[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]






                                     

                         [H.A.S.C. No. 112-39]

 
                        IMPROVING MANAGEMENT AND
                       ACQUISITION OF INFORMATION
                       TECHNOLOGY SYSTEMS IN THE
                         DEPARTMENT OF DEFENSE

                               __________

                                HEARING

                               BEFORE THE

           SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES
                                 OF THE

                      COMMITTEE ON ARMED SERVICES

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION

                               __________

                              HEARING HELD

                             APRIL 6, 2011


                                     

                                     

                  U.S. GOVERNMENT PRINTING OFFICE
65-810                    WASHINGTON : 2011


           SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES

                    MAC THORNBERRY, Texas, Chairman
JEFF MILLER, Florida                 JAMES R. LANGEVIN, Rhode Island
JOHN KLINE, Minnesota                LORETTA SANCHEZ, California
BILL SHUSTER, Pennsylvania           ROBERT ANDREWS, New Jersey
K. MICHAEL CONAWAY, Texas            SUSAN A. DAVIS, California
CHRIS GIBSON, New York               TIM RYAN, Ohio
BOBBY SCHILLING, Illinois            C.A. DUTCH RUPPERSBERGER, Maryland
ALLEN B. WEST, Florida               HANK JOHNSON, Georgia
TRENT FRANKS, Arizona                KATHY CASTOR, Florida
DUNCAN HUNTER, California
                 Kevin Gates, Professional Staff Member
                 Mark Lewis, Professional Staff Member
                      Jeff Cullen, Staff Assistant


                            C O N T E N T S

                              ----------                              

                     CHRONOLOGICAL LIST OF HEARINGS
                                  2011

                                                                   Page

Hearing:

Wednesday, April 6, 2011, Improving Management and Acquisition of 
  Information Technology Systems in the Department of Defense....     1

Appendix:

Wednesday, April 6, 2011.........................................    27
                              ----------                              

                        WEDNESDAY, APRIL 6, 2011
IMPROVING MANAGEMENT AND ACQUISITION OF INFORMATION TECHNOLOGY SYSTEMS 
                      IN THE DEPARTMENT OF DEFENSE
              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS

Langevin, Hon. James R., a Representative from Rhode Island, 
  Ranking Member, Subcommittee on Emerging Threats and 
  Capabilities...................................................     1
Thornberry, Hon. Mac, a Representative from Texas, Chairman, 
  Subcommittee on Emerging Threats and Capabilities..............     1

                               WITNESSES

McGrath, Hon. Elizabeth A., Deputy Chief Management Officer, U.S. 
  Department of Defense..........................................     3
Takai, Hon. Teresa M., Acting Assistant Secretary of Defense for 
  Networks and Information Integration, and Chief Information 
  Officer, U.S. Department of Defense............................     4

                                APPENDIX

Prepared Statements:

    Langevin, Hon. James R.......................................    31
    McGrath, Hon. Elizabeth A....................................    32
    Takai, Hon. Teresa M.........................................    44

Documents Submitted for the Record:

    [There were no Documents submitted.]

Witness Responses to Questions Asked During the Hearing:

    [There were no Questions submitted during the hearing.]

Questions Submitted by Members Post Hearing:

    [There were no Questions submitted post hearing.]
IMPROVING MANAGEMENT AND ACQUISITION OF INFORMATION TECHNOLOGY SYSTEMS 
                      IN THE DEPARTMENT OF DEFENSE

                              ----------                              

                  House of Representatives,
                       Committee on Armed Services,
         Subcommittee on Emerging Threats and Capabilities,
                          Washington, DC, Wednesday, April 6, 2011.
    The subcommittee met, pursuant to call, at 2:46 p.m., in 
room 2212, Rayburn House Office Building, Hon. Mac Thornberry 
(chairman of the subcommittee) presiding.

OPENING STATEMENT OF HON. MAC THORNBERRY, A REPRESENTATIVE FROM 
     TEXAS, CHAIRMAN, SUBCOMMITTEE ON EMERGING THREATS AND 
                          CAPABILITIES

    Mr. Thornberry. The hearing will come to order. And we 
thank you all for your patience as we had some votes that have 
just concluded.
    The subcommittee meets today to receive testimony on the 
impact of recent initiatives that affect the capability of the 
Department of Defense to acquire and manage information 
technology systems. The advent of the information revolution 
has not only changed how we as a Nation do business, but it has 
significantly impacted how we provide for the common defense.
    Information technology includes everything from hardware 
and software, to data standards, to commonly agreed-upon 
architectural frameworks, and has completely permeated the 
national security enterprise, at least the information 
technology portion of the budget that has been submitted by the 
President. It is approximately $38 1/2 billion, so a not 
inconsiderable sum of money. Obviously we are interested in how 
that money is spent, whether it is spent efficiently. Most 
importantly to me is whether it enables the warfighter to do 
what we ask them to do.
    But as you all know, this subcommittee is also particularly 
interested in the security of our systems this year and 
cybersecurity for the Nation. So we are interested in what we 
are buying and how secure it is. So we appreciate our witnesses 
and the ability to discuss this topic today.
    And I would yield to the ranking member, the gentleman from 
Rhode Island, for any comments he would like to make.

  STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE FROM 
RHODE ISLAND, RANKING MEMBER, SUBCOMMITTEE ON EMERGING THREATS 
                        AND CAPABILITIES

    Mr. Langevin. Thank you, Mr. Chairman.
    I would also like to welcome our witnesses here today. It 
is good to have the Honorable Elizabeth McGrath and the 
Honorable Teresa Takai here, and I look forward to their 
testimony.
    The issue of information technology is critically important 
to the Department of Defense, and I want to thank Chairman 
Thornberry for calling this hearing. IT [information 
technology] is a crucial factor in every aspect of the 
Department's activities. From the routine e-mail to the flight 
controls of the most sophisticated fighter jets in the world, the 
Department depends on the smooth functioning of a myriad of IT 
systems. As the information age matures, we find that IT 
systems have expanded both in complexity and pervasiveness. As 
a result, today they represent one of the largest investments 
for the Department, and it presents a significant potential 
vulnerability if they should fail or be attacked.
    The business complexities are only made worse by the 
evolving cyberthreats that have begun to challenge the 
integrity of our current systems. Therefore, it is important 
for the Department to be properly organized and pursue IT 
acquisition, implementation, modernization and performance 
evaluation. Oversight is required for the full spectrum of 
activities, but bureaucratic redundancy creates confusion and 
complexity.
    Now, the DOD [Department of Defense] IT enterprise must be 
as streamlined and efficient as possible. I understand that as 
part of the Secretary of Defense's efficiency initiative, we 
will see some changes in how the Department manages IT and 
perhaps some cost savings along with it. Now, this is welcome 
news, provided it achieves the desired effect without reducing 
capability or injecting unnecessary risk into the process.
    We must also be vigilant that as we move forward, the 
security of our systems is at the forefront of our efforts. Our 
acquisition systems furthermore are barely suitable to large-
scale weapons projects requirements for IT systems that evolve 
rapidly, and the systems need more flexibility if it is to 
manage proper acquisitions of these systems.
    As Mr. Thornberry mentioned previously, last year's 2010 
National Defense Authorization directed the DOD to develop and 
implement a new acquisition process for IT, and I certainly 
look forward to hearing more about how that process is 
proceeding today.
    With that, I yield back and look forward to our witnesses' 
testimony.
    [The prepared statement of Mr. Langevin can be found in the 
Appendix on page 31.]
    Mr. Thornberry. I thank the gentleman.
    It would be no surprise to you all that there are a number 
of meetings going on now, including a Republican conference on 
the funding situation with the government, so we may have 
Members coming in and out at strange times. But I appreciate 
your patience with that.
    The witnesses today, as the gentleman mentioned, are the 
Honorable Teresa Takai, Acting Assistant Secretary of Defense 
for Networks and Information Integration and the Department of 
Defense Chief Information Officer; and the Honorable Elizabeth 
McGrath, Deputy Chief Management Officer of the Department of 
Defense.
    Without objection, your full written statements will be 
made part of the record, and you are both certainly welcome to 
summarize them in any way that you see fit now. Thanks for 
being here.

