b"<html>\n<title> - THE ROLE OF SMALL BUSINESSES IN STRENGTHENING CYBERSECURITY EFFORTS IN THE UNITED STATES</title>\n<body><pre>[Senate Hearing 112-262]\n[From the U.S. Government Publishing Office]\n\n\n\n\n\n\n                                                        S. Hrg. 112-262\n\n                    THE ROLE OF SMALL BUSINESSES IN\n        STRENGTHENING CYBERSECURITY EFFORTS IN THE UNITED STATES\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n            COMMITTEE ON SMALL BUSINESS AND ENTREPRENEURSHIP\n                          UNITED STATES SENATE\n\n                      ONE HUNDRED TWELFTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             JULY 25, 2011\n\n                               __________\n\n    Printed for the Committee on Small Business and Entrepreneurship\n\n\n\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n\n\n         Available via the World Wide Web: http://www.fdsys.gov\n\n\n\n\n\n                                _____\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n 71-267 PDF               WASHINGTON : 2012\n-----------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Printing \nOffice Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC \narea (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC \n20402-0001\n\n\n\n\n\n            COMMITTEE ON SMALL BUSINESS AND ENTREPRENEURSHIP\n\n                      ONE HUNDRED TWELFTH CONGRESS\n\n                              ----------                              \n                   MARY L. LANDRIEU, Louisiana, Chair\n                OLYMPIA J. SNOWE, Maine, Ranking Member\nCARL LEVIN, Michigan                 DAVID VITTER, Louisiana\nTOM HARKIN, Iowa                     JAMES E. RISCH, Idaho\nJOHN F. KERRY, Massachusetts         MARCO RUBIO, Florida\nJOSEPH I. LIEBERMAN, Connecticut     RAND PAUL, Kentucky\nMARIA CANTWELL, Washington           KELLY AYOTTE, New Hampshire\nMARK L. PRYOR, Arkansas              MICHAEL B. ENZI, Wyoming\nBENJAMIN L. CARDIN, Maryland         SCOTT P. BROWN, Massachusetts\nJEANNE SHAHEEN, New Hampshire        JERRY MORAN, Kansas\nKAY R. HAGAN, North Carolina\n  Donald R. Cravins, Jr., Democratic Staff Director and Chief Counsel\n              Wallace K. Hsueh, Republican Staff Director\n\n\n\n\n\n\n\n\n                            C O N T E N T S\n\n                              ----------                              \n\n                           Opening Statements\n\n                                                                   Page\n\nCardin, Hon. Benjamin L., Chairman, a United States Senator from \n  Maryland.......................................................     1\nMikulski, Hon. Barbara A., a United States Senator from Maryland.     3\n\n                               Witnesses\n                                Panel 1\n\nGallagher, Hon. Patrick D., Director, National Institute of \n  Standards and Technology, United States Department of Commerce.     5\nWalsmith, Jennifer S., Senior Acquisition Executive, National \n  Security Agency, United States Department of Defense...........    17\nJohansson, Hon. Christian S., Secretary, Department of Business \n  and Economic Development, State of Maryland....................    25\n\n                                Panel 2\n\nIheagwara, Dr. Charles, Chief Marketing and Business Development \n  Officer, Unatek, Inc...........................................    44\nDjamshidi, Sarah, Executive Director, Chesapeake Innovation \n  Center.........................................................    56\nvon Lehmen, Dr. Gregory, Provost, University of Maryland \n  University College.............................................    68\n\n          Alphabetical Listing and Appendix Material Submitted\n\nCardin, Hon. Benjamin L.\n    Testomony....................................................     1\nDjamshidi, Sarah\n    Testimony....................................................    56\n    Prepared statement...........................................    59\n    Responses to questions for the record from Mary L. Landrieu..    88\nGallagher, Hon. Patrick D.\n    Testimony....................................................     5\n    Prepared statement...........................................     7\n    Responses to questions for the record from Mary L. Landrieu..    83\nIheagwara, Dr. Charles\n    Testimony....................................................    44\n    Prepared statement...........................................    48\nJohansson, Hon. Christian S.\n    Testimony....................................................    25\n    Prepared statement...........................................    28\n    Letter.......................................................    90\nMikulski, Hon. Barbara A.\n    Testimony....................................................     3\nvon Lehmen, Dr. Gregory\n    Testimony....................................................    68\n    Prepared statement...........................................    71\n    Responses to questions for the record from Mary L. Landrieu..    87\n    Letter.......................................................    94\nWalsmith, Jennifer S.\n    Testimony....................................................    17\n    Prepared statement...........................................    20\n    Responses to questions for the record from Mary L. Landrieu..    85\n\n \n                    THE ROLE OF SMALL BUSINESSES IN\n        STRENGTHENING CYBERSECURITY EFFORTS IN THE UNITED STATES\n\n                              ----------                              \n\n\n                         MONDAY, JULY 25, 2011\n\n                      United States Senate,\n                        Committee on Small Business\n                                       and Entrepreneurship\n                                                    Washington, DC.\n    The Committee met, pursuant to notice, at 2:55 p.m., at the \nLaurel Municipal Center, City Council Chambers, 8103 Sandy \nSpring Road, Laurel, Maryland, Hon. Benjamin L. Cardin, \npresiding.\n    Present: Senators Cardin and Mikulski.\n\nOPENING STATEMENT OF THE HONORABLE BENJAMIN L. CARDIN, A UNITED \n                  STATES SENATOR FROM MARYLAND\n\n    Senator Cardin. Good afternoon and welcome to the hearing \nof the Committee on Small Business of the United States Senate. \nI first want to thank Chairman Mary Landrieu, who is the \nChairman of the Small Business Committee--I have the honor of \nserving on that Committee, for allowing me to conduct this \nhearing in Laurel, Maryland, on a very, very important subject \nto not only the small business community, but to our entire \ncountry, The Role of Small Businesses in Strengthening \nCybersecurity Efforts in the United States.\n    I want to thank my colleague and friend, Senator Barbara \nMikulski, for joining us today. Senator Mikulski, as I am sure \nyou all are aware, serves on three very important committees, \nbut two that are directly related to cybersecurity. One is on \nthe Senate Intelligence Committee, the other on the Senate \nAppropriations Committee. She also serves on the Committee on \nHealth, Education, Labor, and Pensions, which obviously is also \nan important Committee as it relates to the training of people \nin the cybersecurity area. So, Senator Mikulski, thank you for \njoining me today in this hearing.\n    I want to thank our friends from Laurel for allowing us to \nuse this facility, Mayor Moe. Thank you very much. The Council \npeople that are here. We very much appreciate your hospitality \ntoday. There could not be a better place for us to have this \nhearing. It is a growth area in Maryland and one that is very \nmuch connected to the cybersecurity issues.\n    I also want to acknowledge Delegate Susan Lee who is here. \nShe chairs the committee, along with Senator DeGrange, on \ncybersecurity issues, a committee that was established by \nlegislation that she helped author. So it is very nice to have \nyou here, Susan, and we look forward to working in partnership \nwith our colleagues in the State Legislature.\n    Cybersecurity is an issue that is of utmost importance to \nour country. In the last Congress, I had the opportunity to \nchair the Subcommittee on the Judiciary Committee that dealt \nwith Homeland Security, cybersecurity issues. And I mention \nthat, because during the course of that chairmanship, I had the \nopportunity to learn firsthand of the risks to our country.\n    There are cyber criminals out there and I think we all know \ncyber criminals. But in addition, we also have cyber terrorists \nthat are out there, people who are trying to do havoc to this \nnation through cyberspace to America. But there are also cyber \nsoldiers, agents of other countries that are operating, that \nare trying to compromise America's security.\n    They can do this through--cyber criminals can, of course, \ndo it by bank robberies that make the old bank robbers look \nlike they are pikers compared to the danger that can be \nattached to our financial system. In a matter of just a few \nhours, millions of dollars were stolen in several countries \nthrough the ATM machines. So we know that cyber criminals are \nout there.\n    But cyber terrorists are really trying to cause havoc to \nthis country. They are trying to compromise our security, \ntrying to deal with our energy grids, trying to deal with our \ntransportation grids. And we know that, other countries are \ninterested in trying to compromise our defense strategies \nthrough cyber-attacks. So these are issues that are of utmost \nimportance to our country.\n    I authored a bill, S. 372, which is aimed at cybersecurity \nand Internet safety standards by having the Government work \nwith the private sector to develop best practices for \nprotecting us from our vulnerability against cyber-attacks. \nThat legislation is moving forward as an effort to figure out \nhow we can do things better, which really brings me to the \ncurrent subject of how we and the small business community and \nin Maryland can help solve a national problem as well as \ngrowing our own economy.\n    In Maryland, we are very proud as being what we call the \nCyber Center for this nation. Governor O'Malley has called it \nCyber Maryland, putting a strong focus on the cybersecurity \nissues in our State through the tools of the State government.\n    We are proud of the Federal agencies that are located here \nand the new U.S. Cyber Command. Fifty key security and \nintelligence facilities located in the State of Maryland, 12 \nmajor military installations in the State of Maryland, our \ncolleges, our universities that have concentrated on \ncybersecurity issues.\n    There is a great deal of energy here in Maryland and we \nwant that energy, to a large extent, focused on the small \nbusiness community. We know that job growth in America will be \nthrough our small businesses. We know that we will get more \ninnovation through small companies. That is where the energy \nlevel starts, and we need to do a better job in energizing our \nsmall business community.\n    In the Congress, we passed recently several bills to help \nsmall businesses. We know about the concerns, of those in \nFederal agencies, as to whether they are allocating fair \ndollars to the small business community. We know of the abuses \nof bundling small contracts into large contracts, making it \nvirtually impossible for a small company to get the prime \ncontract.\n    We know of the frustration in a tough economy, as to \nwhether the agencies have adequate staffing to be able to reach \nout beyond their current suppliers and contractors. We want to \novercome those obstacles because we think it is critically \nimportant for job growth and innovation, to be able to make \nsure that the small business community is getting their fair \nshare of the work, and we also understand the issues of credit.\n    Secretary Johansson, I am glad that you are here, because \nwe are going to talk a little bit today about the efforts being \nmade by Congress. Congress made significant resources available \nto ease up credit. Part was direct through the Federal \nGovernment; part was through the States, and I would be \ninterested to hear the experiences in Maryland as it relates to \ngetting resources out to small businesses in order to move this \nagenda forward.\n    At this time, let me yield to my colleague, Senator \nMikulski, for her opening statement.\n\nOPENING STATEMENT OF HON. BARBARA A. MIKULSKI, A UNITED STATES \n                     SENATOR FROM MARYLAND\n\n    Senator Mikulski. Well, Senator Cardin, I want to thank you \nfor hosting this hearing. Your championship of small business \nis well-known, and your persistent advocacy is much \nappreciated.\n    Like you, I join today to see how, in our effort to keep \nour country safe, particularly against the new enduring war of \ncyber war, we also want to build a safer and stronger economy \nby making sure that the money that we spend, both within \nGovernment and within the private sector, provides as much \naccess as we can--not only to big business who often knows how \nto work the system, but to small- and medium-size businesses so \nthat we can have a safer country--indeed, a stronger economy.\n    I am so proud of where Maryland is in this new enduring \nwar. It is here that we are on the battleground to protect \nAmerica. The key critical assets in both military and civilian \nagencies are right here in Maryland.