[Senate Hearing 112-262]
[From the U.S. Government Publishing Office]






                                                        S. Hrg. 112-262

                    THE ROLE OF SMALL BUSINESSES IN
        STRENGTHENING CYBERSECURITY EFFORTS IN THE UNITED STATES

=======================================================================

                                HEARING

                               BEFORE THE

            COMMITTEE ON SMALL BUSINESS AND ENTREPRENEURSHIP
                          UNITED STATES SENATE

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION

                               __________

                             JULY 25, 2011

                               __________

    Printed for the Committee on Small Business and Entrepreneurship









         Available via the World Wide Web: http://www.fdsys.gov





                                _____

                  U.S. GOVERNMENT PRINTING OFFICE
 71-267 PDF               WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001





            COMMITTEE ON SMALL BUSINESS AND ENTREPRENEURSHIP

                      ONE HUNDRED TWELFTH CONGRESS

                              ----------                              
                   MARY L. LANDRIEU, Louisiana, Chair
                OLYMPIA J. SNOWE, Maine, Ranking Member
CARL LEVIN, Michigan                 DAVID VITTER, Louisiana
TOM HARKIN, Iowa                     JAMES E. RISCH, Idaho
JOHN F. KERRY, Massachusetts         MARCO RUBIO, Florida
JOSEPH I. LIEBERMAN, Connecticut     RAND PAUL, Kentucky
MARIA CANTWELL, Washington           KELLY AYOTTE, New Hampshire
MARK L. PRYOR, Arkansas              MICHAEL B. ENZI, Wyoming
BENJAMIN L. CARDIN, Maryland         SCOTT P. BROWN, Massachusetts
JEANNE SHAHEEN, New Hampshire        JERRY MORAN, Kansas
KAY R. HAGAN, North Carolina
  Donald R. Cravins, Jr., Democratic Staff Director and Chief Counsel
              Wallace K. Hsueh, Republican Staff Director








                            C O N T E N T S

                              ----------                              

                           Opening Statements

                                                                   Page

Cardin, Hon. Benjamin L., Chairman, a United States Senator from 
  Maryland.......................................................     1
Mikulski, Hon. Barbara A., a United States Senator from Maryland.     3

                               Witnesses
                                Panel 1

Gallagher, Hon. Patrick D., Director, National Institute of 
  Standards and Technology, United States Department of Commerce.     5
Walsmith, Jennifer S., Senior Acquisition Executive, National 
  Security Agency, United States Department of Defense...........    17
Johansson, Hon. Christian S., Secretary, Department of Business 
  and Economic Development, State of Maryland....................    25

                                Panel 2

Iheagwara, Dr. Charles, Chief Marketing and Business Development 
  Officer, Unatek, Inc...........................................    44
Djamshidi, Sarah, Executive Director, Chesapeake Innovation 
  Center.........................................................    56
von Lehmen, Dr. Gregory, Provost, University of Maryland 
  University College.............................................    68

          Alphabetical Listing and Appendix Material Submitted

Cardin, Hon. Benjamin L.
    Testomony....................................................     1
Djamshidi, Sarah
    Testimony....................................................    56
    Prepared statement...........................................    59
    Responses to questions for the record from Mary L. Landrieu..    88
Gallagher, Hon. Patrick D.
    Testimony....................................................     5
    Prepared statement...........................................     7
    Responses to questions for the record from Mary L. Landrieu..    83
Iheagwara, Dr. Charles
    Testimony....................................................    44
    Prepared statement...........................................    48
Johansson, Hon. Christian S.
    Testimony....................................................    25
    Prepared statement...........................................    28
    Letter.......................................................    90
Mikulski, Hon. Barbara A.
    Testimony....................................................     3
von Lehmen, Dr. Gregory
    Testimony....................................................    68
    Prepared statement...........................................    71
    Responses to questions for the record from Mary L. Landrieu..    87
    Letter.......................................................    94
Walsmith, Jennifer S.
    Testimony....................................................    17
    Prepared statement...........................................    20
    Responses to questions for the record from Mary L. Landrieu..    85

 
                    THE ROLE OF SMALL BUSINESSES IN
        STRENGTHENING CYBERSECURITY EFFORTS IN THE UNITED STATES

                              ----------                              


                         MONDAY, JULY 25, 2011

                      United States Senate,
                        Committee on Small Business
                                       and Entrepreneurship
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 2:55 p.m., at the 
Laurel Municipal Center, City Council Chambers, 8103 Sandy 
Spring Road, Laurel, Maryland, Hon. Benjamin L. Cardin, 
presiding.
    Present: Senators Cardin and Mikulski.

OPENING STATEMENT OF THE HONORABLE BENJAMIN L. CARDIN, A UNITED 
                  STATES SENATOR FROM MARYLAND

    Senator Cardin. Good afternoon and welcome to the hearing 
of the Committee on Small Business of the United States Senate. 
I first want to thank Chairman Mary Landrieu, who is the 
Chairman of the Small Business Committee--I have the honor of 
serving on that Committee, for allowing me to conduct this 
hearing in Laurel, Maryland, on a very, very important subject 
to not only the small business community, but to our entire 
country, The Role of Small Businesses in Strengthening 
Cybersecurity Efforts in the United States.
    I want to thank my colleague and friend, Senator Barbara 
Mikulski, for joining us today. Senator Mikulski, as I am sure 
you all are aware, serves on three very important committees, 
but two that are directly related to cybersecurity. One is on 
the Senate Intelligence Committee, the other on the Senate 
Appropriations Committee. She also serves on the Committee on 
Health, Education, Labor, and Pensions, which obviously is also 
an important Committee as it relates to the training of people 
in the cybersecurity area. So, Senator Mikulski, thank you for 
joining me today in this hearing.
    I want to thank our friends from Laurel for allowing us to 
use this facility, Mayor Moe. Thank you very much. The Council 
people that are here. We very much appreciate your hospitality 
today. There could not be a better place for us to have this 
hearing. It is a growth area in Maryland and one that is very 
much connected to the cybersecurity issues.
    I also want to acknowledge Delegate Susan Lee who is here. 
She chairs the committee, along with Senator DeGrange, on 
cybersecurity issues, a committee that was established by 
legislation that she helped author. So it is very nice to have 
you here, Susan, and we look forward to working in partnership 
with our colleagues in the State Legislature.
    Cybersecurity is an issue that is of utmost importance to 
our country. In the last Congress, I had the opportunity to 
chair the Subcommittee on the Judiciary Committee that dealt 
with Homeland Security, cybersecurity issues. And I mention 
that, because during the course of that chairmanship, I had the 
opportunity to learn firsthand of the risks to our country.
    There are cyber criminals out there and I think we all know 
cyber criminals. But in addition, we also have cyber terrorists 
that are out there, people who are trying to do havoc to this 
nation through cyberspace to America. But there are also cyber 
soldiers, agents of other countries that are operating, that 
are trying to compromise America's security.
    They can do this through--cyber criminals can, of course, 
do it by bank robberies that make the old bank robbers look 
like they are pikers compared to the danger that can be 
attached to our financial system. In a matter of just a few 
hours, millions of dollars were stolen in several countries 
through the ATM machines. So we know that cyber criminals are 
out there.
    But cyber terrorists are really trying to cause havoc to 
this country. They are trying to compromise our security, 
trying to deal with our energy grids, trying to deal with our 
transportation grids. And we know that, other countries are 
interested in trying to compromise our defense strategies 
through cyber-attacks. So these are issues that are of utmost 
importance to our country.
    I authored a bill, S. 372, which is aimed at cybersecurity 
and Internet safety standards by having the Government work 
with the private sector to develop best practices for 
protecting us from our vulnerability against cyber-attacks. 
That legislation is moving forward as an effort to figure out 
how we can do things better, which really brings me to the 
current subject of how we and the small business community and 
in Maryland can help solve a national problem as well as 
growing our own economy.
    In Maryland, we are very proud as being what we call the 
Cyber Center for this nation. Governor O'Malley has called it 
Cyber Maryland, putting a strong focus on the cybersecurity 
issues in our State through the tools of the State government.
    We are proud of the Federal agencies that are located here 
and the new U.S. Cyber Command. Fifty key security and 
intelligence facilities located in the State of Maryland, 12 
major military installations in the State of Maryland, our 
colleges, our universities that have concentrated on 
cybersecurity issues.
    There is a great deal of energy here in Maryland and we 
want that energy, to a large extent, focused on the small 
business community. We know that job growth in America will be 
through our small businesses. We know that we will get more 
innovation through small companies. That is where the energy 
level starts, and we need to do a better job in energizing our 
small business community.
    In the Congress, we passed recently several bills to help 
small businesses. We know about the concerns, of those in 
Federal agencies, as to whether they are allocating fair 
dollars to the small business community. We know of the abuses 
of bundling small contracts into large contracts, making it 
virtually impossible for a small company to get the prime 
contract.
    We know of the frustration in a tough economy, as to 
whether the agencies have adequate staffing to be able to reach 
out beyond their current suppliers and contractors. We want to 
overcome those obstacles because we think it is critically 
important for job growth and innovation, to be able to make 
sure that the small business community is getting their fair 
share of the work, and we also understand the issues of credit.
    Secretary Johansson, I am glad that you are here, because 
we are going to talk a little bit today about the efforts being 
made by Congress. Congress made significant resources available 
to ease up credit. Part was direct through the Federal 
Government; part was through the States, and I would be 
interested to hear the experiences in Maryland as it relates to 
getting resources out to small businesses in order to move this 
agenda forward.
    At this time, let me yield to my colleague, Senator 
Mikulski, for her opening statement.

