, forcible \nentry, more austere environments, what lessons have we learned \nin the operations in Iraq, the operations in Afghanistan that \nwill make us better prepared, make us, you know, more secure \nwith the implementation of our network systems as we move \nforward, you know, Libya, Tunisia, who knows where is next?\n    Ms. Takai. Well, just some examples, I think, to add to \nyour comments, which I think really do reflect the changes that \nwe are seeing actually in theater. First of all, we are seeing \nvery definitely that our need for network security going \nforward needs to include our coalition partners. 
And so what we \nsaw in Afghanistan was the need to actually put a network in \nplace that allowed for each of the coalition partners to have \ntheir own secure network, but at the same token have a network \nwhich was protected at the point that each of our coalition \npartners connected to it so that if, in fact, we had an issue \nat any of those points in time, we could then block that and \nnot have that impact the entire network.\n    One of the things that we see going forward is that we have \nto be cognizant of several things: Number one, what I just \nmentioned, that while we might not necessarily deploy the \ntechnology in the next conflict in the same way we did in \nAfghanistan, we certainly would deploy the concepts that we are \nusing there, again because of the coalition.\n    The second piece of it is that what we have seen is the \nneed to share information--and this really gets back to some of \nthe other questions--across our unclassified and classified \nnetworks. While we have seen that in the past, I think we \nhaven\'t seen it to the extent that we are seeing it today. And \nso our future networks will need to plan for that level of \ninformation-sharing.\n    And then lastly, these tools that we are putting in place \nnow are really aimed at being able to better secure these \nnetworks when we go in.\n    And then finally, what we are really recognizing is that we \nhave to standardize our networks because it is not just the \nnetworks, but it is what folks want to connect to the networks. \nAnd they are bringing any number of devices. They are familiar \nwith devices, commercial devices that just weren\'t even things \nthat were conceived of being used in theater, and they are \nbringing them with them. They are used to them. They don\'t \nstand in line to make a phone call. They have a device in their \nhand.\n    Mr. West. You are absolutely right.\n    Ms. Takai. 
And we have to recognize that that is the \nsituation, but the challenge for us is ensuring that when they \ndo have access to the network, they have access to the network \nin a secure way. So it isn\'t then everyone can bring anything \nthey want, but they have to have that capability, and our \nnetworks have to be secure enough to sustain that.\n    Mr. West. And, Ms. McGrath, a question. In the aftermath of \nwhat we saw with the WikiLeaks, have we gone back and really \nlooked at our, you know, security clearance processes? You \nknow, have we gone back to some type of retraining, \nrecertification process?\n    Ms. McGrath. With regards to the Federal investigative \nstandards, those have been looked at by both the security \nexecutive agent, which is the Director for National \nIntelligence, and also the suitability executive agent, which \nis the Director for Office of Personnel Management, to ensure \nthat when we are pursuing either a hiring action or a clearance \ndetermination, that we have done the appropriate level checks \nfor the level of access or job that that individual will have.\n    So we have, from a Federal perspective--not only just DOD, \nbut this is a much broader Federal--paid attention to the \ninformation that we gather to ensure that we are collecting the \nright information to make those determinations. And we also \napplied some of the sort of innovation and technology to that \nprocess because historically it has taken much, much too long \nto obtain a security clearance. So we did, through process \nanalysis and innovation and technology, apply those \nappropriately to the process to enable speed without \ndegradation of quality.\n    Mr. West. Thank you very much.\n    And I yield back, Mr. Chairman.\n    Mr. Thornberry. Thank you.\n    Mrs. Davis.\n    Mrs. Davis. Thank you, Mr. Chairman.\n    And, Ms. McGrath, thank you very much, both of you, for \nbeing here, Ms. 
Takai.\n    One of the discussions that we have been having in the \npersonnel committee over quite a number of years is bringing \ntogether electronic records, of course, of the DOD and the VA \n[Department of Veterans Affairs]. And I see that in your \nwritten testimony you alluded to that, and I am sorry I wasn\'t \nhere at that time. It is my understanding that there are three \noptions that they were looking at, and how is that progressing, \nand what are those options, I guess? And what does the timeline \nlook like that might bring us to a decision?\n    Ms. McGrath. The ``they\'\' you are referring to in my \nassumption is both Secretaries Gates and Shinseki recently met. \nActually it was on March 17th. We gave them a presentation. We \ndid look at options in determining our collective way forward \nfor electronic health records. One was looking at upgrading our \nexisting capabilities. DOD uses AHLTA [the Armed Forces Health \nLongitudinal Technology Application], and the VA has VisTA [the \nVeteran\'s Health Information Systems and Technology \nArchitecture] as their major IT system. The other was taking a \njoint approach to a--I will use the term ``single solution,\'\' \nbut I really mean single approach to capability delivery. And \nthe other one was pursuing our own separate IT capability \ninitiatives with a bridging mechanism to share data, which is \nmostly how we interface and exchange information with VA today. \nSo those were the options that were discussed with the \nSecretaries.\n    The decision was that we agreed to use a common \narchitecture, common data services and data centers, and it \nwould be a standards-based approach to exchanging data as \nopposed to the interfaces that we do today. 
