<html>
<title>[H.A.S.C. No. 113-87] INFORMATION TECHNOLOGY AND CYBER OPERATIONS: MODERNIZATION AND POLICY ISSUES IN A CHANGING NATIONAL SECURITY ENVIRONMENT</title>
<body><pre>[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]

                         [H.A.S.C. No. 113-87]

                    INFORMATION TECHNOLOGY AND CYBER

                     OPERATIONS: MODERNIZATION AND

       POLICY ISSUES IN A CHANGING NATIONAL SECURITY ENVIRONMENT

                               __________

                                HEARING

                               BEFORE THE

    SUBCOMMITTEE ON INTELLIGENCE, EMERGING THREATS AND CAPABILITIES

                                 OF THE

                      COMMITTEE ON ARMED SERVICES

                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             SECOND SESSION

                               __________

                              HEARING HELD

                             MARCH 12, 2014

                      U.S. GOVERNMENT PRINTING OFFICE

  87-619                   WASHINGTON : 2014
___________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Printing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer
Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or
866-512-1800 (toll-free). E-mail, gpo@custhelp.com.

    SUBCOMMITTEE ON INTELLIGENCE, EMERGING THREATS AND CAPABILITIES

                    MAC THORNBERRY, Texas, Chairman

JEFF MILLER, Florida                 JAMES R. LANGEVIN, Rhode Island
JOHN KLINE, Minnesota                SUSAN A. DAVIS, California
BILL SHUSTER, Pennsylvania           HENRY C. ``HANK'' JOHNSON, Jr.,
RICHARD B. NUGENT, Florida               Georgia
TRENT FRANKS, Arizona                ANDRE CARSON, Indiana
DUNCAN HUNTER, California            DANIEL B. MAFFEI, New York
CHRISTOPHER P. GIBSON, New York      DEREK KILMER, Washington
VICKY HARTZLER, Missouri             JOAQUIN CASTRO, Texas
JOSEPH J. HECK, Nevada               SCOTT H. PETERS, California
                 Kevin Gates, Professional Staff Member
                 Mark Lewis, Professional Staff Member
                          Julie Herbert, Clerk

                            C O N T E N T S

                              ----------

                     CHRONOLOGICAL LIST OF HEARINGS
                                  2014

                                                                   Page

Hearing:

Wednesday, March 12, 2014, Information Technology and Cyber
  Operations: Modernization and Policy Issues in a Changing
  National Security Environment..................................     1

Appendix:

Wednesday, March 12, 2014........................................    23
                              ----------

                       WEDNESDAY, MARCH 12, 2014
 INFORMATION TECHNOLOGY AND CYBER OPERATIONS: MODERNIZATION AND POLICY
           ISSUES IN A CHANGING NATIONAL SECURITY ENVIRONMENT
              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS

Langevin, Hon. James R., a Representative from Rhode Island,
  Ranking Member, Subcommittee on Intelligence, Emerging Threats
  and Capabilities...............................................     2
Thornberry, Hon. Mac, a Representative from Texas, Chairman,
  Subcommittee on Intelligence, Emerging Threats and Capabilities     1

                               WITNESSES

Alexander, GEN Keith B., USA, Commander, United States Cyber
  Command........................................................     5
Takai, Hon. Teresa M., Chief Information Officer, U.S. Department
  of Defense.....................................................     3

                                APPENDIX

Prepared Statements:

    Alexander, GEN Keith B.......................................    39
    Takai, Hon. Teresa M.........................................    27

Documents Submitted for the Record:

    [There were no Documents submitted.]

Witness Responses to Questions Asked During the Hearing:

    [There were no Questions submitted during the hearing.]

Questions Submitted by Members Post Hearing:

    Mr. Carson...................................................    55
    Mr. Kilmer...................................................    56
    Mr. Peters...................................................    61
    Mr. Thornberry...............................................    53

 INFORMATION TECHNOLOGY AND CYBER OPERATIONS: MODERNIZATION AND POLICY
           ISSUES IN A CHANGING NATIONAL SECURITY ENVIRONMENT

                              ----------

                  House of Representatives,
                       Committee on Armed Services,
                   Subcommittee on Intelligence, Emerging
                                  Threats and Capabilities,
                         Washington, DC, Wednesday, March 12, 2014.
    The subcommittee met, pursuant to call, at 3:30 p.m., in
room 2118, Rayburn House Office Building, Hon. Mac Thornberry
(chairman of the subcommittee) presiding.