OPENING STATEMENT OF HON. BARBARA A. MIKULSKI, A UNITED STATES 
                     SENATOR FROM MARYLAND

    Senator Mikulski. Well, Senator Cardin, I want to thank you 
for hosting this hearing. Your championship of small business 
is well-known, and your persistent advocacy is much 
appreciated.
    Like you, I join today to see how, in our effort to keep 
our country safe, particularly against the new enduring war of 
cyber war, we also want to build a safer and stronger economy 
by making sure that the money that we spend, both within 
Government and within the private sector, provides as much 
access as we can--not only to big business who often knows how 
to work the system, but to small- and medium-size businesses so 
that we can have a safer country--indeed, a stronger economy.
    I am so proud of where Maryland is in this new enduring 
war. It is here that we are on the battleground to protect 
America. The key critical assets in both military and civilian 
agencies are right here in Maryland.
    We truly are the epicenter of cybersecurity for the United 
States of America, and because of our unprecedented know-how in 
this area--particularly rested in the National Security Agency 
working with the National Institute of Standards and 
Technology--we are actually the epicenter, in many instances, 
for the world, at least for the free world that wants to remain 
free.
    Just to list a few, to list, actually, the basic ones, of 
course, is what I affectionately call the ``Mothership,'' the 
National Security Agency. That is the listening post for cyber 
and signals intelligence throughout the world, protecting our 
troops in Iraq and Afghanistan, whether it is a Navy Seal going 
to take down Bin Laden, or it is a plane over Libya, or whether 
it is keeping an eye on North Korea or any other bad guy whose 
name is even too unmentionable to bring up.
    They are on the job 24/7. The National Security Agency is 
also the home to the Cyber Command. It is the job of the Cyber 
Command to protect .mil for the entire United States of 
America, and also be linked with treasured allies in its 
protection.
    And then we have special agencies: DISA, the Defense 
Intelligence Service Agency. The 10th Fleet that is there right 
now--a fleet like no other fleet. It does not have aircraft 
carriers. It does not have submarines. But boy does it have the 
Navy-Marine spirit in which their job is to protect the entire 
critical Naval assets.
    And then, as we move out, because we always need new ideas 
in this new enduring war, there is IARPA, the Intelligence 
Advanced Research Projects Activity that is right next to 
College Park, for the synergistic effect with our intellectual 
capital at the universities, where they will develop the new 
ideas to protect not only .mil and .gov, but .com and 
individuals who are threatened every day.
    And then, in order to come up with the new ideas, you need 
new products. You can't have new products without standards, 
and it is the National Institute of Standards and Technology, 
working with both government and the private sector, that is 
creating the standards so that we have interoperable products 
that protect us, but also protect our economy.
    Well--you think I am a little excited about it?
    But, listen, I know the ``Mothership'' alone spends $2.5 
billion in contracts. So while I have extolled your virtues, I 
want you to tell me how you will open the doors of Government 
or you have them opened already, so that small business can 
compete on the basis of merit.
    Senator Cardin: We do not give people contracts. What we do 
do is fight for the opportunity for them to go after the 
contracts based on their know-how, their ability, and the value 
that they offer to the United States Government.
    So we look forward to hearing from you. But right now, I 
salute you because you are the front line warriors in this new 
and enduring war.
    Senator Cardin. Well, thank you very much, Senator 
Mikulski.
    We will now go to our first panel. Let me welcome all three 
of our panelists. Dr. Patrick Gallagher was confirmed as the 
14th Director of the U.S. Department of Commerce's National 
Institute of Standards and Technology, NIST, in 2009. He also 
serves as Under-Secretary of Commerce for Standards and 
Technology. Dr. Gallagher brings high level oversight and 
direction for NIST. The agency promotes U.S. innovation and 
industrial competitiveness by advancing measurements, science, 
standards, and technology. So we very much welcome you, Dr. 
Gallagher.
    We will then hear from Jennifer Walsmith. Jennifer Walsmith 
has served as the Senior Acquisition Executive for the National 
Security Agency since January, 2009. In this role, she is 
responsible for all procurement in support of NSA's signals, 
intelligence, and information assurance missions. While 
managing the agency's multibillion dollar budget, as Senator 
Mikulski has pointed out--and Senator Mikulski is very much 
aware of that as one of the appropriators----
    Senator Mikulski. That is open source, too.
    Senator Cardin. That is right. Ms. Walsmith has focused on 
balancing acquisition discipline with mission agility.
    And then we will hear from our own DBED Secretary, 
Christian Johansson. He was appointed Secretary by Governor 
Martin O'Malley in early 2009. He oversees Maryland's nearly 
250 employee business agency and its $25.6 million budget. 
During his tenure, he has helped the Governor craft strategic 
plans, and informed councils targeting Maryland's competitive 
business trends in a rapidly changing industry such as biotech, 
cybersecurity, IT, and foreign direct investment.
    All three of you, it is a pleasure to have you before the 
Committee and we will start with Mr. Gallagher.

                                PANEL 1

  STATEMENT OF HON. PATRICK D. GALLAGHER, DIRECTOR, NATIONAL 
INSTITUTE OF STANDARDS AND TECHNOLOGY, UNITED STATES DEPARTMENT 
                          OF COMMERCE

    Dr. Gallagher. Thank you very much, Senator Cardin and 
Senator Mikulski. It is a real pleasure to be here today to 
talk about cybersecurity in business. I want to start by 
thanking Team Maryland for your leadership on cybersecurity, 
for your recognition of its importance to the nation's 
security, and to its economic future, and for helping to make 
Maryland really the epicenter of this effort.
    Mr. Chairman, I will focus my testimony today on the 
important interplay between the small business community and 
this cybersecurity effort. In my written testimony, I have some 
more information about these efforts that I will not be able to 
get into in this time, particularly the National Initiative on 
Cybersecurity Education and the Proposed National Cybersecurity 
Center of Excellence championed by Senator Mikulski. Both of 
these efforts will also benefit the small business community.
    More than 99 percent of all U.S. businesses are small and 
medium size enterprises. Small businesses are the growth engine 
of our economy, and they account for most of the new job 
creation in this country. Information technology has brought 
huge advantages to these businesses, but they also face 
significant threats and unique vulnerabilities caused by their 
size and diverse organizations.
    In fact, it has been recently reported that data and 
identify theft are impacting small and medium size businesses 
at a rate greater than of individuals. Many of these businesses 
house very sensitive personal, health care related, or 
financial information. Many small businesses also provide 
direct services to our Federal, State, local, and tribal 
governments, and therefore, have access to government 
information or systems.
    In this interconnected environment, it is vital that small 
businesses be aware of the risks and take appropriate steps to 
ensure that their systems are secure. And given their critical 
role, a vulnerability common to the small business community 
could pose a significant overall threat to this nation's 
economy or national security.
    NIST programs work with industry to set the standards that 
protect businesses of all sizes, as well as the Federal 
Government, from cyber threats. Our efforts are broad and 
include cybersecurity research, standards, developing the tools 
and tests to demonstrate conformance with standards, guidance 
documents, and cybersecurity outreach and education.
    Today I would like to focus on just two areas of critical 
importance to the small business community, identify management 
through the National Strategy for Trusted Identifies in 
Cyberspace, or NSTIC, and cloud computing.
    So NSTIC was announced in April of this year at an event 
that I had the pleasure of joining Senator Mikulski with, and 
this program seeks to better protect consumers from fraud and 
identity theft, to enhance individuals' privacy, and to foster 
economic growth by enabling industry, both to move more 
services online and to create innovative new services.
    This strategy aims to make online transactions more 
trustworthy and give businesses and consumers both the 
confidence they need to work online. The Federal Government's 
efforts in this public/private effort will be led by NIST. Our 
job is to facilitate the development of interoperability 
technology standards and policies, and create an identity 
ecosystem where individuals, organizations, and the underlying 
infrastructure such as routers and servers, can be 
authoritatively authenticated.
    Small businesses will be able to use this infrastructure to 
avoid the cost of building their own cumbersome log-in systems 
and take their business online and reduce the cost to both 
themselves, and make the user experience more convenient for 
their consumers. It can also expand their ability to reach out 
to new consumers across the nation and around the world.
    Similarly, cloud computing and its growth offers a unique 
opportunity for small businesses in all sectors to make use of 
powerful computing resources without requiring up-front or 
long-term IT investment. Small businesses can contract and use 
computing services through the cloud computing model and only 
pay for those resources that they choose to use and actually 
consume, and the model is providing a path for small businesses 
and others to be able to easily move data systems from one 
cloud provider to another.
    It is for these very reasons that the Federal Chief 
Information Officer is determined that it helps the Government, 
too. And under the Cloud First Strategy, NIST has been tasked 
with working with the business community to develop the shared 
requirements, standards, and best practices to promote adoption 
of the cloud computing in a way that continues to ensure 
privacy, security of data in the cloud, and ensures that cloud 
services are interoperable, portable, and reliable.
    Small businesses play a special role in the NIST programs. 
This is because they provide the critical technical 
competencies that allow us to do our work. It is by harvesting 
their entrepreneurial spirit and innovative capacity that NIST 
is able to integrate cybersecurity standards and safeguards in 
a meaningful way into the technology that our nation depends 
on.
    In short, we cannot accomplish our mission at NIST without 
this community. So I want to thank you for the opportunity of 
appearing before this Committee and I am happy to answer any 
questions.
    [The prepared statement of Mr. Gallagher follows:]



    Senator Cardin. Thank you very much for your testimony. Ms. 
Walsmith.

     STATEMENT OF JENNIFER S. WALSMITH, SENIOR ACQUISITION 
 EXECUTIVE, NATIONAL SECURITY AGENCY, UNITED STATES DEPARTMENT 
                           OF DEFENSE