So it would be a \ndata-driven approach to information exchange.\n    We have agreed to joint development/acquisition, and it is \nprobably more acquisition than development because there is a \nlot of commercial-off-the-shelf capabilities; a number of the \nfunctional areas, like pharmacy and labs and those kinds of \nthings.\n    For an integrated electronic health record, we will look at \nusing commercially available solutions first, adopt an \napplication if one of us has a best-of-breed that we are \ncurrently using. And then finally, our last option would be we \nwould develop it.\n    In saying that, the difference really is that we are taking \na lighter architectural approach as opposed to a heavy systems-\nbased approach. Today our data and system are very much \nintegrated, and so it limits our ability to be agile and \nexchange at the data level. The major difference in the \napproach that we are taking is exchange at the data level. That \nwill require us to develop this common architecture that is a \nsignificant difference in how we do things today.\n    Governance will be key going forward, having the effective \ngovernance in place to ensure that we are staying aligned to \nthe agreements that had been made by the Secretaries, and also \nwith regard to the capability we have currently deployed in the \nNorth Chicago Medical Center. We have agreed to pursue any \ncapability that is not yet delivered there, pharmacy and \nconsults being the major two, to pursue those jointly.\n    Saying all that, those are the agreements that we reached. \nWe have a comeback to the Secretary, both Secretaries, early in \nMay where we are to deliver more details with regard to the \nimplementation timeline.\n    Mrs. Davis. Are there any steps that either the DOD or the \nVA are taking now where their efforts essentially would not be \nvery productive if they move ahead in the separate ways that \nthey have been moving all these years? 
I guess are there \ncertain investments, certain expenditures that are moving \nforward in the different architectures that would not \nnecessarily mesh with what may eventually be the----\n    Ms. McGrath. The message is to ensure that the investments \nthat we are making in today\'s environment are needed today. And \nif there are things that we can defer such that we ensure \nalignment with this integrated electronic health record, that \nis what we would like to do. North Chicago is a really good \nexample. Each of the departments was pursuing a separate \npharmacy solution that would interact through interfaces. We \nhave stopped those separate development efforts, if you will, \nto ensure that we pursue----\n    Mrs. Davis. I guess can I ask you, given the cultures and \ngiven the difficulty with getting to this place, how successful \nare we going to be?\n    Ms. McGrath. I mentioned the governance. Governance is key, \nand the agreements by the Secretaries and then the persistent \nengagement by the Secretaries I think will be key to enabling \nsuccess here. Both Secretaries have agreed to continue to \nmonitor the progress that the two Departments are pursuing, in \naddition to the Deputy Secretaries of both organizations and \nour Joint Chiefs of Staff.\n    Mrs. Davis. If you were overseeing this, and as a \ncommittee, what would you want to see in 3 months and in 6 \nmonths from now? Where should we be?\n    Ms. McGrath. Those things that we have currently agreed to \nwith regard to the data standards and data center \nconsolidation, certainly we should be able to provide plans and \nenter milestones on where are we to achieving those goals. I \ncertainly would ask for those. Those are things that we will be \ndelivering to the Secretaries. And we will need those in place \nto then be held accountable to managing towards--you know, to \nachieving the overarching goal. 
And I think that as we define \nhow we are going to pursue different capabilities, certainly, \nyou know, cost and schedule for all of those are absolutely \nwhat I would ask for.\n    Mrs. Davis. All right. Thank you. I appreciate that.\n    As you can sort of sense my impatience here because--aside \nfrom the fact it is very costly, I think, just to the \ngovernment, to all of us, it is also costly to the warfighter. \nAnd we know that we have been working at this for a long time. \nSo I am really hopeful that we can have a deliverable soon.\n    Ms. McGrath. I would just like to add, we do between the \ntwo Departments share so much data today with regard to the \nmedical. I mean, it really is incredible when you look at how \nmuch data the two Departments share today. What we are talking \nabout is enabling the sharing of that information, taking a \ndifferent approach from a data perspective so that we can \neliminate redundancies, you know, increase efficiencies so it \nis a better experience for our military members.\n    Mrs. Davis. Thank you.\n    Mr. Thornberry. Is that a 3-year project or a 10-year \nproject?\n    Ms. McGrath. I don\'t think it is a 3-year project to be \ncompleted, but I do think that there are, again, phases of \nimplementation we will be able to achieve in terms of the data \nstandards. There are already international health data \nstandards out there. DOD has already enabled standardization \nwithin our own enterprise. It is aligning with VA. I don\'t see \nthat as--certainly not a 10-year. So I actually think that we \nwill be able to achieve some of that interoperability much \nsooner than the 10-year mark. So I do think that there are some \nopportunities in the nearish term, the near being relative, to \nachieve greater interoperability than we have today.\n    Mr. Thornberry. Thank you.\n    As you all know, one of the provisions of last year\'s bill \nwas to provide the Department some rapid acquisition authority. 