STATEMENT OF HON. ELIZABETH A. MCGRATH, DEPUTY CHIEF MANAGEMENT 
              OFFICER, U.S. DEPARTMENT OF DEFENSE

    Ms. McGrath. Good afternoon, Mr. Chairman, Congressman 
Langevin. Thank you for the opportunity to discuss the Defense 
Department's efforts to improve its business operations, and 
specifically its acquisition and management of business 
information technology systems.
    As the DOD Deputy Chief Management Officer, I am 
responsible for instituting a framework to define clear 
business goals, develop meaningful performance measures and 
align activities through established and repeatable processes. 
The purpose of DOD's overarching management agenda is the 
establishment of an effective, agile and innovative business 
environment that is fiscally responsible.
    The Department has taken decisive action to improve its 
business processes, has identified areas where further work is 
required, and has several achievements to bring to your 
attention. My written statement addresses these in detail. I 
will briefly touch on some of these topics, as I am eager to 
discuss with you the areas that interest you most.
    I would like to highlight our IT acquisition reform 
efforts, other business IT initiatives, and successful cross-
agency management efforts in which my office plays a key role.
    Fundamentally, the Department's business IT systems are 
essential enablers of a broader set of integrated business 
operations rather than an end to themselves. We have identified 
15 essential what we call end-to-end processes, such as Hire-
to-Retire and Procure-to-Pay. Our Business Enterprise 
Architecture and senior governance bodies, including the 
Investment Review Boards and the Defense Business Systems 
Management Committee, both given to us by Congress, are better 
aligned to manage within the end-to-end construct to identify 
data standards, performance measures and policies necessary to 
improve our business and make more informed enterprisewide 
decisions.
    End-to-end focus and strong governance are joined by a new 
approach to acquiring information capabilities. There has been 
no shortage of studies and reports, including one by this 
committee last year, that concluded the Defense Department's 
current method for acquiring IT systems must change. Steps are 
being taken to address these issues.
    Section 804 of the Fiscal Year 2010 National Defense 
Authorization Act required us to develop and implement a new IT 
acquisition process with its focus on the Department's IT 
Acquisition Task Force, which I chair. The guiding principles 
adopted by the task force incorporate recommendations from the 
Defense Science Board report, including deliver early and 
often, with delivery capability in 12 to 18 months; incremental 
and iterative development and testing; rationalized 
requirements; tailored and flexible processes; and finally, a 
knowledgeable and experienced information technology workforce.
    I welcome the chance to elaborate here on how the task 
force is addressing these areas. We expect to promulgate these 
in a policy later this year, such as establishing metrics to 
assess overall health of a program, combining certification and 
accreditation with traditional tests and evaluation activities, 
and assessing contracting strategies that enable a more modular 
delivery of capabilities. Our pilot-based approach to validate 
this new policy will allow us to modify as necessary based on 
lessons learned before the final issuance. We are currently 
testing these changes to ensure they are working.
    The Under Secretary of Defense for Acquisition, Technology 
and Logistics signed out new acquisition policy for defense 
business systems called the Business Capability Lifecycle, or 
BCL, which provides a streamlined framework for development, 
testing, production, deployment and support of defense IT 
business systems. The principal focus of Business Capability 
Lifecycle is program implementation.
    In my written testimony, I have an example of an Air Force 
program that was originally on a path to deliver capability 
many years out. Using an innovative streamlined approach, we 
were able to move that deployment 2 years earlier.
    I also welcome the chance to describe for you our cross-
agency efforts in modernizing health information technology and 
security clearance processing. In particular, the Government 
Accountability Office's removal of the DOD Personnel Security 
Clearance Program from its high-risk list is a significant 
first for the Department and owes its success to our commitment 
to this results-oriented, end-to-end approach.
    In closing, we are committed to improving management and 
acquisition of IT systems, as well as our overall business 
operations. These issues received significant management 
attention and are a key part of our overarching strategy to 
build better business processes that will create lasting 
results for the men and women in uniform.
    I look forward to continuing our work with this committee 
in the months and years ahead as we work toward greater 
efficiency and effectiveness and furthering the agility in the 
business space of the Department, certainly enabled by modern, 
interoperable IT capabilities. I look forward to your 
questions. Thank you.
    [The prepared statement of Ms. McGrath can be found in the 
Appendix on page 32.]
    Mr. Thornberry. Thank you.
    Ms. Takai.

 STATEMENT OF HON. TERESA M. TAKAI, ACTING ASSISTANT SECRETARY 
OF DEFENSE FOR NETWORKS AND INFORMATION INTEGRATION, AND CHIEF 
        INFORMATION OFFICER, U.S. DEPARTMENT OF DEFENSE