    Ms. Walsmith. Good afternoon. Thank you, Senator Cardin and 
Senator Mikulski. Thank you. I appreciate the opportunity to 
talk with you both and the Committee on such a topic of vital 
importance, the role of small business and the role that they 
play in the success of our agency's mission.
    If there was one thing that I could leave you with is the 
importance that we place on outreach to small business and 
giving them the opportunities that Senator Mikulski referred to 
earlier that is vital to our success and vital to our 
partnerships that we set forth with those businesses.
    Cybersecurity, the protection and defense of our 
information systems, relies heavily, as you know, on 
technology. Small businesses play a role that no other can play 
in that regard. They have the agility and the innovation to 
create and deploy cyber products and services that are 
customized to NSA's missions needs through innovation and 
collaboration.
    NSA engages in a variety of activities to promote 
partnership opportunities with small businesses and networks 
with industrial organizations that focus on supporting our 
agency's missions. Some of these agencies or organizations that 
we network with include AFCEA, American Small Business 
Coalition, Chesapeake Innovation Center, Chesapeake Regional 
Tech Council, and the Fort Meade Alliance.
    NSA has developed an acquisition communication tool at our 
Acquisition Research Center that facilitates such communication 
between NSA and industry. Currently there are over 2,700 
Maryland businesses registered in the ARC of which over 82 
percent of them are small businesses. NSA uses the ARC to 
perform our market research and provide those opportunities to 
identify potential bidders for our efforts.
    Our Office of Small Business Programs ensures that small 
businesses, including service-disabled veterans owned 
businesses (SDVOB) and HUBZone, all have the opportunity to 
participate in our acquisitions. The Department of Defense 
small business performance goal for NSA is 25 percent of prime 
contract dollars. As of 30 June 2011, NSA's small business 
performance was just over 17 percent.
    We are working diligently to increase our small business 
utilization and NSA includes small business subcontracting 
requirements in our large contracts, of which we tie to award 
fee to ensure their utilization. This is very significant. It 
results in a significant amount of dollars to small businesses.
    For example, in FY10, one of our prime contractors 
subcontracted more than 60 percent of the work to small 
businesses. In that single contract alone, it represented over 
$100 million to small businesses. This is a consistent trend in 
our large contracts.
    There are many other positive trends within our small 
business area. Two that I want to mention briefly today are the 
utilization of our SDVOB and HUBZone small businesses. We put a 
particular effort on this in 2008 to grow these two vital areas 
of business.
    To just demonstrate the growth that we have seen in 2008, 
we had .3 percent in SDVOB. When we closed FY10, we had 1.53 
percent of our appropriated dollars were awarded to prime 
contracts with SDVOB companies. This represents a five times 
increase in those prime contracts.
    HUBZone is a similar story. We have increased that amount 
by 93 percent between FY09 and FY10. These trends demonstrate 
NSA's commitment to creating set-aside opportunities for small 
businesses. We have a variety of programs to increase the 
opportunity and the dialogue with small businesses.
    We all know the chicken and egg that comes with classified 
contracting. If you do not have a security clearance, then you 
are often unable to break those barriers to understand what our 
business is all about. With that, we introduced a program we 
call the Provisional Industrial Security Approval Program, and 
what it does is it allows us to clear a set number of 
individuals from companies that wish to do business with us to 
allow for the technical conversations and the business 
development opportunities, and later allow them to compete on 
our contracts.
    I'll take a moment to also talk to you about several other 
initiatives that we have specifically geared to small 
businesses. We have a large NSA set-aside called the NSETS 
Program, which enables us to competitively acquire agency 
requirements from a team of highly qualified small businesses. 
In the first three quarters of FY11, NSETS awarded over $133 
million to small businesses.
    NSA provides and participates in a number of outreach 
programs ranging from hosting large symposiums to small 
business interactions facilitating one-on-one capabilities 
briefings to promote their capabilities to individuals within 
our organization.
    In the first three quarters of this year, NSA hosted over 
28 technology expositions which demonstrated and allowed small 
businesses the opportunity to come directly into our spaces and 
share their capabilities with NSA personnel. Each event hosted 
over 20 to 25 companies and vendors had the opportunity to 
interact with over 300 to 400 agency personnel.
    While that is just a single way for them to interact and 
show their capabilities, we also hosted several niche events 
this year, focusing on cloud computing, cybersecurity, wireless 
technology, and many others.
    NSA offers a biweekly pathway to success and which is 
designed to educate small businesses on how to do business with 
NSA. We know that is a tough area. Getting to know us and 
knowing how to move into our market is not easy for a new 
business just getting started.
    In the first three quarters of FY11, more than 650 
businesses participated in our briefings. We hosted over four 
major events to promote activities that help them understand 
our upcoming competitive opportunities. These events 
collectively attracted over 1,700 businesses to interact with 
us.
    In addition, because it all is so much of how you get to 
know us, we participate with speakers and subject matter 
experts in many regional and national conferences all designed 
for people to begin to understand our agency better.
    Through the above-mentioned programs and our outreach 
events, NSA programs connect with thousands of small businesses 
a year in an effort to promote small business opportunities to 
partner with NSA. Without them, we could not achieve our 
agency's mission. I look forward to your questions and this 
opportunity to speak with you today.
    [The prepared statement of Ms. Walsmith follows:]



    
    Senator Cardin. Again, thank you for your testimony. Mr. 
Johansson.

 STATEMENT OF THE HONORABLE CHRISTIAN S. JOHANSSON, SECRETARY, 
   DEPARTMENT OF BUSINESS AND ECONOMIC DEVELOPMENT, STATE OF 
                            MARYLAND

    Mr. Johansson. Senator Cardin, Senator Mikulski, I greatly 
appreciate the opportunity to be here with you today at the 
Senate field hearing on Small Business and Entrepreneurship to 
really testify on the critical role that small businesses have 
and will continue to have in strengthening cybersecurity 
efforts in Maryland.
    I want to thank both Senator Mikulski and Senator Cardin 
for standing sentry to protect our nation at home, abroad, and 
in the clouds, as well as your laser-like focus on our nation's 
economic recovery. On behalf of Governor O'Malley, I also want 
to acknowledge your steadfast support for Cyber Maryland, our 
strategic effort to make Maryland the epicenter for 
cybersecurity.
    Let me also acknowledge Senator Mikulski's leadership in 
the Senate to create a National Center of Excellence at NIST, 
and we appreciate all of her efforts on that.
    My testimony today will outline some of the steps that we 
are taking in Maryland to support and create jobs in 
cybersecurity and preview planned business development 
activities in the months ahead.
    When President Obama first pledged to make securing the 
country's most vital computer networks a top economic and 
national security priority in 2009, he called for greater 
leadership and collaboration. Maryland answered that call with 
Cyber Maryland.
    As Senator Mikulski outlined before, our State is uniquely 
positioned to seize upon this opportunity through our assets in 
Federal, private, and academic strengths, including, as the 
Senator mentioned, U.S. Cyber Command, a National Security 
Agency, the National Institutes of Standards and Technology, 
and numerous military commands, including a renowned academic 
institution producing the next generation of innovators and 
inventors, a broad base of entrepreneurs, and established 
businesses and intellectual capital second to none.
    My agency engages stakeholders in Maryland's cybersecurity 
community to quantify and qualify the strengths of our state, 
identify business opportunities, and outline a strategic plan 
to capitalize on both. The results were unveiled 18 months ago 
by Governor O'Malley at NIST when Senators Mikulski and Cardin 
joined Dr. Gallagher and hundreds of business, academic, and 
federal leaders to launch this business development initiative.
    Additionally, with Delegate Susan Lee's vision and 
leadership, legislation was passed during the 2011 session to 
create the Commission on Maryland Cybersecurity Innovation and 
Excellence. Our strategic plan included ten major action steps 
and was organized around four key goals.
    First, support the creation and growth of innovative 
cybersecurity technology in Maryland. Second, develop an 
educational pipeline to train new cybersecurity talent and an 
advanced workforce development program like those being 
pioneered by institutions like UMUC, whom you will hear from 
shortly.
    Third, advance cybersecurity policies to position Maryland 
for enhanced national leadership. And lastly, ensure the 
sustained growth and future competitiveness in Maryland's 
cybersecurity industry. I am pleased to report to you today 
that by the steps we have taken in government, and with the 
private and academic sectors, are successfully moving Maryland 
forward and positioning the state for Federal leadership in 
business, workforce, technology, and economic development.
    In the interest of time and on behalf of my colleagues and 
other state agencies, I will touch upon three business 
development strategies we have successfully organized. The 
first one. We unified cybersecurity marketing under the Cyber 
Maryland brand to position our collective identity and enhance 
communication of the state's assets.
    To date, a uniform logo, comprehensive website, and an 
aggressive social marketing campaign have been launched. You 
might see the logo here that we have created. I have got a 
slide here for the Website that you can access as well.
    Next week, the Cyber Pulse will also debut that will 
communicate news about this growing IT sector. And you are 
seeing it before anybody else. In the coming months, we will 
launch a new strategic advertising campaign and target the 
markets and participate in a comprehensive outreach program of 
industry-based trade shows and conferences.
    Second, we have positioned new start-ups for growth for 
capital funding by passing Invest Maryland in the 2011 
legislative session to recapitalize the Maryland Venture Fund. 
And, Senator Cardin, also thank you to you for your leadership 
on the Senate Banking Committee when Congress passed the Small 
Business Credit Initiative. This is resulting in $23 million 
that is going to help Maryland's small emerging and minority 
companies secure access to credit.
    Both of these programs offer significant opportunities for 
cybersecurity companies, particularly, and software 
communications and IT security. For example, the Maryland 
Venture Fund has already invested in there cybersecurity 
companies, Tenable Security, Sourcefire, and Oculis Labs. We 
believe there are opportunities for further cybersecurity 
investments that are going to grow exponentially.
    With the federal and state tools, DBED will target early 
stage companies and products and collaborate with our partners 
to find vet and co-invest in early stage cybersecurity 
companies. These investments will be 50,000 to 250,000.
    Three, we have made real progress on academic workforce 
programs to teach, train, and attract talent. For example, the 
Department of Labor Licensing and Regulation created the 
pathways to Cybersecurity Careers Consortium, a three-year 
program to train 1,000 workers to fill cybersecurity jobs in 
Maryland. With the support of Senators Mikulski and Cardin, we 
received nearly $5 million in U.S. Department of Labor 
community-based job training grant funding.
    The Maryland Higher Education Commission provided BRAC 
higher education fund grants to community colleges, colleges 
and universities to develop cybersecurity curriculum. The 
University of Maryland College Park brought together all cyber-
related disciplines in the new Cyber Center, MC2, which is 
focused on cyber education, research, and testing.
    These initiatives and others, like the Governor's Workforce 
Investments Board and Cybersecurity Subcommittee, are preparing 
students, retraining employees, and fueling a pipeline of cyber 
warriors.
    In conclusion, cybersecurity offers business tremendous 
opportunities for collaboration with our universities; our 
incubators, including Chesapeake Innovation Center, the first 
dedicated to homeland and national security; our tech councils; 
our military commands; our Federal agencies.
    Cybersecurity offers entrepreneurs and innovators of the 
prospect of discovery, detection, and defense to protect our 
nation's digital infrastructure and our State tools, talents, 
and technologies to lift our economies. Cybersecurity offers 
Maryland the potential to protect the nation's digital 
infrastructure, to attract and expand Maryland businesses to 
provide jobs for our highly skilled and well-educated 
workforce, and to benefit all regions of the State.
    We see the innovation and job creation prospect of 
cybersecurity every day in entrepreneurs like Eric Fiterman, a 
former FBI special agent who founded Rogue Networks to provide 
protection to government Internet, protection to government and 
business clients, and Karl Gumtow who founded CyberPoint, and 
in just 18 months, created almost 100 jobs in Baltimore City.
    We thank you for your support of these efforts.
    [The prepared statement of Mr. Johansson follows:]