\n    We truly are the epicenter of cybersecurity for the United \nStates of America, and because of our unprecedented know-how in \nthis area--particularly rested in the National Security Agency \nworking with the National Institute of Standards and \nTechnology--we are actually the epicenter, in many instances, \nfor the world, at least for the free world that wants to remain \nfree.\n    Just to list a few, to list, actually, the basic ones, of \ncourse, is what I affectionately call the ``Mothership,'' the \nNational Security Agency. That is the listening post for cyber \nand signals intelligence throughout the world, protecting our \ntroops in Iraq and Afghanistan, whether it is a Navy Seal going \nto take down Bin Laden, or it is a plane over Libya, or whether \nit is keeping an eye on North Korea or any other bad guy whose \nname is even too unmentionable to bring up.\n    They are on the job 24/7. The National Security Agency is \nalso the home to the Cyber Command. It is the job of the Cyber \nCommand to protect .mil for the entire United States of \nAmerica, and also be linked with treasured allies in its \nprotection.\n    And then we have special agencies: DISA, the Defense \nIntelligence Service Agency. The 10th Fleet that is there right \nnow--a fleet like no other fleet. It does not have aircraft \ncarriers. It does not have submarines. But boy does it have the \nNavy-Marine spirit in which their job is to protect the entire \ncritical Naval assets.\n    And then, as we move out, because we always need new ideas \nin this new enduring war, there is IARPA, the Intelligence \nAdvanced Research Projects Activity that is right next to \nCollege Park, for the synergistic effect with our intellectual \ncapital at the universities, where they will develop the new \nideas to protect not only .mil and .gov, but .com and \nindividuals who are threatened every day.\n    And then, in order to come up with the new ideas, you need \nnew products. You can't have new products without standards, \nand it is the National Institute of Standards and Technology, \nworking with both government and the private sector, that is \ncreating the standards so that we have interoperable products \nthat protect us, but also protect our economy.\n    Well--you think I am a little excited about it?\n    But, listen, I know the ``Mothership'' alone spends $2.5 \nbillion in contracts. So while I have extolled your virtues, I \nwant you to tell me how you will open the doors of Government \nor you have them opened already, so that small business can \ncompete on the basis of merit.\n    Senator Cardin: We do not give people contracts. What we do \ndo is fight for the opportunity for them to go after the \ncontracts based on their know-how, their ability, and the value \nthat they offer to the United States Government.\n    So we look forward to hearing from you. But right now, I \nsalute you because you are the front line warriors in this new \nand enduring war.\n    Senator Cardin. Well, thank you very much, Senator \nMikulski.\n    We will now go to our first panel. Let me welcome all three \nof our panelists. Dr. Patrick Gallagher was confirmed as the \n14th Director of the U.S. Department of Commerce's National \nInstitute of Standards and Technology, NIST, in 2009. He also \nserves as Under-Secretary of Commerce for Standards and \nTechnology. Dr. Gallagher brings high level oversight and \ndirection for NIST. The agency promotes U.S. innovation and \nindustrial competitiveness by advancing measurements, science, \nstandards, and technology. So we very much welcome you, Dr. \nGallagher.\n    We will then hear from Jennifer Walsmith. Jennifer Walsmith \nhas served as the Senior Acquisition Executive for the National \nSecurity Agency since January, 2009. In this role, she is \nresponsible for all procurement in support of NSA's signals, \nintelligence, and information assurance missions. While \nmanaging the agency's multibillion dollar budget, as Senator \nMikulski has pointed out--and Senator Mikulski is very much \naware of that as one of the appropriators----\n    Senator Mikulski. That is open source, too.\n    Senator Cardin. That is right. Ms. Walsmith has focused on \nbalancing acquisition discipline with mission agility.\n    And then we will hear from our own DBED Secretary, \nChristian Johansson. He was appointed Secretary by Governor \nMartin O'Malley in early 2009. He oversees Maryland's nearly \n250 employee business agency and its $25.6 million budget. \nDuring his tenure, he has helped the Governor craft strategic \nplans, and informed councils targeting Maryland's competitive \nbusiness trends in a rapidly changing industry such as biotech, \ncybersecurity, IT, and foreign direct investment.\n    All three of you, it is a pleasure to have you before the \nCommittee and we will start with Mr. Gallagher.\n\n                                PANEL 1\n\n  STATEMENT OF HON. PATRICK D. GALLAGHER, DIRECTOR, NATIONAL \nINSTITUTE OF STANDARDS AND TECHNOLOGY, UNITED STATES DEPARTMENT \n                          OF COMMERCE\n\n    Dr. Gallagher. Thank you very much, Senator Cardin and \nSenator Mikulski. It is a real pleasure to be here today to \ntalk about cybersecurity in business. I want to start by \nthanking Team Maryland for your leadership on cybersecurity, \nfor your recognition of its importance to the nation's \nsecurity, and to its economic future, and for helping to make \nMaryland really the epicenter of this effort.\n    Mr. Chairman, I will focus my testimony today on the \nimportant interplay between the small business community and \nthis cybersecurity effort. In my written testimony, I have some \nmore information about these efforts that I will not be able to \nget into in this time, particularly the National Initiative on \nCybersecurity Education and the Proposed National Cybersecurity \nCenter of Excellence championed by Senator Mikulski. Both of \nthese efforts will also benefit the small business community.\n    More than 99 percent of all U.S. businesses are small and \nmedium size enterprises. Small businesses are the growth engine \nof our economy, and they account for most of the new job \ncreation in this country. Information technology has brought \nhuge advantages to these businesses, but they also face \nsignificant threats and unique vulnerabilities caused by their \nsize and diverse organizations.\n    In fact, it has been recently reported that data and \nidentify theft are impacting small and medium size businesses \nat a rate greater than of individuals. Many of these businesses \nhouse very sensitive personal, health care related, or \nfinancial information. Many small businesses also provide \ndirect services to our Federal, State, local, and tribal \ngovernments, and therefore, have access to government \ninformation or systems.\n    In this interconnected environment, it is vital that small \nbusinesses be aware of the risks and take appropriate steps to \nensure that their systems are secure. And given their critical \nrole, a vulnerability common to the small business community \ncould pose a significant overall threat to this nation's \neconomy or national security.\n    NIST programs work with industry to set the standards that \nprotect businesses of all sizes, as well as the Federal \nGovernment, from cyber threats. Our efforts are broad and \ninclude cybersecurity research, standards, developing the tools \nand tests to demonstrate conformance with standards, guidance \ndocuments, and cybersecurity outreach and education.\n    Today I would like to focus on just two areas of critical \nimportance to the small business community, identify management \nthrough the National Strategy for Trusted Identifies in \nCyberspace, or NSTIC, and cloud computing.\n    So NSTIC was announced in April of this year at an event \nthat I had the pleasure of joining Senator Mikulski with, and \nthis program seeks to better protect consumers from fraud and \nidentity theft, to enhance individuals' privacy, and to foster \neconomic growth by enabling industry, both to move more \nservices online and to create innovative new services.\n    This strategy aims to make online transactions more \ntrustworthy and give businesses and consumers both the \nconfidence they need to work online. The Federal Government's \nefforts in this public/private effort will be led by NIST. Our \njob is to facilitate the development of interoperability \ntechnology standards and policies, and create an identity \necosystem where individuals, organizations, and the underlying \ninfrastructure such as routers and servers, can be \nauthoritatively authenticated.\n    Small businesses will be able to use this infrastructure to \navoid the cost of building their own cumbersome log-in systems \nand take their business online and reduce the cost to both \nthemselves, and make the user experience more convenient for \ntheir consumers. It can also expand their ability to reach out \nto new consumers across the nation and around the world.\n    Similarly, cloud computing and its growth offers a unique \nopportunity for small businesses in all sectors to make use of \npowerful computing resources without requiring up-front or \nlong-term IT investment. Small businesses can contract and use \ncomputing services through the cloud computing model and only \npay for those resources that they choose to use and actually \nconsume, and the model is providing a path for small businesses \nand others to be able to easily move data systems from one \ncloud provider to another.\n    It is for these very reasons that the Federal Chief \nInformation Officer is determined that it helps the Government, \ntoo. And under the Cloud First Strategy, NIST has been tasked \nwith working with the business community to develop the shared \nrequirements, standards, and best practices to promote adoption \nof the cloud computing in a way that continues to ensure \nprivacy, security of data in the cloud, and ensures that cloud \nservices are interoperable, portable, and reliable.\n    Small businesses play a special role in the NIST programs. \nThis is because they provide the critical technical \ncompetencies that allow us to do our work. It is by harvesting \ntheir entrepreneurial spirit and innovative capacity that NIST \nis able to integrate cybersecurity standards and safeguards in \na meaningful way into the technology that our nation depends \non.\n    In short, we cannot accomplish our mission at NIST without \nthis community. So I want to thank you for the opportunity of \nappearing before this Committee and I am happy to answer any \nquestions.\n    [The prepared statement of Mr. Gallagher follows:]\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    Senator Cardin. Thank you very much for your testimony. Ms. \nWalsmith.\n\n     STATEMENT OF JENNIFER S. WALSMITH, SENIOR ACQUISITION \n EXECUTIVE, NATIONAL SECURITY AGENCY, UNITED STATES DEPARTMENT \n                           OF DEFENSE\n\n    Ms. Walsmith. Good afternoon. Thank you, Senator Cardin and \nSenator Mikulski. Thank you. I appreciate the opportunity to \ntalk with you both and the Committee on such a topic of vital \nimportance, the role of small business and the role that they \nplay in the success of our agency's mission.\n    If there was one thing that I could leave you with is the \nimportance that we place on outreach to small business and \ngiving them the opportunities that Senator Mikulski referred to \nearlier that is vital to our success and vital to our \npartnerships that we set forth with those businesses.\n    Cybersecurity, the protection and defense of our \ninformation systems, relies heavily, as you know, on \ntechnology. Small businesses play a role that no other can play \nin that regard. They have the agility and the innovation to \ncreate and deploy cyber products and services that are \ncustomized to NSA's missions needs through innovation and \ncollaboration.\n    NSA engages in a variety of activities to promote \npartnership opportunities with small businesses and networks \nwith industrial organizations that focus on supporting our \nagency's missions. Some of these agencies or organizations that \nwe network with include AFCEA, American Small Business \nCoalition, Chesapeake Innovation Center, Chesapeake Regional \nTech Council, and the Fort Meade Alliance.\n    NSA has developed an acquisition communication tool at our \nAcquisition Research Center that facilitates such communication \nbetween NSA and industry. Currently there are over 2,700 \nMaryland businesses registered in the ARC of which over 82 \npercent of them are small businesses. NSA uses the ARC to \nperform our market research and provide those opportunities to \nidentify potential bidders for our efforts.\n    Our Office of Small Business Programs ensures that small \nbusinesses, including service-disabled veterans owned \nbusinesses (SDVOB) and HUBZone, all have the opportunity to \nparticipate in our acquisitions. The Department of Defense \nsmall business performance goal for NSA is 25 percent of prime \ncontract dollars. As of 30 June 2011, NSA's small business \nperformance was just over 17 percent.\n    We are working diligently to increase our small business \nutilization and NSA includes small business subcontracting \nrequirements in our large contracts, of which we tie to award \nfee to ensure their utilization. This is very significant. It \nresults in a significant amount of dollars to small businesses.\n    For example, in FY10, one of our prime contractors \nsubcontracted more than 60 percent of the work to small \nbusinesses. In that single contract alone, it represented over \n$100 million to small businesses. This is a consistent trend in \nour large contracts.