b"<html>\n<title> - [H.A.S.C. No. 113-17] INFORMATION TECHNOLOGY AND CYBER OPERATIONS: MODERNIZATION AND POLICY ISSUES TO SUPPORT THE FUTURE FORCE</title>\n<body><pre>[House Hearing, 113 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n \n                         [H.A.S.C. No. 113-17] \n\n     INFORMATION TECHNOLOGY AND CYBER OPERATIONS: MODERNIZATION AND \n\n               POLICY ISSUES TO SUPPORT THE FUTURE FORCE \n\n                               __________\n\n                                HEARING\n\n                               BEFORE THE\n\n    SUBCOMMITTEE ON INTELLIGENCE, EMERGING THREATS AND CAPABILITIES\n\n                                 OF THE\n\n                      COMMITTEE ON ARMED SERVICES\n\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED THIRTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                              HEARING HELD\n\n                             MARCH 13, 2013\n\n                                     \n              [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n                               ----------\n                         U.S. GOVERNMENT PRINTING OFFICE \n\n80-187 PDF                       WASHINGTON : 2013 \n\n\n\n    SUBCOMMITTEE ON INTELLIGENCE, EMERGING THREATS AND CAPABILITIES\n\n                    MAC THORNBERRY, Texas, Chairman\n\nJEFF MILLER, Florida                 JAMES R. LANGEVIN, Rhode Island\nJOHN KLINE, Minnesota                SUSAN A. DAVIS, California\nBILL SHUSTER, Pennsylvania           HENRY C. ``HANK'' JOHNSON, Jr., \nRICHARD B. NUGENT, Florida               Georgia\nTRENT FRANKS, Arizona                ANDRE CARSON, Indiana\nDUNCAN HUNTER, California            DANIEL B. MAFFEI, New York\nCHRISTOPHER P. GIBSON, New York      DEREK KILMER, Washington\nVICKY HARTZLER, Missouri             JOAQUIN CASTRO, Texas\nJOSEPH J. HECK, Nevada               SCOTT H. 
PETERS, California\n                 Kevin Gates, Professional Staff Member\n                 Tim McClees, Professional Staff Member\n                          Julie Herbert, Clerk\n\n\n\n                            C O N T E N T S\n\n                              ----------                              \n\n                     CHRONOLOGICAL LIST OF HEARINGS\n                                  2013\n\n                                                                   Page\n\nHearing:\n\nWednesday, March 13, 2013, Information Technology and Cyber \n  Operations: Modernization and Policy Issues to Support the \n  Future Force...................................................     1\n\nAppendix:\n\nWednesday, March 13, 2013........................................    27\n                              ----------                              \n\n                       WEDNESDAY, MARCH 13, 2013\n INFORMATION TECHNOLOGY AND CYBER OPERATIONS: MODERNIZATION AND POLICY \n                   ISSUES TO SUPPORT THE FUTURE FORCE\n              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS\n\nLangevin, Hon. James R., a Representative from Rhode Island, \n  Ranking Member, Subcommittee on Intelligence, Emerging Threats \n  and Capabilities...............................................     1\nThornberry, Hon. Mac, a Representative from Texas, Chairman, \n  Subcommittee on Intelligence, Emerging Threats and Capabilities     1\n\n                               WITNESSES\n\nAlexander, GEN Keith B., USA, Commander, United States Cyber \n  Command........................................................     6\nMcGrath, Hon. Elizabeth A., Deputy Chief Management Officer, U.S. \n  Department of Defense..........................................     5\nTakai, Hon. Teresa M., Chief Information Officer, U.S. Department \n  of Defense.....................................................     
3\n\n                                APPENDIX\n\nPrepared Statements:\n\n    Alexander, GEN Keith B.......................................    62\n    Langevin, Hon. James R.......................................    31\n    McGrath, Hon. Elizabeth A....................................    54\n    Takai, Hon. Teresa M.........................................    33\n\nDocuments Submitted for the Record:\n\n    [There were no Documents submitted.]\n\nWitness Responses to Questions Asked During the Hearing:\n\n    Mr. Thornberry...............................................    77\n\nQuestions Submitted by Members Post Hearing:\n\n    Mr. Franks...................................................    87\n    Mr. Langevin.................................................    84\n    Mr. Rogers...................................................    85\n    Mr. Thornberry...............................................    81\n INFORMATION TECHNOLOGY AND CYBER OPERATIONS: MODERNIZATION AND POLICY \n                   ISSUES TO SUPPORT THE FUTURE FORCE\n\n                              ----------                              \n\n                  House of Representatives,\n                       Committee on Armed Services,\n            Subcommittee on Intelligence, Emerging Threats \n                                          and Capabilities,\n                         Washington, DC, Wednesday, March 13, 2013.\n    The subcommittee met, pursuant to call, at 3:46 p.m., in \nroom 2212, Rayburn House Office Building, Hon. Mac Thornberry \n(chairman of the subcommittee) presiding.\n\nOPENING STATEMENT OF HON. MAC THORNBERRY, A REPRESENTATIVE FROM \nTEXAS, CHAIRMAN, SUBCOMMITTEE ON INTELLIGENCE, EMERGING THREATS \n                        AND CAPABILITIES\n\n    Mr. Thornberry. The subcommittee hearing will come to \norder. I appreciate our witnesses and guests and their \npatience. 
There are some days that just don't work very well, \nand this is certainly one of them.\n    I will ask unanimous consent to put my opening statement in \nthe record and yield to the gentleman from Rhode Island for any \ncomments he would like to make.\n\n  STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE FROM \n  RHODE ISLAND, RANKING MEMBER, SUBCOMMITTEE ON INTELLIGENCE, \n               EMERGING THREATS AND CAPABILITIES\n\n    Mr. Langevin. Thank you, Mr. Chairman.\n    I want to thank our witnesses for appearing before the \nsubcommittee today. This is obviously an important hearing as \nour national security is dependent on our information systems, \nand those networks are critical to all aspects of our defense. \nYet, one only needs to look at recent headlines, even of the \nday, to understand the unrelenting and sophisticated threats \nthat we face in the cyber domain.\n    Now we continue to see just how vulnerable such networks \nare in other sectors of our society, at a potential cost of \nbillions lost to cybercrime, and we know our defense networks \nare at even greater risk. So obviously, though, they must be \nfail-proof and secure.\n    Now we are still waiting for this year's budget, but I \nbelieve it is safe to say that IT [information technology] \nrepresents a large piece, $33 billion last year for that \nmatter, and that is a significant figure. And we must be ever \nmindful of our responsibility to make the most effective use of \ntaxpayer's investments in these capabilities.\n    Now we are aware that the Department has experienced some \nchallenges in acquiring certain IT systems and services in the \npast. 
So today, I would like to hear what steps we are taking \nto tackle those challenges in order to get the connectivity we \nneed at a reasonable price.\n    DOD [Department of Defense] cyber operations are quite \nliterally a growth business, and it is one of the rare portions \nof the DOD that will be growing indefinitely into the future; \nand there have been significant developments in just one year \nsince our last posture hearing.\n    Now we are starting to get answers to some of the questions \nabout how and when the United States might conduct the full \nrange of military cyber activities, and I would like to discuss \nthat today to the extent that this forum allows.\n    And I understand that Cyber Command [CYBERCOM] is beginning \nto organize itself into mission teams, which is an exciting \nstep. But the manpower cost is enormous and the education and \ntraining requirement significant. This is going to take, \nobviously, a lot of work to get right.\n    I would be greatly interested to hear how, to hear our \npanelists' thoughts on how we refine the education, \nrecruitment, retention and training of the highly specialized \npersonnel that we need. And I would also like to hear how \nCYBERCOM is interfacing with combatant commanders to provide \nits unique capabilities wherever and whenever they are needed.\n    Lastly, there are two other areas of vulnerability that I \nwant to address today. The first is supply chain security for \nour IT systems. Now we could get IT functionality perfect and a \nrobust defense of networks in place and still be at risk of \ncompromise from counterfeit components as well as unknown \ndesign specifications within an approved component, \nparticularly, also looking at things like zero-day exploits \nwhich we know our adversaries make extensive use of.\n    So the second is the vulnerability of our critical \ninfrastructure to cyber attacks. 
DOD relies on these services \nbut they are defended by other Federal agencies or departments, \nor not at all. So I mention this frequently because I want to \nmake progress in the effort to close these gaps. And today is \nanother opportunity to see where we are on this matter.\n    So with that, again, I want to welcome our witnesses here \ntoday. Before turning it over to you--back to you, Mr. \nChairman, I just want to take this opportunity to congratulate \nGeneral Alexander in particular. This is grandchild number 15 \nwas born today. A grandson. And General, I just want to \ncongratulate you and your family on the addition to your \nfamily.\n    [The prepared statement of Mr. Langevin can be found in the \nAppendix on page 31.]\n    General Alexander. It is probably more than----\n    Mr. Langevin. Thank you. And congratulations again, \nGeneral. And I yield back, Mr. Chairman.\n    Mr. Thornberry. And then what State was he born?\n    General Alexander. Texas.\n    [Laughter.]\n    Mr. Thornberry. Thank you. I just want to get that on the \nrecord.\n    Mr. Langevin. Point well taken.\n    Mr. Thornberry. And I appreciate the gentleman's comments. \nAnd just as an administrative note, I want to remind members \nthat next week, we have our first quarterly cyber operations \nbriefing which is similar to the counterterrorism quarterly \nupdates that we have been receiving. This is a new provision in \nthe Defense Authorization Act, and we will have that classified \nbriefing next week.\n    Without objection, all of your statements will be made a \npart of the record. And we would appreciate your summarizing \nthem. We again appreciate our witnesses, the Honorable Teresa \n``Teri'' Takai, Chief Information Officer of the Department of \nDefense; the Honorable Elizabeth McGrath, Deputy Chief \nManagement Officer at the Department of Defense; and General \nKeith Alexander, Commander of USCYBERCOM.\n    Thank you all for being here. Ms. 
Takai, you may summarize \nyour statement.\n\n STATEMENT OF HON. TERESA M. TAKAI, CHIEF INFORMATION OFFICER, \n                   U.S. DEPARTMENT OF DEFENSE\n\n    Ms. Takai. Good afternoon, Mr. Chairman and distinguished \nmembers of the subcommittee. Thank you so much for giving us \nthe opportunity to testify today on the importance of \ninformation technology to the transformation of the Department \nof Defense.\n    I am responsible for ensuring the Department has access to \nthe information, the communication networks, and the decision \nsupport tools needed to successfully execute our warfighting \nand business support missions. The Department's IT investments \nsupport mission critical operations that must be delivered in \nboth an office environment and the tactical edge.\n    Just to give you some perspective on the size and scope of \nwhat we cover, we operate in over 6,000 locations worldwide. \nAnd we support the unique needs and missions of three military \ndepartments and over 40 defense agencies and field activities, \nand our services are used by 3.7 million people.\n    Included in the overall IT budget are the Department's \ncybersecurity activities and efforts that are designed to \nensure our information systems and networks are protected \nagainst the ever-increasing cyber threats the Department and \nthe Nation face.\n    We are undertaking an ambitious effort to realign and \nrestructure our ability to provide better access to \ninformation, improve our ability to defend and keep pace. This \neffort is the Joint Information Environment [JIE].\n    The Department is aligning its existing IT networks into a \nJoint Information Environment that will define how we are \nrestructuring not only our networks but our computer centers, \nour computing networks and cyber defenses to provide a singular \njoint cybersecurity approach that is common across the \nclassified, secret, and coalition networks. 
This is in contrast \nto today's networks in which each military department differs \nin its approach and design in cyber defense.\n    The ultimate beneficiary is the commander in the field. The \nconsistent network in IT and security architecture will enable \ninnovative information technologies that keep pace with today's \nfast-paced operational requirements.\n    Our standard security architecture will enable cyber \noperators at every level to see who is operating on our \nnetworks and what they are doing. This will enable a \nsynchronized cyber response. And I am sure General Alexander \nwill be speaking more to you about this in his words.\n    The consolidation of data centers, operations centers and \nhelp desks will enable timely and secure access to the \ninformation and services needed to accomplish their assigned \nmissions, regardless of the location.\n    As we have refined the JIE concept, we have concluded that \nwe can achieve all of the Department's cybersecurity goals but \njust as importantly, still have better joint warfighting \ndecision support, better operational and acquisition agility, \nand also importantly, better efficiency. On cybersecurity we \nare focused on ensuring that the essential DOD missions are \ndependable and resilient in the face of cyber warfare. The \nfirst of the efforts that we will embark on as I have mentioned \nis JIE. The second effort is our deployment and use of \ncybersecurity identity credentials for all users of our secret \nnetwork. We are currently deployed on our unclassified network \nand we will complete the classified network this year.\n    The next is continuous monitoring. 