    Ms. Takai. Good afternoon. Good afternoon, Mr. Chairman and 
Congressman Langevin. Thank you very much for the opportunity 
to testify today on the importance of information technology to 
the transformation of the Department of Defense. My testimony 
today will focus on how the DOD is leveraging information 
technology to securely deliver mission-critical information 
capabilities to the men and women of the Department of Defense 
and our mission partners.
    The Department's fiscal year 2012 IT budget request, as you 
mentioned, of 38.4 billion, includes funding for everything 
from our desktop computers, tactical radios, identity 
management technology, commercial satellite communications, and 
the large information technology projects, some of which Ms. 
McGrath spoke of. These investments support mission-critical 
operations that must be delivered in an environment of ever-
changing requirements and ever-increasing demand.
    Where in the past the Department sought to balance the need 
to know with the need to share, today the warfighter expects to 
have and needs to have the latest information in order to 
complete the mission. That coupled with the increasing use of 
social media, smart phones and tablet computers has made 
information-sharing an expectation, and this requires new 
capability, particularly at the edge or in our tactical 
environments that have limited availability of persistent and 
broad-range network capabilities.
    Our challenge today is ensuring our networks can securely 
support the information demands of our users, who require that 
information anywhere and any time across our enterprise. To 
meet this challenge, our networks must be designed and 
optimized to more effectively and efficiently support these 
mission operations while ensuring security.
    DOD networks are under constant attack from cybersecurity 
threats launched from the Internet or from malicious software 
embedded in e-mail attachments, removable media, or even 
embedded in the hardware the Department procures. Every device 
connected to the network is susceptible to cyber 
vulnerabilities. While working to efficiently respond to the 
information demands of our users, we must be ever-vigilant in 
protecting our information environment.
    Just over $2.8 billion of the Department's overall budget 
is devoted to information assurance or cybersecurity activities 
that defend our information systems and networks. The 
Department's fiscal year 2012 information assurance budget 
request ensures increased funding to address insider threat and 
cyber vulnerabilities, such as those identified in the 
WikiLeaks incident. Specifically, we have requested funding to 
support the deployment of a Public Key Infrastructure-based 
identity credential on a hardened smart card for use on our 
Secret classified network, a successful technology very similar 
to the Common Access Card we use on our unclassified network. 
We have also identified funds needed to deploy our Host-Based 
Security System to secure our classified systems; to provide an 
automated capability to continually monitor the configuration 
and security of our network; and improve identity management 
across the Department.
    The DOD is planning for the investment and implementation 
of these IT and information-assurance capabilities within 
today's current resource-constrained environment. Recognizing 
this, in August, the Secretary directed a number of initiatives 
to achieve savings in acquisition, sustainment and manpower 
costs, while not degrading our ability to execute our mission. 
Among these is the consolidation of our IT infrastructure while 
simultaneously defending that infrastructure.
    My office is responsible for leading the development of a 
strategy and plan for consolidating the Department's IT 
infrastructure in five broad areas: Our network services, our 
computing services, application and data services, our end-user 
services, and our IT contracts and purchasing. I plan to issue 
the DOD IT Enterprise Infrastructure Optimization Strategy this 
quarter. The plan represents the Department's strategy and 
initial roadmap to achieve the goals of improving our 
effectiveness while heightening our security posture. This plan 
commits us to changing policies, cultural norms and 
organizational processes to provide lasting results. The 
initial focus is on obtaining tangible results in fiscal years 
2011 and 2012 while planning for aggressive consolidation 
through fiscal year 2015. It really positions us to embrace 
emerging technology and provide cutting-edge capability to our 
warfighters.
    The transformation of our IT capabilities described above 
is a very ambitious undertaking, one that will reap tremendous 
benefits to the Department and our Nation when completed. It 
will require agility as well as new processes to both keep 
abreast of technological advances and defend the network.
    My office is working closely with the Office of the Deputy 
Chief Management Officer on efforts to develop a flexible, 
agile acquisition process that also addresses the DOD's 
requirements and budgeting processes.
    As you know, we have also been addressing the development, 
education and continuous training of our workforce. The 
Information Technology Exchange Program pilot reauthorized by 
the fiscal year 2010 National Defense Authorization Act for DOD 
is one mechanism that we are pursuing. Under this collaborative 
effort, we have a pilot which will involve 10 individuals 
exchanging both industry and Department expertise to enhance 
our employees' IT competencies and technical skills, and infuse 
both DOD and the industry with new ideas in this fast-evolving 
discipline. My office is responsible for implementing ITEP [the 
Information Technology Exchange Program], and we have created a 
guide to assist participating DOD components with the 
implementation.
    Maintaining an information advantage for our users is 
critical to our national interest. The efforts outlined in this 
brief will ensure that the Department's information 
capabilities provide better mission effectiveness and security 
and are delivered in a manner that makes the most efficient use 
of our resources.
    I want to thank you for your interest in our efforts, and I 
am happy to answer any questions that you have.
    [The prepared statement of Ms. Takai can be found in the 
Appendix on page 44.]
    Mr. Thornberry. Thank you.
    Let me start out with, I guess, some rather broad kind of 
questions. Ms. McGrath, about 10 years ago, the Defense Science 
Board did a study that found 16 percent of all IT projects 
complete on time and on budget; 31 percent were cancelled 
before completion; 53 percent were late and over budget. Of 
those that were completed, the final product contained only 61 
percent of the originally specified features 10 years ago. How 
much better is it now, do you think?
    Ms. McGrath. From a percentage perspective, I don't think I 
would be able to articulate percentage-wise how much better I 
think it is. I do think that the Department is taking a more 
holistic look at how IT fits into our broader capability needs. 
I would say 10 years ago, we would have a handful of people who 
are interested and focus on how IT worked and enabled in the 
entire environment, and today we are taking a much more 
enterprise perspective.
    I can talk about the many studies and reports that have 
been done in terms of how the acquisition process needs to be 
better to enable a more rapid capability and delivery of the 
information technology. Maintaining a standard, stable baseline 
of requirements, I think, can be found in every single one of 
the studies and reports that have been completed. So a lot of 
the focus of the Department not only on the IT side, but the 
weapon systems side has been to identify and stabilize those 
requirements such that we can meet them in a more--I am going 
to say to chunk the capabilities such that they are delivered 
in a spiral fashion and not try and solve the entire issue at 
the get-go.
    So, you know, percentage-wise, specifically I am not sure 
how to counter those numbers that you articulated, but I can 
say certainly within the last 5 years that there is a lot more 
management attention and focus on the requirement 
stabilization, the spiral implementation so that I do feel that 
we are moving in the right direction.
    Mr. Thornberry. And I want to talk more in a minute about 
some of the acquisition points that you make.
    Somewhat on behalf of one of my colleagues, let me ask you 
this: From time to time, we have asked about the ability of the 
Department of Defense to withstand an audit, and a lot of the 
answers that have come back to me over the years is, well, we 
just don't have the computer systems that can talk to one 
another, you know. So basically the business systems were not 
compatible in order to put all the pieces together. And I 
realize it is not your responsibility to audit the Department, 
but just from the business systems technology part of this, 
where are we now?
    Ms. McGrath. And I would agree, the systems were designed 
very locally and not with a broader auditability target in 
mind, nor with a common architecture framework in mind. So they 
were local solutions to handle local problems to do the sort of 
the math, if you will, accurately.
    Today the environment is very different. With the Business 
Enterprise Architecture standard--financial information of 
standards, a standards-based approach to implementing these 
Enterprise Resource Planning solutions, we have many ERPs 
within the Department that will contribute to the Department's 
ability to achieve financial auditability, and they are a very 
key factor in our success in that pursuit. And we do recognize 
that it is a business goal, a broad business goal, not just an 
IT problem, nor is it just a comptroller problem, but it is a 
shared responsibility across the functional space, meaning, you 
know, logistics, personnel. They all have a part because their 
transactions are where it all starts and then end up in the 
financial system at the end of the day.
    So we are taking, again, a very deliberate, cross-
functional enterprise approach to not only the IT aspect of it, 
but the business process, because it requires change in all of 
those areas.
    Mr. Thornberry. Well, I know there are a number of people 
on the committee as a whole that want to hasten the day when 
that is possible. So I appreciate that.
    Ms. Takai, I guess the first question that leaps out at me 
for you is do you have the authority to do your job? And you 
said, I think, in your testimony, this includes everything from 
radios, to laptops, to the desktop computers. All of those 
spending decisions are made by the services or other entities. 
You are there kind of to help coordinate or strategize or 
guide, but they don't have to listen to you. Do you have the 
power to do your job?
    Ms. Takai. There are a couple of answers to that question. 
So let me phrase it in a couple of different ways.
    Certainly while the budget dollars for the information 
technologies expenditures are in the services, there are any 
number of the processes in the building that actually review 