\n    There are many other positive trends within our small \nbusiness area. Two that I want to mention briefly today are the \nutilization of our SDVOB and HUBZone small businesses. We put a \nparticular effort on this in 2008 to grow these two vital areas \nof business.\n    To just demonstrate the growth that we have seen in 2008, \nwe had .3 percent in SDVOB. When we closed FY10, we had 1.53 \npercent of our appropriated dollars were awarded to prime \ncontracts with SDVOB companies. This represents a five times \nincrease in those prime contracts.\n    HUBZone is a similar story. We have increased that amount \nby 93 percent between FY09 and FY10. These trends demonstrate \nNSA's commitment to creating set-aside opportunities for small \nbusinesses. We have a variety of programs to increase the \nopportunity and the dialogue with small businesses.\n    We all know the chicken and egg that comes with classified \ncontracting. If you do not have a security clearance, then you \nare often unable to break those barriers to understand what our \nbusiness is all about. With that, we introduced a program we \ncall the Provisional Industrial Security Approval Program, and \nwhat it does is it allows us to clear a set number of \nindividuals from companies that wish to do business with us to \nallow for the technical conversations and the business \ndevelopment opportunities, and later allow them to compete on \nour contracts.\n    I'll take a moment to also talk to you about several other \ninitiatives that we have specifically geared to small \nbusinesses. We have a large NSA set-aside called the NSETS \nProgram, which enables us to competitively acquire agency \nrequirements from a team of highly qualified small businesses. \nIn the first three quarters of FY11, NSETS awarded over $133 \nmillion to small businesses.\n    NSA provides and participates in a number of outreach \nprograms ranging from hosting large symposiums to small \nbusiness interactions facilitating one-on-one capabilities \nbriefings to promote their capabilities to individuals within \nour organization.\n    In the first three quarters of this year, NSA hosted over \n28 technology expositions which demonstrated and allowed small \nbusinesses the opportunity to come directly into our spaces and \nshare their capabilities with NSA personnel. Each event hosted \nover 20 to 25 companies and vendors had the opportunity to \ninteract with over 300 to 400 agency personnel.\n    While that is just a single way for them to interact and \nshow their capabilities, we also hosted several niche events \nthis year, focusing on cloud computing, cybersecurity, wireless \ntechnology, and many others.\n    NSA offers a biweekly pathway to success and which is \ndesigned to educate small businesses on how to do business with \nNSA. We know that is a tough area. Getting to know us and \nknowing how to move into our market is not easy for a new \nbusiness just getting started.\n    In the first three quarters of FY11, more than 650 \nbusinesses participated in our briefings. We hosted over four \nmajor events to promote activities that help them understand \nour upcoming competitive opportunities. These events \ncollectively attracted over 1,700 businesses to interact with \nus.\n    In addition, because it all is so much of how you get to \nknow us, we participate with speakers and subject matter \nexperts in many regional and national conferences all designed \nfor people to begin to understand our agency better.\n    Through the above-mentioned programs and our outreach \nevents, NSA programs connect with thousands of small businesses \na year in an effort to promote small business opportunities to \npartner with NSA. Without them, we could not achieve our \nagency's mission. I look forward to your questions and this \nopportunity to speak with you today.\n    [The prepared statement of Ms. Walsmith follows:]\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    \n    Senator Cardin. Again, thank you for your testimony. Mr. \nJohansson.\n\n STATEMENT OF THE HONORABLE CHRISTIAN S. JOHANSSON, SECRETARY, \n   DEPARTMENT OF BUSINESS AND ECONOMIC DEVELOPMENT, STATE OF \n                            MARYLAND\n\n    Mr. Johansson. Senator Cardin, Senator Mikulski, I greatly \nappreciate the opportunity to be here with you today at the \nSenate field hearing on Small Business and Entrepreneurship to \nreally testify on the critical role that small businesses have \nand will continue to have in strengthening cybersecurity \nefforts in Maryland.\n    I want to thank both Senator Mikulski and Senator Cardin \nfor standing sentry to protect our nation at home, abroad, and \nin the clouds, as well as your laser-like focus on our nation's \neconomic recovery. On behalf of Governor O'Malley, I also want \nto acknowledge your steadfast support for Cyber Maryland, our \nstrategic effort to make Maryland the epicenter for \ncybersecurity.\n    Let me also acknowledge Senator Mikulski's leadership in \nthe Senate to create a National Center of Excellence at NIST, \nand we appreciate all of her efforts on that.\n    My testimony today will outline some of the steps that we \nare taking in Maryland to support and create jobs in \ncybersecurity and preview planned business development \nactivities in the months ahead.\n    When President Obama first pledged to make securing the \ncountry's most vital computer networks a top economic and \nnational security priority in 2009, he called for greater \nleadership and collaboration. Maryland answered that call with \nCyber Maryland.\n    As Senator Mikulski outlined before, our State is uniquely \npositioned to seize upon this opportunity through our assets in \nFederal, private, and academic strengths, including, as the \nSenator mentioned, U.S. Cyber Command, a National Security \nAgency, the National Institutes of Standards and Technology, \nand numerous military commands, including a renowned academic \ninstitution producing the next generation of innovators and \ninventors, a broad base of entrepreneurs, and established \nbusinesses and intellectual capital second to none.\n    My agency engages stakeholders in Maryland's cybersecurity \ncommunity to quantify and qualify the strengths of our state, \nidentify business opportunities, and outline a strategic plan \nto capitalize on both. The results were unveiled 18 months ago \nby Governor O'Malley at NIST when Senators Mikulski and Cardin \njoined Dr. Gallagher and hundreds of business, academic, and \nfederal leaders to launch this business development initiative.\n    Additionally, with Delegate Susan Lee's vision and \nleadership, legislation was passed during the 2011 session to \ncreate the Commission on Maryland Cybersecurity Innovation and \nExcellence. Our strategic plan included ten major action steps \nand was organized around four key goals.\n    First, support the creation and growth of innovative \ncybersecurity technology in Maryland. Second, develop an \neducational pipeline to train new cybersecurity talent and an \nadvanced workforce development program like those being \npioneered by institutions like UMUC, whom you will hear from \nshortly.\n    Third, advance cybersecurity policies to position Maryland \nfor enhanced national leadership. And lastly, ensure the \nsustained growth and future competitiveness in Maryland's \ncybersecurity industry. I am pleased to report to you today \nthat by the steps we have taken in government, and with the \nprivate and academic sectors, are successfully moving Maryland \nforward and positioning the state for Federal leadership in \nbusiness, workforce, technology, and economic development.\n    In the interest of time and on behalf of my colleagues and \nother state agencies, I will touch upon three business \ndevelopment strategies we have successfully organized. The \nfirst one. We unified cybersecurity marketing under the Cyber \nMaryland brand to position our collective identity and enhance \ncommunication of the state's assets.\n    To date, a uniform logo, comprehensive website, and an \naggressive social marketing campaign have been launched. You \nmight see the logo here that we have created. I have got a \nslide here for the Website that you can access as well.\n    Next week, the Cyber Pulse will also debut that will \ncommunicate news about this growing IT sector. And you are \nseeing it before anybody else. In the coming months, we will \nlaunch a new strategic advertising campaign and target the \nmarkets and participate in a comprehensive outreach program of \nindustry-based trade shows and conferences.\n    Second, we have positioned new start-ups for growth for \ncapital funding by passing Invest Maryland in the 2011 \nlegislative session to recapitalize the Maryland Venture Fund. \nAnd, Senator Cardin, also thank you to you for your leadership \non the Senate Banking Committee when Congress passed the Small \nBusiness Credit Initiative. This is resulting in $23 million \nthat is going to help Maryland's small emerging and minority \ncompanies secure access to credit.\n    Both of these programs offer significant opportunities for \ncybersecurity companies, particularly, and software \ncommunications and IT security. For example, the Maryland \nVenture Fund has already invested in there cybersecurity \ncompanies, Tenable Security, Sourcefire, and Oculis Labs. We \nbelieve there are opportunities for further cybersecurity \ninvestments that are going to grow exponentially.\n    With the federal and state tools, DBED will target early \nstage companies and products and collaborate with our partners \nto find vet and co-invest in early stage cybersecurity \ncompanies. These investments will be 50,000 to 250,000.\n    Three, we have made real progress on academic workforce \nprograms to teach, train, and attract talent. For example, the \nDepartment of Labor Licensing and Regulation created the \npathways to Cybersecurity Careers Consortium, a three-year \nprogram to train 1,000 workers to fill cybersecurity jobs in \nMaryland. With the support of Senators Mikulski and Cardin, we \nreceived nearly $5 million in U.S. Department of Labor \ncommunity-based job training grant funding.\n    The Maryland Higher Education Commission provided BRAC \nhigher education fund grants to community colleges, colleges \nand universities to develop cybersecurity curriculum. The \nUniversity of Maryland College Park brought together all cyber-\nrelated disciplines in the new Cyber Center, MC2, which is \nfocused on cyber education, research, and testing.\n    These initiatives and others, like the Governor's Workforce \nInvestments Board and Cybersecurity Subcommittee, are preparing \nstudents, retraining employees, and fueling a pipeline of cyber \nwarriors.\n    In conclusion, cybersecurity offers business tremendous \nopportunities for collaboration with our universities; our \nincubators, including Chesapeake Innovation Center, the first \ndedicated to homeland and national security; our tech councils; \nour military commands; our Federal agencies.\n    Cybersecurity offers entrepreneurs and innovators of the \nprospect of discovery, detection, and defense to protect our \nnation's digital infrastructure and our State tools, talents, \nand technologies to lift our economies. Cybersecurity offers \nMaryland the potential to protect the nation's digital \ninfrastructure, to attract and expand Maryland businesses to \nprovide jobs for our highly skilled and well-educated \nworkforce, and to benefit all regions of the State.\n    We see the innovation and job creation prospect of \ncybersecurity every day in entrepreneurs like Eric Fiterman, a \nformer FBI special agent who founded Rogue Networks to provide \nprotection to government Internet, protection to government and \nbusiness clients, and Karl Gumtow who founded CyberPoint, and \nin just 18 months, created almost 100 jobs in Baltimore City.\n    We thank you for your support of these efforts.\n    [The prepared statement of Mr. Johansson follows:]\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    \n    Senator Cardin. Well, thank you all for your testimony. \nSecretary Johansson, let me first compliment the O'Malley \nAdministration. The purpose of this hearing is to put a focus \non cybersecurity and the role of small businesses, and I think \nunder the leadership of Governor O'Malley, we have seen a \nGovernor who has taken the advantages we have in Maryland \nthrough the Federal facilities that are there, the colleges and \nuniversities, and then put it together with the interest of the \nGovernor, support of the Governor, to really provide the \nimpetus for significant movement in our State with economic \ngrowth.\n    We are here to talk about small businesses and you said \nsomething during your testimony I want you to talk a little bit \nmore about. Part of the legislation we passed for the small \nbusiness community was the deal with the availability of \ncredit, which is one of the major concerns. Small businesses do \nnot have deep pockets, and during these tough economic times, \nit is hard to get loans.\n    So we made an extraordinary commitment of additional \nFederal resources. It was, quite frankly, all going to be \nmanaged at the national level through direct support to \ncommunity banks. Then a Governor named O'Malley petitioned the \nGovernment to say, Look, the States can leverage a lot of this \nmoney. Give us part of those funds.\n    And a very small part of those funds were allocated to the \nStates as a result of the efforts of Governor O'Malley and \nother Governors, with the commitment that those funds would get \nout to help small businesses.