This will allow us much \nfaster detection and remediation of mission vulnerability \nacross the millions of computers that are in our networks, give \nus a chain of command and accountability tool, and will give \nthe Cyber Command better ability to set remediation priorities.\n    The fourth effort as was mentioned is our supply chain risk \nmanagement. Globally sourced technology provides real benefits \nto the Department but it also provides the opportunity for \npotential adversaries to compromise our missions through \nsubversion of the supply chain. The Department recently issued \npolicy that makes permanent the Department's efforts to \nminimize the risk to DOD missions from this vulnerability.\n    And lastly is our successful voluntary cyber information-\nsharing efforts with the Defense Industrial Base. We have 78 \nparticipating companies which represent a majority of our \nacquisition spending in the Department.\n    We share classified and unclassified cyber threat \ninformation and companies that have been participating said \nthat the program has significantly improved their cybersecurity \nefforts. We are also partnering with security service \nproviders, for those companies that choose to use that service, \nthey will have additional classified threat information.\n    I would like to conclude by mentioning a few other efforts \nthat we are working on. We have a new focus on the development \nof secure communications for Presidential and senior leader \ncomms [communications], nuclear command and control, and \ncontinuity of government. We are working with other Federal \nagencies to ensure that we have the ability to communicate at \nall times. 
We are also working to ensure that the Department's \nposition, navigation and timing infrastructure is robust.\n    Next, my office recently issued the DOD commercial mobile \ndevice strategy and implementation plan which allows us to use \ncommercial mobile devices in both a classified and unclassified \nenvironment.\n    And finally, spectrum has become increasingly important not \nonly to the Department's mission but to consumers and the \neconomy of the Nation. While fully committed to the President's \n500 megahertz initiative, it is important that we balance the \nuse of our finite radio spectrum to meet national security \nrequirements as well.\n    Thank you so much for your interest in our efforts and I \nlook forward to taking your questions.\n    [The prepared statement of Ms. Takai can be found in the \nAppendix on page 33.]\n    Mr. Thornberry. Thank you, Ma'am.\n    Ms. McGrath.\n\nSTATEMENT OF HON. ELIZABETH A. MCGRATH, DEPUTY CHIEF MANAGEMENT \n              OFFICER, U.S. DEPARTMENT OF DEFENSE\n\n    Ms. McGrath. Thank you, Mr. Chairman. Good afternoon. We \nreally appreciate the opportunity to discuss with you the \nprogress that we have made in the defense business operations. \nWe feel they are critical enablers of our national security \nmission and our goal is to ensure we have effective, agile and \ninnovative business operations that support and enable our \nwarfighters.\n    This work spans every organization in all functional areas. \nOur goals are to optimize business processes and identify key \noutcome-based measures. Here, information technology is a key \nenabler. Over the past number of years, attention to this issue \nhas steadily increased and Congress has been instrumental in \nshaping the governance framework and supporting processes the \nDepartment uses to oversee these efforts. 
And we thank you for \nthat.\n    My written statement provides updates on our integrated \nbusiness environment framework; therein you will see evidence \nof the maturation of our Business Enterprise Architecture and \nsome of the recent successes and challenges in the \nimplementations of our largest IT systems.\n    I will take a few moments to highlight a few of the points. \nFirst, Section 901 of the 2012 National Defense Authorization \nAct included significant changes to the Department's investment \nmanagement process for defense business systems. We established \na single Investment Review Board which we execute through a \nDefense Business Council which replaced five separate \nfunctionally based boards.\n    It also significantly expanded the scope of the systems to \nbe reviewed by the board to include those in sustainment. \nPreviously, it was simply modernization and development. This \nnew investment process allows the Department for the first time \nto holistically manage the entire portfolio of business systems \nin a deliberate and organized manner.\n    This legislation is truly serving as a catalyst for \ndramatic improvements across the defense enterprise. We now \nhave functional strategies that articulate goals, outcomes, \nexpectations, standards, mandatory solution across business \nlines.\n    Military departments and defense agencies all must align \nwith execution plans to these imperatives across their IT \nportfolio. As an example of the Investment Review Board's \nvalue, we identified approximately 10 percent of the systems \nreviewed as legacy systems that will be retired over the next 3 \nyears. And we are using this process to both ensure \narchitectural compliance and business process reengineering.\n    Second, I would like to highlight the ongoing work to \nimprove the implementation of some of the Department's most \nvisible defense business systems, our Enterprise Resource \nPlanning systems or ERPs. 
The Department is committed to \nlearning from its successes and failures as well as learning \nfrom the findings from the Government Accountability Office and \nthe Inspector General.\n    In addition to a number of ongoing initiatives to improve \nspecific aspects of our implementations, I have over the last 6 \nmonths undertaken a substantial effort to work with industry \nleaders to fully understand and define the leading root causes \nof program successes and failures across the dimension of cost, \nschedule and performance.\n    Our findings reinforce the need to focus the Department on \nquality upfront work extremely early in a program's life cycle \nto include ensuring clarity of requirements, quantifiable \nbusiness cases. As a result of this work, I have directed a \nnumber of actions across the Department.\n    While we have certainly faced challenges, the Department is \nmaking steady progress in this area including having now \nsuccessfully fielded a number of Enterprise Resource Planning \nsystems.\n    In closing, the Department remains committed to improving \nthe management and acquisition of IT systems as well as our \noverarching business environment. These issues receive \nsignificant management attention and are a key part of our \nenterprise strategy to build better business processes that \nwill create lasting results for our men and women in uniform \nand the American taxpayer.\n    I look forward to your questions.\n    [The prepared statement of Ms. McGrath can be found in the \nAppendix on page 54.]\n    Mr. Thornberry. Thank you.\n    General Alexander.\n\n  STATEMENT OF GEN KEITH B. ALEXANDER, USA, COMMANDER, UNITED \n                      STATES CYBER COMMAND\n\n    General Alexander. Chairman, Ranking Member, I would read \nmy statement but you know I can't read so I am just going to \ngive you the highlights from that. And I know both Ms. Takai \nand Ms. McGrath can read really well. 
Perhaps you should read \nmy part.\n    What I want to hit is a few things that I think it is \nimportant for the committee to know. First, you all know we \nhave great people. We are getting great people both in our \nstaff and the service components that have--that are building \nthe teams that we need. And issues come up with sequester \nespecially for the civilian folks; having to furlough those \npeople that we are bringing in sends a wrong message.\n    Further, the continuing resolution compounds our ability to \nactually conduct the training missions that we need to bring \nthese teams on board. We talked a great deal about the threat. \nYou know what is going on in Wall Street, what has happened \nover the last 6 months. What happened in Saudi Arabia with \nSaudi Aramco, the threat is real and growing.\n    From our perspective, we need to be prepared for attacks \nagainst our Nation in cyberspace. In order to do this, we do it \nas a team. And that team includes DHS, Department of Homeland \nSecurity, FBI [Federal Bureau of Investigation] and, of course, \nDOD.\n    DHS has the resilience and recovery just like it would in a \nkinetic operation. And it is the public interface for our \nindustry. FBI would lead investigations, look at who is doing \nthis inside the United States; they are the domestic handler. \nAnd DOD has responsibility to defend our Nation from an attack, \nto support the combatant commands and their operations in \nplanning, defend the DOD networks and other networks as \nauthorized.\n    We have created roles and responsibilities between \nSecretary Napolitano, myself and Director Bob Mueller, we all \nagree on that, it has gone to the White House. I think that \nhelps lay out the plan for how we can work with you in \nestablishing legislation for the future. And I can talk to \nlegislation and questions if that comes up.\n    When is civil liberties and privacy upfront here? We know \nhow important that is. 
We can protect civil liberties and \nprivacy in our networks. This isn't one or the other, it is \nboth. And I think we can do both. And to understand that, I \nthink we need to get into technical details. I won't do that \nhere, but you know we have the capacity to do that.\n    And I just encourage you to look at the facts in this as we \ngo forward. Five things that we are looking at from my \nperspective in setting up Cyber Command and the teams that we \nhave. First and most important are people, building and \ntraining a ready workforce. The second thing, command and \ncontrol and doctrine, we are establishing that and how we work \nwith the combatant commands that I can answer more, Congressman \nLangevin, to your question later on about how we work with the \ncombatant commands. Situational awareness--how do you see what \nis going on in cyberspace and how do you react to it. A \ndefensible architecture, I think this is absolutely vital, \nespecially for the Defense Department. Today, we have 15,000 \nenclaves. It is very difficult to defend and get situational \nawareness around that. We need to go the Joint Information \nEnvironment, something that we work very closely with Ms. Takai \nand her folks. And finally the authorities, policies and \nstanding rules of engagement. Those are vital for the future \nand we need to work with you to get those right.\n    That is a quick summary of my 26-page written--and so, Mr. \nChairman, I turn it back to you.\n    [The prepared statement of General Alexander can be found \nin the Appendix on page 62.]\n    Mr. Thornberry. Thank you. I think that may be a record on \nshortness of your testimony.\n    Let me just start by asking about a couple of things. \nGeneral Alexander, I think the statements you just made that \nthere is a role for the military, especially Cyber Command, to \ndefend the country in cyberspace. 
I think that is a step beyond \nwhere we have been in previous years' hearings.\n    Can you tell us a little bit more about how that--where we \nare in that discussion? Exactly what should we expect the \nmilitary to defend us against and what sort of circumstances? \nAnd then what are the sort of circumstances that industries or \nus as individuals are required to defend ourselves?\n    General Alexander. So there is two parts to this, to your \nquestion. And I will give it to you as accurately as I can from \nmy perspective and then show you where the range of options \nthat the administration and the Defense Department have to look \nat.\n    First, I think it is reasonable that we the American people \nknow that when our Nation is under attack, whether it is \nphysical attack or cyber attack, that the Defense Department \nwill do its part to defend the country.\n    It is not going to just defend itself. Our job is to defend \nthe country. And the focus would be, obviously, on critical \ninfrastructure just as it would in kinetic and other things. \nThe issue becomes when does an exploit become an attack and \nwhen does an attack become something that we respond to?\n    Those are policy decisions and the red lines that goes to \nthose would be policy decisions. Our job would be to set up the \noptions that the President and the Secretary could do to stop \nthat. And as you may recall, both the former President and the \ncurrent President have both said that they would keep the \noptions open in this area.\n    I mean, I think that is reasonable, from using State \nDepartment to demarche all the way over to kinetic options or \ncyber. So they have that whole range. 
What we are building is \nthe cyber options that would fit that tool kit for the \nadministration and policymakers to determine exactly what to \ndo.\n    As an example, it is reasonable to expect that we would \nhave the ability to stop a distributed denial of service \nattack, and so creating the tools and capabilities of that, \nwhich would get into the classified area, you would expect that \nwe would actually go and work with our teams to do that. And \nthose are the kinds of things that we do. So how do we defend \nthe country in that? What kinds of capabilities that we need? \nWe have laid that out in great detail. And I think the training \non that is superb.\n    Mr. Thornberry. Just to make an editorial comment. I \nappreciate your point that the authorities, policies, rules of \nengagement are key to deciding how to use the tools that your \nfolks have evolved. My opinion is that the more the \nadministration consults with Congress, the more we can make \nthese decisions out in the open, the better result we will have \nand in addition, the more you will have the support of the \nAmerican people.\n    The more that is kept secret with some White House meeting \nor White House paper that is hard to access to, the more \nsuspicions there will be about what the government is really \ndoing. So I know that is kind of a different realm from yours \nbut I think the circumstances under which the government will \nact and how it will act and who will act are important to be as \npublic and transparent as we possibly can.\n    Finally, let me ask, Ms. Takai, I have got this Defense \nScience Board study that came out in January that basically \nconcludes, we cannot be confident that our critical information \ntechnology systems will work under attack from a sophisticated \nactor.\n    I mean, I am sure you have seen it. Can you just make a \ncomment about whether you think this Defense Science Board \nstudy got it right about our vulnerabilities?\n    Ms. Takai. 
Well, I think, first of all, any independent \nreport like that is useful because it does give us an \nindependent view of a way of looking at our vulnerabilities. \nThe report is a year old at this point in time and it really \nis--it does precede several of the actions that General \nAlexander has taken in terms of looking to remediate.\n    It also does not consider some of the actions that we have \nbeen taking to change our cyber defense approach from looking \nat how we protect the perimeter and how we just protect \nnetworks to actually how we look at it from a mission \nperspective.\n    So what we have done is ahead of actually the Defense \nScience Board report coming out, those are the same areas that \nwe have been looking at. Those are the same areas that we are \nlooking for remediation actions and some of the things that I \ndescribed in my testimony are really a step toward actually \nmoving forward to address some of those issues.\n    Now, the challenge is you are never 100 percent. And so, I \nthink the point around, really, looking at it from a mission \nperspective is important because we need to be sure that we are \nprioritizing from the standpoint of where we put our resources, \nlooking at it from the most critical areas and making sure they \nare secure.\n    Mr. Thornberry. If your folks look at this and think it \nappropriate, I would appreciate in a written answer some more \nupdates as to how far you think we have come in addressing the \nshortfalls that they identified here.\n    Ms. Takai. Yes, sir. Absolutely. General Alexander and I \nare actually working on that document, so we would be happy as \nwe get that developed to provide that to the committee.\n    [The information referred to can be found in the Appendix \nbeginning on page 77.]\n    Mr. Thornberry. Thank you.\n    Mr. Langevin.\n    Mr. Langevin. Thank you, Mr. Chairman. Again, thank you to \nour witnesses. General Alexander, I would just start with you, \nif I could. 