\nI think maybe you both make reference to it in your written \nstatements. But can you update us on where that is? Is it being \nused? Have we gotten far enough to know whether it is the kind \nof authority you need?\n    Ms. McGrath. I can start, and certainly Ms. Takai can add \non to my initial comments.\n    We have established--as the lead for the IT Acquisition \nTask Force--and the Department is certainly working very \nclosely with Ms. Takai\'s office and our acquisition, technology \nand logistics organization, and, frankly, every organization, \nit seems like, within the Department from a test and evaluation \nto the comptroller, because we are all somehow involved in \nenabling delivery of capabilities with regard to our \nacquisition process.\n    We have established many work groups; focus on very \nspecific areas like measures, metrics, what are leading \nindicators that we should be looking for when things are in a \nparticular program to ensure that we achieve better outcomes; \ncombining the certification and accreditation for testing with \nthe regular test process. Typically we treat them separately, \nand they are not concurrent; they are sequential. So we are \nlooking to take that timeline significantly down.\n    Taking a much more portfolio-management approach to \noverseeing these IT investments so that we are not just looking \nat one system at a time. We are looking at how does this one \nparticular system fit within the broad portfolio within which \nit will be deployed, but also what other systems do we have \nthat also utilize that same capability, how many financial \nsystems do we really need. So you can look at it from a \nfunctional perspective and also within an operating \nenvironment.\n    Requirements I think I mentioned. Every study says that we \ndon\'t baseline the requirements, we don\'t hold them stable. 
So \nwe are ensuring that when we pursue a new IT solution, that the \nrequirements are small enough that you can deliver them more \nrapidly in a 12- to 18-month timeframe. Typically we put all \nthe requirements in one big bucket, and it is 5 years before we \nhit our initial operational capability. So in order to make \nthose timeframes smaller, we need to parse the requirements \nsuch that we are delivering incremental capabilities.\n    Contracting is also an area that we are extremely focused \non. I don\'t think there is anything within a FAR, Federal \nAcquisition Regulation, rewrite that we need. I think we need \nto be more creative about how do we utilize the contracting \naspects, authorities that we currently have. But we need to \ncontract differently than we currently do today. On the one \nhand, some programs will be a firm fixed price, but if you \ndon\'t have your requirements nailed and definitized enough, \nfixed price is not the right way to go. But then time and \nmaterials does not seem like the most accountable way to also \npursue an IT solution. So it is coming up with the balance, \nwhen should you use those types of contracting, and \nunderstanding that not one size fits all.\n    And then the other very key is the IT acquisition \nworkforce. The Defense Acquisition University has a program \nmanagement course down there. It is terrific, and I happen to \nbe a graduate. But they don\'t teach IT the way we procure IT \ntoday. These enterprise resource planning program systems \ncapabilities didn\'t exist previously. And so it is really \nputting a very fine point on our acquisition workforce to say, \nhey, IT today is very different from source lines of code and \nfunction point counts that we used to do. We are actually \nbuying a lot more commercial-off-the-shelf capability and \nensuring that we have got the right credentials for those \nfolks.\n    We are taking very much a piloting approach. 
In my written \ntestimony I highlighted an Air Force financial system called \nDEAMS, the Defense Enterprise Accounting Management System. We \ndid utilize some of these different approaches to move their \nimplementation significantly forward. Both Army and Air Force \nhave their integrated personnel and pay systems. We are looking \nat establishing their acquisition strategy aligned with the \nmore streamlined capabilities. The same with the Joint Space \nOperation Center mission system and the Navy\'s intelligence, \nsurveillance and reconnaissance capability.\n    So we expect through the use of pilots we will learn more \nto ensure before we institute our final policy we have actually \ntried it out a little bit to see where we need to course \ncorrect, and so we get some fact-based feedback to ensure that \nwe have policies that are in line with where we want to go.\n    Mr. Thornberry. Ms. Takai, it seems to me that, having \nheard all of that, it just seems very difficult for the \nDepartment to keep up with the change in technology, the way \ntechnology changes and with all that has to go on before a \npurchasing decision is made. So does that mean we are always \ngoing to be behind?\n    Ms. Takai. Well, it doesn\'t always mean we are going to be \nbehind. There is a qualified answer to that, if I could add to \nwhat Ms. McGrath was talking about. And let me add to that, in \naddition to the many process changes that we have been working \nwith her team on, we also believe that the efforts around \nstreamlining and standardizing the technology we use are a \ncritical part of being able to get innovative technologies in \nmore quickly.\n    Right now what we do is we reinvent, in many cases, the \nsame technology platforms over and over again because we bring \nthem in in separate instances for separate projects. 