\n    We recently had a briefing from the SBA as to what was \nhappening with the Federal portion. I must tell you, there was \nbipartisan concern the money was not getting out fast enough, \nthat we needed to get it out quicker. And we are talking about \n$30 billion, a lot of money that could be leveraged.\n    You mentioned in your testimony about three companies. Can \nyou just tell us how the Governor has used these resources to \ntry to get money out to small businesses, particularly in the \ncybersecurity area?\n    Mr. Johansson. Sure. Here we go. First off, there was an \napplication that all the States needed to complete. I believe \nMaryland was the third State in the union--maybe was the fourth \nState in the union to complete it and receive funds which we \nrecently did. We are receiving $23 million. Out of that $23 \nmillion, we intend to split it between different pools.\n    Now, one pool will be going into our MIDFA program which \nhelps guarantee small business loans. About $7 million, \nhowever, is going to our Maryland Venture Fund. Almost half of \nthe opportunities that we have traditionally invested in have \nbeen technology opportunities, many of them in cybersecurity, \nand I just listed three examples of companies that we have \ninvested in, in the past.\n    Senator, I really thank you for your support of this \nbecause what this effectively means is, as a result of this, \nthere is $7 million, and if history is any guide, probably \nabout half of that is going to be invested directly into some \nof the more emerging, pioneering, small businesses here in \nMaryland that need equity capital to grow and to expand.\n    Senator Cardin. If you could make that information \navailable to our Committee, we would appreciate it very much \nfor our record, because I think it would be helpful to share \nthat with the other members of the Senate to show that we are \ngetting the money out faster through the States and leveraging \nit for more economic activities. So it would be good to have \nthe specific examples.\n    Mr. Johansson. We will get you that, Senator.\n    Senator Cardin. Director Gallagher, you mentioned a very \nimportant point about cloud computing, and when you think about \nit, if you are a small tech company, you are trying to compete, \ncomputer capacity is one area that is going to be raised by the \ncontractor as to the capacity versus the large, traditional \nprime contractors that you normally selected.\n    Can you just talk a little bit more about how you are \nworking on cloud computing so that it does somewhat equalize \nthe capacity of being able to use computer technologies for a \nsmall company that is using innovation and technology?\n    Dr. Gallagher. Yes, thank you. I think that one way to \nthink about the cloud model is it is an approach that turns IT \nresources from a built-in, capital-intensive enterprise that \nyou need to build out within your company and turns it, \nfrankly, into a commodity that you can purchase and scale up \nvery quickly.\n    So it is a great equalizer. In fact, I think it is poised \nto continue to make information technology even more of a \ncommercial advantage than it has already proven to be. If you \ncan imagine, the ability now to set up eCommerce sites, Web \nsites, and business systems through cloud services rather than \nhaving to build those servers and build that infrastructure \nwithin your own company and have the capacity inside to manage \nit, you can begin to see some of the tremendous advantage that \nit allows.\n    It also is one of the few approaches that can rapidly \nscale. So if your company is really growing, if you are \nattached to your enterprise hardware, it is very difficult to \nkeep up with the growth rate, perhaps, of a company. Whereas, \nthrough the cloud you can provision new resources almost \nimmediately and scale very quickly.\n    And I think that the business community faces the same \nchallenges in the cloud that the Federal Government does, which \nis it is still a new area. These different cloud-type services \ndo not work well together yet, and so we have concerns about \nmaking sure if you move something important in your business to \nthe cloud, you do not have a proprietary lock-in. You have got \nthe flexibility in the future to move your data and your \nservices to somebody else so that the market works.\n    You want to make sure the data that you put out in the \ncloud is secure. You want to make sure that the privacy of your \ncustomers is protected. And you want to make sure that it is \navailable and reliable. And the fact that somebody else is now \ndoing these things for you instead of you doing it yourself has \nchanged the nature of the relationships.\n    So we are working very closely with the business community \nto try to come up with that sort of collective behavior and \nthose standards to drive that forward. And I have to say, the \nsmall business community plays two very important roles.\n    One, they are going to be uniquely enabled by this \ninfrastructure, but a lot of the innovation that Christian was \ntalking about that is going to provide these solutions is going \nto come from that community as well. Their agility and their \ninnovative capacity is going to play a key role, and we already \nsee that in the NIST cloud efforts that the small business \ncommunity are very active participants in this early effort.\n    Senator Cardin. It is very exciting. I think NIST has a \nunique opportunity here, particularly as it relates to the \nportability and security and being able to make sure that you \ndo not lose the proprietary information, which is one of the \nmain problems for small businesses today. So I think it is \nextremely exciting, what you are doing there.\n    Ms. Walsmith, I want to ask you a question about your \nproblems in meeting goals on prime contracting. I know you have \nmade tremendous efforts: 17 percent is a good number, but 25 \npercent was the goal. So what are the challenges that you are \nconfronting in getting more prime contract work to small \ncompanies under NSA?\n    Ms. Walsmith. So we recognize that the goal is very \ncritical that we meet. Some of our challenges are actually \nsuccesses for the companies of which we do business with, and \nthat is, often when we establish a relationship with an \ninnovative small company, the first thing that happens, \nsometimes before I have even awarded the contract, they have \nbeen bought by a large company.\n    And so, that is a positive in terms of the overall aspect \nof what we try to promote in the American economy. On the other \nhand, as soon as a small business is bought, then I no longer \ncan take credit for that small business opportunity.\n    But other things that we have to address, I do not want to \nsay that it is that alone, is the growth of the small, small \nbusinesses. They do not always get represented in the first \nyear. So let me explain a little bit further. So as we reach \nout to these really new tech innovative companies, generally it \nstarts with a small dollar amount and then it grows over time.\n    So you do not immediately see the benefit in literal dollar \namounts, but it is the number of companies that we are doing \nbusiness with that really creates that pipeline in the seed \ncorn of the growth that we see in the long term. So that is \nanother important facet that you do not always see directly in \nthe number itself.\n    The third area is to the challenges of just making those \nconnections with the small businesses. It is a challenge for us \nto create enough time and opportunity for them to share their \ncapabilities with us and for us to get to know them. That is \nwhere we have strengthened and grown our PISA program that I \nreferred to earlier, our Provisional Industrial Security \nAccreditation Program, putting more in that pipeline this year \nthan we have in any other year.\n    So this year alone we have put another 153 businesses into \nthat, clearing them and their technical representatives in \nadvance of any contract. Statistically, over 50 percent of \nthose companies that are participating in PISA do result in a \nprime contract or business with us and within three years.\n    And so, those are the challenges that we face. We continue \nto push that further. We are very conscious of the large \ncontracts and one that we need to take the time to do those \nsmall business set-asides. And so, I myself, as well as all of \nmy leadership team within the Acquisition Directorate, have \nperformance goals specifically within our performance reports \nthat speak to having to meet and achieve those small business \ngoals.\n    But I would like to say one for a moment, it is not just \nabout the numbers. It is really about our success. It is the \nthing that we need to be successful as an agency, so we do \nfocus very much on bringing our numbers to the levels that you \nwant and expect us to deliver against, but it is also about \nbuilding that pipeline and the small set of businesses that we \nknow are critical to our future success.\n    Senator Cardin. Thank you. Senator Mikulski.\n    Senator Mikulski. Senator Cardin, this is just a great, \ngreat hearing. I would like to go first to you, Dr. Gallagher. \nSenator Cardin, first of all, you know what a great asset NIST \nis. I mean, it is the agency that sets the standards for all \nprivate sector--anything that is a proprietary product, that is \ninvented and sold in the United States of America, the \nstandards are developed there.\n    You would be interested to know that their total annual \nbudget--under what I want to do, and what they consider \nadequate--is $1 billion. For $1 billion, we get a couple \nthousand people working in Gaithersburg, but also through what \nthey do, we have millions of people working in the United \nStates of America.\n    You would also be interested to know that the House \nAppropriations Committee has reduced Dr. Gallagher's \nappropriation to $700 million. They just think they are \ngovernment, they are just so expensive, let the private sector \ndo it. The private sector does not institute standards. They \ncannot institute standards. [The private sector] develops \nproducts that have to have standards, so they can sell it here \nand around the world. Seven hundred million dollars, which I \nthink will have a big effect. This is not an appropriations \nhearing by proxy, but when people talk about ``big government'' \nand how we are going to make it smaller, by making this \nGovernment smaller--we are going to make the private sector \nopportunities smaller. Government and the private sector cannot \ndo this.\n    Now, let us go to Dr. Gallagher. I wanted to, in last \nyear's appropriation, put in $10 million for a National Cyber \nCenter of Excellence to do tech transfer and some other things. \nCould you elaborate on what we wanted to do together? You have \nto know, in that awful CR shutdown situation that we went \nthrough, over which I am still prickly from that, let alone \nwhat we are facing now . . . so tell me what you thought it \nwould do and what opportunities you think we have missed out \non, or do we really need it? I am fighting, Senator Cardin, we \nare fighting for every nickel right this minute.\n    Dr. Gallagher. Thank you. I have to say, I am tremendously \nexcited about the idea of the Cyber Security Center of \nExcellence, and the reason for that touches on the point you \njust made about NIST being drawn very broadly and having to \ncover a lot of area. That is certainly true.\n    The only way we have been able to preserve our \neffectiveness is to leverage what the American private sector \ncan provide. It is really only in working in partnership with \nindustry that we can even begin to approach some of these \ntechnology challenges.\n    And the truth of the matter is that the innovation of the \nnew technologies, whether they are going to be to solve \nidentity management, whether it is to solve the use of the \ncloud, whether it is to solve cybersecurity, happens at this \nmixing zone between what the Government is doing and what the \nprivate sector is doing.\n    Senator Mikulski. A mixing zone?\n    Dr. Gallagher. A mixing zone.\n    Senator Mikulski. Is that not a great phrase?\n    Dr. Gallagher. And the President has been very vocal about \nthis idea of creating economic opportunity by solving the \ncountry's core problems, whether it is looking at energy \ntechnologies or what have you, we can simultaneously create new \nopportunities when we focus on a key challenge. I think \ncybersecurity fits in that arena.\n    By solving this big challenge, we are also opening up big \nopportunities for our businesses. And the concern we have had \nis, how do you provide an efficient forum for Government \nresearchers and staff to work with basically, and that is \nreally what the Cyber Security Center of Excellence was going \nto provide.\n    It is a place where those two communities get together and \nwork on shared problems. It is a place where the Government can \nbenefit from the innovations and new ideas that are there in \nthe private sector, and it is a place where the private sector \ncan benefit from some of the research results that are coming \nout from the university.\n    So it is almost more than tech transfer because we have \ninformation moving both ways, and I think a strong opportunity \ncreates a mutual benefit for everybody. So we are continuing to \nwork forward as much as we can with planning. We have been \ntalking to our partners in the State. We have been talking with \nour partners in our other agencies to see how we can make this \ncenter create a focal point for business to work with the \nGovernment on these types of shared challenges.