More of a follow-on on to the chairman's question. \nCan you speak to the role of CYBERCOM as defender of last \nresort in the event upon civilian--in the event of an attack on \ncivilian critical infrastructure?\n    As we know, these attacks move at network speed. And what I \nwant to know is what the, you know, the processes that are put \nin place in terms of establishing rules of the road so that you \nknow how and when you can respond--if there is an attack on \ncritical infrastructure and CYBERCOM has to step in as the \ndefender of last resort?\n    General Alexander. So we are working with the Defense \nDepartment, the White House, and the interagency to set up \nthose standing rules of engagement, put forward what I will \ncall the way in which we would actually execute some of these.\n    Right now, those decisions would rest with the President, \nthe Secretary. And they would tell us to execute. I think as we \ngo down the road, we are going to have to look at what are the \nthings that you would automatically do, think of this as the \nmissile defense, but missiles in real time.\n    And I think that is an education and learning process that \nchanges fundamentally the way that we have defended the Nation \nfrom a kinetic perspective to how we are going to have to \ndefend the Nation in a cyber perspective.\n    So there is a lot to learn there. Most important on that, \none is the team that I talked about. But two is the partnership \nwith industry. And that is where the legislation is going to be \nimportant.\n    We cannot see attacks going against Wall Street today. \nSomebody has to tell us, and if we are going to be able to \nreact to it in time to have favorable results, we need to know \nthat at network speed so that we can react at network speed. So \nthose types of information-sharing and the liability of \nprotection that goes with them is key to this. 
The other part,
you know, you could put under building up standards and helping
people get to this, the executive order takes a great step in
that direction.
    I think getting incentives would really help. So I think
there is a partnership here, one within the administration for
how we set this up and the rules of engagement, I take the
chairman's comments that you put about working together in a
transparent way. And the second part is we have got to have
that same discussion with industry.
    Mr. Langevin. And let me use this as an opportunity to talk
about the information-sharing, and give you an opportunity to
talk about the, you know, the concerns that people have in
terms of information that would be shared with the government.
    I understand--you and I understand that we are not actually
looking at information that would be shared, it is more the
bits and bytes, the ones and zeros, the attack signatures that
we would be looking for.
    But I would like to again give you the opportunity for the
public to reassure them of what this is, what information would
be shared.
    General Alexander. Thank you, Congressman, because I do
think this is a key point.
    The issue would be if somebody were throwing an attack at
Wall Street, as an example, what we would want to know is the
fact of the attack and the type of attack. We don't need to
read people's email or see their communications to get that
information.
    The Internet service providers would actually see that. So
we could tell them the types of attacks, the types of exploits
and those things that the government needs to know. 
That
includes DHS, FBI, NSA [National Security Agency] and the
Defense Department, all together need to know that.
    What we are talking about is, for example, I use the car
going up the New Jersey Turnpike on its way to Rhode Island and
it would go through an E-ZPass lane--well, in E-ZPass what
happens is the car is scanned. You don't read what is inside
the car. You just get the metadata.
    In a similar way, if a packet were going forward, what the
Internet service providers need to tell us is there was a
packet, we saw bad software, malicious software in that packet,
of the type you were looking for. We stopped that packet. It
was coming from this IP [Internet protocol] address, going to
this IP address.
    And it would be up to FBI if it was domestic to work with
the courts to do that or to Cyber Command if it were coming
from outside the United States. And so, the bottom line, there
is a way to do this that ensures civil liberties and privacy
and does ensure the protection of the country.
    And I think we ought to work towards that and help educate
the American people on what we are trying to do here.
    Mr. Langevin. I agree and I appreciate you getting that out
there.
    General, if I could, I would also turn our discussion to
the new mission teams that are forming within your command. In
testimony before the Senate Armed Services Committee on
Tuesday, you noted the creation of 13 teams within--with an
offensive focus. Can you lay out for us what authority these
teams would be operating under and how will they interface with
their Intelligence Community colleagues?
    General Alexander. Sure, Congressman. The key is we
organize the teams into groups. So the teams that you are
referencing, those 13 are what I will call the National Mission
teams, that would have the mission to counter an adversary who
is attacking our country.
    They are the counter-cyber force. 
I call that offensive
because their job is to stop--like a missile coming into the
country, their job would be to stop that and provide options
for the White House and the President on what more to do.
    So they are the folks that would counter any cyber
adversary. We also are creating teams to support combatant
commanders and their missions and operations, and then we are
building teams to operate and defend our networks within DOD
and work with DHS and FBI as required.
    So those are the three sets of teams and the three general
missions that they have. And then, we have supporting them,
what we call direct support teams that provide the analytic
support that we would need for that.
    All of this is integrated and works seamlessly with the
Intelligence Community and with FBI to ensure we don't have
duplication of effort and we are not all operating on the same
place in cyberspace so that that is deconflicted.
    Mr. Langevin. My time is expired. I will have more
questions for the witnesses in round two. I yield back.
    Mr. Thornberry. I thank the gentleman. And I think it is
helpful that explanation of what offensive means in this
context because there is a variety of definitions that people
use for that.
    Dr. Heck.
    Dr. Heck. Thank you, Mr. Chairman. I thank all of you for
being here.
    General Alexander, there have been some discussions about
the roles of Cyber Command and protecting domestic critical
infrastructure. How would that role differ if the attack was
coming from OCONUS [outside the contiguous United States]
versus CONUS [contiguous United States] and do you have the
Title 10 authorities necessary to respond to a domestic attack
in real time since you are really the only entity that can
defend in real time.
    General Alexander. Congressman, thanks, because I think for
clarity, from my perspective, the domestic actor would be the
FBI. 
And the FBI, we share our tools with the FBI.
    They would work through the courts to have the authority to
do what they need to do in domestic space to withstand an
attack. We have worked very closely together.
    Director Mueller and his teams are absolutely superb to
work with. And we have come up with a way that he would do
inside, we would do outside. Now, there may be points in time
where you have different--you know, significant attacks where
we need to change parts of that.
    But the key thing is to have him do inside the country. We
can support back and forth and do this at network speed. So we
are practicing that. I think that is something that we can do.
    He would work with the courts as appropriate to do his
portion of the mission. Outside the country, that is where we
would operate.
    Dr. Heck. So you would be comfortable if there was a Saudi
Aramco kind of attack that originated from within the United
States at U.S. infrastructure, that the FBI would be able to
respond and thwart that attack in real time?
    General Alexander. Assuming that we could see it because
that kind of an attack is a whole different issue. And on that,
where we would really depend is on working with the Internet
service providers. They would stop that packet initially by
some signature that we gave them.
    And so, that is something that would go to a domain
controller that we could stop. I think that is a different set
of tactics that you would use versus the distributed denial of
service attack where you are trying to take out the bots and
the command and control infrastructure.
    Dr. Heck. Okay. And then, how is the IC [Intelligence
Community] supporting the cyber intelligence needs of DOD? I
mean, beyond NSA, what IC organizations are the primary
intelligence providers for CYBERCOM?
    General Alexander. 
Well, there are several, of course, the
Central Intelligence Agency [CIA], the Defense Intelligence
Agency [DIA] and NGA, the National Geospatial Agency. Tish Long
and her folks have done a superb job, too.
    It is kind of interesting. You say, ``Well, what can you
see from imagery?'' But there are some great things that you
can do by bringing the actual physical infrastructure and
overlaying the cyber infrastructure--so all those work.
    And within the military, DIA has, within our J2, people, at
Cyber Command that work at--and of course, NSA has a great
foundation of folks that really provide the best support that
we have across that technical layer.
    Dr. Heck. Thank you, Mr. Chairman.
    Mr. Thornberry. Thank you.
    Mr. Kilmer.
    Mr. Kilmer. Thank you, Mr. Chairman.
    I am particularly interested in workforce issues and how we
prepare the workforce to meet the needs within the cyberspace.
And I have a number of questions in that regard.
    And I guess, Ms. Takai, I will start with you. As CIO
[Chief Information Officer] you oversee the Information
Technology Exchange Program that is set to expire on September
the 30th, which seems like a good opportunity to leverage
talent that is already in the workforce to bring industry and
the Federal Government together, to knowledge share and learn
best practices in cybersecurity.
    I was hoping you would give a little update on that
program's success and then I have a few specific questions
therein. Do you feel like enough private companies know about
the program and have been able to take part? Can you speak to
the advantages of extending and/or expanding the program?
    Have there been any problems with any aspects of the
program that you think, if we looked at continuing it, should
be addressed? And then, finally, I know to be eligible, an
employee must be a GS-11 or the equivalent or above. 
Do you
think that is an appropriate level or would you think there
would be a value in adding additional--involving additional
workers in the mix?
    Ms. Takai. Well, let me see if I can take all those
questions in turn.
    First of all, I think, we probably do need to expand our
communications on that program. The program has been, I think,
a great opportunity for us to bring industry technology experts
into DOD and likewise, be able to look at where DOD employees
can go out into industry to get experience.
    But to date, we really do need to think about how we expand
the program and from a communication perspective. However, I
think it is important to note that right now, we have a key
individual who has just recently joined my department from
Cisco.
    He is a very skilled, highly capable architect and one that
is always difficult to grow. That kind of technical knowledge
is something that just takes time. And so, the ability to bring
that individual in and have them take a look at the work we are
doing on the Joint Information Environment has really been
valuable.
    So we are really seeing the benefit of the program and
therefore it is very important to us to continue the program. I
think in terms of some of the challenges that we have had in
terms of moving the program forward, it has really been
understanding how to get the companies to understand the
security requirements and for us to be able to get them in
through our fairly long security process.
    And I think some of that is just a part of it. But I think
also we need to be in a position where we can better educate
the companies on the kinds of security requirements that we are
going to be asking about. And so, we are looking very much to
take the lessons learned from the program, to be able to expand
it. 
I think from a level perspective, I think starting at the
GS-15s is sort of the--you know, the first level is actually a
good place because it does give us the opportunity to go from
the GS-11 level up through various levels, you know, into
actually an SES [Senior Executive Service] level, which is the
more highly skilled folks.
    So I think starting there is a good place and the program
does give us the flexibility then to bring people in at
different levels. So we are very excited about the program. As
I say, we appreciate the industry participation we have had so
far and would very much like to continue the program past the
sunset date in September.
    Mr. Kilmer. Thank you. Maybe just in follow-up, I would
just like to ask more generally what you feel collectively we
can do as Members of Congress to help you recruit an adequate
number of workers in the cybersecurity realm?
    Ms. McGrath. So I can say from a--again, I am more in the
business space within the Department and it is always
challenging to find skill sets even with the Enterprise
Resource Planning and the more modern technological capability.
    So we are buying commercial-off-the-shelf. It is really
educating the workforce to get there. The Congress has passed
legislation to enable us to hire highly qualified experts. I
feel the Department has not leveraged the opportunity that we
have so far, or to date, as much as we could have, really
bringing folks in for a term.
    It can be 1 to 5 years to work on some of these really sort
of hard problems that we have, to ensure that our outcomes are
what we need. 
But we do have actually a very good model in the
SECDEF [Secretary of Defense] Corporate Fellows Program where
we take our military and send them out to industry for a year
at some of the, I would say, best and brightest companies like
Cisco and Caterpillar and Google and--so we are not leaving
anybody out, but I couldn't possibly mention them all.
    Because they are already cleared, they have, I will say
those kinds of requirements already met and it seems to be an
easier transition from within the Department for our military
externally, but I would wholeheartedly welcome, you know,
anything we could do to advance the communication because I
think it helps certainly in the business space with the
activities we have under way.
    Mr. Thornberry. Mr. Peters.
    Mr. Peters. Thank you, Mr. Chairman.
    Just maybe a follow-up on that. I think, General, it was
you who may have told us a few weeks ago about some of the
difficulties you were having recruiting talented individuals in
light of the budget uncertainty that we had.
    That perhaps, people are coming to you and saying--I heard
this at one testimony I think it was you--saying, ``Gee, you
know we can't really depend on this for a career if we don't
think that Congress is behind it.''
    Last week, we took an action to relieve some of the
pressure, perhaps, on the military side at the House level and
that is working its way through Congress. But, do you want to
update us, just to follow on Mr. Kilmer's question, how is the
uncertainty around the budget or how is the budgeting
continuing to affect your ability to recruit the kind of people
we need to be our warriors?
    General Alexander. So, you have hit it right on the head,
Congressman, that what we are getting from some of our people
especially those who come from industry, they already take a
pay cut coming to the government. 
And they do this because they
are patriots.
    The issue is they have taken a pay cut and now we are
saying, ``Well, you might get a pay cut again and this pay cut
will be furlough and we are not sure how that is going to go,
or where that is going to be.''
    That uncertainty is something that truly complicates their
willingness to stay with us. And we don't--we should not do
this to them. You know, we are trying to get the great people
into cyber. These are technically qualified people.
    You go out to Google, they are looking for people today.
You know, I sat down with the Google HR [human relations]
folks. They said, ``Look, we are paying, you know, probably
twice as much as you are paying folks'' and they are having
trouble getting them.