And so \njust as an example, you know, as we have been working together \nfrom the standpoint of business systems, if we can get \nstandardized platforms, then it really does give Ms. McGrath an \nopportunity to build on those standard platforms and not have \nto worry about the technology coming in the door, but to be \nable to spend the money and the resources on understanding what \nbusiness processes have to ride on it.\n    The second piece of that, though, is that if we can \nstandardize and improve the security of our backbone, we can \nthen look at more innovative technologies and not have to \ninvent them all the way from the data center, the server, the \nnetwork out, but rather look at how those innovative \ntechnologies can hook into our standard infrastructure. It \ngives us more flexibility in looking at those kinds of \ncapabilities.\n    Having said that, as we build that out, we will need to, as \nMs. McGrath mentions, look at shorter timeframes for bringing \nthese technologies in. We will need to look at our testing and \naccreditation processes, because that is one of the inhibitors \nthat we are aware of today in terms of retesting platforms for \nevery upgrade as opposed to recognizing that there are standard \nplatforms and there is not the need to test.\n    So some of those things are the things that we are looking \nat from an information assurance perspective in terms of the \npolicies that we put out as well as the accreditation and the \ntesting that we do at DISA to, again, allow for bringing new \ntechnologies in, but at the same token making sure that when we \ndo, we aren\'t increasing our risk from a security perspective.\n    Mr. Thornberry. And I guess related to that, what are your \nconcerns about supply chain? You know, in general in \ncybersecurity we hear more and more concern about so many \npieces of hardware and software that are not made here, and \ncertainly many components are not made here. But as you and Mr. 
\nWest were talking, you know, we have got soldiers out in the \nfield that are taking whatever they have got out of their \npocket to do their job or to communicate back home. That has \ngot to create all sorts of challenges for you in looking at the \noverall enterprise.\n    Ms. Takai. We totally agree with you, and there are really \ntwo answers to the question you are asking about supply chain. \nOne of them is just an awareness of the issue that you have \nmentioned. And we have two programs that we are working with \nNSA [the National Security Agency] and also with our policy \noffice. One of them is to actually look at the ground rules \naround the way that we bring technology in and the, if you \nwill, background information that we gather on the companies \nthat we purchase from. So that is a key part of what we do. \nAnd, of course, in that, we are aided by information that we \nget through our intelligence sources as well about those \nparticular companies.\n    The second thing from a supply-chain perspective is to work \nwith our defense industrial base. And we have any number of \nprograms that Deputy Secretary Lynn has been really \nspearheading around how to work and share information \neffectively with our defense industrial base, because, again, \nthe supply chain problem isn\'t really just an issue of DOD. It \nreally involves our key partners.\n    But the other piece of that is to recognize that as we move \nforward, and as there is obviously a globalization and a \ndispersion of where the information--or rather the components \nfrom a hardware and software standpoint come from, it is really \nto look at cybersecurity in that light, which is why we are \nfocused not only on protecting at the perimeter, which has been \na focus, I think, for everyone in terms of trying to prevent \nintrusions, to prevent invasions in your network. 
And now what \nwe are recognizing is that while that is still a deterrent, it \nis not a complete answer from a security perspective. And so we \nhave to look more at the way that we are classifying our \ninformation, the way we are linking that to the identities of \nthe individuals that can access it. So, again, we have a second \nlevel of defense actually at the information level, and that we \nare acknowledging that we will have some of these kinds of \nintrusions inside our network, and we are prepared to handle \nthem.\n    Mr. Thornberry. Mr. Langevin.\n    Mr. Langevin. Thank you, Mr. Chairman.\n    One last here that I wanted to talk about is the depth of \nDOD\'s bench in IT career fields. Secretary Gates\' IT \ninitiative--I realized individuals assume that the new IT \npositions after efficiency implementation would require greater \ntechnical expertise and experience to efficiently maintain the \nDepartment\'s IT needs across all of the military branches. In \nthe fiscal year 2009 NDAA, the committee directed DOD to look \nat the feasibility of identifying and retraining, for example, \nwounded servicemembers in information technology and other \nfields.\n    So my question is considering the challenges recruiting a \ncompetent IT workforce, have you leveraged any of those \nprograms to help build your workforce there, and is there more \nthat this committee can do to retain the skills and expertise \nof these wounded warriors to help meet our needs for a trained \nIT workforce?\n    Ms. Takai. Well, we have been moving forward in terms of \nlooking at those individuals that are returning from theater, \nand particularly the wounded warriors programs, around the \ncapability and making sure we have technology skills. But going \nforward we will continue to be vigilant and need to be vigilant \non this. 