\n    Senator Mikulski. Well, I am going to continue to fight for \nyou because that is really fighting for our--quite frankly, \nfighting for our jobs for both tech transfer and for NIST to be \nNIST. And in the world of the cyber domain, I think, Ms. \nWalsmith, if General Alexander were here, he would say, ``Our \nweakest link is our strongest link.''\n    In other words, wherever we are the weakest--and if small \nbusiness does not protect itself, because we forget that some \nof the biggest bad guys against us are not foreign nationals, \nbut organized crime, and they are going after small business in \nthe identity theft area. So that is a hallmark. We could go on \nall day with you, and we look forward to working with you.\n    But, Ms. Walsmith, I would like to go to you. First of all, \nwhat a great pamphlet. Is this the one that you give out \nanywhere and anywhere?\n    Ms. Walsmith. Yes.\n    Senator Mikulski. Now, if you could, Senator Cardin has \nalready asked a couple other questions, but first of all, if \nyou are a small business in Maryland, and I am thinking of the \nNational Security Agency, do you give out--does NSA give out \ncontracts to non-geek, non-security clearance agencies? Because \nmany businesses do not even come to you because they think they \nhave to be a geek company selling something in the world of \nsignals and intelligence, and that they have to have a security \nclearance, which in and of itself can tie up a lot of capital \nin order to become certified.\n    So do you help? Are there opportunities for the non-geek \ncompanies, and what would they be where you do not need a \nsecurity clearance, or maybe you do?\n    Ms. Walsmith. So that is frequently a myth about the \nNational Security Agency, is that all our work is classified. \nBut, in fact, nearly 40 percent of our work is unclassified, \nand that is something that most people do not realize. That \nbusiness range to support an enterprise worldwide ranges from \nthe guard dogs to the fences to snow removal to IT servers to \nmore traditional, high-end cryptanalytic capability.\n    But my point is that it crosses the spectrum of anything \nthat you would need to run a large corporation worldwide. So \nwe, in fact, have tremendous opportunities for businesses that \nare the non-technical organizations. In fact, when we look at \nour installation and logistics organization, if I looked at the \nstatistics last month, over--let us see--of their appropriated \nbudget, with the exception of the MilCon, they averaged around \n58 percent of their appropriated funds goes to small business \nawards.\n    And so, there is tremendous opportunity for companies, \nother than those technology companies, to do business with us.\n    Senator Mikulski. So as we troubadour these opportunities, \nwe can essentially say to small business, Anything you do to \nsupport any large enterprise--it could be security at a \ncommunity college--you could also look at agencies that are \nliterally teaching lessons around the world to bad guys, so \nthey should come to you.\n    Now, walk me through. If you wanted to get started at the \nNational Security Agency, what would you come to and where \nwould you get started?--\n    Ms. Walsmith. So the first thing----\n    Senator Mikulski [continuing]. To get beyond the fence.\n    Ms. Walsmith. So the first thing we would say is to come to \none of our biweekly sessions that talks to you about how to do \nbusiness with NSA. That is what I referred to that we had sent \nhundreds, literally thousands of companies through that process \nwhere we sit down and talk to you about the first steps of \ndoing business with us.\n    Senator Mikulski. So is that the gateway?\n    Ms. Walsmith. That is the gateway. That is now housed \nwithin our fence line. It is actually at a location in Hanover, \nMaryland that does not have the----\n    Senator Mikulski. So it is actually a disclosed location?\n    Ms. Walsmith. It is a disclosed location, though I will be \ncareful in that--but it is a location that you can come to and \nnot have to go through the normal process coming inside.\n    The second step is to register actually with our \nAcquisition Resource Center as we said. It is actually a \nmechanism to register companies and able to----\n    Senator Mikulski. And that is the ARC?\n    Ms. Walsmith. That is the ARC. So those are your first two \nsteps. From that, that then puts you in the availability pool \nfor us to--when we send out a market survey, if your key word, \nyour business that you submitted, what capabilities you had, \ntriggers that match within the database, then market surveys \nare automatically sent to you to provide you information on \nopportunities to do business with us.\n    We further move on to do one-on-one capability discussions. \nSo there certainly are those that need a security clearance, \nand so we then host those one-on-one capability discussions, \nand sometimes that will result in us sponsoring someone into \nthe PISA program. That is another avenue for them to come and \ndo business with us.\n    We always host at least once annually, a forum which is \nspecifically to unclassified companies to understand what it is \nlike in terms of what it would take to get a clearance, how to \ndo business with us, what is the ARC, what is the security \nprocess. And so, we are always trying to make it attainable.\n    Senator Mikulski. We would like to know the date of the \nnext one because offering the entire delegation on a bipartisan \nbasis--I know Congressman Bartlett is keenly interested in \nthis. I am not sure about Congressman Harris, but I know \nBartlett really is. He is an inventor, a patent guy, and has \nFort Detrick. We would like to know that.\n    But your point to me is that each step leads to the next \nstep, and so the gateway is at the Acquisition Resource Center \nand those first two biweekly meetings.\n    Ms. Walsmith. Right.\n    Senator Mikulski. You come to those and you get underway. \nIs that correct?\n    Ms. Walsmith. Yes, that is correct.\n    Senator Mikulski. Well, I would just like to say, \nCongressman--I have got the delegation on my mind now. Team \nMaryland. Mr. Johansson, again, we would like to thank Governor \nO'Malley for his leadership in making cybersecurity a top \neconomic development issue. Again, safer country, stronger \neconomy, and we all have to be smarter in how we do things.\n    I think Senator Cardin covered my questions to you, but we \nwould like to compliment you on your work, and let us keep the \npath going. I know Senator Cardin and I are going to have to go \nto the Capitol, so again, I could have 5,000 more questions for \n10,000 more small businesses, but I am going to stop because we \nare trying to avoid, literally, the collapse of our economy. So \nI think I have covered it.\n    Senator Cardin. Well, let me thank Senator Mikulski again \nfor being here. I know that she is going to have to leave \nshortly and I appreciate her joining the Committee for this \nperiod of time, and, of course, we appreciate her strong \nleadership in our delegation, to focus all of our resources of \nour delegation to support what the three of you are doing.\n    I have one last question which has to do with SBIR that we \nwere unable to get off the floor of the Senate, but we will \ncome back to it. My question to you, Dr. Gallagher and Ms. \nWalsmith, is, the goal, 2.5 percent, how you all are doing in \nmeeting that. This would increase it to 3.5 percent set aside \nfor innovative funds to small businesses. Are you meeting those \ngoals? Do we need to do something different than was in the \nreauthorization bill?\n    Dr. Gallagher. So you are talking about the targets for the \nSBIR collection rate?\n    Senator Cardin. Correct.\n    Dr. Gallagher. So for NIST, we tend to meet those targets \nfairly readily. We are not a large grant-making organization so \nour SBIR program is fairly modest by comparison. But we have \nbeen fortunate to not having any difficulty meeting those \nrequirements.\n    Senator Cardin. NSA, are you involved in this?\n    Ms. Walsmith. So we participate through DOD and we do very \nwell with the SBIR program, but we are participating in through \nthe DOD process.\n    Senator Cardin. I thank you for that. One last point, Ms. \nWalsmith. Your point about the contract officers and reaching \nout to small businesses, you made a very good point about the \nsmaller company being bought out by the larger company, which \nmany times is exactly what they want to happen. Sometimes they \nhave to do it by necessity because they need to be into a \nlarger enterprise. That may not always be the best, but in most \ncases, it is.\n    Just very quickly, does the current budget problems put an \nextra burden on your contract officers or directors as to \nwhether they have the resources to be able to look beyond their \ncurrent set of contractors?\n    Ms. Walsmith. So certainly as we have been--the challenges \nthis year with the continuing resolution and what it then \nresults in for us executing our budget in very distinct \nincrements puts an additional workload on our contracting \nofficers. That does draw attention away from the outreach to \nbring in new businesses.\n    We work to balance that very stridently to ensure that they \nare still spending the time, but the first thing that comes \nonto the plate is ensuring that we are appropriating the funds \nwe have aggressively and to meet the needs that we submitted \nthat budget for.\n    Senator Cardin. Well, thank you. On behalf of Senator \nMikulski and myself and the Committee, I want to thank all \nthree of you for your time, for getting through the weather \ntoday. It started out just muggy and hot, then it just became \nwet and muggy. But we thank you very much and we look forward \nto working with all three of you.\n    We will now turn to Panel 2.\n\n                                PANEL 2\n\n    Senator Mikulski. Senator Cardin, I am going to have to go \nbecause of the situation and trying to organize the women of \nthe Senate so we are not thrown under the bus.\n    Senator Cardin. Again, I thank you.\n    Senator Mikulski. So if I could be excused?\n    Senator Cardin. I think everybody knows the current \nsituation on Capitol Hill where we have eight days to a \ndeadline to make the August 2nd on the budget. Senator Mikulski \nis in the middle of some of those negotiations. When I leave \nhere this afternoon, I will be going back to Washington to join \nin that debate. Quite frankly, it is more enjoyable being here \nwith you all, but that will require me to go back to Washington \nthis evening.\n    Let me welcome all three of our panelists on this panel. \nFirst let me welcome Dr. Charles Iheagwara who is the Chief \nMarketing and Business Development Officer at Unatek, a U.S. \nGovernment information technology contractor. He leads business \ndevelopment efforts with several notable successes, including \npositioning Unatek as a major U.S. Government prime contractor \nand expanding corporate business lines, contracting, and \nmarketing services in the workforce.\n    He has also previously worked for the District of Columbia \nGovernment and a number of other companies including Lockheed \nMartin. Unatek recently received the Homeland Security Company \nof the Year award from the State of Maryland. Congratulations \non that.\n    Next we will hear from Sarah Djamshidi. As the Executive \nDirector, she oversees all of the Chesapeake Innovation \nCenter's activities, coaches and mentors in the member \ncompanies. CIC is a unique venture accelerator that connects \npromising technology companies and emerging technologies with \nGovernment agencies, major government contractors, and private \nsector customers.\n    Last we will hear from Dr. Gregory von Lehmen, who serves \nas Provost and Chief Academic Officer for UMUC, University of \nMaryland, University College. He joined UMUC as the Area \nDirector for Japan in 2001 and worked for UMUC Asia as Area \nDirector for Japan for four years.\n    He returned to the United States in 2005 where he served as \nthe Senior Associate Dean within the School of Undergraduate \nStudies and later as Senior Vice Provost. So with that, let me \nstart first with Dr. Iheagwara and then we will move on to our \nother witnesses.\n\n  STATEMENT OF CHARLES IHEAGWARA, Ph.D., CHIEF MARKETING AND \n           BUSINESS DEVELOPMENT OFFICER, UNATEK, INC.\n\n    Mr. Iheagwara. Thank you, Senator Cardin and members of the \nCommittee for inviting me to testify on this very, very \nimportant topic, that is the Role of Small Businesses in \nStrengthening Cybersecurity Efforts in the United States, and \nif I may, to a large extent, the cybersecurity portion of the \nentire planet.\n    As I stated in my written submission, my experience is one \nof ten years of both field practice and the academic work, and \nas you mentioned earlier, I worked with a couple of companies, \nincluding Edgar Online, Lockheed Martin, and the D.C. \nGovernment eight years.\n    On the academic side, also, I have been fortunate somehow \nto have written two topics on cybersecurity. My Ph.D. \ndissertation in Cardiff, Wales was on cybersecurity, and in \nparticular, the effectiveness of intrusion detection systems. I \nalso wrote a thesis recently at MIT on cybersecurity.