    We get them because they want to do something good for the
Nation. So as a consequence, I do think we have to, one, give
them the certainty. I would just say, two, they are our most
valuable assets. You know, it is the people. That is the talent
that we need and we need to let them know we care about them,
all of us, and we need your support in that.
    Mr. Peters. Thank you.
    Thank you, Mr. Chairman. I yield back.
    Mr. Thornberry. Thank you.
    Mrs. Davis.
    Mrs. Davis. Thank you, Mr. Chairman.
    And I would certainly appreciate that comment because
sometimes we have a perception out there that somehow Federal
workers are not necessary to make everything work in this
country. And I think that we know that that isn't true on just
about every level. And so, I appreciate your comments.
    I wanted to ask about the electronic health records. I know
that is not exactly on the agenda right now. But I wonder if I
could do that because we know that recently it was announced
that the Department of Defense was going to--no longer are we
going to have parallel efforts, I think, in trying to create an
interoperable system. 
And that the Department of Defense was
going to try and work with the Veterans Administration [VA].
Can you talk a little bit about that and what is going on? We
had had that strategy articulated that they were going to do
that, and it is just not clear now, exactly, what we are going
to do.
    I know that the discussion was around trying to cut costs,
that we were going to create this common system, but in light
of the fact that we are not going to do that, how are we going
to create this interoperable system that is going to work?
    Ms. McGrath. So I would be happy to take that question.
    The Department of Defense and Veterans Affairs have been
working together over probably 10 years to enable greater
sharing of information between the two organizations. So when
our military members transition from defense to the VA, that
all their information comes with them and we could get out of a
more paper-based approach to medical treatment and history.
    And I think we have made significant progress in terms of
sharing the information over big, I'll just say, pipes of
interfaces between the two organizations. 
Both DOD and VA were
looking to modernize their legacy environment.
    And so, back in March of 2011, then Secretary of Defense
Gates and Secretary Shinseki of the VA decided to abandon, if
you will, either legacy system--so in VA it is VistA [Veterans
Health Information Systems and Technology Architecture] and DOD
it is AHLTA [Armed Forces Health Longitudinal Technology
Application]--and move together jointly for sort of a common
system, if you will, although it would probably be a family of
systems that enable this capability to happen.
    And we moved out smartly and made sure that we were
approaching the solution, if you will, with a common
architecture, a common data standard which is really key toward
interoperability.
    VA has moved their systems into our DISA [Defense
Information Systems Agency], so that we are collocating as much
as possible common business practices.
    Because if you don't have all these things, you are still,
I will just say, the IT will only get you so far.
    And so, the foundational aspects of all these things we
agreed to in 2011.
    What you have heard recently, is the, in December of 2012
the Interagency Program Office had completed an engineering-
based or bottoms-up, if you will, lifecycle cost estimate which
really put the approach, the affordability of the approach, in
question.
    So the question Secretary Panetta and Shinseki said to the
teams was, is there a more economical way to still deliver an
innovative electronic health record to our military members and
veterans, but it is done in a less risky way.
    So you reduce the risk, decrease the cost and maintain the
schedule that we are on. And that is when the Departments
decided to instead of build, if you will, the system piece by
piece, to start from a core set of capabilities and build out
from a core.
    So the VA decided to go back to their legacy system, again,
VistA. 
The DOD does not have, right now anyway, a desire to use
its legacy system and want to ensure that we have explored all
opportunities.
    So when we are looking at what would our core capability--
would it be the VA's VistA core, VistA as our core? Would we
look at--would we have something commercial? The health space
has gone, has made tremendous leaps in terms of modernization
over years. We want to ensure that we are assessing the
capabilities that commercial market brings.
    And we are right now--we issued a request for information
in February. We got all the answer, all the responses in. We
are evaluating them through our Cost Assessment and Program
Evaluation team has the lead for that and they will make a
determination whether or not we will go with a COTS
[commercial-off-the-shelf]-based solution or a government-based
solution by the end of March.
    Mrs. Davis. Is it fair to say that we have kind of
abandoned, though, the joint strategy?
    Ms. McGrath. I think the joint strategy still exists from a
data interoperability and integration. If I talk about a
military member's health record, I am populating that record
from data from different sources.
    The change in the strategy is really the underlying IT
system. We still want to do as much joint as we can from the
various applications like immunization, lab, and all the other
health-related stuff.
    And I think that the architecture, again all the handshakes
that we made in the beginning in terms of architecture data,
those are all still absolutely at the forefront.
    So there has been certainly a change with the approach to
the underlying IT. But there has been no change to our----
    Mrs. Davis. I guess what would be helpful to know about
that is how is that going to affect the service member. And if
they are--it sounds like you are looking at a new acquisition
strategy perhaps. 
And I think we would certainly be concerned
about costs involved and kind of, what have we lost I guess, in
that time that we were working on all that.
    So I just wonder maybe we can follow up with those
discussions. But I appreciate it because I wanted to just take
this opportunity to try and understand better what has happened
and how we can move forward.
    Ms. McGrath. Yes, ma'am, I would be happy to----
    Mrs. Davis. We have spent a lot of time on that.
    Ms. McGrath. We have and I would just say that all the
infrastructure, the very foundational things that we have been
working on since the agreement in 2011, all will be carried
forward. And so, we are not, I will just say, scrapping
anything from that perspective; we continue to use those
foundational pieces because they are key irrespective of the
applications that will ride on top of that infrastructure.
    But I would be happy to give you more detail.
    Mrs. Davis. Thank you. Thank you, Mr. Chairman.
    Mr. Thornberry. I appreciate the gentlelady asking about
that because I remember very well the hearing we had in the
full committee with Secretary Panetta and Secretary Shinseki.
And this was the key thing they trumpeted. Never before would
we have this kind of cooperation between the VA and the
Pentagon with one health record that would follow a service
member from the day he enlisted all the way through.
    And it is discouraging that under the best case scenario it
is going to be significantly delayed to have that available as
you all work through these various options. I don't understand
or underestimate the technical difficulty in doing so.
    I don't know. It is just frustrating I guess when this was
trumpeted as such an achievement; that at least, there is a
change in strategy.
    Ms. 
McGrath, I am really not trying to pick on you but let
me ask you about one other situation that maybe hadn't turned
out so well.
    The Air Force's Expeditionary Combat Support System [ECSS],
what happened with that? And what have we learned from it?
    Ms. McGrath. I would like to say--and I will very quickly
move to the ECSS question.
    But the two things on the electronic health record. One is
the underlying system piece, and sort of the modernization.
    What we are also focused on is accelerating data
interoperability. We have standard data in the Defense
Department across the entire organization. Because of the
mobility of our military members, the information must be
wherever the military member is--that is theater, East Coast,
West Coast, does not matter.
    The VA--we are mapping the DOD health data dictionary to
the VA data so that by the end of this year we will be using
standard data between the two organizations and we will be able
to populate a military record, an integrated electronic health
record, with DOD and VA information.
    And so I don't want to--I understand the concerns. I have
been----
    Mr. Thornberry. That is helpful, I appreciate you
clarifying that.
    Ms. McGrath. And so, we do. We are moving very smartly
forward.
    With regard to the Air Force logistics transformation
program, true, not as positive a story. It was a story that
began in the 2005 timeframe, and it was laden with I will just
call them issues. We had a couple of protests along the way I
think that added at least a year-plus to the program. We
restructured it in 2009. They didn't meet a 5-year initial
operational capability in the 2010 timeframe. 
So then we put I
will just say stronger fiscal controls on the program to make
sure that we identified success criteria both from a government
perspective and a vendor performance perspective.
    We also restructured the contract to be more outcome-
oriented. And frankly, the program overall was not delivering.
And, therefore, we cancelled it in the December timeframe of
last year.
    We have this in terms of this program that has provided
many lessons learned as well as some of the other programs,
both--some successful--we still learn from these programs and
some not, in the area of size and scale this clearly was one of
those programs that was way too big.
    We need to chunk these IT systems, if you will, into
smaller capability sets. And so, we are delivering and then
adding as opposed to trying to deliver the whole thing at once.
    Buy in leadership skill sets. And we talked a little bit
about cyber skills and I mentioned the skill sets. Data, data
quality is huge. For any of these IT programs, you are really
trying to take really old data from old legacy systems, bring
them into the new modern, much more tightly controlled
environment. We have learned a ton with regard to data.
    The infrastructure also can't be understated. The work that
Ms. Takai is doing with the Joint Information Environment so
that we have a much more holistic perspective on the network.
How it runs, it is optimized. We find in every program I will
just call it too much infrastructure, so it adds to latency and
all of these kinds of issues. We have captured all of these, if
you will, lessons learned along with some standardization of
leading indicators across programs; we weren't managing and
monitoring them in a similar way. And we have made those
changes so that the program office, us, and us together, can
look at really the health of each one of these programs as they
move throughout the life cycle.
    Mr. 
Thornberry. Well, to state the obvious I realize, but
under the best case scenario we are going to have tight defense
budgets as far as the eye can see. And a large amount of money
goes to these various IT programs.
    And obviously we have the same interest that you do, I
know, into making sure that the money we spend is spent well
and you get something for it.
    It is particularly--I mean I appreciate the lessons
learned, which are important absolutely. But it is frustrating
also to spend money and then not have a system that works at
the end of the day.
    Hopefully, the lessons will improve others but it is
something we are going to have to continue to get better about,
no doubt.
    Ms. McGrath. Excuse me, sir, may I add just very quickly?
    Mr. Thornberry. Of course.
    Ms. McGrath. Because I mean we do share both the desire to
get it better and the frustration when it doesn't. And I am
constantly looking for ways in how you apply the lessons
learned from program A to program B or whatever the next one
is.
    But I would also say that I don't want to lose sight of
some of the capability that has been delivered.
    And the only data point that I will give you is that in
2009--and when we looked at the amount of money being spent on
really we have about 14 of these major business programs. We
were highly in a developmental stage.
    The number of users in these main ERP [Enterprise Resource
Planning] programs was about 27,000. Today, those same
programs, we have 195,000 users. So we have delivered
capability without going through the--I will just say the [word
unclear] we tend to talk about, those that are sort of really
big, expensive and not go so well. But there has been progress
made in terms of delivering supply chain capability, financial
capability, and also contracting. And I just don't want to lose
that--and I appreciate you allowing me to share that.
    Mr. Thornberry. 
Yes, ma'am. I appreciate it.
    Kind of continuing on a theme of trying to spend smarter or
at least exploring ways, Ms. Takai, the Defense Business Board
made recommendations about satellite communications [SATCOM]
and recommended that we could make some capital leases in
multiple increments of up to 10 years. It has also been
suggested that we could lease these satellite services for more
than 1 year at a time which is what we have been doing and
probably the most expensive way to do it.
    Can you comment on that suggestion? And is that not
something the Department should look at as a way of saving
money for the commercial satellite services that we, that the
Department depends so much on?
    Ms. Takai. Yes, sir. We have seen the Defense Business
Board recommendations and we do believe that there is benefit
in looking at the cost recovery model that we are using for
commercial SATCOM. And it is a requirement that we actually
look at that over a multi-year period because of the nature of
the industry.
    So one of the things that we are doing is to actually put
together a cost recovery model that takes into account a multi-
year acquisition, to look at what is the best approach so that
we can guide programs going forward.
    We are implementing a converged SATCOM gateway architecture
that will help to standardize more on the way that we are
buying commercial SATCOM and actually our own SATCOM. We are
looking at a plan of action for our own nuclear voice
conferencing integration and then looking at--we are actually
conducting an analysis of alternative study as it relates to
that.
    One of the challenges for us is that when we look at
commercial SATCOM, it is also important for us to look at the
security of that commercial SATCOM. 
And in many cases, we are
asking those commercial SATCOM providers to actually provide us
capabilities that aren't necessarily the demand from the rest
of their customers to the extent that we are looking at it.
    So that requires some upfront investment for them, and if
we are not able to actually commit to a multi-year capability,
then we get into a couple of situations, neither of which is
good. One of which is we would ask them to take that on and yet
at the point in time we want to use it, we no longer have the
funding in order to be able to do it.
    On the other side, we fund it upfront and we aren't
necessarily using the capability. That is why we need to look
at a different way of the cost recovery model from a multi-year
perspective in order to be able to manage the issue that was
raised by the Defense Business Bureau.
    Mr. Thornberry. Well, if there are additional authorities
that you need to look at multi-year procurement of these
services, please come and talk to us because I don't see if you
are a satellite company how you can meet the Defense Department
needs a year at a time particularly given what you just said
about enhanced security requirements as part of that. I don't
see how that can ever be done cost-efficiently without looking
ahead several years.
    General Alexander, I am going to take the other side of the
argument now. This is a brochure from one of your two hats
about commercial solutions for classified. And I guess it is
inviting commercial companies to submit their products to see
whether it could be used in a classified environment.
    I mean--and I guess in a general way, is this a new
emphasis on making more use of commercial hardware and software
in a classified environment? And can we do that in a secure
way? Again, thinking back to the Defense Science Board saying
we got problems here.