And while it involves, I think, as you mentioned, \nbeing sure that we are retaining and training our workforce, it \nalso is a focus for all of us in terms of making sure that we \nhave enough professionals coming up that are educated in \ncybersecurity and certainly educated in the sciences and the \nmaths.\n    So some of the things that we are doing in that regard is \nto participate in and encourage many of the cybersecurity \nprograms that are focused on our high school students as well \nas our university students, to get them interested at a very \nearly age in a career in the science and maths, and \nparticularly moving into cybersecurity. That is something that \nmy office is very heavily engaged in, something that the policy \noffice is very much engaged in. So it is going to be a \ncombination of retaining the workforce we have, being able to \ngrow it, but also making sure that we have an influx of \nindividuals that have those skills.\n    Mr. Langevin. Let us not at all forget about our wounded \nwarriors and see how they might be incorporated into these job \nopportunities. I think that would be important.\n    I am also glad to hear that you have a focus on bringing up \nthe next generation, whether it is focusing on high school or \ncollege. I actually started working with the SANS Institute. \nWe created the cybersecurity challenge at the high school \nlevel. My home State was one of three of the pilot States that \noriginally tested the program through high schools in our \nState, and now we have kicked it off statewide. And it is \namazing how talented these young people are. And the cyber \nchallenge sets up the different hurdles that they have to kind \nof work through and test their skills, and hopefully get some \non the career path, thinking about a career path in \ncybersecurity.\n    Ms. Takai. Yes, sir. 
And I just came, I think, as you may \nknow, from the position of the CIO in California, and we were \nvery much able to take advantage of that cybersecurity \nchallenge program. And, in fact, I think we were the first to \ninstitute the high school version of that program, in order to \nbe able to bring young people in and get them interested.\n    Mr. Langevin. Very good. If I could, just going back to \nCongressman Thornberry\'s line of questioning. You talked about \nthe supply chain. And I actually had Secretary Lynn in my \noffice yesterday, and we were actually talking about the supply \nchain industry. We were also talking about working with the \ndefense industrial base and how do we best work with them on a \nvoluntary basis to better secure their own networks.\n    And I was curious, when you say you look at companies you \nare doing business with, and you look at from the supply chain \nperspective, how far back do you drill down with each of those \ncompanies? The problem is not just the company that you are \ndoing business with, but it is who they are doing business with \nand who they are doing business with. Since the supply chain \ncan cover a range of problems, you know, it is not just the \ninitial companies, but where are they getting the products from \nas well. So I guess how deep does that go?\n    Ms. Takai. The initial pilot that we did did not really--\nand I am sure that Secretary Lynn mentioned to you--we were \nable to go down deep in some companies. But when we really \nlooked at the level of resource that was needed to actually be \nable to do all of that research, we recognized that we will be \nable to do a certain amount through research, but in many ways \nit is not going to be the full answer to looking at how we do \nsupply chain.\n    And that is really why we are taking now a step back from \nthat. 
We know we have to do a certain level of that, but it is \nalso going to be we are not going to be able to do all of the \nresearch; we are going to have to engage with our partners.\n    And then, lastly, we are going to have to have other ways \nof looking at how to defend. Because I think your point is very \nwell taken. You really can\'t have enough resource to be able to \ngo down to every last component, and so you have to look at the \nmajor components, but yet that doesn\'t give you the complete \npicture. So that is why we are looking at not only being able \nto do that kind of research, but also recognizing that when we \nhave threats inside our network, we are going to have to be \nable to mitigate them.\n    Mr. Langevin. Fair enough.\n    And the last area of questions I want to get into, \nsomething in addition to and very much tangential to \ncybersecurity is the security of our military bases and \ncritical infrastructure that supports our military bases. As \nyou know, much of our critical infrastructure is owned and \noperated by the private sector. I am becoming increasingly \nconcerned about Supervisory Control and Data Acquisition \nattacks in particular on critical infrastructure, particularly \nthe electric grid. Our military bases around the country so \nmuch rely on these outside power grids for their own power, and \nI have been involved with reviewing how secure those bases are.\n    I have the chiefs of the services before us, and I have \nasked what their level of knowledge is on this, and it is \ntroubling to them certainly as well. Our bases are not \nindependent of the power grid. So I know this is a bit outside \nyour area in particular, but it does relate to IT and cyber.\n    So in your work, do you have anything to add, any awareness \nthat you have, on what we are doing to better secure our \nmilitary bases in the event that something happens to critical \ninfrastructure off the base and how they would be affected?\n    Ms. 