    
    Senator Cardin. Well, thank you all for your testimony. 
Secretary Johansson, let me first compliment the O'Malley 
Administration. The purpose of this hearing is to put a focus 
on cybersecurity and the role of small businesses, and I think 
under the leadership of Governor O'Malley, we have seen a 
Governor who has taken the advantages we have in Maryland 
through the Federal facilities that are there, the colleges and 
universities, and then put it together with the interest of the 
Governor, support of the Governor, to really provide the 
impetus for significant movement in our State with economic 
growth.
    We are here to talk about small businesses and you said 
something during your testimony I want you to talk a little bit 
more about. Part of the legislation we passed for the small 
business community was the deal with the availability of 
credit, which is one of the major concerns. Small businesses do 
not have deep pockets, and during these tough economic times, 
it is hard to get loans.
    So we made an extraordinary commitment of additional 
Federal resources. It was, quite frankly, all going to be 
managed at the national level through direct support to 
community banks. Then a Governor named O'Malley petitioned the 
Government to say, Look, the States can leverage a lot of this 
money. Give us part of those funds.
    And a very small part of those funds were allocated to the 
States as a result of the efforts of Governor O'Malley and 
other Governors, with the commitment that those funds would get 
out to help small businesses.
    We recently had a briefing from the SBA as to what was 
happening with the Federal portion. I must tell you, there was 
bipartisan concern the money was not getting out fast enough, 
that we needed to get it out quicker. And we are talking about 
$30 billion, a lot of money that could be leveraged.
    You mentioned in your testimony about three companies. Can 
you just tell us how the Governor has used these resources to 
try to get money out to small businesses, particularly in the 
cybersecurity area?
    Mr. Johansson. Sure. Here we go. First off, there was an 
application that all the States needed to complete. I believe 
Maryland was the third State in the union--maybe was the fourth 
State in the union to complete it and receive funds which we 
recently did. We are receiving $23 million. Out of that $23 
million, we intend to split it between different pools.
    Now, one pool will be going into our MIDFA program which 
helps guarantee small business loans. About $7 million, 
however, is going to our Maryland Venture Fund. Almost half of 
the opportunities that we have traditionally invested in have 
been technology opportunities, many of them in cybersecurity, 
and I just listed three examples of companies that we have 
invested in, in the past.
    Senator, I really thank you for your support of this 
because what this effectively means is, as a result of this, 
there is $7 million, and if history is any guide, probably 
about half of that is going to be invested directly into some 
of the more emerging, pioneering, small businesses here in 
Maryland that need equity capital to grow and to expand.
    Senator Cardin. If you could make that information 
available to our Committee, we would appreciate it very much 
for our record, because I think it would be helpful to share 
that with the other members of the Senate to show that we are 
getting the money out faster through the States and leveraging 
it for more economic activities. So it would be good to have 
the specific examples.
    Mr. Johansson. We will get you that, Senator.
    Senator Cardin. Director Gallagher, you mentioned a very 
important point about cloud computing, and when you think about 
it, if you are a small tech company, you are trying to compete, 
computer capacity is one area that is going to be raised by the 
contractor as to the capacity versus the large, traditional 
prime contractors that you normally selected.
    Can you just talk a little bit more about how you are 
working on cloud computing so that it does somewhat equalize 
the capacity of being able to use computer technologies for a 
small company that is using innovation and technology?
    Dr. Gallagher. Yes, thank you. I think that one way to 
think about the cloud model is it is an approach that turns IT 
resources from a built-in, capital-intensive enterprise that 
you need to build out within your company and turns it, 
frankly, into a commodity that you can purchase and scale up 
very quickly.
    So it is a great equalizer. In fact, I think it is poised 
to continue to make information technology even more of a 
commercial advantage than it has already proven to be. If you 
can imagine, the ability now to set up eCommerce sites, Web 
sites, and business systems through cloud services rather than 
having to build those servers and build that infrastructure 
within your own company and have the capacity inside to manage 
it, you can begin to see some of the tremendous advantage that 
it allows.
    It also is one of the few approaches that can rapidly 
scale. So if your company is really growing, if you are 
attached to your enterprise hardware, it is very difficult to 
keep up with the growth rate, perhaps, of a company. Whereas, 
through the cloud you can provision new resources almost 
immediately and scale very quickly.
    And I think that the business community faces the same 
challenges in the cloud that the Federal Government does, which 
is it is still a new area. These different cloud-type services 
do not work well together yet, and so we have concerns about 
making sure if you move something important in your business to 
the cloud, you do not have a proprietary lock-in. You have got 
the flexibility in the future to move your data and your 
services to somebody else so that the market works.
    You want to make sure the data that you put out in the 
cloud is secure. You want to make sure that the privacy of your 
customers is protected. And you want to make sure that it is 
available and reliable. And the fact that somebody else is now 
doing these things for you instead of you doing it yourself has 
changed the nature of the relationships.
    So we are working very closely with the business community 
to try to come up with that sort of collective behavior and 
those standards to drive that forward. And I have to say, the 
small business community plays two very important roles.
    One, they are going to be uniquely enabled by this 
infrastructure, but a lot of the innovation that Christian was 
talking about that is going to provide these solutions is going 
to come from that community as well. Their agility and their 
innovative capacity is going to play a key role, and we already 
see that in the NIST cloud efforts that the small business 
community are very active participants in this early effort.
    Senator Cardin. It is very exciting. I think NIST has a 
unique opportunity here, particularly as it relates to the 
portability and security and being able to make sure that you 
do not lose the proprietary information, which is one of the 
main problems for small businesses today. So I think it is 
extremely exciting, what you are doing there.
    Ms. Walsmith, I want to ask you a question about your 
problems in meeting goals on prime contracting. I know you have 
made tremendous efforts: 17 percent is a good number, but 25 
percent was the goal. So what are the challenges that you are 
confronting in getting more prime contract work to small 
companies under NSA?
    Ms. Walsmith. So we recognize that the goal is very 
critical that we meet. Some of our challenges are actually 
successes for the companies of which we do business with, and 
that is, often when we establish a relationship with an 
innovative small company, the first thing that happens, 
sometimes before I have even awarded the contract, they have 
been bought by a large company.
    And so, that is a positive in terms of the overall aspect 
of what we try to promote in the American economy. On the other 
hand, as soon as a small business is bought, then I no longer 
can take credit for that small business opportunity.
    But other things that we have to address, I do not want to 
say that it is that alone, is the growth of the small, small 
businesses. They do not always get represented in the first 
year. So let me explain a little bit further. So as we reach 
out to these really new tech innovative companies, generally it 
starts with a small dollar amount and then it grows over time.
    So you do not immediately see the benefit in literal dollar 
amounts, but it is the number of companies that we are doing 
business with that really creates that pipeline in the seed 
corn of the growth that we see in the long term. So that is 
another important facet that you do not always see directly in 
the number itself.
    The third area is to the challenges of just making those 
connections with the small businesses. It is a challenge for us 
to create enough time and opportunity for them to share their 
capabilities with us and for us to get to know them. That is 
where we have strengthened and grown our PISA program that I 
referred to earlier, our Provisional Industrial Security 
Accreditation Program, putting more in that pipeline this year 
than we have in any other year.
    So this year alone we have put another 153 businesses into 
that, clearing them and their technical representatives in 
advance of any contract. Statistically, over 50 percent of 
those companies that are participating in PISA do result in a 
prime contract or business with us and within three years.
    And so, those are the challenges that we face. We continue 
to push that further. We are very conscious of the large 
contracts and one that we need to take the time to do those 
small business set-asides. And so, I myself, as well as all of 
my leadership team within the Acquisition Directorate, have 
performance goals specifically within our performance reports 
that speak to having to meet and achieve those small business 
goals.
    But I would like to say one for a moment, it is not just 
about the numbers. It is really about our success. It is the 
thing that we need to be successful as an agency, so we do 
focus very much on bringing our numbers to the levels that you 
want and expect us to deliver against, but it is also about 
building that pipeline and the small set of businesses that we 
know are critical to our future success.
    Senator Cardin. Thank you. Senator Mikulski.
    Senator Mikulski. Senator Cardin, this is just a great, 
great hearing. I would like to go first to you, Dr. Gallagher. 
Senator Cardin, first of all, you know what a great asset NIST 
is. I mean, it is the agency that sets the standards for all 
private sector--anything that is a proprietary product, that is 
invented and sold in the United States of America, the 
standards are developed there.
    You would be interested to know that their total annual 
budget--under what I want to do, and what they consider 
adequate--is $1 billion. For $1 billion, we get a couple 
thousand people working in Gaithersburg, but also through what 
they do, we have millions of people working in the United 
States of America.
    You would also be interested to know that the House 
Appropriations Committee has reduced Dr. Gallagher's 
appropriation to $700 million. They just think they are 
government, they are just so expensive, let the private sector 
do it. The private sector does not institute standards. They 
cannot institute standards. [The private sector] develops 
products that have to have standards, so they can sell it here 
and around the world. Seven hundred million dollars, which I 
think will have a big effect. This is not an appropriations 
hearing by proxy, but when people talk about ``big government'' 
and how we are going to make it smaller, by making this 
Government smaller--we are going to make the private sector 
opportunities smaller. Government and the private sector cannot 
do this.
    Now, let us go to Dr. Gallagher. I wanted to, in last 
year's appropriation, put in $10 million for a National Cyber 
Center of Excellence to do tech transfer and some other things. 
Could you elaborate on what we wanted to do together? You have 
to know, in that awful CR shutdown situation that we went 
through, over which I am still prickly from that, let alone 
what we are facing now . . . so tell me what you thought it 
would do and what opportunities you think we have missed out 
on, or do we really need it? I am fighting, Senator Cardin, we 
are fighting for every nickel right this minute.
    Dr. Gallagher. Thank you. I have to say, I am tremendously 
excited about the idea of the Cyber Security Center of 
Excellence, and the reason for that touches on the point you 
just made about NIST being drawn very broadly and having to 
cover a lot of area. That is certainly true.
    The only way we have been able to preserve our 
effectiveness is to leverage what the American private sector 
can provide. It is really only in working in partnership with 
industry that we can even begin to approach some of these 
technology challenges.
    And the truth of the matter is that the innovation of the 
new technologies, whether they are going to be to solve 
identity management, whether it is to solve the use of the 
cloud, whether it is to solve cybersecurity, happens at this 
mixing zone between what the Government is doing and what the 
private sector is doing.
    Senator Mikulski. A mixing zone?
    Dr. Gallagher. A mixing zone.
    Senator Mikulski. Is that not a great phrase?
    Dr. Gallagher. And the President has been very vocal about 
this idea of creating economic opportunity by solving the 
country's core problems, whether it is looking at energy 
technologies or what have you, we can simultaneously create new 
opportunities when we focus on a key challenge. I think 
cybersecurity fits in that arena.
    By solving this big challenge, we are also opening up big 
opportunities for our businesses. And the concern we have had 
is, how do you provide an efficient forum for Government 
researchers and staff to work with basically, and that is 
really what the Cyber Security Center of Excellence was going 
to provide.
    It is a place where those two communities get together and 
work on shared problems. It is a place where the Government can 
benefit from the innovations and new ideas that are there in 
the private sector, and it is a place where the private sector 
can benefit from some of the research results that are coming 
out from the university.
    So it is almost more than tech transfer because we have 
information moving both ways, and I think a strong opportunity 
creates a mutual benefit for everybody. So we are continuing to 
work forward as much as we can with planning. We have been 
talking to our partners in the State. We have been talking with 
our partners in our other agencies to see how we can make this 
center create a focal point for business to work with the 
Government on these types of shared challenges.
    Senator Mikulski. Well, I am going to continue to fight for 
you because that is really fighting for our--quite frankly, 
fighting for our jobs for both tech transfer and for NIST to be 
NIST. And in the world of the cyber domain, I think, Ms. 
Walsmith, if General Alexander were here, he would say, ``Our 
weakest link is our strongest link.''
    In other words, wherever we are the weakest--and if small 
business does not protect itself, because we forget that some 
of the biggest bad guys against us are not foreign nationals, 
but organized crime, and they are going after small business in 
the identity theft area. So that is a hallmark. We could go on 
all day with you, and we look forward to working with you.
    But, Ms. Walsmith, I would like to go to you. First of all, 
what a great pamphlet. Is this the one that you give out 
anywhere and anywhere?
    Ms. Walsmith. Yes.
    Senator Mikulski. Now, if you could, Senator Cardin has 
already asked a couple other questions, but first of all, if 
you are a small business in Maryland, and I am thinking of the 
National Security Agency, do you give out--does NSA give out 
contracts to non-geek, non-security clearance agencies? Because 
many businesses do not even come to you because they think they 
have to be a geek company selling something in the world of 
signals and intelligence, and that they have to have a security 
clearance, which in and of itself can tie up a lot of capital 
in order to become certified.
    So do you help? Are there opportunities for the non-geek 
companies, and what would they be where you do not need a 
security clearance, or maybe you do?
    Ms. Walsmith. So that is frequently a myth about the 
National Security Agency, is that all our work is classified. 
But, in fact, nearly 40 percent of our work is unclassified, 
and that is something that most people do not realize. That 
business range to support an enterprise worldwide ranges from 
the guard dogs to the fences to snow removal to IT servers to 
more traditional, high-end cryptanalytic capability.
    But my point is that it crosses the spectrum of anything 
that you would need to run a large corporation worldwide. So 
we, in fact, have tremendous opportunities for businesses that 
are the non-technical organizations. In fact, when we look at 
our installation and logistics organization, if I looked at the 
statistics last month, over--let us see--of their appropriated 
budget, with the exception of the MilCon, they averaged around 
58 percent of their appropriated funds goes to small business 
awards.
    And so, there is tremendous opportunity for companies, 
other than those technology companies, to do business with us.
    Senator Mikulski. So as we troubadour these opportunities, 
we can essentially say to small business, Anything you do to 
support any large enterprise--it could be security at a 
community college--you could also look at agencies that are 
literally teaching lessons around the world to bad guys, so 
they should come to you.
    Now, walk me through. If you wanted to get started at the 
National Security Agency, what would you come to and where 
would you get started?--
    Ms. Walsmith. So the first thing----
    Senator Mikulski [continuing]. To get beyond the fence.
    Ms. Walsmith. So the first thing we would say is to come to 
one of our biweekly sessions that talks to you about how to do 
business with NSA. That is what I referred to that we had sent 
hundreds, literally thousands of companies through that process 
where we sit down and talk to you about the first steps of 
doing business with us.
    Senator Mikulski. So is that the gateway?
    Ms. Walsmith. That is the gateway. That is now housed 
within our fence line. It is actually at a location in Hanover, 
Maryland that does not have the----
    Senator Mikulski. So it is actually a disclosed location?
    Ms. Walsmith. It is a disclosed location, though I will be 
careful in that--but it is a location that you can come to and 
not have to go through the normal process coming inside.
    The second step is to register actually with our 
Acquisition Resource Center as we said. It is actually a 
mechanism to register companies and able to----
    Senator Mikulski. And that is the ARC?
    Ms. Walsmith. That is the ARC. So those are your first two 
steps. From that, that then puts you in the availability pool 
for us to--when we send out a market survey, if your key word, 
your business that you submitted, what capabilities you had, 
triggers that match within the database, then market surveys 
are automatically sent to you to provide you information on 
opportunities to do business with us.
    We further move on to do one-on-one capability discussions. 
So there certainly are those that need a security clearance, 
and so we then host those one-on-one capability discussions, 
and sometimes that will result in us sponsoring someone into 
the PISA program. That is another avenue for them to come and 
do business with us.
    We always host at least once annually, a forum which is 
specifically to unclassified companies to understand what it is 
like in terms of what it would take to get a clearance, how to 
do business with us, what is the ARC, what is the security 
process. And so, we are always trying to make it attainable.
    Senator Mikulski. We would like to know the date of the 
next one because offering the entire delegation on a bipartisan 
basis--I know Congressman Bartlett is keenly interested in 
this. I am not sure about Congressman Harris, but I know 
Bartlett really is. He is an inventor, a patent guy, and has 
Fort Detrick. We would like to know that.
    But your point to me is that each step leads to the next 
step, and so the gateway is at the Acquisition Resource Center 
and those first two biweekly meetings.
    Ms. Walsmith. Right.
    Senator Mikulski. You come to those and you get underway. 
Is that correct?
    Ms. Walsmith. Yes, that is correct.
    Senator Mikulski. Well, I would just like to say, 
Congressman--I have got the delegation on my mind now. Team 
Maryland. Mr. Johansson, again, we would like to thank Governor 
O'Malley for his leadership in making cybersecurity a top 
economic development issue. Again, safer country, stronger 
economy, and we all have to be smarter in how we do things.
    I think Senator Cardin covered my questions to you, but we 
would like to compliment you on your work, and let us keep the 
path going. I know Senator Cardin and I are going to have to go 
to the Capitol, so again, I could have 5,000 more questions for 
10,000 more small businesses, but I am going to stop because we 
are trying to avoid, literally, the collapse of our economy. So 
I think I have covered it.
    Senator Cardin. Well, let me thank Senator Mikulski again 
for being here. I know that she is going to have to leave 
shortly and I appreciate her joining the Committee for this 
period of time, and, of course, we appreciate her strong 
leadership in our delegation, to focus all of our resources of 
our delegation to support what the three of you are doing.
    I have one last question which has to do with SBIR that we 
were unable to get off the floor of the Senate, but we will 
come back to it. My question to you, Dr. Gallagher and Ms. 
Walsmith, is, the goal, 2.5 percent, how you all are doing in 
meeting that. This would increase it to 3.5 percent set aside 
for innovative funds to small businesses. Are you meeting those 
goals? Do we need to do something different than was in the 
reauthorization bill?
    Dr. Gallagher. So you are talking about the targets for the 
SBIR collection rate?
    Senator Cardin. Correct.
    Dr. Gallagher. So for NIST, we tend to meet those targets 
fairly readily. We are not a large grant-making organization so 
our SBIR program is fairly modest by comparison. But we have 
been fortunate to not having any difficulty meeting those 
requirements.
    Senator Cardin. NSA, are you involved in this?
    Ms. Walsmith. So we participate through DOD and we do very 
well with the SBIR program, but we are participating in through 
the DOD process.
    Senator Cardin. I thank you for that. One last point, Ms. 
Walsmith. Your point about the contract officers and reaching 
out to small businesses, you made a very good point about the 
smaller company being bought out by the larger company, which 
many times is exactly what they want to happen. Sometimes they 
have to do it by necessity because they need to be into a 
larger enterprise. That may not always be the best, but in most 
cases, it is.
    Just very quickly, does the current budget problems put an 
extra burden on your contract officers or directors as to 
whether they have the resources to be able to look beyond their 
current set of contractors?
    Ms. Walsmith. So certainly as we have been--the challenges 
this year with the continuing resolution and what it then 
results in for us executing our budget in very distinct 
increments puts an additional workload on our contracting 
officers. That does draw attention away from the outreach to 
bring in new businesses.
    We work to balance that very stridently to ensure that they 
are still spending the time, but the first thing that comes 
onto the plate is ensuring that we are appropriating the funds 
we have aggressively and to meet the needs that we submitted 
that budget for.
    Senator Cardin. Well, thank you. On behalf of Senator 
Mikulski and myself and the Committee, I want to thank all 
three of you for your time, for getting through the weather 
today. It started out just muggy and hot, then it just became 
wet and muggy. But we thank you very much and we look forward 
to working with all three of you.
    We will now turn to Panel 2.