\n    Having said that, Senator, I want to now focus--direct a \nfew points that the role of small businesses play in \nstrengthening cybersecurity in the United States. And in my \nwritten submission there are six key areas, one of which is \ntalent, the second is capacity creation, the third is \nincubation, and the fourth is innovation, both of course of new \ntechnologies, processes, and practices. The sixth obviously is \nproviding new services that are not always readily available \nfrom the large firms.\n    Now, all of these are important for the reason that in \nseeking a solution to, of course, America's cybersecurity \nproblems, it will be hard to think of any group closer to the \naction than small businesses. Small businesses in this case \ncarry an extraordinary burden of leadership in both addressing \nthe current threats and also, by the way, by way of their \ninnovativeness, charting a course for developing cybersecurity \nto process these technologies, et cetera.\n    By most accounts, one would really agree that in times of \njob creation, the significant impact here is that small \nbusinesses overall add the net growth in all jobs created. For \nexample, economists with the Kaufman Foundation have determined \nthat companies that produce most jobs are the new ones and that \nsince 1980, nearly all net job creation has come from companies \nless than five years old.\n    I do know this firsthand, having graduated recently from \nMIT, that this is true. The President of MIT, Susan Hockfield, \nstated--gave the statistics last week, and in the statistics \nshe mentioned that each year MIT alone creates 900 companies a \nyear. Well, if we go by the statistics readily available, 90 \npercent of them would fail. That means that 10 percent of them \nwill succeed, and that is 90 companies each year singularly.\n    Now, when we multiply this by dozens of other schools, who \nalone launch small businesses, then obviously we have a \nmultiplied effect here. That is very, very important. And why \nis this important to mention? It is very, very important to see \nsmall businesses not just as businesses that have been formed \nwithin the legal confine of what we typically call a corporate \nstructure.\n    Yes, these small businesses are independent consultants. \nThese small businesses have been graduate assistants who have \nbeen incorporated legally. Some were doing business with the \ngovernment or the state. So it is very, very important to say \nthat.\n    And by extension, the talent tool provided by small \nbusinesses is overwhelming, for the mere fact that small \nbusinesses are in the front line of solving problems, \naddressing security problems, and to a larger extent, in the \ngrowth economy, confronting also some of our problems. By \ncertain, they are able to develop talents which are not readily \navailable or acquired from the universities, so this is one \nsignificant area where small businesses contribute greatly to \nthe economy.\n    We want to also state that capacity creation is one of the \nsix main areas that small businesses are actively engaged in, \nin strengthening the cybersecurity of the nation. Many of the \ninitiatives at the Federal and State levels spur, as we know, \ncapacity creation. A case in point is the recent DFAR changes \nproposed by the DoD that will affect the entire DoD supply \nchain. This in itself is going to have a multiplier effect by \ncreating different capabilities that will affect job creation, \nnot just within small business establishments, but also for \nlarge businesses as well.\n    And, of course, we know that the most talked about efforts \non incubation and innovation of technologies of two processes \nand all sorts of innovations come from small businesses. This \nis very, very correct. For example, in our own Maryland here, \nState of Maryland, Sourcefire, Inc. created the SNORT. The \nSNORT is one of the intrusion detection system tools that is \nout there today. It is assumed to be the informal baseline. It \nwas created by a small business and has expanded today all over \nthe world. Somehow the SNORT is used as the standard.\n    We also have, as Secretary Johansson mentioned, Tenable \nSecurity, a software company located also in Columbia, Maryland \nhere. It is still the--the scanning tools, software scanning \ntools that it created also have set standards.\n    So we can go on mentioning countless small businesses \nthroughout the United States of America that have come up with \nnew technologies that have incubated them and that have \ninnovated existing technologies or that have somehow incubated \nnew ones outside the traditional confines of large institution-\nbased or Government-based research and development labs. Very, \nvery important.\n    And lastly, Senator, I will also submit that niche services \nis an area where we think small businesses have overwhelming \ngovernance. For example, in the field of cybersecurity, we do \nknow that the hacking skill is very, very important in the fact \nthat folks that have these skills are able to assist in what we \ncall penetration testing.\n    We have often heard about the Tiger Teams, Red Teams, et \ncetera, that are called in from small consulting firms or \nconsultancies to help big companies and Government agencies \nthat test the health of the security devices that they have \nmounted or employed.\n    Such niche services are never incubated by large \nbusinesses, but small businesses provide them, and, of course, \nwe have heard about the celebrated case by one of the famous \nhackers, Kevin Mitnick. He had great hacking skills and there \nare thousands of more like him today. So it is very, very \nimportant to say that niche services is an area where small \nbusinesses have overwhelming dominance.\n    But let me conclude my brief presentation by saying that \nthese contributions by small businesses, there are enormous \nobstacles, as you have noted, and also Senator Barbara \nMikulski. But I do want to suggest that it will be good for us \nto recognize that growing new ideas take money. Capitalization \nis very, very important.\n    We are aware of the fact that Congress has passed different \nlegislation to help small businesses secure loans, but the \nbanks are not lending. Recently my company, despite of our \nresources or in spite of our resources, I do not know which is \nbest to describe here, approached a bank to get $200,000 in a \nloan and we were declined because we have maxed out, and we \nhave a niche service that was tested that is very, very \nsuccessful. So this is one of the challenges.\n    So one way that small businesses can actually capitalize \nfast is for them to get contracts as primes or subcontractors. \nWe do note that the big companies are good at what they do, \nbut, of course, it is also the fact that they are greedy. They \ngo after $50 contracts head to head with small businesses.\n    So I think one of my first recommendations is that Congress \nprobably should consider mandating a certain percentage of all \nFederal contracts to go to small businesses. Then secondly, I \nthink in furtherance of the different loan programs out there, \nit might be good for also Congress to consider ways of granting \nlow-interest loans to support small business innovations such \nas I have described, the one of growing the company.\n    And also, we have heard that Cyber Maryland has an \ninitiative that falls outside cybersecurity in the State, but \nit will also be good if small businesses are included in such \ninitiatives both at the Federal and State level. Oftentimes the \nimpression is that they are included, but obviously if you look \naround, you do not know who is included.\n    So, Senator Cardin, I want to thank you and the Committee \nfor giving me the opportunity to testify here today, \nrepresenting thousands of small businesses. I would be glad to \nanswer your questions.\n    [The prepared statement of Mr. Iheagwara follows:]\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    Senator Cardin. Well, thank you very much. Ms. Djamshidi.\n\n STATEMENT OF SARAH DJAMSHIDI, EXECUTIVE DIRECTOR, CHESAPEAKE \n                       INNOVATION CENTER\n\n    Ms. Djamshidi. Senator Cardin, thank you so much for \nholding this very important hearing on the role of small \nbusiness in the cybersecurity area and----\n    [Discussion regarding microphone.]\n    Ms. Djamshidi. So thank you for holding this very important \nhearing on the role of small business and in the area of \ncybersecurity. I am delighted to be here and provide a voice to \nthousands of small businesses that are working and innovating \nin this particular area.\n    By way of background, CIC is a unique business accelerator \nand incubator that is focused on the role of small business in \nthe area of----\n    [Discussion regarding microphone.]\n    Ms. Djamshidi. Okay, much better.\n    Senator Cardin. Much better. Let us start all over again. \nWell, not all over again.\n    Ms. Djamshidi. So let me begin by providing background \ninformation on CIC. Many speaker members here referenced \nChesapeake Innovation Center, and so I am delighted to provide \na little bit more background, and also offer a perspective from \nthe small business side of the equation.\n    So by way of background, CIC is a unique business \naccelerator that is specifically focused on serving as a direct \nconnection between users of technology, and that would be \ngovernment agencies and system integrators, as well as the \ncreator of those technology and innovation areas, so small \nbusinesses are leading the way in innovation in the areas of \nhomeland, national, and cybersecurity areas.\n    CIC was formed in 2003 and is located in Anne Arundel \nCounty and has served as the nation's first business \naccelerator focused on homeland and national and cybersecurity \nareas. Since then, we have worked with more than 50 technology \ncompanies. These are all small businesses. We have incubated \nand accelerate them through various programs that we have.\n    And then the other program that I have provided more \ninformation in my written testimony on, which is basically a \nprogram called Tech Bridge, we have worked with more than 170 \ntechnology companies from across the country, as well as \nglobally, and we have brought them here to the State of \nMaryland and we have showcased their innovative technologies in \nthe area of homeland defense and cybersecurity in front of some \nof the system integrators and Government agencies, particularly \nmajor security stakeholders around the Fort Meade area. So I \nwould be more than happy to provide more information on that.\n    CIC is a Anne Arundel Economic Development Corporation and \nwe have shared great success since 2003. Our companies have \nraised more than $100 million in private capital. Our companies \nhave also won more than $300 million in Government contracts. A \nnumber of them have been acquired along the way, and more \nimportantly, one of them in particular, in the area of \nbiodefense and homeland security has gone public, and that is \nPharmAthene. So we are very proud of them.\n    So today we spent a lot of time talking about the fact that \nwe live in a digitized society. We enjoy many good things like \nFacebook and iPad, but we also talked about the importance of \ncybersecurity in this new era, in protecting our data, and how \nit is more important than anything else, and also it has \nserious impacts in our socioeconomic and national security \nareas.\n    One of the keys things I wanted to highlight is that more \nthan 90 percent of Government critical infrastructure is built \nand supported by the private sector. Mission critical systems \nare built by defense contractors, and increasingly, Government \nagencies are relying on the private sector-built networks and \nsystems and solutions.\n    So the question is, where does small business come into \nthat? With small business, the majority of the private sector, \nwhich is comprised of, as we talked about earlier, by small \nbusinesses, are developing these innovative cyber technologies \nand tools to be able to support and basically secure this \ncritical infrastructure.\n    So we think that in this new era, innovative small \nbusinesses play a very key and important role in this whole \ndynamic, and organizations, public/private partnership \norganizations like CIC, that is a partnership between the \ncounty, the State, and Federal agencies, is a key component in \nthat whole mix.\n    At CIC, we spent a lot of time understanding the market and \nlooking at some of the issues that small businesses face, some \nof the things that are important to you and we have talked \nabout already here today. We understand there are a number of \ngaps in the marketplace, and so we have created a number of \nprograms specifically designed to help small businesses \nnavigate through those issues. And again, I have provided more \ndetailed information in my written testimony.\n    Some of the programs to highlight include, for example, \nnumber one, we provide hands-on support and access to funding \nand Government opportunities. We have created a three-year long \nrigorous company building process where we navigate some of \nthese small businesses. Again, the ones that are working on, as \nSenator Mikulski remarked, the geek companies, the technology \ncompanies that are developing unique innovative technologies in \nthe areas of homeland and national and cybersecurity and \nhelping them cross the chasm, if you will.\n    It is a difficult task to do and we serve through our \npartnerships. We bring in a lot of resources to be able to do \nthat, and we partner with a lot of organizations across the \nState of Maryland in order to provide that.