that spend where my office has a major role. Certainly in the 
requirements process that Ms. McGrath talked about not only 
from a business systems standpoint, from also the standpoint of 
to the point of command-and-control systems for things like 
tactical radios, my office is involved in the review of those 
programs and certainly have the opportunity at that time, based 
on a technical review and based on just an overall project 
review, to weigh in on those projects. So there are those 
processes. There is also, obviously, our investment process 
through the CAPE [Cost Assessment and Program Evaluation] 
organization, where we look early on at our investment 
decisions.
    So while, in fact, we don't control the overall budget, 
there are requirements and investment processes. And then 
ultimately in the acquisition process, we are also a member of 
the groups that actually review the projects going through. So 
we do have opportunities certainly to weigh in.
    The other piece of it is that in our responsibilities, they 
are very definitely to set policy, and in setting that policy, 
we are doing that, as I mentioned in our IT consolidation plan, 
in ways that actually direct the expenditure of the dollars, 
even though it resides within the services.
    Mr. Thornberry. And through these various committees and 
all this stuff that you sit on--let me ask this: How often is 
your organization's judgment overridden, would you guess?
    Ms. Takai. I wouldn't have a good view of that. I am fairly 
recent, as you know. I joined the organization in November, and 
so I don't, you know, actually have very real specifics or 
percentages or anything at this time to be able to give you.
    Mr. Thornberry. On the integration strategy that is coming 
out this quarter, is that going to be classified or 
unclassified?
    Ms. Takai. No. It will be available. And certainly as we 
complete it, it would be something we would very much like to 
share with you.
    Mr. Thornberry. But there will not be a classified version 
of it.
    Ms. Takai. No.
    Mr. Thornberry. Okay. Mr. Langevin.
    Mr. Langevin. Thank you, Mr. Chairman.
    Again, I want to thank you both for your testimony here 
today.
    Secretary Takai, I want to thank you for what you have had 
to say today. I would like to in particular discuss a major 
concern that I have about the Department's information 
technology consolidation. As you are aware, the 
Administration's Chief Information Officer, Vivek Kundra, if I 
pronounced that correctly, instituted a Federal cloud computing 
strategy in February, which mandated that all agencies modify 
their IT portfolios to fully take advantage of the benefits of 
cloud computing in order to maximize capacity, improve 
flexibility and minimize cost.
    While the benefits from cloud computing can certainly be 
great, I believe that the security of cloud architecture isn't 
fully understood, and remain very concerned that organizations 
may ignore security concerns in an effort to rapidly glean the 
vast cost savings available from migrating to the cloud.
    So further, the discussions of specific items such as how 
cloud computing will affect law enforcement, intelligence 
organizations hasn't also been fully analyzed as well in depth. 
Companies that suggest cloud server farms can be adequately 
secured overseas really aren't discussing the complex 
requirements for background checks and foreign servicing 
personnel or our ability to work with foreign governments to 
access data harmful to the U.S. when it resides on the same 
server amongst benign data from a foreign country.
    So, Madam Secretary, with these concerns in mind, what 
assurances can you give this committee that all aspects of 
security will be considered, discussed and planned for in 
advance of DOD's IT migration to the cloud?
    And second, as DOD begins its migration, is there a 
discussion of where data farms will reside? And if so, does 
that discussion include the Department of Justice and members 
of the Intelligence Community?
    Ms. Takai. Well, thank you very much for that question, 
because I think there is a significant amount of confusion as 
we talk about cloud computing. It has a tendency to mean 
different things to different people. So I think it is very 
important.
    You know, while we certainly agree with Vivek Kundra's 
assessment that there are opportunities, we also believe that 
we have to look at the way we move to the cloud in several 
different ways. And security is actually our paramount concern 
in terms of the way we look at cloud computing. So let me put 
that in our overall context.
    Our initial look at moving to cloud computing would be to 
look at what we call a private cloud. So it would effectively 
be taking the benefits of cloud computing, but rather than 
looking at how we would buy that service outside, to look at 
the way we would standardize our infrastructure, the way that 
we can utilize the organization like DISA [the Defense 
Information Systems Agency], which has several large computing 
centers today, and actually be able to bring in implementations 
from the services, for example, be able to get the cost-
effectiveness, but at the same time be able to assure the 
securities.
    So, for instance, right now Army is looking at a number of 
applications that they will be moving into a cloud where we 
will have full control of the security, including the points 
that you raised as it relates to the security required for 
employees, where we actually locate those centers and also the 
information that we have in those centers. So our initial 
foray, again, is to ensure that security is our number one 
concern in terms of being able to move forward.
    I think, as you mentioned in your opening remarks, while, 
in fact, efficiency is extremely important to us, we have to be 
sure that both from a security and protecting the warfighter 
that we are fully capable.
    Now, there will be instances--and we are looking at those 
now--where we will be able to use commercial cloud providers. 
But when we do that--and, in fact, this is a conversation that 
I think Vivek Kundra is looking at as well--we will have to be 
sure that those providers meet our security standards before we 
will utilize those services.
    And then lastly, we are looking now because we believe that 
there may be a few instances where we can go to a public cloud, 
but they would be for those things that don't require the kind 
of security on our networks and from an information 
perspective. And so those are the ones that we are taking a 
look at as well.
    So I do think while we are looking at this, it is important 
to put it in the context of the different types of cloud-
computing environments and the fact that we are actually driven 
in terms of our making the decision by our security concerns 
and our standardization issues as much as certainly from the 
standpoint of efficiencies.
    Mr. Langevin. So in that process, as you are moving to the 
cloud architecture, will that include discussions with the 
Department of Justice and also members of the Intelligence 
Community?
    Ms. Takai. Absolutely. One of the concerns that we have 
right now, in fact, is being able to take a look at our 
information-sharing capability across the networks that the 
Intelligence Community is responsible for and the SIPRNet 
[Secure Internet Protocol Router Network] and NIPRNet [the Non-
secure Internet Protocol Router Network] that we are 
responsible for. So as a part of our ongoing planning, it is 
very important that we are well coordinated with the 
Intelligence Community. And as they are looking at where they 
are moving forward, I think in conversations I have had with 
them, certainly security is also their number one concern.
    In answer to your second part of the question, which is 
Department of Justice, obviously with some of the challenges we 
have had from an insider threat perspective, it is very 
important that they be involved in any decisions we make about 
the location and the configuration of where we put our 
information.
    Mr. Langevin. If I can continue. Another area of concern is 
DOD's ability to continue its information-sharing efforts. As 
we are all aware, the 9/11 Commission highlighted some serious 
interagency deficiencies as to the timely sharing of sensitive 
information. Since that time, much of the Federal Government 
has made significant improvement, yet I am concerned that the 
insider threat-type setback, such as the WikiLeaks affair, is 
going to hamper further efforts to improve the sharing of 
threat and intelligence information across the spectrums of 
threats both physical and cyber amongst agencies.
    So, Secretary Takai, does the DOD have the capability to 
track insider threats to our information systems, particularly 
those processing classified information? And what effect has 
the WikiLeaks case had on our information-sharing efforts both 
internally as well as interagency?
    Ms. Takai. Well, let me answer that, first of all, by 
saying we are continuing to be focused on information-sharing. 
And it has been a major concern for us to ensure that we can do 
that information-sharing in a secure way, because, as I 
mentioned, we feel that certainly for the warfighter, the need 
to have access to that information has never been more 
important than it is today. So what we take as our 
responsibility is to be sure that we can do that information-
sharing in a secure manner.
    And that is really why I mentioned several areas of 
technology that we are implementing so that we can continue to 
do that sharing, and yet do it in a secure way. One of the 
tools that we are deploying at this point in time is our Host-
Based Security System. And that is really, again, in response 
to your question about knowing who is on the network and 
knowing who has access to information.
    We have two additional tools that are going to be very 
important in actually helping us with that. We are currently 
testing a tool and plan to roll out a tool which will actually 
detect what we call anomalous behavior.
    So to your question of do we know who is on the network? 
Yes. And then what we need are tools that begin to detect where 
there is access to information that looks different than what 
we would expect to see and then will trigger our ability to get 
in and take a look at that.
    Then we are deploying much stronger identity management 
capabilities so that we will be able to tag information to 
particular users and then be able to continue to protect.
    Now, while these technology enhancements are extremely 
important, we also are improving our processes and our 
procedures for access to that information. So I think, as you 
know, we have put policies out about the use of removable 
media, but to ensure that the warfighter has the capability to 
see that information, we have also instituted processes, for 
instance, which is a two-person rule around access to 
information so that we are sure that there is always a check 
and balance when there is the need to know.
    So again, to summarize, the challenge for us is to put the 
technology in place, but also, because there is never a 100-
percent solution, to be sure that we also have the policies and 