OPENING STATEMENT OF HON. MAC THORNBERRY, A REPRESENTATIVE FROM
TEXAS, CHAIRMAN, SUBCOMMITTEE ON INTELLIGENCE, EMERGING THREATS
                        AND CAPABILITIES

    Mr. Thornberry. The subcommittee will come to order.
    The subcommittee meets today to examine issues related to
information technology [IT] and cyber operations, both from a
policy and budget perspective.
    We are glad to have both General Alexander and Ms. Takai
back with us again this year.
    These two issues are among the most challenging we face in
national security.
    On the first, the full committee and all subcommittees have
undertaken a 2-year effort to improve the acquisition practices
of the Department of Defense [DOD]. While there are
improvements to be made in all areas of contracting and
acquisition, there is particular concern about how the
Department can put up-to-date technology in the hands of the
warfighter in a timely and cost-effective manner.
    This subcommittee has tried to keep a close watch on these
issues over the years, but this broader reform effort, which we
are pursuing cooperatively with the Senate and the Pentagon and
industry, may give us opportunities to make improvements that
have not been seriously pursued before, and we should take
advantage of it.
    The second issue, of course, is cyber operations. This
subcommittee has viewed as one of its primary responsibilities
helping ensure that the military is as prepared as it can be to
defend the Nation in cyberspace. It is one of the few areas of
the budget where there is widespread agreement that we need to
spend more. But we also want to see that all taxpayer funds are
spent carefully and effectively, and we want to help develop
policies and, frankly, the public education required to protect
the Nation in this new domain of warfare.
    Finally, I want to offer, on behalf of the people I
represent and especially on behalf of the service men and women
I represent, our tremendous gratitude to General Alexander for
his service to the Nation. He retires at the end of this month,
and this may well be his last or one of his last hearings.
General Alexander has led the National Security Agency [NSA]
since 2005 and then also Cyber Command [CYBERCOM] since its
creation in 2010.
    These have been turbulent, challenging years, with a
constant yet evolving terrorist threat and an explosion of
cyber threats, as well as other national security challenges.
Through it all, through terrorist plots, cyber intrusions of
every description, not to mention intentional illegal
disclosures of important national security information, he and
the folks at NSA made sure that support for our troops in the
field was a top priority. And we will never know how many of
their lives were saved because of the professionalism,
commitment, and focus of the people at NSA and CYBERCOM--
qualities reflected in their commander.
    So, General, for all your service that has meant so much to
the Nation and for all your openness and candor with this and
other committees in the Congress, we thank you.
    I yield to the ranking member, Mr. Langevin.

  STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE FROM
  RHODE ISLAND, RANKING MEMBER, SUBCOMMITTEE ON INTELLIGENCE,
               EMERGING THREATS AND CAPABILITIES

    Mr. Langevin. Thank you, Mr. Chairman.
    Ms. Takai, it is a pleasure to welcome you back before the
subcommittee.
    And, General Alexander, it is my duty to inform you that
you have to endure one last go-round through the wringer before
your well-earned retirement.
    But we are grateful that you are both here today.
    Information systems are obviously the linchpin of
everything that we do as a Nation, and the military is
certainly no exception. IT continues to be a massive portion of
our defense enterprise investment, and cyber operations are one
of the only growth areas in the DOD budget. In today's fiscal
environment, there can be no higher validation of the
importance of these missions.
    There is no shortage of critical discussion, of course,
that we need to have this afternoon, so I am going to keep my
comments pretty brief, but there are a few points I would
like--that I would appreciate both of you addressing to the
extent possible in your opening remarks and possibly at greater
length in a classified session.
    The first is the adjustments that you have made in your
respective jurisdiction with regard to the gravely damaging
leaks of highly classified information by Edward Snowden. To
the extent possible, I know all of us would appreciate hearing
how the Department has shifted to protect and prevent such
insider threats in the future and especially how we are
spreading those lessons learned.
    And speaking of lessons learned, our recent unfortunate
news about a particular IT program that was unsecured for
months as a result of contract confusion raises again the
complexities of contracting for IT and related services.
Understanding that this is a continuing saga, I would
appreciate knowing what sort of lessons are being drawn from
this event and how you are working to prevent similar problems.
    Also, I think the committee could also benefit from an
update on the creation of the mission teams and how both of you
are handling the challenges of personnel retention and growth.
In particular, General, how you are using the capabilities of
the Reserve Component and, Ms. Takai, how you are dealing with
the increased needs and challenges stemming from the Joint
Information Environment [JIE] and the cloud security model.
    Given the proliferation of polymorphic malware and other
advanced methodologies aimed at defeating traditional cyber
defenses, I think we would be interested to know more about how
the Department is defending against these threats until the
Joint Information Environment comes on line.
    And, as both of you know, also I am very concerned about
the security of the information systems underpinning of our
critical infrastructure, especially those enterprises which
support the Department of Defense. I would appreciate an update
on what the Department is doing to work with and better secure
those networks.
    And, finally, before we go into your statements and Member
questions, I would just like to note for the record what an
extraordinary career you have had, General Alexander. In your
40 years of service, going back to West Point, class of 1974,
you have shown true dedication and commitment to America's men
and women in harm's way. You have been a partner to this
committee for the last 9 years, and I found your testimony
always to be very candid and forthcoming.
    And I am sure that certainly there were times when it would
have been much easier just simply to probably just call it a
career and move on to retirement, but you have persisted and
accomplished truly remarkable things when it comes to
investments in our cryptologic platform, standing up the
Nation's first sub-unified command for cyber while fighting for
the means to build our Nation's cyber force and the
development--and developing the capability for our Nation to
defend itself in cyberspace, all done during very turbulent and
transformational times.
    So, General, with that, a grateful Nation salutes you for
your inspired service. I echo the comments of the chairman. And
I personally wish you the very best in your retirement, in this
next chapter in your life, and I hope that we will stay in
touch. Thank you.
    I yield back, Mr. Chairman.
    Mr. Thornberry. Thank you.
    Ms. Takai, if you would like to summarize your opening
statement. And, without objection, your full statements will be
made part of the record.