Takai. Well, let me add to the discussions. I know you \nhave talked with Deputy Secretary Lynn about this. One of the \nthings that he has been spearheading is to work very closely \nwith the Department of Homeland Security for exactly that \nreason, because while clearly it is the Department of Homeland \nSecurity\'s responsibility to look at critical infrastructure as \nit relates to certainly the U.S., at the same token it does \naffect our military operations in those cases. And so what we \nare doing is to really work collaboratively with them around \ntaking a look at those threats, being able to share \ninformation.\n    I think, as you know, there has been a close working \nrelationship between Secretary Gates and Secretary Napolitano \naround the sharing of that information. And one of the things \nthat we will be moving forward on as part of what Secretary \nLynn calls our enduring security framework is now to move more \ninto review of critical infrastructure protection, including \nnot only our power grid, but also taking a look at some \nemerging areas, particularly, for instance, with nuclear power.\n    Mr. Langevin. Very good.\n    Thank you, Mr. Chairman. I yield back.\n    Mr. Thornberry. Thank you.\n    Mr. Johnson.\n    Mr. Johnson. Thank you, Mr. Chairman, for holding this \nhearing.\n    Secretary Takai, three intelligence contractors named \nHBGary Federal, Palantir Technologies and Berico Technologies \nhave a proposal under the name Project or Team Themis. Are you \nfamiliar with this proposal that has been purportedly made by \nthose three firms, all of which are defense contractors? Are \nyou aware of that proposal that was leaked from the HBGary \nFederal e-mails which would offer the counterterrorism and \nintelligence techniques to prospective private parties, i.e., \nBank of America, U.S. Chamber of Commerce, for use against \ncritics of those firms? Are you familiar with that situation?\n    Ms. Takai. 
No, sir, I am not familiar with that specific \nproposal. So, you know, we are happy to take that for the \nrecord and gather that information and be able to get back to \nyou on it.\n    Mr. Johnson. Well, now it has been about 2 weeks I \nrequested that information. Do you know what has happened to \nthat request and whether or not it is being complied with, or \nthere is an intent to comply with it?\n    Ms. Takai. No, sir. I don\'t have that information. I \nwouldn\'t want to give you something that was incorrect. I will \nmake sure that my office takes a look at it, and that we get \nright back to you on it.\n    Mr. Johnson. Now, it is my understanding that the firm \nHBGary Federal had developed malicious software that allows \nusers to monitor the networks and computers used by third \nparties. Is that the kind of capability that they have provided \nto the Department of Defense?\n    Ms. Takai. Again, sir, I am not familiar with that company. \nSo, again, my staff will definitely get that information and \nmake sure that we get right back to you.\n    Mr. Johnson. If there is a misuse of properties of the \nFederal Government paid for by citizens of the United States \nthrough their tax dollars, i.e., tools to disrupt foreign \nintelligence, foreign terrorism, and if that technology is used \non Americans, would that be a breach of the contract between \nDOD and any particular contractor? Are there provisions in the \ncontracts that prohibit such use?\n    Ms. Takai. Again, I would need to go back and take a look \nat that specific instance and get that information back to you.\n    Mr. Johnson. You do agree that that is a problem, that we \nshould not use taxpayer-funded techniques on taxpayers who may \ndisagree with a private domestic business entity?\n    Ms. Takai. Well, we at DOD are concerned with any breach to \nour networks or any risk to the security of our information, \nand we take that very seriously. 