    General Alexander. Chairman, I think we can. A couple of
areas. 
If you think about encryption capabilities, going out \nand getting commercial encryption and making sure that it meets \nthe standards, and we can set the standards based on different \nencryption levels. We can if we know the company and the way \nthey actually create the capabilities, the tokens. And you can \nlook at some of the DOD cards and stuff that we actually use. \nWe can ensure that it is done right, then there is a great \nopportunity for us to work with industry.\n    I think this is going to become hugely important as we grow \nmobile devices that, you know, our spouses will use for \nbanking, need to be secured at a comparable level to the way \nthat we would need to do classified and sensitive operations.\n    So ensuring that the devices have that capability not only \nhelps industry, it helps the government, and I think there are \ngreat ways to do it. We look at that in some of the encryption \nstuff we work with NATO [North Atlantic Treaty Organization] \nand elsewhere, so I do think it is a great step forward, and \nindustry does provide us some great capabilities.\n    Mr. Thornberry. Mr. Langevin.\n    Mr. Langevin. So maybe on that line of commercial, let's \ntalk a little bit about the cloud as where--we seem to be \nmoving more and more toward the cloud. You know, articles that \nI have been reading recently have diminished my confidence in \nthe security of the cloud, at least it has called it into \nquestion anyway.\n    There have been some high-profile thefts of information \nfrom that, in that realm. And yet I know that certainly is \nsomething that your operation, General, are looking at moving \nmore into, more in that direction.\n    Let's talk about the security of the cloud. And if we do \nmake a robust change in that direction, you know, what are we \ndoing about guaranteeing security? What is your level of \nconfidence in securing the cloud?\n    General Alexander. So this has several dimensions to answer \nthat question. 
I am going to try to hit each of those, and then \nif you want more information, we can come back.\n    First, when we talk about cloud security versus what we \ncall legacy architectures, the problem that we have with legacy \narchitectures is if you look at the Defense Department's 15,000 \nenclaves with administrators for each of those enclaves, the \nability to patch those networks and set vulnerabilities is at \nthe manual speed.\n    And the problem that that creates if you say that the time \na vulnerability is publicly identified until it is done in the \nDepartment, it takes way too long because it is done to those \n15,000 network parts.\n    We are using the host-based sensor systems to help speed \nthat up but it is not where it needs to be. And your ability to \nactually see into those enclaves is very difficult. So the \nfirst thing that a cloud can give you is the ability to patch \nthose systems almost in real time. You can reach out and patch \nthat network there.\n    Now there are some issues that we have had with the cloud. \nOne of the things that we saw is the cloud systems as we saw \nthem did not have data element-level security tagging \ncapabilities. So in the one that we created, Accumulo, we \nallowed it to have each element of data tagged and secured at \nthat level, and only accessible at that level.\n    And there are some exceptional things that we can do in \nthis area that I can go into more detail in another setting \nthat gives you how I think this is more securable than legacy \narchitectures. From our perspective, from our technical \nperspective, it is much better. It is not perfect. The issue is \nsomebody who hacks into your networks over here, you don't know \nwhere they are but they have free--they are free to roam around \nonce they are inside. You just don't know they are there.\n    As you may know, most companies that get hacked in the \nlegacy system don't know about it for 6 to 9 months. 
I think we \ncan go much further in the cloud and I think you will see that \nthat will far outstrip legacy architectures in security. Unless \nyou come up with an architecture that is completely \nindependent, nobody else can get into.\n    But for what we need it for the Defense Department, we need \nmobile secure comms [communications]. And when you think about \nit, think about our ships, our aircraft and our mobile teams \nout there, they have to talk to something in the mobile \nenvironment. They are going to end up talking to the cloud. So \nwe have to fix that cloud environment.\n    I will tell you that what Ms. Takai and her folks are doing \nwith the Joint Staff J6 and our folks on the JIE is a huge step \nin that direction. It will address all of those types of issues \nand there is more. You know, I feel like the Ginsu knife guy--\n``wait, wait, wait, there is more''--because, you know, think \nabout what you can do in a cloud that you can't do in a normal \nsystem, just to give you a couple of ideas.\n    You can jump your networks, you can jump your databases, \nlike frequency-hopping, that makes your ability to hack into \nthem very, very difficult; and each day down that can be \nencrypted with a different algorithm depending on the security \nlevels of the people who need access to that data. That is a \nhuge step forward. We are having tremendous success in that \narea. And I think you have seen some of the folks who are \nworking on that.\n    I think you may have talked to some of them, Dave Hurry and some \nof the others that are really good at that.\n    Mr. Langevin. Well, thank you for the answer. That helps \nquite a bit. If I could, let me turn now to Ms. Takai. 
So \nobviously this is, you know, all of these great technologies \nthat we have ultimately come down to the people.\n    How well they are trained, do they know the capabilities of \nthe systems and so--I know you touched on this a little bit but \ncan you speak further to us about how you are developing the \npipeline of cyber and IT professionals in the Department and \nare there things that we can do better to support you? And I \nknow you have talked on this a little bit, I would like to give \nyou an opportunity to expand on this even further if you would.\n    Ms. Takai. Thank you very much. Well, first of all, let me \njust give you a synopsis of the actions that we are taking \naround growing the cyber workforce. The first steps are really \naround being able to support General Alexander and making sure \nthat as we are growing the cyber capabilities, we are doing it \nto the requirements of what he feels he needs from the cyber \nworkforce perspective.\n    So it is important that we recognize that the capabilities \nthat we are growing are going to be operational capabilities \nand we are really focused on that partnership and making it \nhappen. We are putting together that strategy today. The first \ngrouping will be individuals that we have inside DOD and we \nwill need to update our certifications, we are going to need to \nupgrade our capabilities.\n    And the other thing I think and General Alexander can speak \nto this even more. It isn't just necessarily technical people \nthat are going to be on these teams. It is going to be a \nbreadth of experience and it is going to really need several \ncapabilities. 
Now, just to speak to the technical side of it, \nwe are going to be bringing in and growing the resources from \nsome of the technical people that we have today.\n    The plan is through the Joint Information Environment \nreally as we begin to implement it, we will be able to free up \nindividuals who can then be trained with some of the technical \nbackground to be able to move into the cyber defense area much \nmore heavily than they are today. So that is one--number one.\n    And then secondly is we are going to step up our recruiting \nand with that we are going to have to be more definitive around \nthe career path for the civilians that we hire. Clearly, the \nmilitary and General Alexander is addressing how the military \nwill be moving folks through. But one of our challenges is we \naren't going to be able to rotate people in and out of jobs in \nthe same way, because the skill sets that are required here \nmeans we need to have a single career path for these \nindividuals to continue to grow.\n    And that will be an area that we will want to come back and \ntalk with you about because today the way that we do that \ncareer development doesn't necessarily allow us to keep people \nin a single path and move them up progressively, it tends to \nmove them around from position to position. So, that is an area \nthat we will be back to you.\n    The third area is that we are going to have to find a way \nto be able to recruit individuals at the more senior levels to \nbe able to supplement. We are not going to be able to grow \neverybody from within. 
And that is an area where we are going \nto have to look at our existing programs to see what we can do \nfrom a competitive salary perspective.\n    We can get a lot of good people because the national \nmission is important, but at the same time we are going to have \nto look at what those sources of individuals would be and that \nwould be as I say not only looking at our university systems \nand being able to grow them, but also what will it take to \nrecruit some of them from the outside.\n    Mr. Langevin. Thank you. Further, you know, to talk about \nthis issue of integration, how are you planning to integrate \nour total force capability such as those resident in the \nNational Guard cyber units into a comprehensive CYBERCOM \napproach, particularly with regard to command and control and \nauthorities?\n    Ms. Takai. Let me start and then ask General Alexander to \ncomment on this as well. We believe that the National Guard \ndoes provide a great opportunity to actually look at being able \nto look at other forces. So for instance, particularly in areas \nlike Washington, particularly around Redmond, and in the areas \nof Silicon Valley, we know already that we have individuals \nthat are in the National Guard that are highly capable.\n    The key thing I think is to make sure that as we utilize \nthe National Guard, we are doing it in not only a uniform way \nbut we are doing it in a way so that we have the advantage in \ntwo senses. One is that it is integrated with the entire cyber \napproach that General Alexander is going to speak to. 
But \nsecond of all, that as we are moving people through there and \nas we are actually utilizing them in different settings, that \nagain they are going to be operating in the same way, they are \ngoing to be able to be integrated rather than them having sort \nof a separate approach to the way they are doing the training \nand not be able to call them in when they are needed.\n    But General Alexander, let me have you also talk to how \nthey are going to fit within your teams.\n    General Alexander. Congressman, I would add also the great \nteams in Rhode Island, Texas and Nevada, just to get all three \nof them out.\n    Mr. Langevin. The 102nd in Rhode Island.\n    General Alexander. And of course, I know Ms. Takai wanted \nme to mention those. We sat down with the National Guard a \ncouple weeks ago. We have had our first Guard exercise last \nsummer. We will have another one this summer. As Ms. Takai \nsaid, we are training everybody to the same standard. My \ncomments to them is, look, your folks have to be trained and \ncertified to the same standards as the Active Force.\n    Our focus would initially be on the cyber protection teams \nthat they would create. And I think they will focus on regional \nteams. The 10 regions of the Guard, create those teams first, \ntrain them and operate them. See what their role and \nrelationship would be working with us, DHS, FBI and NORTHCOM \n[Northern Command] defense support to civil authorities. There \nare some great things that we can do.\n    We will also create some offensive teams and some of the \nGuard units are already doing that. I talked to General Grass \ntoday on this topic. He, General Jacobi and I will meet next \nTuesday and perhaps we are going to meet right now. That must \nbe him calling in.\n    We will meet next Tuesday to actually lay out a transparent \nprogram so the service chiefs see what we are buying. 
We want \nto make sure that this is a program the service chiefs sign up \nto because parts of this are going to be in their budget and we \nwant to make sure that everybody is transparent in what we are \ngetting here.\n    So that is the process. There is a Cyber Guard exercise \ncoming up. I think those are some of the things that you and \nsome of the other members may be very interested in; you are \nwelcome to attend parts of that.\n    Mr. Langevin. Thank you. I am very impressed with the work \nof the National Guard and as you have mentioned we have the \n102nd in Rhode Island that is actively working with various \naspects of cyber, particularly with the 24th Air Force. I have \nhad the ability to get down to the 24th Air Force in Texas and \nvisit with General Vautrinot there. And I know that they are \nworking very closely with our Rhode Island National Guard in \nthat respect.\n    General, as always, we thank you for--and your team. Please \npass on our appreciation to the extraordinary men and women \nunder your command and also, Ms. Takai, at the Pentagon, for \nthe work that they are doing, how dedicated they are, it is \nobviously very important. We want to do everything we can to \nsupport you and before I yield back I just want to thank the \nchairman for his partnership in this effort as well.\n    There are very few people in the Congress--not enough--that \nfocus on this issue of cybersecurity and I know, Chairman \nThornberry, how much you put a lot of time and effort into this \nissue and there is not another Member of the Congress that has \nworked as hard on this issue as you have, so thank you.\n    Mr. Thornberry. I appreciate it, Jim--obviously, the \ngentleman has been a leader in this for some time. Dr. Heck, do \nyou have other questions?\n    I just had two more things I wanted to ask about. 
General \nAlexander, to the extent you can talk about it in open session, \nthis subcommittee has been interested before on tactical use of \ncyber in military operations. And I noted that part of your \nteams, the teams you are creating in Cyber Command, are those \nteams--some teams to support combatant commanders.\n    And can you in this forum describe how that will work, to \nwhom they will answer, how it will be decided what operations \nto carry out and whatnot, that sort of thing?\n    General Alexander. Chairman, broadly speaking they are \ngoing to work at the strategic level, those combatant command \n[COCOM] mission teams will be directly focused on the COCOM \nrequirements and answer to those requirements.\n    We will have a deconfliction process that that combatant \ncommander and myself will work together to make sure that if \nsomebody else is working in that space we deconflict it, and \nthat is logical so that you don't have two people working in \nthe same space.\n    That is different than the tactical service teams that we \nwould create. So if you go into Iraq like in the past 10 years \nand look at what we did for our intelligence teams that support \nbrigade combat teams, that was a huge success.\n    In the future, you can imagine that we will eventually \ngrow, at the tactical level, cyber teams that are part of those \nintelligence teams or working together with them to provide \nlocal cyber effects. They would have to be trained to the same \nstandard, deconflict through a theater and others, just as we \ndo other areas. But I think it would provide that.\n    And then you can see that the Air Force and Navy would have \ntactical and operational level that would nest into what we are \nbuilding at the combatant command level. So I think they will \nwork as a team, think of that as a cryptologic architecture now \nfor cyber going all the way down. And I think this provides us \ntremendous capability at the tactical edge.\n    Mr. 