the processes in place to be able to manage our information.
    Mr. Langevin. I have further questions, but thank you for 
that, and I will wait until maybe a second round.
    I yield back.
    Mr. Thornberry. Thank you.
    Mr. West.
    Mr. West. Thank you, Mr. Chairman, and, Mr. Ranking Member. 
And, ladies, a pleasure to be here, and, Secretary, and 
Honorable McGrath.
    I spent a few days in the military myself, and I can tell 
you when I first came in, you know, everything in the artillery 
was charts and darts, and now everything is computerized. And, 
of course, I was in Desert Shield, Desert Storm where you stood 
in line for about 3 hours to get, you know, a 2-minute phone 
call.
    I spent 2 1/2 years in Afghanistan. I can tell you from 
the experiences then to now, information technology and the 
network systems that we have deployed in these combat theaters 
of operation are just incredible. But one of the things that I 
know that we have to also be able to do is to protect those 
systems in a combat zone, which is something we experienced for 
about 48 hours in Afghanistan. I think you know what I am 
talking about back, I believe, in 2006, and we were able to 
trace that back to a very interesting country.
    So one of the things I look at as we go probably from, you 
know, so much of nation-building, so much of occupation-style 
warfare, and we get back to maybe power projection, forcible 
entry, more austere environments, what lessons have we learned 
in the operations in Iraq, the operations in Afghanistan that 
will make us better prepared, make us, you know, more secure 
with the implementation of our network systems as we move 
forward, you know, Libya, Tunisia, who knows where is next?
    Ms. Takai. Well, just some examples, I think, to add to 
your comments, which I think really do reflect the changes that 
we are seeing actually in theater. First of all, we are seeing 
very definitely that our need for network security going 
forward needs to include our coalition partners. And so what we 
saw in Afghanistan was the need to actually put a network in 
place that allowed for each of the coalition partners to have 
their own secure network, but at the same token have a network 
which was protected at the point that each of our coalition 
partners connected to it so that if, in fact, we had an issue 
at any of those points in time, we could then block that and 
not have that impact the entire network.
    One of the things that we see going forward is that we have 
to be cognizant of several things: Number one, what I just 
mentioned, that while we might not necessarily deploy the 
technology in the next conflict in the same way we did in 
Afghanistan, we certainly would deploy the concepts that we are 
using there, again because of the coalition.
    The second piece of it is that what we have seen is the 
need to share information--and this really gets back to some of 
the other questions--across our unclassified and classified 
networks. While we have seen that in the past, I think we 
haven't seen it to the extent that we are seeing it today. And 
so our future networks will need to plan for that level of 
information-sharing.
    And then lastly, these tools that we are putting in place 
now are really aimed at being able to better secure these 
networks when we go in.
    And then finally, what we are really recognizing is that we 
have to standardize our networks because it is not just the 
networks, but it is what folks want to connect to the networks. 
And they are bringing any number of devices. They are familiar 
with devices, commercial devices that just weren't even things 
that were conceived of being used in theater, and they are 
bringing them with them. They are used to them. They don't 
stand in line to make a phone call. They have a device in their 
hand.
    Mr. West. You are absolutely right.
    Ms. Takai. And we have to recognize that that is the 
situation, but the challenge for us is ensuring that when they 
do have access to the network, they have access to the network 
in a secure way. So it isn't then everyone can bring anything 
they want, but they have to have that capability, and our 
networks have to be secure enough to sustain that.
    Mr. West. And, Ms. McGrath, a question. In the aftermath of 
what we saw with the WikiLeaks, have we gone back and really 
looked at our, you know, security clearance processes? You 
know, have we gone back to some type of retraining, 
recertification process?
    Ms. McGrath. With regards to the Federal investigative 
standards, those have been looked at by both the security 
executive agent, which is the Director for National 
Intelligence, and also the suitability executive agent, which 
is the Director for Office of Personnel Management, to ensure 
that when we are pursuing either a hiring action or a clearance 
determination, that we have done the appropriate level checks 
for the level of access or job that that individual will have.
    So we have, from a Federal perspective--not only just DOD, 
but this is a much broader Federal--paid attention to the 
information that we gather to ensure that we are collecting the 
right information to make those determinations. And we also 
applied some of the sort of innovation and technology to that 
process because historically it has taken much, much too long 
to obtain a security clearance. So we did, through process 
analysis and innovation and technology, apply those 
appropriately to the process to enable speed without 
degradation of quality.
    Mr. West. Thank you very much.
    And I yield back, Mr. Chairman.
    Mr. Thornberry. Thank you.
    Mrs. Davis.
    Mrs. Davis. Thank you, Mr. Chairman.
    And, Ms. McGrath, thank you very much, both of you, for 
being here, Ms. Takai.
    One of the discussions that we have been having in the 
personnel committee over quite a number of years is bringing 
together electronic records, of course, of the DOD and the VA 
[Department of Veterans Affairs]. And I see that in your 
written testimony you alluded to that, and I am sorry I wasn't 
here at that time. It is my understanding that there are three 
options that they were looking at, and how is that progressing, 
and what are those options, I guess? And what does the timeline 
look like that might bring us to a decision?
    Ms. McGrath. The "they" you are referring to in my 
assumption is both Secretaries Gates and Shinseki recently met. 
Actually it was on March 17th. We gave them a presentation. We 
did look at options in determining our collective way forward 
for electronic health records. One was looking at upgrading our 
existing capabilities. DOD uses AHLTA [the Armed Forces Health 
Longitudinal Technology Application], and the VA has VisTA [the 
Veteran's Health Information Systems and Technology 
Architecture] as their major IT system. The other was taking a 
joint approach to a--I will use the term "single solution," 
but I really mean single approach to capability delivery. And 
the other one was pursuing our own separate IT capability 
initiatives with a bridging mechanism to share data, which is 
mostly how we interface and exchange information with VA today. 
So those were the options that were discussed with the 
Secretaries.
    The decision was that we agreed to use a common 
architecture, common data services and data centers, and it 
would be a standards-based approach to exchanging data as 
opposed to the interfaces that we do today. So it would be a 
data-driven approach to information exchange.
    We have agreed to joint development/acquisition, and it is 
probably more acquisition than development because there is a 
lot of commercial-off-the-shelf capabilities; a number of the 
functional areas, like pharmacy and labs and those kinds of 
things.
    For an integrated electronic health record, we will look at 
using commercially available solutions first, adopt an 
application if one of us has a best-of-breed that we are 
currently using. And then finally, our last option would be we 
would develop it.
    In saying that, the difference really is that we are taking 
a lighter architectural approach as opposed to a heavy systems-
based approach. Today our data and system are very much 
integrated, and so it limits our ability to be agile and 
exchange at the data level. The major difference in the 
approach that we are taking is exchange at the data level. That 
will require us to develop this common architecture that is a 
significant difference in how we do things today.
    Governance will be key going forward, having the effective 
governance in place to ensure that we are staying aligned to 
the agreements that had been made by the Secretaries, and also 
with regard to the capability we have currently deployed in the 
North Chicago Medical Center. We have agreed to pursue any 
capability that is not yet delivered there, pharmacy and 
consults being the major two, to pursue those jointly.
    Saying all that, those are the agreements that we reached. 
We have a comeback to the Secretary, both Secretaries, early in 
May where we are to deliver more details with regard to the 
implementation timeline.
    Mrs. Davis. Are there any steps that either the DOD or the 
VA are taking now where their efforts essentially would not be 
very productive if they move ahead in the separate ways that 
they have been moving all these years? I guess are there 
certain investments, certain expenditures that are moving 
forward in the different architectures that would not 
necessarily mesh with what may eventually be the----
    Ms. McGrath. The message is to ensure that the investments 
that we are making in today's environment are needed today. And 
if there are things that we can defer such that we ensure 
alignment with this integrated electronic health record, that 
is what we would like to do. North Chicago is a really good 
example. Each of the departments was pursuing a separate 
pharmacy solution that would interact through interfaces. We 
have stopped those separate development efforts, if you will, 
to ensure that we pursue----
    Mrs. Davis. I guess can I ask you, given the cultures and 
given the difficulty with getting to this place, how successful 
are we going to be?
    Ms. McGrath. I mentioned the governance. Governance is key, 
and the agreements by the Secretaries and then the persistent 
engagement by the Secretaries I think will be key to enabling 
success here. Both Secretaries have agreed to continue to 
monitor the progress that the two Departments are pursuing, in 
addition to the Deputy Secretaries of both organizations and 
our Joint Chiefs of Staff.
    Mrs. Davis. If you were overseeing this, and as a 
committee, what would you want to see in 3 months and in 6 
months from now? Where should we be?
    Ms. McGrath. Those things that we have currently agreed to 
with regard to the data standards and data center 
consolidation, certainly we should be able to provide plans and 
enter milestones on where are we to achieving those goals. I 
certainly would ask for those. Those are things that we will be 
delivering to the Secretaries. And we will need those in place 
to then be held accountable to managing towards--you know, to 
achieving the overarching goal. And I think that as we define 