                                PANEL 2

    Senator Mikulski. Senator Cardin, I am going to have to go 
because of the situation and trying to organize the women of 
the Senate so we are not thrown under the bus.
    Senator Cardin. Again, I thank you.
    Senator Mikulski. So if I could be excused?
    Senator Cardin. I think everybody knows the current 
situation on Capitol Hill where we have eight days to a 
deadline to make the August 2nd on the budget. Senator Mikulski 
is in the middle of some of those negotiations. When I leave 
here this afternoon, I will be going back to Washington to join 
in that debate. Quite frankly, it is more enjoyable being here 
with you all, but that will require me to go back to Washington 
this evening.
    Let me welcome all three of our panelists on this panel. 
First let me welcome Dr. Charles Iheagwara who is the Chief 
Marketing and Business Development Officer at Unatek, a U.S. 
Government information technology contractor. He leads business 
development efforts with several notable successes, including 
positioning Unatek as a major U.S. Government prime contractor 
and expanding corporate business lines, contracting, and 
marketing services in the workforce.
    He has also previously worked for the District of Columbia 
Government and a number of other companies including Lockheed 
Martin. Unatek recently received the Homeland Security Company 
of the Year award from the State of Maryland. Congratulations 
on that.
    Next we will hear from Sarah Djamshidi. As the Executive 
Director, she oversees all of the Chesapeake Innovation 
Center's activities, coaches and mentors in the member 
companies. CIC is a unique venture accelerator that connects 
promising technology companies and emerging technologies with 
Government agencies, major government contractors, and private 
sector customers.
    Last we will hear from Dr. Gregory von Lehmen, who serves 
as Provost and Chief Academic Officer for UMUC, University of 
Maryland, University College. He joined UMUC as the Area 
Director for Japan in 2001 and worked for UMUC Asia as Area 
Director for Japan for four years.
    He returned to the United States in 2005 where he served as 
the Senior Associate Dean within the School of Undergraduate 
Studies and later as Senior Vice Provost. So with that, let me 
start first with Dr. Iheagwara and then we will move on to our 
other witnesses.

  STATEMENT OF CHARLES IHEAGWARA, Ph.D., CHIEF MARKETING AND 
           BUSINESS DEVELOPMENT OFFICER, UNATEK, INC.