Thornberry. I fully agree, it does. I guess, what I \nhaven't quite got my mind around is how you deconflict what you \nthink is a tactical operation when there really is not \ngeography in cyberspace. And so the equities that--part of \nour--my concern has been that if you want to have a tactical \ncyber operation, you basically have to have a full complement \nof all the agencies in Washington to hash it all out. And that \nis not very time efficient for cyberspace and just how that \nwould work on a practical basis. I think we got to work our way \nthrough it. It is just something that I have been interested in \nand we have worked on from time to time. Do you have one----\n    Ms. Takai, we could not have a hearing without me asking a \nquestion about spectrum, because it is such an important part \nof what goes on. I know there was a recommendation for sharing \nspectrum as a possible, I don't know solution, but as a \npossible step that could increase spectrum for anybody. Do you \nhave any comments on that recommendation?\n    Ms. Takai. Yes, sir, and I was wondering whether we would \nget to the spectrum question or not, so here we are. We \nactually feel very strongly that it is important that we look \nat spectrum-sharing as a possibility.\n    I think the report that you are referring to is probably \nthe President's PCAST [President's Council of Advisers on \nScience and Technology] report that suggested that we have to \nlook at spectrum-sharing going forward. We are participating \nnow in five different working groups that are being led by the \nNTIA [National Telecommunications and Information \nAdministration] to look at different areas of spectrum-sharing.\n    And we actually have had success in spectrum-sharing. We \nhave had an instance where we have been able to actually use \nand be able to share with a medical device, a medical alert \ndevice for some of the areas. 
So we do believe that there are \nopportunities.\n    But with that, spectrum-sharing has its challenges. It \nisn't a new concept; it is certainly just coming to light now \nbecause of the severe pressure on spectrum. There are several \ndifferent ways to do it. One of them is geographic, where you \nlook at exclusion zones.\n    The difficulty for us in certain bands, like the 1755 to \n1850 band, is that the exclusion zones would actually be in the \nsame areas that the commercial providers are interested in. So \nwe have to look at that. The second thing is whether we could \ndo it from a time standpoint.\n    But again in 1755 to 1850 which we use very heavily for \ntraining in CONUS, that becomes difficult because we can't \npredict where in fact we are going to be in the timeframe we \nare going to be using it.\n    So I think it is--there are great opportunities. I think we \ndo need to explore and we are working and have signed some of \nthe first ever MOUs [memorandums of understanding] with \nsome of the commercial companies to actually do some \nexperimentation in certain geographic locations.\n    But I think it is a step beyond where we can, you know, \nnecessarily say we can go to say that spectrum-sharing is going \nto solve the problem. It is really a combination of where do we \nhave to vacate, where will we need comparable spectrum, and \nthen where are the areas that we can share now and then going \ninto the future.\n    Mr. Thornberry. Thank you. And thank you all again for your \npatience and for your brevity. We hit on a wide variety of \ntopics today and that was very helpful. 
And as the gentleman \nfrom Rhode Island said, we appreciate each of you and the folks \nwho work with you and what they do for the country.\n    With that the hearing stands adjourned.\n    [Whereupon, at 5:05 p.m., the subcommittee was adjourned.]\n      \n=======================================================================\n\n                            A P P E N D I X\n\n                             March 13, 2013\n\n=======================================================================\n\n\n              PREPARED STATEMENTS SUBMITTED FOR THE RECORD\n\n                             March 13, 2013\n\n=======================================================================\n      \n      \n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n      \n=======================================================================\n\n              WITNESS RESPONSES TO QUESTIONS ASKED DURING\n\n                              THE HEARING\n\n                             March 13, 2013\n\n=======================================================================\n      \n            RESPONSE TO QUESTION SUBMITTED BY MR. THORNBERRY\n\n    Ms. Takai. Response to DSB Report on Resiliency:\n    The Defense Science Board (DSB) report entitled, ``Resilient \nMilitary Systems and the Advanced Cyber Threat'' makes a series of \nrecommendations. There is significant effort in the CIO, USCYBERCOM, \nand NSA mission spaces already happening or planned in each \nrecommendation area. Below are short summaries of the major DSB \nrecommendations, and examples of ongoing and planned work to meet them. 
\nThis list does not include efforts outside of the CIO/USCYBERCOM/NSA \narea of responsibility.\n\n    DSB Recommendation #1: Determine the Mix of Cyber, Protected-\nConventional, and Nuclear Capabilities Necessary for Assured Operation \nin the Face of a Full-Spectrum Adversary (DSB report page 7).\n    Secretary of Defense assign United States Strategic Command the \ntask to ensure the availability of Nuclear Command, Control and \nCommunications ([N]C3) and the Triad delivery platforms in the face of \na full-spectrum Tier V-VI attack--including cyber (supply chain, \ninsiders, communications, etc.)\n    Examples of ongoing efforts\n    * Multi-level human intervention and off-line launch code \nauthentications\n    * NSA-produced NC3 Information Assurance (IA) materials\n    * Stood up the Strategic and National C3 and Intelligence \n(SNC3I) Joint Systems Engineering & Integration Office (JSEIO) to do \nend-to-end engineering of NC3\n    * CIO & USD(AT&L) signed DODI 5200.44 which \ninstitutionalizes supply chain risk management in acquisition and \nsustainment\n    * CIO & USD(AT&L) assisting STRATCOM in application of \nsupply chain risk management (SCRM) to its key programs\n\n    DSB Recommendation #2: Determine the Mix of Cyber, Protected-\nConventional, and Nuclear Capabilities Necessary for Assured Operation \nin the Face of a Full-Spectrum Adversary (DSB report page 7).\n    SECDEF and Chairman, Joint Chiefs of Staff (CJCS) designate a mix \nof forces necessary for assured operation . . . . 
Segment Sufficient \nForces to Assure Mission Execution in a Cyber Environment\n    Examples of ongoing efforts\n    * Established Cyber National Mission Force-trained and \ncertified teams\n    * Implementing the Joint Information Environment (JIE) to \nimprove cyber defense and resilience of unclassified and secret \nnetworks for better protected conventional capabilities\n    * Increased funding for cyber capability development (on-\nhold for sequestration and Continuing Resolution)\n    * NSA collection and analysis critical to understanding \nadversary\n\n    DSB Recommendation #3: Refocus Intelligence Collection and Analysis \nto Understand Adversarial Cyber Capabilities, Plans and Intentions, and \nto Enable Counterstrategies (DSB report page 8). SECDEF in coordination \nwith the Directors of CIA, FBI, and DHS, should require the Director of \nNational Intelligence (DNI) to support enhanced intelligence collection \nand analysis on high-end cyber threats\n    Examples of ongoing efforts\n    * Improving threat information sharing in real-time across \nUSG\n    * Increased Intelligence Community (IC)/NSA focus on \ncyberspace operations support\n    * Increased ``hunting'' on blue networks\n    * Cyber integrees from NSA/USCYBERCOM at FBI, CIA, and DHS; \nand vice versa\n\n    DSB Recommendation #4: Build and Maintain World-Class Cyber \nOffensive Capabilities (with appropriate authorities) (DSB report page \n9).\n    United States Cyber Command (USCYBERCOM) develop capability to \nmodel, game and train for full-scale cyber warfare.\n    Under Secretary of Defense for Personnel and Readiness (USD(P&R)) \nestablish a formal career path for civilian and military personnel \nengaged in offensive cyber actions.\n    Examples of ongoing efforts\n    * Established Cyber National Mission Force (Cyber National \nMission Teams and Combatant Command Mission Teams)\n    * Cyberspace 
operations-focused training exercises (Cyber \nFlag, Cyber Guard, and Cyber Knight)\n    * CJCS cyber emergency action conferences\n\n    DSB Recommendation #5: Enhance Defenses to Protect Against Low and \nMid-Tier Threats (DSB report page 9).\n    The DOD should establish an enterprise security architecture, \nincluding appropriate ``Building Codes and Standards'', that ensure the \navailability of enabling enterprise missions . . . . The DOD should \nleverage commercial technologies to automate portions of network \nmaintenance and ``real-time'' mitigation of detected malware . . . . \nUSD(P&R), in Collaboration with the DOD CIO and the Service Chiefs \nEstablish a Formal Career Path for DOD Civilian and Military Personnel \nEngaged in Cyber Defense\n    Examples of ongoing efforts\n    * Developed JIE enterprise security architecture for \nunclassified, secret, and coalition networks\n    * Migrating all internet-facing servers into a separate \nzone to isolate and contain attacks\n    * Improving SIPRNET/Coalition/Federal gateways and NIPRNET/\nInternet boundary defenses\n    * Developing a Department-wide Cyber Workforce Strategy \nthat includes military and civilian qualifications and career paths\n    * Automating continuous monitoring of cyber vulnerability \nvia use of the already deployed Host-Based Security System (HBSS)\n\n    DSB Recommendation #6: Change DOD's Culture Regarding Cyber and \nCyber Security (DSB report page 10). 
Commander, USCYBERCOM and the DOD \nCIO establish a plan with measurable milestones and flow down to all \norganization elements.\n    Examples of ongoing efforts\n    * Creating a capstone Cyber Defense strategy document, \ndescribing strategic imperatives that will change behavior, culture, \noperations, and intelligence support (e.g., Defending DOD Networks, \nSystems, and Data: Strategic Choices for 2020)\n    * Conducting annual IA training across the DOD\n    * Simulating ``Phish-me'' exercises and other real life \nexercises\n    * Providing each organization and its chain of command an \nautomated cyber risk score via continuous monitoring\n\n    DSB Recommendation #7: Build a Cyber Resilient Force (DSB report \npage 11). DEPSECDEF should direct specific actions to introduce cyber \nresiliency requirements throughout DOD force structure.\n    For programs not part of the segmented force, provide a cyber \nstandard set of requirements (expected to be a subset of the critical \nprogram requirements list) to be applied to all DOD programs \n(USD(AT&L), DOD CIO, SAEs))\n    Develop DOD-wide cyber technical workforce to support the build out \nof the cyber critical survivable mission capability and rolled out to \nDOD force structure (USD(AT&L), CIO, SAEs, DOT&E, USD(I), USD(P&R)).\n    Examples of ongoing efforts\n    * DOD CIO and USCYBERCOM identifying key cyber terrain and \ninfrastructure that supports critical C4 systems and assets in order to \nassure mission execution while under degraded cyber conditions\n    * Developing Resiliency Framework criteria that helps \ndelineate requirements for contracts and that can be used in the \nacquisition process\n    * Creating Cyber security Implementation Guidebook to \nassist acquisition program managers in successfully implementing cyber \nsecurity requirements (with AT&L)\n    * Use of Cyber Ranges for simulated live fire cyber \nsecurity exercises 
with active Red Team participation\n[See page 9.]\n\n      \n=======================================================================\n\n\n              QUESTIONS SUBMITTED BY MEMBERS POST HEARING\n\n                             March 13, 2013\n\n=======================================================================\n\n      \n                 QUESTIONS SUBMITTED BY MR. THORNBERRY\n\n    Mr. Thornberry. Will you comment on requirements and guidelines \nbeing generated by CYBERCOM with respect to an insider threat program? \nHow do you prevent implementation of this policy devolving into a mere \n``check the box'' requirement that does little to enhance our security? \nThe FY13 NDAA included language on next generation host-based security \nsolutions and mentioned insider threat mitigation as one of those \ncapabilities that needed to be addressed in this context. Are \nCYBERCOM's guidelines going to specify that established host-based \nsolutions are required to satisfy the enterprise monitoring and audit \nrequirements? As a part of your overall risk mitigation strategy, which \nnetworks will your requirements cover in terms of Insider Threat \nMonitoring?\n    General Alexander. USCYBERCOM has developed requirements for \nimplementation of insider threat capabilities on DOD networks in \ncoordination with the National Insider Threat Task Force (NITTF) and \nthe Comprehensive National Cybersecurity Initiative to develop and \nimplement a government-wide Cyber Counterintelligence Plan (CNCI 6) to \nachieve the objectives described in the FY13 NDAA. These insider threat \nrequirements include auditing and monitoring, insider threat awareness \nand training, foreign travel and contact reporting, polygraphs, \npersonnel security, evaluation, analysis, and reporting and security \nincident reporting and evaluation. This provides a comprehensive \ndefense-in-depth strategy for the detection of and protection from the \ninsider threat. 
In addition, these capabilities will deter malicious \ninsider activity. The comprehensiveness of this approach prevents the \npolicy from becoming a ``check the box'' requirement. USCYBERCOM \ndirectives as spelled out in OPORD 12-106 specify that host-based \nsolutions are required to satisfy the enterprise monitoring and audit \nrequirements. All U.S. owned and operated DOD Non-secure Internet \nProtocol Router Network (NIPRNET) and Secret Internet Protocol Router \nNetwork (SIPRNET) networks are covered by these requirements for host-\nbased security and insider threat monitoring.\n    Mr. Thornberry. What progress has DOD made in improving the agility \nand flexibility of the IT acquisition process?\n    Ms. McGrath. DOD has taken a number of important steps to improve \nthe agility and flexibility of our IT acquisition processes both \nthrough policy and through proactive involvement with active IT \nacquisition programs. A common theme of these efforts has been to \ntailor the processes to the unique attributes of IT in a way that \nspeeds delivery of capability into the hands of our users.\n    One important development has been the adoption of an acquisition \nmodel tailored for defense business systems. This alternative \nacquisition model provides a comprehensive process that aligns \nrequirements, investment, and acquisition processes for defense \nbusiness systems under an integrated governance framework and focuses \non incremental delivery of capability, within eighteen months of \nprogram initiation. This incremental approach improves control over \ncost, schedule and performance requirements.\n    The Under Secretary of Defense (Acquisition, Technology & \nLogistics) issued implementing policy for this model in the summer of \n2011 and the guidance was incorporated into the Defense Acquisition \nGuidebook in the fall of 2012. This policy is being incorporated into \nthe next update of the DOD 5000.02 acquisition instruction. 