how we are going to pursue different capabilities, certainly, 
you know, cost and schedule for all of those are absolutely 
what I would ask for.
    Mrs. Davis. All right. Thank you. I appreciate that.
    As you can sort of sense my impatience here because--aside 
from the fact it is very costly, I think, just to the 
government, to all of us, it is also costly to the warfighter. 
And we know that we have been working at this for a long time. 
So I am really hopeful that we can have a deliverable soon.
    Ms. McGrath. I would just like to add, we do between the 
two Departments share so much data today with regard to the 
medical. I mean, it really is incredible when you look at how 
much data the two Departments share today. What we are talking 
about is enabling the sharing of that information, taking a 
different approach from a data perspective so that we can 
eliminate redundancies, you know, increase efficiencies so it 
is a better experience for our military members.
    Mrs. Davis. Thank you.
    Mr. Thornberry. Is that a 3-year project or a 10-year 
project?
    Ms. McGrath. I don't think it is a 3-year project to be 
completed, but I do think that there are, again, phases of 
implementation we will be able to achieve in terms of the data 
standards. There are already international health data 
standards out there. DOD has already enabled standardization 
within our own enterprise. It is aligning with VA. I don't see 
that as--certainly not a 10-year. So I actually think that we 
will be able to achieve some of that interoperability much 
sooner than the 10-year mark. So I do think that there are some 
opportunities in the nearish term, the near being relative, to 
achieve greater interoperability than we have today.
    Mr. Thornberry. Thank you.
    As you all know, one of the provisions of last year's bill 
was to provide the Department some rapid acquisition authority. 
I think maybe you both make reference to it in your written 
statements. But can you update us on where that is? Is it being 
used? Have we gotten far enough to know whether it is the kind 
of authority you need?
    Ms. McGrath. I can start, and certainly Ms. Takai can add 
on to my initial comments.
    We have established--as the lead for the IT Acquisition 
Task Force--and the Department is certainly working very 
closely with Ms. Takai's office and our acquisition, technology 
and logistics organization, and, frankly, every organization, 
it seems like, within the Department from a test and evaluation 
to the comptroller, because we are all somehow involved in 
enabling delivery of capabilities with regard to our 
acquisition process.
    We have established many work groups; focus on very 
specific areas like measures, metrics, what are leading 
indicators that we should be looking for when things are in a 
particular program to ensure that we achieve better outcomes; 
combining the certification and accreditation for testing with 
the regular test process. Typically we treat them separately, 
and they are not concurrent; they are sequential. So we are 
looking to take that timeline significantly down.
    Taking a much more portfolio-management approach to 
overseeing these IT investments so that we are not just looking 
at one system at a time. We are looking at how does this one 
particular system fit within the broad portfolio within which 
it will be deployed, but also what other systems do we have 
that also utilize that same capability, how many financial 
systems do we really need. So you can look at it from a 
functional perspective and also within an operating 
environment.
    Requirements I think I mentioned. Every study says that we 
don't baseline the requirements, we don't hold them stable. So 
we are ensuring that when we pursue a new IT solution, that the 
requirements are small enough that you can deliver them more 
rapidly in a 12- to 18-month timeframe. Typically we put all 
the requirements in one big bucket, and it is 5 years before we 
hit our initial operational capability. So in order to make 
those timeframes smaller, we need to parse the requirements 
such that we are delivering incremental capabilities.
    Contracting is also an area that we are extremely focused 
on. I don't think there is anything within a FAR, Federal 
Acquisition Regulation, rewrite that we need. I think we need 
to be more creative about how do we utilize the contracting 
aspects, authorities that we currently have. But we need to 
contract differently than we currently do today. On the one 
hand, some programs will be a firm fixed price, but if you 
don't have your requirements nailed and definitized enough, 
fixed price is not the right way to go. But then time and 
materials does not seem like the most accountable way to also 
pursue an IT solution. So it is coming up with the balance, 
when should you use those types of contracting, and 
understanding that not one size fits all.
    And then the other very key is the IT acquisition 
workforce. The Defense Acquisition University has a program 
management course down there. It is terrific, and I happen to 
be a graduate. But they don't teach IT the way we procure IT 
today. These enterprise resource planning program systems 
capabilities didn't exist previously. And so it is really 
putting a very fine point on our acquisition workforce to say, 
hey, IT today is very different from source lines of code and 
function point counts that we used to do. We are actually 
buying a lot more commercial-off-the-shelf capability and 
ensuring that we have got the right credentials for those 
folks.
    We are taking very much a piloting approach. In my written 
testimony I highlighted an Air Force financial system called 
DEAMS, the Defense Enterprise Accounting Management System. We 
did utilize some of these different approaches to move their 
implementation significantly forward. Both Army and Air Force 
have their integrated personnel and pay systems. We are looking 
at establishing their acquisition strategy aligned with the 
more streamlined capabilities. The same with the Joint Space 
Operation Center mission system and the Navy's intelligence, 
surveillance and reconnaissance capability.
    So we expect through the use of pilots we will learn more 
to ensure before we institute our final policy we have actually 
tried it out a little bit to see where we need to course 
correct, and so we get some fact-based feedback to ensure that 
we have policies that are in line with where we want to go.
    Mr. Thornberry. Ms. Takai, it seems to me that, having 
heard all of that, it just seems very difficult for the 
Department to keep up with the change in technology, the way 
technology changes and with all that has to go on before a 
purchasing decision is made. So does that mean we are always 
going to be behind?
    Ms. Takai. Well, it doesn't always mean we are going to be 
behind. There is a qualified answer to that, if I could add to 
what Ms. McGrath was talking about. And let me add to that, in 
addition to the many process changes that we have been working 
with her team on, we also believe that the efforts around 
streamlining and standardizing the technology we use are a 
critical part of being able to get innovative technologies in 
more quickly.
    Right now what we do is we reinvent, in many cases, the 
same technology platforms over and over again because we bring 
them in in separate instances for separate projects. And so 
just as an example, you know, as we have been working together 
from the standpoint of business systems, if we can get 
standardized platforms, then it really does give Ms. McGrath an 
opportunity to build on those standard platforms and not have 
to worry about the technology coming in the door, but to be 
able to spend the money and the resources on understanding what 
business processes have to ride on it.
    The second piece of that, though, is that if we can 
standardize and improve the security of our backbone, we can 
then look at more innovative technologies and not have to 
invent them all the way from the data center, the server, the 
network out, but rather look at how those innovative 
technologies can hook into our standard infrastructure. It 
gives us more flexibility in looking at those kinds of 
capabilities.
    Having said that, as we build that out, we will need to, as 
Ms. McGrath mentions, look at shorter timeframes for bringing 
these technologies in. We will need to look at our testing and 
accreditation processes, because that is one of the inhibitors 
that we are aware of today in terms of retesting platforms for 
every upgrade as opposed to recognizing that there are standard 
platforms and there is not the need to test.
    So some of those things are the things that we are looking 
at from an information assurance perspective in terms of the 
policies that we put out as well as the accreditation and the 
testing that we do at DISA to, again, allow for bringing new 
technologies in, but at the same token making sure that when we 
do, we aren't increasing our risk from a security perspective.
    Mr. Thornberry. And I guess related to that, what are your 
concerns about supply chain? You know, in general in 
cybersecurity we hear more and more concern about so many 
pieces of hardware and software that are not made here, and 
certainly many components are not made here. But as you and Mr. 
West were talking, you know, we have got soldiers out in the 
field that are taking whatever they have got out of their 
pocket to do their job or to communicate back home. That has 
got to create all sorts of challenges for you in looking at the 
overall enterprise.
    Ms. Takai. We totally agree with you, and there are really 
two answers to the question you are asking about supply chain. 
One of them is just an awareness of the issue that you have 
mentioned. And we have two programs that we are working with 
NSA [the National Security Agency] and also with our policy 
office. One of them is to actually look at the ground rules 
around the way that we bring technology in and the, if you 
will, background information that we gather on the companies 
that we purchase from. So that is a key part of what we do. 
And, of course, in that, we are aided by information that we 
get through our intelligence sources as well about those 
particular companies.
    The second thing from a supply-chain perspective is to work 
with our defense industrial base. And we have any number of 
programs that Deputy Secretary Lynn has been really 
spearheading around how to work and share information 
effectively with our defense industrial base, because, again, 
the supply chain problem isn't really just an issue of DOD. It 
really involves our key partners.
    But the other piece of that is to recognize that as we move 
forward, and as there is obviously a globalization and a 
dispersion of where the information--or rather the components 
from a hardware and software standpoint come from, it is really 
to look at cybersecurity in that light, which is why we are 
focused not only on protecting at the perimeter, which has been 
a focus, I think, for everyone in terms of trying to prevent 
intrusions, to prevent invasions in your network. And now what 
we are recognizing is that while that is still a deterrent, it 