\n    Second, again, in partnership with various academic \ninstitutions that includes the community colleges, it includes \nthe major academic institutions around the State, and various \nother organizations like Workforce Development Corporation, we \nbring in some of this training and education so that we can \ncreate those next generation cyber warriors and fuel the \ninnovation inside some of these technology companies.\n    And then third, we have created various programs to bring \nthe public and private together and showcase some of these \ninnovative technologies. Today some can argue there are no \neffective, or there are not that many effective, ways of \nbringing some of these innovations to the marketplace. So they \ncan actually see the light of the day and go solve tough \nproblems.\n    We have created specific programs to do that, and that is \nthe program that I referenced earlier as Tech Bridge, and \nthrough that, we look across the country. We have screened and \nvetted hundreds and hundreds of companies. And then we bring in \nmore than--we have brought in more than 180 companies to date \nto the State of Maryland, showcased their innovative \ntechnologies to major stakeholders such as the National \nSecurity Agency and other agencies, and we have brought those \ninnovations here to the State of Maryland.\n    We think that is a great attraction tool. We hope that some \nof these companies will think of the State of Maryland as \neither their expansion area or their home, for example.\n    Finally, in support of the entrepreneurship culture around \nthe region, we think that is an important thing to do and we \nplay a key component in that. And so, we have launched several \nprograms, one of which, for example, is the Business-to-\nGovernment CEO Roundtable which is meant to put our finger on \nthe pulse of small business issues and understand that and \ncreate value-added services in partnership and help with others \nand bring those to the small businesses.\n    One of the key things I wanted to highlight is that I \ntalked about our companies historically have raised or brought \nhundreds of millions of dollars in private capital and \nGovernment contracts. But I want to share with you one very \nrecent example.\n    One of our current companies in our portfolio, Inovex \nInformation Systems, is a small company headed by three first-\ntime entrepreneurs who serve Fort Meade, works in the area of \ncybersecurity and support in that region, and this company came \nto us in 2009 with 13 employees. Today they have not only \nquadrupled their revenues, but they also employ more than 43 \nhighly-skilled workers.\n    So that is a great example that is very close to home. It \nis probably one of the best kept secrets, and I definitely \nwanted to share that with you. Is that all, enough, to your \npoint? We think there is more work that can be done. And are we \ndoing it all? I do not think so. And so, with that, I think a \nlot of people touched on it, and you also mentioned it.\n    We think that access to capital is absolutely huge and \ncrucial toward continuing the innovation and bringing these \ntechnologies to the marketplace. We also think support for \npublic/private partnership organizations also is important in \nsupport of the small businesses because this is a huge task \nthat is going on.\n    And finally, I think in observation of what is going on, I \nthink it is crucially important for various counties, agencies, \nFederal, State, what have you, to work in close collaboration \nwith each other so that we can continue this innovation in the \narea of cybersecurity that is so important to us. And then I \nwill take any questions.\n    [The prepared statement of Ms. Djamshidi follows:]\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    Senator Cardin. Well, thank you very much for that \ntestimony. Dr. von Lehmen.\n\nSTATEMENT OF GREGORY VON LEHMEN, Ph.D., PROVOST, UNIVERSITY OF \n                  MARYLAND UNIVERSITY COLLEGE\n\n    Dr. von Lehmen. Thank you, Senator Cardin. On behalf of the \nUniversity of Maryland University College, I thank you for the \nopportunity to appear in this field hearing of the Senate \nCommittee on Small Business and Entrepreneurship. Both you and \nSenator Mikulski have alluded to the threat in this area of \ncybersecurity.\n    I have been invited here to talk about how the University \nof Maryland University College is working to meet the workforce \nneed in this area, particularly in educating cybersecurity \nprofessionals, many of whom we believe will use their knowledge \nto further small business expansion, both here in Maryland and \nthroughout the United States.\n    In my capacity as Provost, I led a very talented academic \nteam, starting about 18 months ago, to launch three \ncybersecurity degree programs in collaboration with an advisory \nboard of public and private sector industry leaders, many of \nwhom had a long background and distinguished career in the \nDepartment of Defense and the military services.\n    Thanks to their tremendous input, our programs are \nspecifically mapped to professional expectations in industry \nand government, which is an important distinction when it comes \nto effectively meeting critical State and national workforce \nneeds.\n    As the largest public university in the United States, by \nhead count, and one of the 11 degree-granting institutions \nwithin the University system of Maryland, UMUC was created 64 \nyears ago to meet the unique academic needs of working adults, \nmost of whom return to college for professional advancement.\n    Today we serve 94,000 students in all 50 States, 28 \ncountries, including some 40,000 active duty members, veterans, \nand their families. We do this face-to-face at more than 150 \nlocations around the world, and also, online through our award-\nwinning virtual campus.\n    We are supportive of opportunities for both emerging and \nestablished small business owners through our association with \nthe Minority Business Enterprise, whose award ceremony UMUC \nhosts each and every year, and our NBE-endowed scholarship fund \nwhich was established last year with awards to be made this \ncoming academic year.\n    In responding to the urgent needs for tens of thousands of \ncybersecurity professionals nationwide, the University of \nMaryland University College stepped forward to meet the \nchallenge, becoming a key player in Governor Martin O'Malley's \nplan to position Maryland as the country's epicenter for \ncybersecurity, and to be sure our university is exceptionally \nwell-positioned to shape the course of cyber education going \nforward, given its healthy track record and IT program \ndevelopment, its ongoing relationships with the Department of \nDefense, Federal agencies, and contractors, and its large \ncontingent of clearance-ready students.\n    What is more, UMC is one of 147 colleges and universities \nin the United States to be designated as an NSA DHS Center of \nAcademic Excellence in Information Assurance Education, and \nmore recently, we have begun working with the National \nInstitute of Standards and Technology on its NICE initiative \nwhich is to create a taxonomy of cyber work roles and then to \nmap curricula to those work roles. We think this is a very \nimportant effort to create a common reference point for \nacademic programs in cybersecurity.\n    Consequently, in developing its cyber initiative, the \nuniversity created two master degree programs, one in \ncybersecurity and one in cybersecurity policy. And \nadditionally, the university offers a bachelor's programs in \ncybersecurity and a number of graduate and undergraduate \ncertificates. All three degrees and these certificates offer a \nmarket-driven curriculum and are furnished primarily online.\n    We have also recruited an exceptional group of faculty \nmembers. We have built a remote access cyber virtual lab which \ncan accommodate up to 800 concurrent users. We have raised $1.2 \nmillion for cybersecurity scholarships, and we have signed \narticulation agreements with community colleges in Maryland and \nLouisiana that offer associate degree programs in cybersecurity \nto help create this pipeline of educated professionals.\n    In less than a year--in less than a year, we have enrolled \nclose to 2,200 cybersecurity students, nearly half of whom are \ncompleting one of two graduate degree programs that I \nmentioned, or one of the certificates in this field.\n    The vast majority of our graduate students, about 89 \npercent according to a recent survey of our students that we \nconducted, around 89 percent have at least five years \nprofessional experience in IT Information Assurance or computer \nsecurity in Government or across sectors of the economy, while \n61 percent of them hold security clearances.\n    Moreover, a significant number of these enterprising \nstudents will undoubtedly use their new skills to launch \nbusinesses of their own. And I close with two examples. One of \nour graduate students in the technical track are MS in \ncybersecurity, wants to start his own cybersecurity consulting \nfirm working with private corporations.\n    He is currently employed as an executive at a large firm, \nbut he plans to start his own consulting practice. And having \nmore than 27 years experience in military intelligence, he is \nnow acquiring the additional technical skills through our \nprogram that he needs to launch his new business.\n    And another of our graduate students, which I just happened \nto meet by chance last week at an AFCEA conference, is in our \nmaster's of cybersecurity policy. He started his own \ncommunications firm in 2006, focusing on public relations, \ncorporate and social responsibility planning, and digital \ncontent strategies.\n    His firm is not a cyber company yet, but as he says, and I \nwill quote, a comment that he makes, his vision is to focus on \nthe prevention, policy, and people side of cyber. Policy \ndevelopment, implementation, and communications, he notes, are \nso critical to the success of any organization, end quote.\n    These two students in their maturity and in their drive \nwell represent our student population as a whole, and I believe \nwill make a significant contribution to small business \ndevelopment in this State. So once again, Mr. Chairman, I \nappreciate this opportunity to speak before the Committee and I \nam happy to answer any questions that you might have.\n    [The prepared testimony of Dr. von Lehmen follows:]\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    Senator Cardin. Well, once again, let me thank all three of \nyou for your testimony and your contribution to this hearing.\n    Dr. von Lehmen, I found your presentation concerning the \ndemographics of your student body as it relates to \ncybersecurity programs to be very interesting. You have the \nlargest program in our country from the point of view of a \npublic university and your student body.\n    Can you share some more information? That 61 percent seemed \nlike a high number. Is that an increase? That is who had \nclearance, I think you used that.\n    Dr. von Lehmen. That is correct, sir.\n    Senator Cardin. Has that been running? Have you done \nstudies about that in previous years? Is that a number you \nthink is increasing or decreasing?\n    Dr. von Lehmen. Our cybersecurity programs were launched \nthe fall of last year, and so, this is the first survey of that \nstudent population. We do not have historical comparative data.\n    Senator Cardin. Did that number surprise you or did you \nexpect that it would be that high?\n    Dr. von Lehmen. I must say we were surprised that we had \nsuch a large number of individuals already cleared, but we \nattribute that to the mix of military students who are in our \nprogram, as well as those civilians who are working in the \ninformation assurance field for the Government or for \ncontractors.\n    Senator Cardin. And, of course, these are students that are \nenrolling in both undergraduate and post-graduate programs?\n    Dr. von Lehmen. Our baccalaureate program and our master's \nprograms.\n    Senator Cardin. Right. Can you tell us more about the \ndemographics or can you supply them to the Committee, like age, \nemployment background?\n    Dr. von Lehmen. I would be happy to provide that \ninformation about our cybersecurity students, in particular, \nbut I am fairly confident in saying that the profile of that \nstudent body probably matches very closely with the general \nprofile of our student body.\n    The average age is 32; they are more likely to be married \nthan not, more likely to have children than not, more likely to \nalready be employed than not. And so, these are students who \nwant to advance their career in some way, either within their \ncurrent employment or by changing their employment, and who \nhave made a very serious decision to go back to school.\n    One of the things we tell corporations, and we meet with \nmany of them in the cybersecurity sector, is that our students \nare very special. They made a decision to get into this field \nbecause they see a future in it, because they see the threat to \nour nation and they are committed to making a difference.\n    It is more likely that if they are employed by one of these \nfirms, they are not going to be leaving, but will make a \ncommitment to their work in that firm.\n    Senator Cardin. I think it is very encouraging, and, of \ncourse, there is a great advantage to us here in Maryland, \nalthough I know your program is international, that your \nstudent body is global, basically.