    Mr. Iheagwara. Thank you, Senator Cardin and members of the 
Committee for inviting me to testify on this very, very 
important topic, that is the Role of Small Businesses in 
Strengthening Cybersecurity Efforts in the United States, and 
if I may, to a large extent, the cybersecurity portion of the 
entire planet.
    As I stated in my written submission, my experience is one 
of ten years of both field practice and the academic work, and 
as you mentioned earlier, I worked with a couple of companies, 
including Edgar Online, Lockheed Martin, and the D.C. 
Government eight years.
    On the academic side, also, I have been fortunate somehow 
to have written two topics on cybersecurity. My Ph.D. 
dissertation in Cardiff, Wales was on cybersecurity, and in 
particular, the effectiveness of intrusion detection systems. I 
also wrote a thesis recently at MIT on cybersecurity.
    Having said that, Senator, I want to now focus--direct a 
few points that the role of small businesses play in 
strengthening cybersecurity in the United States. And in my 
written submission there are six key areas, one of which is 
talent, the second is capacity creation, the third is 
incubation, and the fourth is innovation, both of course of new 
technologies, processes, and practices. The sixth obviously is 
providing new services that are not always readily available 
from the large firms.
    Now, all of these are important for the reason that in 
seeking a solution to, of course, America's cybersecurity 
problems, it will be hard to think of any group closer to the 
action than small businesses. Small businesses in this case 
carry an extraordinary burden of leadership in both addressing 
the current threats and also, by the way, by way of their 
innovativeness, charting a course for developing cybersecurity 
to process these technologies, et cetera.
    By most accounts, one would really agree that in times of 
job creation, the significant impact here is that small 
businesses overall add the net growth in all jobs created. For 
example, economists with the Kaufman Foundation have determined 
that companies that produce most jobs are the new ones and that 
since 1980, nearly all net job creation has come from companies 
less than five years old.
    I do know this firsthand, having graduated recently from 
MIT, that this is true. The President of MIT, Susan Hockfield, 
stated--gave the statistics last week, and in the statistics 
she mentioned that each year MIT alone creates 900 companies a 
year. Well, if we go by the statistics readily available, 90 
percent of them would fail. That means that 10 percent of them 
will succeed, and that is 90 companies each year singularly.
    Now, when we multiply this by dozens of other schools, who 
alone launch small businesses, then obviously we have a 
multiplied effect here. That is very, very important. And why 
is this important to mention? It is very, very important to see 
small businesses not just as businesses that have been formed 
within the legal confine of what we typically call a corporate 
structure.
    Yes, these small businesses are independent consultants. 
These small businesses have been graduate assistants who have 
been incorporated legally. Some were doing business with the 
government or the state. So it is very, very important to say 
that.
    And by extension, the talent tool provided by small 
businesses is overwhelming, for the mere fact that small 
businesses are in the front line of solving problems, 
addressing security problems, and to a larger extent, in the 
growth economy, confronting also some of our problems. By 
certain, they are able to develop talents which are not readily 
available or acquired from the universities, so this is one 
significant area where small businesses contribute greatly to 
the economy.
    We want to also state that capacity creation is one of the 
six main areas that small businesses are actively engaged in, 
in strengthening the cybersecurity of the nation. Many of the 
initiatives at the Federal and State levels spur, as we know, 
capacity creation. A case in point is the recent DFAR changes 
proposed by the DoD that will affect the entire DoD supply 
chain. This in itself is going to have a multiplier effect by 
creating different capabilities that will affect job creation, 
not just within small business establishments, but also for 
large businesses as well.
    And, of course, we know that the most talked about efforts 
on incubation and innovation of technologies of two processes 
and all sorts of innovations come from small businesses. This 
is very, very correct. For example, in our own Maryland here, 
State of Maryland, Sourcefire, Inc. created the SNORT. The 
SNORT is one of the intrusion detection system tools that is 
out there today. It is assumed to be the informal baseline. It 
was created by a small business and has expanded today all over 
the world. Somehow the SNORT is used as the standard.
    We also have, as Secretary Johansson mentioned, Tenable 
Security, a software company located also in Columbia, Maryland 
here. It is still the--the scanning tools, software scanning 
tools that it created also have set standards.
    So we can go on mentioning countless small businesses 
throughout the United States of America that have come up with 
new technologies that have incubated them and that have 
innovated existing technologies or that have somehow incubated 
new ones outside the traditional confines of large institution-
based or Government-based research and development labs. Very, 
very important.
    And lastly, Senator, I will also submit that niche services 
is an area where we think small businesses have overwhelming 
governance. For example, in the field of cybersecurity, we do 
know that the hacking skill is very, very important in the fact 
that folks that have these skills are able to assist in what we 
call penetration testing.
    We have often heard about the Tiger Teams, Red Teams, et 
cetera, that are called in from small consulting firms or 
consultancies to help big companies and Government agencies 
that test the health of the security devices that they have 
mounted or employed.
    Such niche services are never incubated by large 
businesses, but small businesses provide them, and, of course, 
we have heard about the celebrated case by one of the famous 
hackers, Kevin Mitnick. He had great hacking skills and there 
are thousands of more like him today. So it is very, very 
important to say that niche services is an area where small 
businesses have overwhelming dominance.
    But let me conclude my brief presentation by saying that 
these contributions by small businesses, there are enormous 
obstacles, as you have noted, and also Senator Barbara 
Mikulski. But I do want to suggest that it will be good for us 
to recognize that growing new ideas take money. Capitalization 
is very, very important.
    We are aware of the fact that Congress has passed different 
legislation to help small businesses secure loans, but the 
banks are not lending. Recently my company, despite of our 
resources or in spite of our resources, I do not know which is 
best to describe here, approached a bank to get $200,000 in a 
loan and we were declined because we have maxed out, and we 
have a niche service that was tested that is very, very 
successful. So this is one of the challenges.
    So one way that small businesses can actually capitalize 
fast is for them to get contracts as primes or subcontractors. 
We do note that the big companies are good at what they do, 
but, of course, it is also the fact that they are greedy. They 
go after $50 contracts head to head with small businesses.
    So I think one of my first recommendations is that Congress 
probably should consider mandating a certain percentage of all 
Federal contracts to go to small businesses. Then secondly, I 
think in furtherance of the different loan programs out there, 
it might be good for also Congress to consider ways of granting 
low-interest loans to support small business innovations such 
as I have described, the one of growing the company.
    And also, we have heard that Cyber Maryland has an 
initiative that falls outside cybersecurity in the State, but 
it will also be good if small businesses are included in such 
initiatives both at the Federal and State level. Oftentimes the 
impression is that they are included, but obviously if you look 
around, you do not know who is included.
    So, Senator Cardin, I want to thank you and the Committee 
for giving me the opportunity to testify here today, 
representing thousands of small businesses. I would be glad to 
answer your questions.
    [The prepared statement of Mr. Iheagwara follows:]



    Senator Cardin. Well, thank you very much. Ms. Djamshidi.

 STATEMENT OF SARAH DJAMSHIDI, EXECUTIVE DIRECTOR, CHESAPEAKE 
                       INNOVATION CENTER

    Ms. Djamshidi. Senator Cardin, thank you so much for 
holding this very important hearing on the role of small 
business in the cybersecurity area and----
    [Discussion regarding microphone.]
    Ms. Djamshidi. So thank you for holding this very important 
hearing on the role of small business and in the area of 
cybersecurity. I am delighted to be here and provide a voice to 
thousands of small businesses that are working and innovating 
in this particular area.
    By way of background, CIC is a unique business accelerator 
and incubator that is focused on the role of small business in 
the area of----
    [Discussion regarding microphone.]
    Ms. Djamshidi. Okay, much better.
    Senator Cardin. Much better. Let us start all over again. 
Well, not all over again.
    Ms. Djamshidi. So let me begin by providing background 
information on CIC. Many speaker members here referenced 
Chesapeake Innovation Center, and so I am delighted to provide 
a little bit more background, and also offer a perspective from 
the small business side of the equation.
    So by way of background, CIC is a unique business 
accelerator that is specifically focused on serving as a direct 
connection between users of technology, and that would be 
government agencies and system integrators, as well as the 
creator of those technology and innovation areas, so small 
businesses are leading the way in innovation in the areas of 
homeland, national, and cybersecurity areas.
    CIC was formed in 2003 and is located in Anne Arundel 
County and has served as the nation's first business 
accelerator focused on homeland and national and cybersecurity 
areas. Since then, we have worked with more than 50 technology 
companies. These are all small businesses. We have incubated 
and accelerate them through various programs that we have.
    And then the other program that I have provided more 
information in my written testimony on, which is basically a 
program called Tech Bridge, we have worked with more than 170 
technology companies from across the country, as well as 
globally, and we have brought them here to the State of 
Maryland and we have showcased their innovative technologies in 
the area of homeland defense and cybersecurity in front of some 
of the system integrators and Government agencies, particularly 
major security stakeholders around the Fort Meade area. So I 
would be more than happy to provide more information on that.
    CIC is a Anne Arundel Economic Development Corporation and 
we have shared great success since 2003. Our companies have 
raised more than $100 million in private capital. Our companies 
have also won more than $300 million in Government contracts. A 
number of them have been acquired along the way, and more 
importantly, one of them in particular, in the area of 
biodefense and homeland security has gone public, and that is 
PharmAthene. So we are very proud of them.
    So today we spent a lot of time talking about the fact that 
we live in a digitized society. We enjoy many good things like 
Facebook and iPad, but we also talked about the importance of 
cybersecurity in this new era, in protecting our data, and how 
it is more important than anything else, and also it has 
serious impacts in our socioeconomic and national security 
areas.
    One of the keys things I wanted to highlight is that more 
than 90 percent of Government critical infrastructure is built 
and supported by the private sector. Mission critical systems 
are built by defense contractors, and increasingly, Government 
agencies are relying on the private sector-built networks and 
systems and solutions.
    So the question is, where does small business come into 
that? With small business, the majority of the private sector, 
which is comprised of, as we talked about earlier, by small 
businesses, are developing these innovative cyber technologies 
and tools to be able to support and basically secure this 
critical infrastructure.
    So we think that in this new era, innovative small 
businesses play a very key and important role in this whole 
dynamic, and organizations, public/private partnership 
organizations like CIC, that is a partnership between the 
county, the State, and Federal agencies, is a key component in 
that whole mix.
    At CIC, we spent a lot of time understanding the market and 
looking at some of the issues that small businesses face, some 
of the things that are important to you and we have talked 
about already here today. We understand there are a number of 
gaps in the marketplace, and so we have created a number of 
programs specifically designed to help small businesses 
navigate through those issues. And again, I have provided more 
detailed information in my written testimony.
    Some of the programs to highlight include, for example, 
number one, we provide hands-on support and access to funding 
and Government opportunities. We have created a three-year long 
rigorous company building process where we navigate some of 
these small businesses. Again, the ones that are working on, as 
Senator Mikulski remarked, the geek companies, the technology 
companies that are developing unique innovative technologies in 
the areas of homeland and national and cybersecurity and 
helping them cross the chasm, if you will.
    It is a difficult task to do and we serve through our 
partnerships. We bring in a lot of resources to be able to do 
that, and we partner with a lot of organizations across the 
State of Maryland in order to provide that.
    Second, again, in partnership with various academic 
institutions that includes the community colleges, it includes 
the major academic institutions around the State, and various 
other organizations like Workforce Development Corporation, we 
bring in some of this training and education so that we can 
create those next generation cyber warriors and fuel the 
innovation inside some of these technology companies.
    And then third, we have created various programs to bring 
the public and private together and showcase some of these 
innovative technologies. Today some can argue there are no 
effective, or there are not that many effective, ways of 
bringing some of these innovations to the marketplace. So they 
can actually see the light of the day and go solve tough 
problems.
    We have created specific programs to do that, and that is 
the program that I referenced earlier as Tech Bridge, and 
through that, we look across the country. We have screened and 
vetted hundreds and hundreds of companies. And then we bring in 
more than--we have brought in more than 180 companies to date 
to the State of Maryland, showcased their innovative 
technologies to major stakeholders such as the National 
Security Agency and other agencies, and we have brought those 
innovations here to the State of Maryland.
    We think that is a great attraction tool. We hope that some 
of these companies will think of the State of Maryland as 
either their expansion area or their home, for example.
    Finally, in support of the entrepreneurship culture around 
the region, we think that is an important thing to do and we 
play a key component in that. And so, we have launched several 
programs, one of which, for example, is the Business-to-
Government CEO Roundtable which is meant to put our finger on 
the pulse of small business issues and understand that and 
create value-added services in partnership and help with others 
and bring those to the small businesses.
    One of the key things I wanted to highlight is that I 
talked about our companies historically have raised or brought 
hundreds of millions of dollars in private capital and 
Government contracts. But I want to share with you one very 
recent example.
    One of our current companies in our portfolio, Inovex 
Information Systems, is a small company headed by three first-
time entrepreneurs who serve Fort Meade, works in the area of 
cybersecurity and support in that region, and this company came 
to us in 2009 with 13 employees. Today they have not only 
quadrupled their revenues, but they also employ more than 43 
highly-skilled workers.
    So that is a great example that is very close to home. It 
is probably one of the best kept secrets, and I definitely 
wanted to share that with you. Is that all, enough, to your 
point? We think there is more work that can be done. And are we 
doing it all? I do not think so. And so, with that, I think a 
lot of people touched on it, and you also mentioned it.
    We think that access to capital is absolutely huge and 
crucial toward continuing the innovation and bringing these 
technologies to the marketplace. We also think support for 
public/private partnership organizations also is important in 
support of the small businesses because this is a huge task 
that is going on.
    And finally, I think in observation of what is going on, I 
think it is crucially important for various counties, agencies, 
Federal, State, what have you, to work in close collaboration 
with each other so that we can continue this innovation in the 
area of cybersecurity that is so important to us. And then I 
will take any questions.
    [The prepared statement of Ms. Djamshidi follows:]