The Defense \nEnterprise Accounting and Management System (DEAMS), an Air Force \nfinancial management program, was the first program to achieve an \nacquisition decision under this new policy and we are in the process of \ntransitioning several other major IT programs to this new approach as \nwell.\n    Through the use of this approach, DEAMS has integrated \ntraditionally stove-piped processes and enabled tight integration \nbetween the functional sponsor and the program office. We continue to \nconduct targeted outreach with Program Managers, Functional Sponsors, \nand Program Executive Officers on this new policy, and are working with \nthe Defense Acquisition University to embed the new process into \nappropriate curriculum.\n    Mr. Thornberry. In the FY12 NDAA, this committee directed the \nestablishment of an insider threat detection program. Can you please \ndescribe the current status of this effort, which is supposed to \nachieve full operational capability later this year?\n    Ms. Takai. 
DOD has been actively participating in the National Insider \nThreat Task Force (NITTF) addressing the government-wide insider threat \nissue--consistent with EO 13587, ``Structural Reforms to Improve the \nSecurity of Classified Networks and the Responsible Sharing and \nSafeguarding of Classified Information.'' The NITTF issued \nimplementation guidance of EO 13587 via Presidential memo on Nov 21, \n2012.\n    Internally, DOD has:\n    <bullet>  instituted read/write controls for external secret \ncomputer access ports and restrictions and audits of removable media \n(USBs, etc.);\n    <bullet>  driven out anonymity and instituted access control \nthrough public key infrastructure (PKI) implementation; and\n    <bullet>  improved our ability to detect anomalous or malicious \nbehavior on the DOD's secret network.\n        o  Provides limited ability to discern data access that signal \n        exceptions to normal data access.\n        o  Provides full packet capture in order to discern patterns of \n        malicious activity and allow for the investigation of \n        incidents.\n    Mr. Thornberry. How will the Joint Information Enterprise (JIE) \ninteract with other major IT related initiatives, like the Defense \nIntelligence Information Enterprise or electronic health records \ninteroperability? Will it be interoperable with the networks of the \nIntelligence Community?\n    Ms. Takai. The DOD CIO is leading the DOD's IT effectiveness effort \nto achieve the Joint Information Environment (JIE) and the Director of \nNational Intelligence CIO is leading a similar effort of the \nIntelligence Community Information Technology Enterprise. Both CIOs \nshare common objectives and end-states, and actively participate on \neach other's governance boards, standards and architect forums, and \nIdentity Management and data framework forums. 
Both CIOs recently \nestablished a Joint Information Standards Committee (JESC), and a \ndirected policy governing the reuse of standards and specifications \nbetween the two communities to ensure interoperability and information \nsharing.\n    The Defense Intelligence Information Enterprise (DI2E) is a \nunifying construct between the Department of Defense, the Intelligence \nCommunity (IC), and coalition Intelligence Information Enterprises, and \naligns with the Intelligence Community IT Enterprise (ICITE) and DOD \nJoint Information Enterprise (JIE) policy and strategy.\n    The DI2E Governance Council oversees development and implementation \nof a DI2E that is standardized, secure, optimized and interoperable, \nthat aligns with DOD, IC and Coalition IT Enterprises. The Council \ncoordinates on similar efforts by the IC Chief Information Officer \n(CIO), the DOD CIO, and the Defense Information Systems Agency (DISA) \nto ensure intelligence information integration across all security \ndomains, including top secret, secret, unclassified, and various \ncoalition fabrics. It enables seamless theater intelligence \narchitectures and achieves efficiencies across the Defense Intelligence \nenterprise by recommending cost saving measures.\n    With respect to electronic health records interoperability, DOD is \nestablishing a Medical Community of Interest (Med-COI) virtual network, \nunder the auspices of JIE and its single security architecture. The \nMed-COI, using the JIE architectural construct, will provide enterprise \nservices and operate within the secure and protected DOD Global \nInformation Grid (GIG). This capability will support unhindered and \ntimely data access of patient records for DOD and VA clinicians and \nadjudication of VA Benefit claims.\n    Mr. Thornberry. 
What role does the Cyber Investment Management \nBoard (CIMB) play in decisions related to the JIE, especially with \ndecisions related to service-specific system and network acquisitions?\n    Ms. Takai. The CIMB is an advisory and management body, established \nto facilitate cohesion across S&T, requirements, acquisition, R&D, T&E, \nand sustainment efforts to ensure that cyber warfare investments are \neffectively coordinated across the Department. In this capacity, the \nCIMB is intended to provide a framework to make resourcing \nprioritization recommendations consistent with established JIE \nmilestones.\n    Mr. Thornberry. In discussing the Joint Information Environment \n(JIE), there seems to be a lot that is aspirational with this \nconstruct, but you will be limited by the current network environment \nthat you have. How does DOD plan to get from the current ``as-is'' \nstate to the ideal ``to-be'' state?\n    Ms. Takai. DOD is continually modernizing its IT infrastructure and \nsystems, and has several ``network'' initiatives on-going (i.e., \nLANDWARNET, AFNET, NGEN, etc.) that are focused on achieving the same \nobjectives as JIE for the individual Military Services. JIE effort will \nleverage their already planned activities and technology refresh cycles \nto optimize the current network environment to our desired ``to-be'' \nstate from an enterprise perspective. At the enterprise level, DISA has \nplanned upgrades of the Defense Information Systems Network (DISN) \nconsistent with the target architecture for the JIE, to include the \nreplacement of circuit-based switches with IP-enabled technologies, and \nreplacement of legacy transport routing to Multiprotocol Label \nSwitching (MPLS). The detailed solution architectures for the JIE are \nscheduled for completion in June 2013, and are being incorporated into \nComponent programming activities for FY15 and beyond. 
The Department's \nJIE Technical Synchronization Office (JTSO) is developing a \nconsolidated synchronization plan in conjunction with other DOD \nComponents.\n    Mr. Thornberry. Last year, the House Oversight and Government \nReform committee introduced the Federal Information Technology \nAcquisition Reform Act (FITARA). Are you familiar with this proposed \nlegislation? If so, what thoughts do you have on how this might affect \nDOD equities?\n    Ms. Takai. I am aware of some of the provisions of last year's \ndraft bill, as well as the current version that was introduced earlier \nthis year. I believe because of the complexity of the Department's \nmissions, we will need to examine the legislation carefully to ensure \nthat it does not undo important relationships we have developed between \nthe Office of the Secretary of Defense and the Services and Agencies as \nwell as introduce new or overlapping requirements for the Department \nfor its IT investments.\n    Mr. Thornberry. Following the termination of the Net-Enabled \nCommand Capability (NECC), what is the Department doing to modernize \nits command and control capabilities?\n    Ms. Takai. The Department is executing a sustainment and \nmodernization plan to evolve the current Global Command and Control \nSystem (GCCS) family of systems and related command and control \nprograms to improve mission effectiveness, achieve efficiencies, and \nprovide required command and control capabilities to the joint \nwarfighter. Our sustainment and modernization efforts will ensure \nsupport to current operational priorities while migrating to objective \ncapabilities described in the recently updated Joint C2 Capability \nDevelopment Document (CDD).\n    Mr. Thornberry. How do you plan to address ``Bring-Your-Own-\nDevice'' (BYOD) policy and the use of cloud technologies? Also, how can \nDOD keep up with the rate of technological change while using the DFAR? 
\nAre current acquisition reform efforts sufficient?\n    Ms. Takai. Bring Your Own Device (BYOD) and portable cloud services \nare emerging trends in commercial industry. Many issues must be \naddressed before the DOD can embrace these technologies, such as \novercoming existing DOD policy constraints, understanding the various \noperational use scenarios, examining potential security \nvulnerabilities, and avoiding potential legal issues that surround BYOD \nsolutions. My office published the DOD Mobile Device Strategy on June \n8, 2012, and the DOD Commercial Mobile Device Implementation Plan on \nFebruary 15, 2013, with the focus on improving three areas that are \ncritical to mobility: 1) the networking infrastructure to support \nwireless mobile devices, 2) mobile applications, and 3) a framework \nthat will allow the Department to sustain a commercial mobile solution \nthat is reliable, secure, and flexible enough to keep pace with fast-\nchanging technology. The DOD CIO will continue to monitor BYOD efforts \nacross our Federal Government and, in conjunction with the Digital \nGovernment Strategy, will continue to evaluate BYOD options.\n    Cloud Computing is becoming a critical component of the Joint \nInformation Environment (JIE) and the Department's Information \nTechnology (IT) modernization efforts and will enable users the access \nto data anywhere, anytime on any approved device. One key objective is \nto drive the delivery and adoption of a secure, dependable, resilient \nmulti-provider enterprise cloud computing environment that will enhance \nmission effectiveness and improve IT efficiencies. 
Cloud services will \nenhance warfighter mobility by providing secure access to mission data \nand enterprise services regardless of where the user is located and \nwhat device he or she uses.\n    My office recently issued the DOD Cloud Computing Strategy to \nprovide an approach to move the Department to an end state that is an \nagile, secure, and cost effective service environment that can rapidly \nrespond to changing mission needs. There are two key components of the \nDepartment's cloud strategy. The first component is the establishment \nof a private enterprise cloud infrastructure that supports the full \nrange of DOD activities in unclassified and classified environments and \noptimizes data center consolidation efforts. The second is the \nDepartment's adoption of commercial cloud services that can meet the \nDepartment's cybersecurity and other IT needs while providing \ncapabilities that are at least as effective and efficient as those \nprovided internally.\n    The Defense Information Systems Agency (DISA) is designated the DOD \nEnterprise Cloud Service Broker to facilitate and optimize access and \nuse of commercial cloud services that can meet DOD's security and \ninteroperability requirements, and ensure that new services are not \nduplicative of others within the Department while consolidating cloud \nservice demand at an enterprise level. In addition, DISA, as the DOD \nbroker, will leverage the Federal Risk Authorization and Management \nProgram (FedRAMP) standardized security authorization process, \nincluding the accepted minimum security baseline for low and moderate \ninformation security categorizations, and ongoing continuous monitoring \nto ensure that appropriate security controls remain in place and are \nfunctioning properly.\n    Current acquisition reform efforts offer opportunities to \naccelerate the adoption of commercial technologies. 
In many respects, \ndespite their rapid evolution, mobility solutions are much like other \ntraditional IT systems that empower users and managers with the tools \nand information they need to execute their missions. Our strategy of \nintegrating well-orchestrated limited deployment pilot implementations \nallows users and managers to rapidly innovate, mature critical \ntechnologies, and resolve integration challenges to swiftly address \nmission challenges. The Implementation Plan incorporates many of the \nServices technology development efforts in a spiral approach with an \n18-month acquisition cycle. The Implementation Plan streamlines the \ncertification and accreditation (C&A) process for mobile devices, \noperating systems, and applications. Sharing the workload with industry \nwill bring the timeline for C&A down from over 18 months to about 30 \ndays with no reduction in security posture. Though the platforms will \ncontinue to evolve, we have the same commitment to systematic \nacquisition practices that serve the defense community most \neffectively. We continue to review the mobility acquisition lifecycle \nfor efficiency opportunities.\n    Mr. Thornberry. Would you tell us how much funding has been set \naside to assist DOD organizations in establishing Insider Threat \nPrograms in accordance with the recent Presidential Mandate, Memo, and \nNational Insider Threat Standards? Further, who will be the \norganization responsible for identifying and distributing the necessary \nfunding to each DOD entity? Who will be on point from your office to \nensure the funding is being appropriately spent on the Insider Threat \nMission within each DOD entity? Are there additional monies coming from \nthe ODNI or the Office of the National Counterintelligence Executive \n(NCIX) for Enterprise Audit and Insider Threat missions?\n    Ms. Takai. The Department initially programmed $162M, FY12-16, in \norder to satisfy the Executive Order 13587 requirements. 
The Department \nis assessing the need for additional resources to address the insider \nthreat as part of our FY 15 budget deliberations. The Defense \nInformation Systems Agency (DISA) and the Defense Manpower Data Center \n(DMDC) are the responsible implementing agencies for the initial $162M. \nMy office is overseeing implementation of the budgeted and programmed \nfunds provided to date. The Department is developing the necessary \npolicy and responsibilities required under the Presidential mandate \nissued November 21, 2012. Regarding additional monies, there has been \nlimited funding provided to a number of our Title 50 elements by ODNI \nand NCIX in FY 11 and 12. We don't anticipate any additional funding \nfrom ODNI or NCIX.\n    Mr. Thornberry. Does the Department have a strategy to leverage \ncommercial cyber security solutions to enable it to benefit from such \ncapabilities as real time, global threat intelligence that has been \noptimized to work in highly sensitive environments? Who in the \nDepartment is responsible for the operational requirements, technical \nrequirements, funding and acquisition? When does the Department plan to \nstart executing against each of these requirements?\n    Ms. Takai. 