\n    Let me change gears a little bit to Dr. Iheagwara and to \nMs. Djamshidi. You all put a face on this issue. You started \ntalking about specific companies and, of course, your company \nwhich I think is very helpful because we hear more about the \nstatistical information so it is good to see the specific \ncompanies that you talk about.\n    And you talked about, Ms. Djamshidi, about the importance \nof the public/private partnership, which I found very \ninteresting. And I am wondering if the two of you could sort of \nshare with us, maybe in priority order, what is the greatest \nconcerns you have in dealing with the Federal Government, or \ndealing with the State or local government?\n    I am sure the problems are different, but if you could sort \nof tell us where you think the greatest concern would be for a \nsmall company trying to advance in the cybersecurity area, \nworking with the Federal Government, what do you see are the \nmajor areas that we should be paying attention to, and then if \nyou could, help our State our, the State of Maryland.\n    Ms. Djamshidi. Sure. Did you want to take this?\n    Mr. Iheagwara. Ladies first.\n    Ms. Djamshidi. Oh, okay. Sure. So in us working in a hands-\non way with our companies, quite often we find these technology \ncompanies have dual purpose technologies. It applies in the \narea of cyber homeland security to the Federal space, but it \nalso applies to various other commercial sectors.\n    So one of the key challenges that we try to work with our \ncompanies is essentially staying alive enough to be able to \nprovide these innovations to the market. And so, quite often, \nthat encompasses a number of activities. One is going after \ndifferent markets; second is trying to help them get financed \nalong the way, technology development takes capital; and in a \nvery smart way, putting a capital strategy together is actually \nnumber one of the things that we work with our companies on \nthat.\n    Senator Cardin. But on capital, we are going through a very \ntough economic period.\n    Ms. Djamshidi. Exactly, right.\n    Senator Cardin. It is tough for anyone to get capital. Have \nyou seen any of the tools that have been made available showing \nany improvement in the availability of capital?\n    Ms. Djamshidi. I think so. I think I have seen some--it is \ndefinitely helpful, and with industry, we are lucky to have a \nDBED, we are lucky to have TEDCO. We have the MIPS program and \nvarious other programs that are available for financing the \ncompanies, and I think those are very helpful. Two of our \ncompanies most recently got TEDCO awards. That has been very \nhelpful. We always work with our companies to try to look at \nall of these resources that are available.\n    But I have to say, there is still a lot more to be done. \nAnd so, we are sometimes having to go to Boston or go to \nCalifornia to get some companies financed. And so, more of \nthat, I think, would be helpful. I think you also mentioned \nearlier that the capital to the companies, even though the \nbanks say that they do have the capital, but they are not \nlending fast enough, is one of those key things that we are \ntrying to tackle every day.\n    And we are trying to do everything we possibly can. For \nexample, in the last two years, specifically it has been very \ndifficult. One of the things that we have rolled into our \nservices is aggressive business development for our companies. \nWe are trying to get them faster and faster to their customers \nas a way of trying to bridge that gap. So we are trying to do \neverything that we possibly can to try to help expedite the \ncompanies so that companies do not fall sideways in the process \nas they are trying to bring some of these innovations out.\n    Senator Cardin. Thank you. Dr. Iheagwara, you are to be \ncongratulated, first, for being selected by DBED as Maryland \nHomeland Security Company of the Year, so I know you are going \nto say nice things about the State of Maryland. But could you \nperhaps tell us, in dealing with the Federal Government, what \nhas been your greatest challenge?\n    Mr. Iheagwara. Thank you, Senator, for the congratulations \nand the good wishes. I have heard it two or three times today, \nso we are grateful that we won the award. But I must tell you \nthat it has been a grueling fight. I am a fighter, generally \nspeaking, and you cannot be a small business without being a \ngood fighter.\n    The legislation, most of them are in place, but they have \nnot been implemented, and where they are, not well-implemented. \nI listened to the testimony of Ms.--the lady from NSA, right? \nTalking about how easy it is to get 40 percent unclassified \ncontracts, but that is not our experience.\n    We have attended the issues, we have registered. It is not \neasy. We tried very hard. We pushed. At some point, they \nrequested for our capability statement. We went a step ahead by \ngiving them our past performance record, which shows clearly in \nno unmistakable terms what we have done over 15 years, prime on \neight Federal contracts and knocking out 20 other contracts \nwith KPMG who was our mentor initially. That did not get any \nbuy-in.\n    But we are on their database, and we keep receiving notices \nto attend and attend and attend. We are a small business. We do \nnot have the resources. But look, here is the deal. We have \nproven that we can perform. We bid on contracts. It is \ndifficult to win. The big boys are locked in. One is Xerox \nthrough the ACS, even in our State of Maryland here. I took \nissues with even Secretary--not Johansson--for Minority \nAffairs, Landau Jenkins.\n    I told her, we have submitted upwards of 50 solicitations \nto our own State of Maryland. We incorporated here 15 years \nago. Not even a single contract from here. Yet, we have knocked \nout more than 20 contracts nationwide, all the way from Lines, \nIllinois to Honolulu, Hawaii for the U.S. Marine Corps, to \nBoston, Massachusetts for the U.S. Smithsonian, prime.\n    So you cannot tell us that we do not write good proposals \nor we do not have the past performance. So the animal we are \ndealing with here in Maryland is completely different. The \nFederal sector, the agencies there, is more about marketing \nmoney. We are a small business. It is not always to compete \nwith IBM and all the big companies that have all the agents \nthere deployed going after you.\n    Even as we speak now, if I give you a trajectory of our \npath, you will be impressed. I can tell you that, Senator. Look \nat it. So with eight Federal contracts, I state again, it is \ndifficult for us to win. So what they do, as you identified \nearlier on, is that they bundle all the contracts to add-ons \nand full-ons. Even when they advertise on bay for contracts, \nwork, $25,000, the big boys will still compete and they will \nwin.\n    So it is tough. So to sum it up, capitalization is very, \nvery important for any small business. There are one of several \nways to capitalize, one of which is the easy way, perhaps. Win \ncontracts, hire new people, deploy them there, send money, and \nlaunch new initiatives, or you go for new markets or you go for \nventure markets, which is heavily tilted towards products and \nnot services.\n    So I think capitalization is the toughest constraint, and \nif you can help us by making it a legislative mandate that all \nFederal dollars or State dollars, in the case of the State of \nMaryland, spent on cybersecurity, a certain percentage should \ngo to small businesses, and, of course, request proof at the \nend of each fiscal year of delivery.\n    Senator Cardin. That is good advice. I appreciate your \nsuggestions and the points that you are highlighting are \ncertainly ones that the Small Business Committee has made our \ntop priority. So we are doing oversight hearings on that this \nyear.\n    Ms. Djamshidi, let me ask you one additional question on \nthis. Could you just share with me your observations of what \nthe current budget situation has done in regards to these \nissues from two points of view? One, as we know, there has been \nreduced expectations as to what the Federal Government will be \ndoing this year and the foreseeable future?\n    And number two, there is the unpredictability of whether we \nare going to have a shut-down, but whether we would have had a \nshut-down earlier this Congress or whether there was going to \nbe a problem--whether we will have a problem on August 2nd \npaying any bills. What impact is that having on your work?\n    Ms. Djamshidi. I tell you, it makes it more interesting and \nchallenging at the same time. We feel that this whole \ncircumstance that is going on, it hits us in multiple ways, and \nus I mean by the small businesses and us as an organization \nthat represents the small business.\n    We find Federal agencies are quite often, a lot of the \nprocurement vehicles are on hold, and so therefore, the buying \ndecision has been dragged on for a longer period of time. And \nso, therefore, the small businesses are, therefore, affected.\n    And as we talked about, some of the vehicles for small \nbusinesses to get into some of the agencies quite often, \nbecause priming is very difficult, is to work in subcontract \nareas and to prove themselves by working with one of the system \nintegrators. And there is a second wave of that.\n    The system integrators are, therefore, affected, and \ntherefore, are not making those decisions and therefore, again, \nsmall business is affected by not being able to participate in \nsome of those areas. So this delayed process is definitely \naffecting the companies. They still have to keep the lights on. \nThey need to have revenues come through the door to pay for \ntheir employees, and it is very difficult to hold on to the \nemployees in this current environment.\n    And so, it relates and it comes back to the small business \nin multiple ripples effects, and therefore, it makes it even \nmore challenging. And I can provide more anecdotes.\n    Senator Cardin. That would be helpful, thank you.\n    Dr. von Lehmen, could you respond also, too? The last three \nor four years have been tough years. Is it affecting the type \nof students that you are getting or their interest areas as \nthey see the expectations, particularly at the Federal level of \ngovernment, being diminished?\n    Dr. von Lehmen. The experience of institutions that serve \nworking adults is that when the economy goes into a recession, \nenrollments pick up.\n    Senator Cardin. Right.\n    Dr. von Lehmen. And that is because individuals are either \nout of work and seeking to recapitalize themselves through \nadditional education or they still have a job but are concerned \nto maintain their positions by also getting additional \neducation.\n    So what we have seen over the last three-plus years is \nactually growth from year to year in our student population. \nThe majority of our students are in the programs that you would \nthink they would be in. If you look at any college or \nuniversity across the United States, it is typically business-\nrelated programs, programs that are related to information \nsystems or computing, technology in general that experience the \ninterest and the growth, and that has certainly been true for \nus.\n    And, of course, the leading example for us are our graduate \nprograms in cybersecurity. Those programs were launched just \nlast fall and are the cleanest measure of this growth. Today we \nhave nearly 1,000 graduate students in those programs.\n    Senator Cardin. Well, thank you. Again, let me thank this \npanel and thank all of those who were responsible for helping \nto put on this hearing here in Laurel. As I said in the \nbeginning, this is a hearing of the Senate Committee on Small \nBusiness and Entrepreneurship. The information that has been \nobtained, the testimonies and the questioning, will be made \navailable to all the members of our Committee and will be \nhelpful in our role in oversight, as well as to try to plan \nappropriate policies to expand opportunities for small \nbusiness.\n    Chairman Landrieu, Ranking Member Snowe, are both very much \ninterested in these cybersecurity issues as it relates to \nbusiness growth for small companies. And we are very interested \nin how the tools that we have already made available to deal \nwith bundling--and we know the problems are there. Do not get \nme wrong. Our Committee is very focused on trying to deal with \nbundling abuses and, by the way, abuses between prime \ncontractors and sub-contractors with the small business \ncommunity.\n    We also are monitoring very closely the availability of \ncredit through the mechanisms that were made available through \nthe Small Business Jobs bill, and we will continue to monitor \nthat. So your testimonies and the full record will be very \nhelpful to the Committee, and I thank you all for \nparticipating.\n    The hearing record will remain open for two weeks for \nadditional questions that could be asked by members of the \nCommittee. In that case, if such are asked, we would ask that \nyou try to get back your answers as quickly as possible so that \nthe Committee record will be completed in a timely way.\n    And with that, the Committee will stand adjourned. Thank \nyou all very much.\n    [Whereupon, at 4:42 p.m., the hearing was adjourned.]\n\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n\n                                  <all>\n\x1a\n</pre></body></html>\n"