is not a complete answer from a security perspective. And so we 
have to look more at the way that we are classifying our 
information, the way we are linking that to the identities of 
the individuals that can access it. So, again, we have a second 
level of defense actually at the information level, and that we 
are acknowledging that we will have some of these kinds of 
intrusions inside our network, and we are prepared to handle 
them.
    Mr. Thornberry. Mr. Langevin.
    Mr. Langevin. Thank you, Mr. Chairman.
    One last here that I wanted to talk about is the depth of 
DOD's bench in IT career fields. Secretary Gates' IT 
initiative--I realized individuals assume that the new IT 
positions after efficiency implementation would require greater 
technical expertise and experience to efficiently maintain the 
Department's IT needs across all of the military branches. In 
the fiscal year 2009 NDAA, the committee directed DOD to look 
at the feasibility of identifying and retraining, for example, 
wounded servicemembers in information technology and other 
fields.
    So my question is considering the challenges recruiting a 
competent IT workforce, have you leveraged any of those 
programs to help build your workforce there, and is there more 
that this committee can do to retain the skills and expertise 
of these wounded warriors to help meet our needs for a trained 
IT workforce?
    Ms. Takai. Well, we have been moving forward in terms of 
looking at those individuals that are returning from theater, 
and particularly the wounded warriors programs, around the 
capability and making sure we have technology skills. But going 
forward we will continue to be vigilant and need to be vigilant 
on this. And while it involves, I think, as you mentioned, 
being sure that we are retaining and training our workforce, it 
also is a focus for all of us in terms of making sure that we 
have enough professionals coming up that are educated in 
cybersecurity and certainly educated in the sciences and the 
maths.
    So some of the things that we are doing in that regard is 
to participate in and encourage many of the cybersecurity 
programs that are focused on our high school students as well 
as our university students, to get them interested at a very 
early age in a career in the science and maths, and 
particularly moving into cybersecurity. That is something that 
my office is very heavily engaged in, something that the policy 
office is very much engaged in. So it is going to be a 
combination of retaining the workforce we have, being able to 
grow it, but also making sure that we have an influx of 
individuals that have those skills.
    Mr. Langevin. Let us not at all forget about our wounded 
warriors and see how they might be incorporated into these job 
opportunities. I think that would be important.
    I am also glad to hear that you have a focus on bringing up 
the next generation, whether it is focusing on high school or 
college. I actually started working with the SANS Institute. 
We created the cybersecurity challenge at the high school 
level. My home State was one of three of the pilot States that 
originally tested the program through high schools in our 
State, and now we have kicked it off statewide. And it is 
amazing how talented these young people are. And the cyber 
challenge sets up the different hurdles that they have to kind 
of work through and test their skills, and hopefully get some 
on the career path, thinking about a career path in 
cybersecurity.
    Ms. Takai. Yes, sir. And I just came, I think, as you may 
know, from the position of the CIO in California, and we were 
very much able to take advantage of that cybersecurity 
challenge program. And, in fact, I think we were the first to 
institute the high school version of that program, in order to 
be able to bring young people in and get them interested.
    Mr. Langevin. Very good. If I could, just going back to 
Congressman Thornberry's line of questioning. You talked about 
the supply chain. And I actually had Secretary Lynn in my 
office yesterday, and we were actually talking about the supply 
chain industry. We were also talking about working with the 
defense industrial base and how do we best work with them on a 
voluntary basis to better secure their own networks.
    And I was curious, when you say you look at companies you 
are doing business with, and you look at from the supply chain 
perspective, how far back do you drill down with each of those 
companies? The problem is not just the company that you are 
doing business with, but it is who they are doing business with 
and who they are doing business with. Since the supply chain 
can cover a range of problems, you know, it is not just the 
initial companies, but where are they getting the products from 
as well. So I guess how deep does that go?
    Ms. Takai. The initial pilot that we did did not really--
and I am sure that Secretary Lynn mentioned to you--we were 
able to go down deep in some companies. But when we really 
looked at the level of resource that was needed to actually be 
able to do all of that research, we recognized that we will be 
able to do a certain amount through research, but in many ways 
it is not going to be the full answer to looking at how we do 
supply chain.
    And that is really why we are taking now a step back from 
that. We know we have to do a certain level of that, but it is 
also going to be we are not going to be able to do all of the 
research; we are going to have to engage with our partners.
    And then, lastly, we are going to have to have other ways 
of looking at how to defend. Because I think your point is very 
well taken. You really can't have enough resource to be able to 
go down to every last component, and so you have to look at the 
major components, but yet that doesn't give you the complete 
picture. So that is why we are looking at not only being able 
to do that kind of research, but also recognizing that when we 
have threats inside our network, we are going to have to be 
able to mitigate them.
    Mr. Langevin. Fair enough.
    And the last area of questions I want to get into, 
something in addition to and very much tangential to 
cybersecurity is the security of our military bases and 
critical infrastructure that supports our military bases. As 
you know, much of our critical infrastructure is owned and 
operated by the private sector. I am becoming increasingly 
concerned about Supervisory Control and Data Acquisition 
attacks in particular on critical infrastructure, particularly 
the electric grid. Our military bases around the country so 
much rely on these outside power grids for their own power, and 
I have been involved with reviewing how secure those bases are.
    I have the chiefs of the services before us, and I have 
asked what their level of knowledge is on this, and it is 
troubling to them certainly as well. Our bases are not 
independent of the power grid. So I know this is a bit outside 
your area in particular, but it does relate to IT and cyber.
    So in your work, do you have anything to add, any awareness 
that you have, on what we are doing to better secure our 
military bases in the event that something happens to critical 
infrastructure off the base and how they would be affected?
    Ms. Takai. Well, let me add to the discussions. I know you 
have talked with Deputy Secretary Lynn about this. One of the 
things that he has been spearheading is to work very closely 
with the Department of Homeland Security for exactly that 
reason, because while clearly it is the Department of Homeland 
Security's responsibility to look at critical infrastructure as 
it relates to certainly the U.S., at the same token it does 
affect our military operations in those cases. And so what we 
are doing is to really work collaboratively with them around 
taking a look at those threats, being able to share 
information.
    I think, as you know, there has been a close working 
relationship between Secretary Gates and Secretary Napolitano 
around the sharing of that information. And one of the things 
that we will be moving forward on as part of what Secretary 
Lynn calls our enduring security framework is now to move more 
into review of critical infrastructure protection, including 
not only our power grid, but also taking a look at some 
emerging areas, particularly, for instance, with nuclear power.
    Mr. Langevin. Very good.
    Thank you, Mr. Chairman. I yield back.
    Mr. Thornberry. Thank you.
    Mr. Johnson.
    Mr. Johnson. Thank you, Mr. Chairman, for holding this 
hearing.
    Secretary Takai, three intelligence contractors named 
HBGary Federal, Palantir Technologies and Berico Technologies 
have a proposal under the name Project or Team Themis. Are you 
familiar with this proposal that has been purportedly made by 
those three firms, all of which are defense contractors? Are 
you aware of that proposal that was leaked from the HBGary 
Federal e-mails which would offer the counterterrorism and 
intelligence techniques to prospective private parties, i.e., 
Bank of America, U.S. Chamber of Commerce, for use against 
critics of those firms? Are you familiar with that situation?
    Ms. Takai. No, sir, I am not familiar with that specific 
proposal. So, you know, we are happy to take that for the 
record and gather that information and be able to get back to 
you on it.
    Mr. Johnson. Well, now it has been about 2 weeks I 
requested that information. Do you know what has happened to 
that request and whether or not it is being complied with, or 
there is an intent to comply with it?
    Ms. Takai. No, sir. I don't have that information. I 
wouldn't want to give you something that was incorrect. I will 
make sure that my office takes a look at it, and that we get 
right back to you on it.
    Mr. Johnson. Now, it is my understanding that the firm 
HBGary Federal had developed malicious software that allows 
users to monitor the networks and computers used by third 
parties. Is that the kind of capability that they have provided 
to the Department of Defense?
    Ms. Takai. Again, sir, I am not familiar with that company. 
So, again, my staff will definitely get that information and 
make sure that we get right back to you.
    Mr. Johnson. If there is a misuse of properties of the 
Federal Government paid for by citizens of the United States 
through their tax dollars, i.e., tools to disrupt foreign 
intelligence, foreign terrorism, and if that technology is used 
on Americans, would that be a breach of the contract between 
DOD and any particular contractor? Are there provisions in the 
contracts that prohibit such use?
    Ms. Takai. Again, I would need to go back and take a look 
at that specific instance and get that information back to you.
    Mr. Johnson. You do agree that that is a problem, that we 
should not use taxpayer-funded techniques on taxpayers who may 
disagree with a private domestic business entity?
    Ms. Takai. Well, we at DOD are concerned with any breach to 
our networks or any risk to the security of our information, 
and we take that very seriously. It is a major part of the way 
that we construct our technology. And so any breach of that 
type is of paramount concern to us.