It is a major part of the way \nthat we construct our technology. And so any breach of that \ntype is of paramount concern to us.\n    Mr. Johnson. Well, if the same technology used by the \nDepartment of Defense to protect its own internal security, \ncybersecurity issues, if that technology were used to do the \nreverse to a private citizen of America, that would not be a \nproper use of DOD techniques, would it?\n    Ms. Takai. Well, again, any breach, and any malicious \nsoftware or hardware, or any breach to DOD information----\n    Mr. Johnson. Well, no, I am not talking about DOD \ninformation; I am talking about DOD information being used \nagainst American citizens for the use of private entities.\n    Ms. Takai. Again, I am not familiar with any particular \ninstances of that. Certainly if there are areas that we can \nresearch and take a look at, then we would be very happy to do \nthat and get back to you.\n    Mr. Johnson. Well, again, I would like to request copies of \nany and all contracts between the Department of Defense and the \nthree subcontractors or the three contractors that I mentioned, \nHBGary Federal, Palantir Technologies, and Berico Technologies. \nWould you be able to provide me with that information, and also \nthe chairman of the committee?\n    Ms. Takai. I don\'t have that information directly myself, \nbut certainly again I will have staff research that, and we \nwill get back to you with an answer to that question.\n    Mr. Johnson. Well, I think it is a very important issue \nthat I am not planning on sweeping under the rug. I want to at \nleast get those contracts and analyze them to determine whether \nor not they have been used or they have been breached. So I \nneed that information.\n    Ms. Takai. Yes, sir. Again, we will have my staff research \nit, and we will get back to you with an answer.\n    Mr. Johnson. Thank you.\n    Anything you can add, Ms. McGrath?\n    Ms. McGrath. No. 
I do not have my own self familiarity with \nthe proposal nor those three companies. Certainly the contracts \nare written in accordance with the Federal Acquisition \nRegulations, and we would have to look at the scope and \nconditions of each one of those to make sure that there is not \na breach of contract. But I do not see an issue with complying \nwith your request to have copies of those contracts, and I will \nensure that Ms. Takai has all the support she needs to get \nthose.\n    Mr. Johnson. Well, Ms. Takai, I tell you, while I was \nasking you some questions, out of the corner of my eye, I saw \nsomebody come up and give you a note, and that always kind of \narouses my curiosity. I won\'t ask you what is in it, but I am \nconcerned about this case and the way it is being swept under \nthe rug.\n    Thank you, Mr. Chairman.\n    Mr. Thornberry. Mr. Conaway.\n    Mr. Conaway. Recognized for 7, 8 minutes? Excuse me.\n    Ms. McGrath, thank you.\n    Ms. Takai, thank you for being here.\n    You talked to us about the impact that the--I am blanking \non the name--the $100 million reprogramming exercise that DOD \nwent through to try to find $100 million in monies that they \nwould put other places within the system itself, what impact \nthat had on the efforts to get the Department of Defense\'s \nfinancial statements audited. Did it hurt, helped?\n    Ms. McGrath. To be clear, the $100 billion efficiency \ninitiative. I think we all wish it was $100 million and not \n$100 billion.\n    The Department, as certainly the members of this committee \nare well aware, took an initiative with Secretary Gates leading \nto look for efficiencies in all aspects of not only the way we \ndo business, but what we are procuring, how we are procuring \nit, how we are organized; you know, are we positioned to be the \nmost efficient and effective organization that we can be, and \nto look for opportunities to identify efficiencies.\n    Mr. Conaway. 
But how did it--help or hurt?\n    Ms. McGrath. So I think that some of the lasting impacts of \nthe efficiency initiative we won\'t know until we are actually \nrealizing some of those efficiencies. We have identified the \nopportunities for those efficiencies. I can talk----\n    Mr. Conaway. Well, let me ask the question this way. Do you \nhave the accounting systems, internal control systems, and \nmanagement systems in place to actually track that $100 billion \nand know that it went from one spot to the other?\n    Ms. McGrath. So we have the mechanism in place, will be led \nby Secretary Lynn, with Mr. Hale, our comptroller, and myself \nlooking at--and with the Under Secretaries of the military \ndepartments leading the data collection, if you will, for their \norganizations, along with their CFOs [Chief Financial \nOfficers], to ensure that we understand the--I will say how \nclose we got to the efficiencies that we identified.\n    So from a systems perspective, I want to be clear, I think \nwe have the governing structure in place to ensure that we can \naccurately identify the efficiencies.\n    Mr. Conaway. Then why can\'t we audit that governance \nstructure?\n    Ms. McGrath. Some of the data collection that we will \nutilize will not be 100 percent systems-based. It will require \na combination of both manual and IT, if you will, to enable the \ndata collection. And I think that you are aware that from an \nauditability perspective, if you put people on a problem or an \ninitiative like auditability, you don\'t have a sustained \nprocess. And the path the Department is pursuing for \nauditability is one of sustainment.\n    Mr. Conaway. I can\'t put words in your mouth. I am doing a \npretty poor job of it. If you had better systems in place, \nwould there be less manhours required to manually track the \n$100 billion? 