    Senator Cardin. Well, thank you very much for that 
testimony. Dr. von Lehmen.

STATEMENT OF GREGORY VON LEHMEN, Ph.D., PROVOST, UNIVERSITY OF 
                  MARYLAND UNIVERSITY COLLEGE

    Dr. von Lehmen. Thank you, Senator Cardin. On behalf of the 
University of Maryland University College, I thank you for the 
opportunity to appear in this field hearing of the Senate 
Committee on Small Business and Entrepreneurship. Both you and 
Senator Mikulski have alluded to the threat in this area of 
cybersecurity.
    I have been invited here to talk about how the University 
of Maryland University College is working to meet the workforce 
need in this area, particularly in educating cybersecurity 
professionals, many of whom we believe will use their knowledge 
to further small business expansion, both here in Maryland and 
throughout the United States.
    In my capacity as Provost, I led a very talented academic 
team, starting about 18 months ago, to launch three 
cybersecurity degree programs in collaboration with an advisory 
board of public and private sector industry leaders, many of 
whom had a long background and distinguished career in the 
Department of Defense and the military services.
    Thanks to their tremendous input, our programs are 
specifically mapped to professional expectations in industry 
and government, which is an important distinction when it comes 
to effectively meeting critical State and national workforce 
needs.
    As the largest public university in the United States, by 
head count, and one of the 11 degree-granting institutions 
within the University system of Maryland, UMUC was created 64 
years ago to meet the unique academic needs of working adults, 
most of whom return to college for professional advancement.
    Today we serve 94,000 students in all 50 States, 28 
countries, including some 40,000 active duty members, veterans, 
and their families. We do this face-to-face at more than 150 
locations around the world, and also, online through our award-
winning virtual campus.
    We are supportive of opportunities for both emerging and 
established small business owners through our association with 
the Minority Business Enterprise, whose award ceremony UMUC 
hosts each and every year, and our NBE-endowed scholarship fund 
which was established last year with awards to be made this 
coming academic year.
    In responding to the urgent needs for tens of thousands of 
cybersecurity professionals nationwide, the University of 
Maryland University College stepped forward to meet the 
challenge, becoming a key player in Governor Martin O'Malley's 
plan to position Maryland as the country's epicenter for 
cybersecurity, and to be sure our university is exceptionally 
well-positioned to shape the course of cyber education going 
forward, given its healthy track record and IT program 
development, its ongoing relationships with the Department of 
Defense, Federal agencies, and contractors, and its large 
contingent of clearance-ready students.
    What is more, UMC is one of 147 colleges and universities 
in the United States to be designated as an NSA DHS Center of 
Academic Excellence in Information Assurance Education, and 
more recently, we have begun working with the National 
Institute of Standards and Technology on its NICE initiative 
which is to create a taxonomy of cyber work roles and then to 
map curricula to those work roles. We think this is a very 
important effort to create a common reference point for 
academic programs in cybersecurity.
    Consequently, in developing its cyber initiative, the 
university created two master degree programs, one in 
cybersecurity and one in cybersecurity policy. And 
additionally, the university offers a bachelor's programs in 
cybersecurity and a number of graduate and undergraduate 
certificates. All three degrees and these certificates offer a 
market-driven curriculum and are furnished primarily online.
    We have also recruited an exceptional group of faculty 
members. We have built a remote access cyber virtual lab which 
can accommodate up to 800 concurrent users. We have raised $1.2 
million for cybersecurity scholarships, and we have signed 
articulation agreements with community colleges in Maryland and 
Louisiana that offer associate degree programs in cybersecurity 
to help create this pipeline of educated professionals.
    In less than a year--in less than a year, we have enrolled 
close to 2,200 cybersecurity students, nearly half of whom are 
completing one of two graduate degree programs that I 
mentioned, or one of the certificates in this field.
    The vast majority of our graduate students, about 89 
percent according to a recent survey of our students that we 
conducted, around 89 percent have at least five years 
professional experience in IT Information Assurance or computer 
security in Government or across sectors of the economy, while 
61 percent of them hold security clearances.
    Moreover, a significant number of these enterprising 
students will undoubtedly use their new skills to launch 
businesses of their own. And I close with two examples. One of 
our graduate students in the technical track are MS in 
cybersecurity, wants to start his own cybersecurity consulting 
firm working with private corporations.
    He is currently employed as an executive at a large firm, 
but he plans to start his own consulting practice. And having 
more than 27 years experience in military intelligence, he is 
now acquiring the additional technical skills through our 
program that he needs to launch his new business.
    And another of our graduate students, which I just happened 
to meet by chance last week at an AFCEA conference, is in our 
master's of cybersecurity policy. He started his own 
communications firm in 2006, focusing on public relations, 
corporate and social responsibility planning, and digital 
content strategies.
    His firm is not a cyber company yet, but as he says, and I 
will quote, a comment that he makes, his vision is to focus on 
the prevention, policy, and people side of cyber. Policy 
development, implementation, and communications, he notes, are 
so critical to the success of any organization, end quote.
    These two students in their maturity and in their drive 
well represent our student population as a whole, and I believe 
will make a significant contribution to small business 
development in this State. So once again, Mr. Chairman, I 
appreciate this opportunity to speak before the Committee and I 
am happy to answer any questions that you might have.
    [The prepared testimony of Dr. von Lehmen follows:]