    Mr. Johnson. Well, if the same technology used by the 
Department of Defense to protect its own internal security, 
cybersecurity issues, if that technology were used to do the 
reverse to a private citizen of America, that would not be a 
proper use of DOD techniques, would it?
    Ms. Takai. Well, again, any breach, and any malicious 
software or hardware, or any breach to DOD information----
    Mr. Johnson. Well, no, I am not talking about DOD 
information; I am talking about DOD information being used 
against American citizens for the use of private entities.
    Ms. Takai. Again, I am not familiar with any particular 
instances of that. Certainly if there are areas that we can 
research and take a look at, then we would be very happy to do 
that and get back to you.
    Mr. Johnson. Well, again, I would like to request copies of 
any and all contracts between the Department of Defense and the 
three subcontractors or the three contractors that I mentioned, 
HBGary Federal, Palantir Technologies, and Berico Technologies. 
Would you be able to provide me with that information, and also 
the chairman of the committee?
    Ms. Takai. I don't have that information directly myself, 
but certainly again I will have staff research that, and we 
will get back to you with an answer to that question.
    Mr. Johnson. Well, I think it is a very important issue 
that I am not planning on sweeping under the rug. I want to at 
least get those contracts and analyze them to determine whether 
or not they have been used or they have been breached. So I 
need that information.
    Ms. Takai. Yes, sir. Again, we will have my staff research 
it, and we will get back to you with an answer.
    Mr. Johnson. Thank you.
    Anything you can add, Ms. McGrath?
    Ms. McGrath. No. I do not have my own self familiarity with 
the proposal nor those three companies. Certainly the contracts 
are written in accordance with the Federal Acquisition 
Regulations, and we would have to look at the scope and 
conditions of each one of those to make sure that there is not 
a breach of contract. But I do not see an issue with complying 
with your request to have copies of those contracts, and I will 
ensure that Ms. Takai has all the support she needs to get 
those.
    Mr. Johnson. Well, Ms. Takai, I tell you, while I was 
asking you some questions, out of the corner of my eye, I saw 
somebody come up and give you a note, and that always kind of 
arouses my curiosity. I won't ask you what is in it, but I am 
concerned about this case and the way it is being swept under 
the rug.
    Thank you, Mr. Chairman.
    Mr. Thornberry. Mr. Conaway.
    Mr. Conaway. Recognized for 7, 8 minutes? Excuse me.
    Ms. McGrath, thank you.
    Ms. Takai, thank you for being here.
    You talked to us about the impact that the--I am blanking 
on the name--the $100 million reprogramming exercise that DOD 
went through to try to find $100 million in monies that they 
would put other places within the system itself, what impact 
that had on the efforts to get the Department of Defense's 
financial statements audited. Did it hurt, help?
    Ms. McGrath. To be clear, the $100 billion efficiency 
initiative. I think we all wish it was $100 million and not 
$100 billion.
    The Department, as certainly the members of this committee 
are well aware, took an initiative with Secretary Gates leading 
to look for efficiencies in all aspects of not only the way we 
do business, but what we are procuring, how we are procuring 
it, how we are organized; you know, are we positioned to be the 
most efficient and effective organization that we can be, and 
to look for opportunities to identify efficiencies.
    Mr. Conaway. But how did it--help or hurt?
    Ms. McGrath. So I think that some of the lasting impacts of 
the efficiency initiative we won't know until we are actually 
realizing some of those efficiencies. We have identified the 
opportunities for those efficiencies. I can talk----
    Mr. Conaway. Well, let me ask the question this way. Do you 
have the accounting systems, internal control systems, and 
management systems in place to actually track that $100 billion 
and know that it went from one spot to the other?
    Ms. McGrath. So we have the mechanism in place, will be led 
by Secretary Lynn, with Mr. Hale, our comptroller, and myself 
looking at--and with the Under Secretaries of the military 
departments leading the data collection, if you will, for their 
organizations, along with their CFOs [Chief Financial 
Officers], to ensure that we understand the--I will say how 
close we got to the efficiencies that we identified.
    So from a systems perspective, I want to be clear, I think 
we have the governing structure in place to ensure that we can 
accurately identify the efficiencies.
    Mr. Conaway. Then why can't we audit that governance 
structure?
    Ms. McGrath. Some of the data collection that we will 
utilize will not be 100 percent systems-based. It will require 
a combination of both manual and IT, if you will, to enable the 
data collection. And I think that you are aware that from an 
auditability perspective, if you put people on a problem or an 
initiative like auditability, you don't have a sustained 
process. And the path the Department is pursuing for 
auditability is one of sustainment.
    Mr. Conaway. I can't put words in your mouth. I am doing a 
pretty poor job of it. If you had better systems in place, 
would there be less manhours required to manually track the 
$100 billion? Because if you are using manhours to put together 
one-time schedules that track that big nut, that is the least 
efficient way to do it. You get it done, and perhaps the 
numbers would be good. But if you had better systems that spoke 
as you talk, end to end and across the systems and all those 
buzzwords that MBA [Master of Business Administration] guys 
who write these papers use currently, that current lexicon, 
would it be easier to do that? Would it be easier to do the $78 
billion in cuts in terms of trying to find those?
    Ms. McGrath. Yes.
    Mr. Conaway. Thank you. I appreciate that.
    Because much of this auditability does rely around the 
purchase of systems, and we have had these age-old issues of 
one branch likes one general ledger package, and another branch 
likes a different one, can you talk to us about progress that 
you are making in helping, you know, one common HR [human 
resource] system, one common fixed-asset handling system, those 
kinds of things, in order to gain efficiencies, and to do it 
the way an enterprise would do it versus stand-alone 
subsidiaries, as an example of the business?
    Ms. McGrath. So the Defense Department, being as large and 
complex as it is, we have multiple systems that establish 
transactions to then feed into the broader general ledger 
system. We are pursuing, I will say, five main financial 
systems, one for each of the services and then the defense 
agency-wide initiative. We are also taking a standards-based 
approach to ensure that we have commonality of data, the 
standard financial information structure, so that we can 
aggregate the information at the end of the day.
    It is not just those financial systems, as you mentioned. 
It is the logistics systems, it is the personnel systems, and 
again ensuring that they have the financial standards in them 
so that when we feed from a transactional level up to the 
financial, then we can aggregate the information.
    Mr. Conaway. If the chair will indulge me. You have got to 
have some system to track progress against that. We need to 
have oversight on the success of what you are doing. We are not 
going to do what you have to do, we are just simply asking you 
to do it. And so perhaps off-line conversations about how you 
satisfy yourself as the person responsible, or one of the folks 
responsible, for making this happen, that you are on task, on 
time to make that 2017 deadline, which I think we all want to, 
which is systems in place that are sustainable and, oh, by the 
way, auditable and audited.
    Thank you, Mr. Chairman. I yield back.
    Mr. Thornberry. Thank you.
    Ms. Takai, in answering some of Mr. Langevin's questions a 
few minutes ago about some of the tools you are putting in 
place to prevent WikiLeaks-like things, one of the things you 
mentioned was a new tool to detect anomalies. Surely there are 
commercial products very suited to that. I mean, every time you 
go overseas and use your Visa card, they call, for example.
    Ms. Takai. Yes, sir. The tool that we are looking at is a 
commercial product. And what we are doing is testing the 
integration of that product with our Host-Based Security System 
to ensure that, again, we have that integration.
    The second thing with any commercial tool is that we have 
to do a level of testing, because the volume and the size of 
our implementations are generally larger than what any of the 
tools are doing in the commercial space. So we always take a 
look and make sure that we have scalability in those tools. But 
in this particular case, that tool is a commercial-off-the-
shelf product, yes.
    Mr. Thornberry. You mentioned a few minutes ago as $38 
billion, roughly, in the accounts we are looking at; $2.8 
billion, I think you said, for information assurance kinds of 
things. Is that enough?
    Ms. Takai. Well, we are looking at that. In fact, it is 
interesting that you would ask that question, because Secretary 
Gates actually also asked us that same question as we were 
relating to him the review of what we are doing from an insider 
threat mitigation standpoint.
    Certainly for the calendar year, we believe that that $2.8 
billion will successfully allow us to implement the tools that 
I mentioned, as well as helping us to look at some of the 
emerging threats and what we need to do.
    I think one of the things that is important to know is that 
improving our security isn't totally in just what we spend 
under the cybersecurity label. The things that we are doing 
around standardization of our infrastructure actually are all, 
if you will, cybersecurity investments, but are not labeled as 
such. So to some extent, when we talk about that spending, it 
isn't totally representative of everything we are doing.
    Mr. Thornberry. Fair point. Fair point.
    I think we have run out of questions for the moment. Thank 
you both for being here and for answering questions on a wide 
variety of topics. We look forward to continuing to work with 
you both towards the things you are trying to achieve.
    With that, the hearing is adjourned.
    [Whereupon, at 4:12 p.m., the subcommittee was adjourned.]

      
=======================================================================




                            A P P E N D I X

                             April 6, 2011

=======================================================================

      

      
=======================================================================


              PREPARED STATEMENTS SUBMITTED FOR THE RECORD

                             April 6, 2011

=======================================================================

      
      
    [GRAPHICS] [TIFF OMITTED] T5810.001 through T5810.022
                                  