Yes, for instance, initial funding was secured beginning \nin FY 14, under the program name ``Zero day Network Defense'' (ZND) \nwhich consists of commercial tools to be acquired and deployed in \npartnership between the Defense Information Systems Agency (DISA) and \nNSA to provide this defensive capability at the DOD perimeter, and on \nclassified end point systems.\n    While unclassified systems are just beginning to use this \ntechnology from commercial vendors, we are currently seeking funding to \nexpand the ZND capability to unclassified networks and develop a Global \nReputation Service that will be capable of ingesting information from \ncommercial vendors, as well as government sources.\n    The requirements for this capability were derived from multiple \nsources, including the Cyber Situational Awareness Initial Capabilities \nDocument with input from all DOD components and agencies.\n                                 ______\n                                 \n                  QUESTIONS SUBMITTED BY MR. LANGEVIN\n    Mr. Langevin. General Alexander, in testimony before the Senate \nArmed Services Committee on Tuesday, you noted the creation of 13 teams \nwith an offensive focus. Given that cyber in many cases requires \npreparatory work in order to access the full range of capabilities, how \nforward-leaning will these teams be?\n    What training will you be providing to the identified mission teams \nand to other personnel who are being assigned to cyber work? Do you \nrequire additional authorities or resources in order to fully train the \nmen and women under your command, particularly with regard to language \nskills, emulation and red-teaming?\n    General Alexander. USCYBERCOM identified 42 specific work roles and \nthe standards and skills required for planning and executing cyberspace \noperations. 
We worked with the National Security Agency, Service \nDepartments, academia, and the private sector to leverage existing \ntraining solutions and created new ones, as appropriate, to train the \npersonnel assigned to those work roles (see Exhibit A for additional \ndetail.) Over the next three years we will train the Cyber Mission \nForces that will perform world-class offensive and defensive cyber \noperations as part of our Cyber National Mission Teams, Cyber Combat \nMission Teams and Cyber Protection Forces. We do not require additional \nauthorities or resources to train the currently identified cyber \nprofessionals.\n    [Exhibit A is For Official Use Only and is retained in the \ncommittee files.]\n    Mr. Langevin. Ms. Takai, what progress has DOD made in improving \nthe agility and flexibility of the IT acquisition process, and is there \nadditional Congressional action needed?\n    Ms. Takai. There are unique characteristics associated with the \nacquisition of information systems that require the use of acquisition \napproaches different from those normally used by the Department for \nacquiring weapons systems. All acquisition approaches should be \ntailored to the nature of the product being acquired. For example, \ninformation systems (e.g. business systems) do not require significant \ntechnology development like many weapons systems and they do not have \nthe long term operations and support challenges facing most weapons \nsystems. The Department has made steady progress in implementing \nseveral of the key approaches for improving the agility and flexibility \nof the IT acquisition process in the areas of requirements, \nacquisition, testing and certification and human capital. 
Many of these \nefforts will be captured in the next release of DODI 5000.02, \n``Operation of the Defense Acquisition System'' including:\n    <bullet>  Requirements: The Joint Staff has updated the \nrequirements management process (Joint Capability Integration and \nDevelopment System (JCIDS)) to include a more streamlined requirements \nmanagement and approval process for acquisition of information systems.\n    <bullet>  Acquisition: On June 23, 2011, a Directive-Type \nMemorandum (DTM) on Business Capability Lifecycle (BCL) was signed and \nissued by USD (AT&L). The BCL provides a framework for implementing \nmore flexible and streamlined processes for the acquisition of these \nbusiness information systems and has been incorporated into the next \nrelease of DOD 5000.2.\n    <bullet>  Test and Certification: The Department's testing \ncommunity has been working in collaboration with USD (AT&L) to \nincorporate an integrated testing, evaluation, and certification \napproach into the DODI 5000.02, to reduce redundancies in system \ntesting activities and improve the efficiency and effectiveness of \ntesting the Department's information systems.\n    <bullet>  Human Capital: A comprehensive review of IT acquisition \ncompetencies is also currently being conducted by the Department's \nChief Information Officer. This review will update the IT acquisition \ncompetencies to better define DOD critical skill sets and assist in the \nupdate of curricula at the Defense Acquisition University and the \nInformation Resources Management College.\n                                 ______\n                                 \n                   QUESTIONS SUBMITTED BY MR. ROGERS\n    Mr. Rogers. Ms. Takai, could you please explain the Department's \ndecisionmaking process for when to use ``sole source'' and ``brand name \nonly'' solicitations, such as those run under the Air Force's NETCENTS-\n1 and NETCENTS-2 contracts?\n    Ms. Takai. 
The vast majority of procurements through the NETCENTS \nvehicles are accomplished via a competitive process. In the rare event \nthat a sole source or specific brand name is required, appropriate \nJustification and Approval documentation is prepared and approved at a \nlevel commensurate with the dollar value of the proposed procurement.\n    Mr. Rogers. What steps does DOD take to meet the statutory \nrequirements of FAR sec. 6.303 and/or FAR sec. 16.505, as applicable, \nthat are the prerequisites for a sole source and/or brand name product \nprocurement, single name product procurement, including the necessity \nto conduct open procurements, determine minimum needs, and solicit the \ninterest of manufacturers or prospective offerors?\n    Ms. Takai. All DOD requiring officials must follow and adhere to \napplicable procurement policies in accordance with the Defense Federal \nAcquisition Regulation Supplement (DFARS), which is regularly revised \nto ensure alignment with the Federal Acquisition Regulations (FAR) as \nwell as other regulations and statutes. DFARS subpart 216.5 requires \nthat all orders for supplies or services exceeding $150,000 that are \nplaced under multiple award contracts be awarded on a competitive basis \nwith fair notice given to vendors of the intent to purchase, and an \nopportunity for all vendors to submit offers and receive fair \nconsideration. There are allowable exceptions that must be based on \njustifications and/or determinations written and approved in accordance \nwith FAR 8.405-6; if a statute requires the purchase be made from a \nparticular source, or if one of the circumstances described in FAR \n16.505 (b) (2) (i) through (iv) applies. DOD contracting officers must \nalways consider price or cost as factors when selecting a vendor for \naward, and should also consider past performance of potential vendors. 
\nAs an overview, the steps followed to award in DOD include: 1) system \nengineering analysis to determine requirements, 2) market research to \ndetermine what products are available to satisfy those requirements, \nand 3) written documentation via a determination or Justification and \nApproval of anything less than full and open competition (including \nspecification of a particular brand name product). Even when a \nparticular brand name product is required and justified, there is an \nexpectation of competition if there are multiple competing resellers of \nthat same brand name product.\n    Mr. Rogers. When the requirements of FAR sec. 6.303 and/or FAR sec. \n16.505, as applicable, are determined not to have been met, what \nremedial steps are in place to make sure these requirements are \nconsidered?\n    Ms. Takai. There are many stages at which such a determination \nmight be made, such as: by the program manager after market research \nactivities, by the contracting officer or the contracting activity's \nCompetition Advocate prior to solicitation and/or award or by the \nGovernment Accountability Office after an unsuccessful vendor files an \nappeal. There are different remedial steps for each scenario. Standard \nDOD acquisition and procurement procedures contain safeguards and \ncheckpoints at multiple levels to ensure that any proposed exceptions \nto the competition rules are fully vetted and adequately justified. DOD \ncontracting officers must make public the justification(s) required by \nFAR 6.303-1 in accordance with FAR 5.3 and as required by law. If a \nprospective (or unsuccessful) offeror believes that the procedures \ndescribed in the FAR and/or DFARS have not been followed, they will \ngenerally contact the contracting officer who has responsibility for \nthe acquisition, or the contracting activity's parent organization. 
If \nwarranted, the contracting officer can then cancel the procurement \nactivity--or issue a ``stop work'' order to study the situation (if the \ncontract has already been awarded). In order to meet the requirements \nof the requesting office, the contracting officer may reshape the \nprocurement into a competition among multiple vendors under a pre-\nexisting contract vehicle, or pursue full and open competition among \nall vendors of a particular type/class of capability.\n    Mr. Rogers. What process does DOD use in deciding to standardize on \nparticular technology, and how does such standardization further the \ngoal of maintaining a competitive procurement process which is \nessential to reducing costs in government procurements? Does that \nprocess flow down to how the Services make similar decisions?\n    Ms. Takai. When there are clearly definable minimum functional/\ntechnical standards that are available and necessary to attain a \nrequired capability, the DOD CIO will assemble a cross-Component \n``tiger team'' (including Acquisition personnel) to translate those \nstandards into requirements suitable for release of a Request for \nQuotes (RFQ) or a Request for Proposals (RFP) to industry. For example, \nwhen data-at-rest (DAR) software was initially identified as an urgent \nrequirement for all DOD laptops and portable computers, the Defense-\nWide Information Assurance Program (DIAP) assembled such a tiger team \nto flesh out the applicable required specifications. Then they \npartnered with the DOD ESI Software Product Manager team from USAF to \ntranslate these specifications into an industry solicitation that \nresulted in the creation of DOD ESI Blanket Purchase Agreements from 10 \ndifferent publishers of DAR software. By DOD CIO policy, all DOD buyers \nof DAR software were required to buy DAR software only through one of \nthese agreements. 
Competition among the resellers generally resulted in \nlower prices, and the DIAP certified that all purchased products met \nboth the functional & technical standards.\n                                 ______\n                                 \n                   QUESTIONS SUBMITTED BY MR. FRANKS\n    Mr. Franks. General Alexander, I want to thank you for your service \nand leading such important missions with USCYBERCOM and the NSA. I am a \nstrong believer that our military is, and should always be, better than \nthe rest of the world's armed forces, and that we should never be \nentering fair fights. With that in mind, and the introduction of these \nnew offensive cyber teams, and the fact that cyber threats are a \nrelatively new phenomenon, how much better are we on offense, and \ndefense in the cyber realm as compared to our enemies?\n    General Alexander. We believe our offense is the best in the world. \nCyber offense requires a deep, persistent and pervasive presence on \nadversary networks in order to precisely deliver effects. We maintain \nthat access, gain deep understanding of the adversary, and develop \noffensive capabilities through the advanced skills and tradecraft of \nour analysts, operators and developers. When authorized to deliver \noffensive cyber effects, our technological and operational superiority \ndelivers unparalleled effects against our adversaries' systems.\n    Team Cyber is constantly increasing its operational and analytic \ndefensive capabilities through the adoption and use of standards to \nfacilitate domain knowledge representation and information sharing \nacross the community. 
In addition, the use of standards ensures \ncompatibility with technologies commonly available in the public domain \nand allows for the rapid integration of new functional capabilities to \navoid long-term engineering and development cycles.\n    Potential adversaries are demonstrating a rapidly increasing level \nof sophistication in their offensive cyber capabilities and tactics. In \norder for the Department of Defense to deny these adversaries an \nasymmetric advantage, it is essential that we continue the rapid \ndevelopment and resourcing of our Cyber Mission Forces.\n    Mr. Franks. General Alexander, last year I asked you a question: \nHow prepared are we to carry out your mission if the power grid or \nsubstantial part of it were to go down for an extended period of time? \nFor example, two weeks or longer due to severe space weather or a \nmanmade electromagnetic pulse.\n    Your answer included the fact that much of DOD's cyberspace is \nserved through commercial providers. Do you feel that the power and \nelectricity needed to carry out your mission is important enough to \nrequire those commercial providers of the power grid to successfully \nharden their grid from severe space weather or manmade electromagnetic \npulse? Can the DOD require that of commercial providers of the grid? Do \nyou feel that this issue is important enough that legislation is needed \nto force the hand of industry to act?\n    General Alexander. While I absolutely agree with the criticality of \ncyber hardening the power grid, I also believe any legislative solution \nhas to take into account the prohibitive costs associated with doing so \ngiven its antiquated state. I believe the activities underway through \nthe President's EO 13636 ``Improving Critical Infrastructure \nCybersecurity'' and PPD-21 ``Critical Infrastructure Security and \nResilience'' are a good first step. 
Legislation which builds upon these \nactivities by providing the right set of incentives would be \ninvaluable.\n    From an NSA and CYBERCOM perspective, it is also critical that \nCongress pass information sharing legislation that enables effective \ntwo-way sharing of cyber threat information and countermeasures between \nthe private sector and the USG. By effective two-way sharing, I mean \nthat the government needs to know, in real time, when there are \nindications of cyber intrusions or attacks against the nation's \ncritical infrastructure, and the government needs to be able to share \nin real time, indications and warnings of attacks and associated \ncountermeasures that the private sector needs to protect their \nnetworks. Given the authority to share information, the ISPs could act \nas a domestic radar that can see cyber threats and tip and cue the \ngovernment to respond in real time.\n\n                                  <all>\n</pre></body></html>\n"