    Senator Cardin. Well, once again, let me thank all three of 
you for your testimony and your contribution to this hearing.
    Dr. von Lehmen, I found your presentation concerning the 
demographics of your student body as it relates to 
cybersecurity programs to be very interesting. You have the 
largest program in our country from the point of view of a 
public university and your student body.
    Can you share some more information? That 61 percent seemed 
like a high number. Is that an increase? That is who had 
clearance, I think you used that.
    Dr. von Lehmen. That is correct, sir.
    Senator Cardin. Has that been running? Have you done 
studies about that in previous years? Is that a number you 
think is increasing or decreasing?
    Dr. von Lehmen. Our cybersecurity programs were launched 
the fall of last year, and so, this is the first survey of that 
student population. We do not have historical comparative data.
    Senator Cardin. Did that number surprise you or did you 
expect that it would be that high?
    Dr. von Lehmen. I must say we were surprised that we had 
such a large number of individuals already cleared, but we 
attribute that to the mix of military students who are in our 
program, as well as those civilians who are working in the 
information assurance field for the Government or for 
contractors.
    Senator Cardin. And, of course, these are students that are 
enrolling in both undergraduate and post-graduate programs?
    Dr. von Lehmen. Our baccalaureate program and our master's 
programs.
    Senator Cardin. Right. Can you tell us more about the 
demographics or can you supply them to the Committee, like age, 
employment background?
    Dr. von Lehmen. I would be happy to provide that 
information about our cybersecurity students, in particular, 
but I am fairly confident in saying that the profile of that 
student body probably matches very closely with the general 
profile of our student body.
    The average age is 32; they are more likely to be married 
than not, more likely to have children than not, more likely to 
already be employed than not. And so, these are students who 
want to advance their career in some way, either within their 
current employment or by changing their employment, and who 
have made a very serious decision to go back to school.
    One of the things we tell corporations, and we meet with 
many of them in the cybersecurity sector, is that our students 
are very special. They made a decision to get into this field 
because they see a future in it, because they see the threat to 
our nation and they are committed to making a difference.
    It is more likely that if they are employed by one of these 
firms, they are not going to be leaving, but will make a 
commitment to their work in that firm.
    Senator Cardin. I think it is very encouraging, and, of 
course, there is a great advantage to us here in Maryland, 
although I know your program is international, that your 
student body is global, basically.
    Let me change gears a little bit to Dr. Iheagwara and to 
Ms. Djamshidi. You all put a face on this issue. You started 
talking about specific companies and, of course, your company 
which I think is very helpful because we hear more about the 
statistical information so it is good to see the specific 
companies that you talk about.
    And you talked about, Ms. Djamshidi, about the importance 
of the public/private partnership, which I found very 
interesting. And I am wondering if the two of you could sort of 
share with us, maybe in priority order, what is the greatest 
concerns you have in dealing with the Federal Government, or 
dealing with the State or local government?
    I am sure the problems are different, but if you could sort 
of tell us where you think the greatest concern would be for a 
small company trying to advance in the cybersecurity area, 
working with the Federal Government, what do you see are the 
major areas that we should be paying attention to, and then if 
you could, help our State our, the State of Maryland.
    Ms. Djamshidi. Sure. Did you want to take this?
    Mr. Iheagwara. Ladies first.
    Ms. Djamshidi. Oh, okay. Sure. So in us working in a hands-
on way with our companies, quite often we find these technology 
companies have dual purpose technologies. It applies in the 
area of cyber homeland security to the Federal space, but it 
also applies to various other commercial sectors.
    So one of the key challenges that we try to work with our 
companies is essentially staying alive enough to be able to 
provide these innovations to the market. And so, quite often, 
that encompasses a number of activities. One is going after 
different markets; second is trying to help them get financed 
along the way, technology development takes capital; and in a 
very smart way, putting a capital strategy together is actually 
number one of the things that we work with our companies on 
that.
    Senator Cardin. But on capital, we are going through a very 
tough economic period.
    Ms. Djamshidi. Exactly, right.
    Senator Cardin. It is tough for anyone to get capital. Have 
you seen any of the tools that have been made available showing 
any improvement in the availability of capital?
    Ms. Djamshidi. I think so. I think I have seen some--it is 
definitely helpful, and with industry, we are lucky to have a 
DBED, we are lucky to have TEDCO. We have the MIPS program and 
various other programs that are available for financing the 
companies, and I think those are very helpful. Two of our 
companies most recently got TEDCO awards. That has been very 
helpful. We always work with our companies to try to look at 
all of these resources that are available.
    But I have to say, there is still a lot more to be done. 
And so, we are sometimes having to go to Boston or go to 
California to get some companies financed. And so, more of 
that, I think, would be helpful. I think you also mentioned 
earlier that the capital to the companies, even though the 
banks say that they do have the capital, but they are not 
lending fast enough, is one of those key things that we are 
trying to tackle every day.
    And we are trying to do everything we possibly can. For 
example, in the last two years, specifically it has been very 
difficult. One of the things that we have rolled into our 
services is aggressive business development for our companies. 
We are trying to get them faster and faster to their customers 
as a way of trying to bridge that gap. So we are trying to do 
everything that we possibly can to try to help expedite the 
companies so that companies do not fall sideways in the process 
as they are trying to bring some of these innovations out.
    Senator Cardin. Thank you. Dr. Iheagwara, you are to be 
congratulated, first, for being selected by DBED as Maryland 
Homeland Security Company of the Year, so I know you are going 
to say nice things about the State of Maryland. But could you 
perhaps tell us, in dealing with the Federal Government, what 
has been your greatest challenge?
    Mr. Iheagwara. Thank you, Senator, for the congratulations 
and the good wishes. I have heard it two or three times today, 
so we are grateful that we won the award. But I must tell you 
that it has been a grueling fight. I am a fighter, generally 
speaking, and you cannot be a small business without being a 
good fighter.
    The legislation, most of them are in place, but they have 
not been implemented, and where they are, not well-implemented. 
I listened to the testimony of Ms.--the lady from NSA, right? 
Talking about how easy it is to get 40 percent unclassified 
contracts, but that is not our experience.
    We have attended the issues, we have registered. It is not 
easy. We tried very hard. We pushed. At some point, they 
requested for our capability statement. We went a step ahead by 
giving them our past performance record, which shows clearly in 
no unmistakable terms what we have done over 15 years, prime on 
eight Federal contracts and knocking out 20 other contracts 
with KPMG who was our mentor initially. That did not get any 
buy-in.
    But we are on their database, and we keep receiving notices 
to attend and attend and attend. We are a small business. We do 
not have the resources. But look, here is the deal. We have 
proven that we can perform. We bid on contracts. It is 
difficult to win. The big boys are locked in. One is Xerox 
through the ACS, even in our State of Maryland here. I took 
issues with even Secretary--not Johansson--for Minority 
Affairs, Landau Jenkins.
    I told her, we have submitted upwards of 50 solicitations 
to our own State of Maryland. We incorporated here 15 years 
ago. Not even a single contract from here. Yet, we have knocked 
out more than 20 contracts nationwide, all the way from Lines, 
Illinois to Honolulu, Hawaii for the U.S. Marine Corps, to 
Boston, Massachusetts for the U.S. Smithsonian, prime.
    So you cannot tell us that we do not write good proposals 
or we do not have the past performance. So the animal we are 
dealing with here in Maryland is completely different. The 
Federal sector, the agencies there, is more about marketing 
money. We are a small business. It is not always to compete 
with IBM and all the big companies that have all the agents 
there deployed going after you.
    Even as we speak now, if I give you a trajectory of our 
path, you will be impressed. I can tell you that, Senator. Look 
at it. So with eight Federal contracts, I state again, it is 
difficult for us to win. So what they do, as you identified 
earlier on, is that they bundle all the contracts to add-ons 
and full-ons. Even when they advertise on bay for contracts, 
work, $25,000, the big boys will still compete and they will 
win.
    So it is tough. So to sum it up, capitalization is very, 
very important for any small business. There are one of several 
ways to capitalize, one of which is the easy way, perhaps. Win 
contracts, hire new people, deploy them there, send money, and 
launch new initiatives, or you go for new markets or you go for 
venture markets, which is heavily tilted towards products and 
not services.
    So I think capitalization is the toughest constraint, and 
if you can help us by making it a legislative mandate that all 
Federal dollars or State dollars, in the case of the State of 
Maryland, spent on cybersecurity, a certain percentage should 
go to small businesses, and, of course, request proof at the 
end of each fiscal year of delivery.
    Senator Cardin. That is good advice. I appreciate your 
suggestions and the points that you are highlighting are 
certainly ones that the Small Business Committee has made our 
top priority. So we are doing oversight hearings on that this 
year.
    Ms. Djamshidi, let me ask you one additional question on 
this. Could you just share with me your observations of what 
the current budget situation has done in regards to these 
issues from two points of view? One, as we know, there has been 
reduced expectations as to what the Federal Government will be 
doing this year and the foreseeable future?
    And number two, there is the unpredictability of whether we 
are going to have a shut-down, but whether we would have had a 
shut-down earlier this Congress or whether there was going to 
be a problem--whether we will have a problem on August 2nd 
paying any bills. What impact is that having on your work?
    Ms. Djamshidi. I tell you, it makes it more interesting and 
challenging at the same time. We feel that this whole 
circumstance that is going on, it hits us in multiple ways, and 
us I mean by the small businesses and us as an organization 
that represents the small business.
    We find Federal agencies are quite often, a lot of the 
procurement vehicles are on hold, and so therefore, the buying 
decision has been dragged on for a longer period of time. And 
so, therefore, the small businesses are, therefore, affected.
    And as we talked about, some of the vehicles for small 
businesses to get into some of the agencies quite often, 
because priming is very difficult, is to work in subcontract 
areas and to prove themselves by working with one of the system 
integrators. And there is a second wave of that.
    The system integrators are, therefore, affected, and 
therefore, are not making those decisions and therefore, again, 
small business is affected by not being able to participate in 
some of those areas. So this delayed process is definitely 
affecting the companies. They still have to keep the lights on. 
They need to have revenues come through the door to pay for 
their employees, and it is very difficult to hold on to the 
employees in this current environment.
    And so, it relates and it comes back to the small business 
in multiple ripples effects, and therefore, it makes it even 
more challenging. And I can provide more anecdotes.
    Senator Cardin. That would be helpful, thank you.
    Dr. von Lehmen, could you respond also, too? The last three 
or four years have been tough years. Is it affecting the type 
of students that you are getting or their interest areas as 
they see the expectations, particularly at the Federal level of 
government, being diminished?
    Dr. von Lehmen. The experience of institutions that serve 
working adults is that when the economy goes into a recession, 
enrollments pick up.
    Senator Cardin. Right.
    Dr. von Lehmen. And that is because individuals are either 
out of work and seeking to recapitalize themselves through 
additional education or they still have a job but are concerned 
to maintain their positions by also getting additional 
education.
    So what we have seen over the last three-plus years is 
actually growth from year to year in our student population. 
The majority of our students are in the programs that you would 
think they would be in. If you look at any college or 
university across the United States, it is typically business-
related programs, programs that are related to information 
systems or computing, technology in general that experience the 
interest and the growth, and that has certainly been true for 
us.
    And, of course, the leading example for us are our graduate 
programs in cybersecurity. Those programs were launched just 
last fall and are the cleanest measure of this growth. Today we 
have nearly 1,000 graduate students in those programs.
    Senator Cardin. Well, thank you. Again, let me thank this 
panel and thank all of those who were responsible for helping 
to put on this hearing here in Laurel. As I said in the 
beginning, this is a hearing of the Senate Committee on Small 
Business and Entrepreneurship. The information that has been 
obtained, the testimonies and the questioning, will be made 
available to all the members of our Committee and will be 
helpful in our role in oversight, as well as to try to plan 
appropriate policies to expand opportunities for small 
business.
    Chairman Landrieu, Ranking Member Snowe, are both very much 
interested in these cybersecurity issues as it relates to 
business growth for small companies. And we are very interested 
in how the tools that we have already made available to deal 
with bundling--and we know the problems are there. Do not get 
me wrong. Our Committee is very focused on trying to deal with 
bundling abuses and, by the way, abuses between prime 
contractors and sub-contractors with the small business 
community.
    We also are monitoring very closely the availability of 
credit through the mechanisms that were made available through 
the Small Business Jobs bill, and we will continue to monitor 
that. So your testimonies and the full record will be very 
helpful to the Committee, and I thank you all for 
participating.
    The hearing record will remain open for two weeks for 
additional questions that could be asked by members of the 
Committee. In that case, if such are asked, we would ask that 
you try to get back your answers as quickly as possible so that 
the Committee record will be completed in a timely way.
    And with that, the Committee will stand adjourned. Thank 
you all very much.
    [Whereupon, at 4:42 p.m., the hearing was adjourned.]




                                  