Because if you are using manhours to put together \none-time schedules that track that big nut, that is the least \nefficient way to do it. You get it done, and perhaps the \nnumbers would be good. But if you had better systems that spoke \nas you talk, end to end and across the systems and all those \nbuzzwords that MBA [Masters of Business Administration] guys \nwho write these papers use currently, that current lexicon, \nwould it be easier to do that? Would it be easier to do the $78 \nbillion in cuts in terms of trying to find those?\n    Ms. McGrath. Yes.\n    Mr. Conaway. Thank you. I appreciate that.\n    Because much of this auditability does rely around the \npurchase of systems, and we have had these age-old issues of \none branch likes one general ledger package, and another branch \nlikes a different one, can you talk to us about progress that \nyou are making in helping, you know, one common HR [human \nresource] system, one common fixed-asset handling system, those \nkinds of things, in order to gain efficiencies, and to do it \nthe way an enterprise would do it versus stand-alone \nsubsidiaries, as an example of the business?\n    Ms. McGrath. So the Defense Department, being as large and \ncomplex as it is, we have multiple systems that establish \ntransactions to then feed into the broader general ledger \nsystem. We are pursuing, I will say, five main financial \nsystems, one for each of the services and then the defense \nagency-wide initiative. We are also taking a standards-based \napproach to ensure that we have commonality of data, the \nstandard financial information structure, so that we can \naggregate the information at the end of the day.\n    It is not just those financial systems, as you mentioned. 
\nIt is the logistics systems, it is the personnel systems, and \nagain ensuring that they have the financial standards in them \nso that when we feed from a transactional level up to the \nfinancial, then we can aggregate the information.\n    Mr. Conaway. If the chair will indulge me. You have got to \nhave some system to track progress against that. We need to \nhave oversight on the success of what you are doing. We are not \ngoing to do what you have to do, we are just simply asking you \nto do it. And so perhaps off-line conversations about how you \nsatisfy yourself as the person responsible, or one of the folks \nresponsible, for making this happen, that you are on task, on \ntime to make that 2017 deadline, which I think we all want to, \nwhich is systems in place that are sustainable and, oh, by the \nway, auditable and audited.\n    Thank you, Mr. Chairman. I yield back.\n    Mr. Thornberry. Thank you.\n    Ms. Takai, in answering some of Mr. Langevin\'s questions a \nfew minutes ago about some of the tools you are putting in \nplace to prevent WikiLeaks-like things, one of the things you \nmentioned was a new tool to detect anomalies. Surely there is \ncommercial products very suited to that. I mean, every time you \ngo overseas and use your Visa card, they call, for example.\n    Ms. Takai. Yes, sir. The tool that we are looking at is a \ncommercial product. And what we are doing is testing the \nintegration of that product with our Host-Based Security System \nto ensure that, again, we have that integration.\n    The second thing with any commercial tool is that we have \nto do a level of testing, because the volume and the size of \nour implementations are generally larger than what any of the \ntools are doing in the commercial space. So we always take a \nlook and make sure that we have scalability in those tools. But \nin this particular case, that tool is a commercial-off-the-\nshelf product, yes.\n    Mr. Thornberry. 
You mentioned a few minutes ago as $38 \nbillion, roughly, in the accounts we are looking at; $2.8 \nbillion, I think you said, for information assurance kinds of \nthings. Is that enough?\n    Ms. Takai. Well, we are looking at that. In fact, it is \ninteresting that you would ask that question, because Secretary \nGates actually also asked us that same question as we were \nrelating to him the review of what we are doing from an insider \nthreat mitigation standpoint.\n    Certainly for the calendar year, we believe that that $2.8 \nbillion will successfully allow us to implement the tools that \nI mentioned, as well as helping us to look at some of the \nemerging threats and what we need to do.\n    I think one of the things that is important to know is that \nimproving our security isn\'t totally in just what we spend \nunder the cybersecurity label. The things that we are doing \naround standardization of our infrastructure actually are all, \nif you will, cybersecurity investments, but are not labeled as \nsuch. So to some extent, when we talk about that spending, it \nisn\'t totally representative of everything we are doing.\n    Mr. Thornberry. Fair point. Fair point.\n    I think we have run out of questions for the moment. Thank \nyou both for being here and for answering questions on a wide \nvariety of topics. 
We look forward to continuing to work with \nyou both towards the things you are trying to achieve.\n    With that, the hearing is adjourned.\n    [Whereupon, at 4:12 p.m., the subcommittee was adjourned.]\n\n=======================================================================\n\n                            A P P E N D I X\n\n                             April 6, 2011\n\n=======================================================================\n\n              PREPARED STATEMENTS SUBMITTED FOR THE RECORD\n\n                             April 6, 2011\n\n=======================================================================\n\n    [GRAPHIC] [TIFF OMITTED] T5810.001 through T5810.022\n\n                                  <all>\n</pre></body></html>\n'