 STATEMENT OF HON. TERESA M. TAKAI, CHIEF INFORMATION OFFICER,
                   U.S. DEPARTMENT OF DEFENSE

    Ms. Takai. Thank you very much. I appreciate it.
    Well, first of all, Mr. Chairman and members of the
subcommittee, thank you for the opportunity to be here today.
It is a great honor to be here with my cyber team member. And
General Alexander and I have worked very closely, and I very
much have appreciated all the support that he has provided to
me and to my organization.
    I would like to just touch on a few things, and I would
like to perhaps answer at least some subset of the questions
that were raised. I would like to give you an overview of where
we are on JIE and then certainly can address a couple of the
items that were discussed there. And I know we are going to
talk about those more.
    I would just, as an opening, mention that we are submitting
and you have our fiscal year 2014 IT budget request, which is
$37.7 billion. With that, we are holding our cyber investment,
and our cyber investment will be $5.2 billion of that. And I
think, as you know, that is a variety of both infrastructure
and defense as well as other areas.
    So let me just talk a minute about JIE. I think all of you
know that it is really an ambitious effort to realign and
restructure the way our networks are constructed, operated, and
defended. And it really is there to enable U.S. Cyber Command
to be able to operate and defend on our networks.
    The challenge is, it is an alignment of an existing vast
set of networks. It is going to change the way we assemble,
configure, and use new and legacy information technologies. It
is actually going to change also our operations. It will
consist of enterprise-level network operation centers that will
reduce the complexity and ambiguity of being able to actually
see our networks. Our core data centers--as you know, we are
reducing our data centers over the FYDP [Future Years Defense
Program] to almost half of what we have today, and all of that
within a standard single security architecture that will reduce
the plethora of tools and configurations that we have.
    And the ultimate beneficiary of JIE is really the commander
in the field. It is also going to allow for more innovative
integration of information technologies and, as a part of that,
will actually help, we believe, in the question that you raised
on the fit with the acquisition strategies. It will actually
lay an infrastructure in place that we believe will actually
help the speed of acquisition without necessarily meaning that
we have to change acquisition processes per se.
    Again, all of this in light of our cybersecurity program. I
would just highlight a couple of other things. We are working
with our defense industrial base partners on a cybersecurity
information-sharing program. I highlight that because I think
it is an example of what is possible from an information-
sharing perspective. And General Alexander has been a continued
advocate for it, and I think it does pave the way for other
areas that we want to work on.
    As it relates to the insider-threat question, we work very
closely with USD(I) [Under Secretary of Defense for
Intelligence], the intelligence organization, they're really
the lead on insider threat. But I think as you have seen from
some of our actions, one of my roles has been to work with them
to put out policy, very closely then followed by U.S. Cyber
Command putting out specific direction, in terms of reinforcing
some areas, you know, like the removable media, but also
reinforcing policies in terms of who is on our network.
    But, ultimately, for insider threat, it is really going to
be our Joint Information Environment and really tightening
down, being able to see on our network but also being able to
see who is there and, if in fact we have an issue, being able
to catch it and contain it very quickly. So we are looking at a
set of steps that is not only a single action but steps that
will take place over time.
    Another item that I wanted to mention is that I think there
is a perception that JIE is something that is out there in the
future. In fact, we are implementing elements of JIE as we go.
And we will certainly talk more about our data center
consolidation, our implementation of many elements of our
single security architecture. And while this is going to take a
period of time, I wouldn't want to leave the impression that
this is all in the future and that we are not working with it
and working to that right now.
    A couple of other items that I would mention if, in fact,
we have time to talk about them: I do have responsibility for a
position navigation and timing strategy, which I think is
becoming critically important, particularly as we look at it in
light of potential cybersecurity threats to that area of
technology. And then, finally, I think as you know, we are
responsible for the Department's spectrum strategy, and there
may be some questions.
    So, with that, I will leave you with that summary. And,
again, we appreciate the opportunity to be here.
    [The prepared statement of Ms. Takai can be found in the
Appendix on page 27.]
    Mr. Thornberry. Great. Thank you.
    General.

  STATEMENT OF GEN KEITH B. ALEXANDER, USA, COMMANDER, UNITED
                      STATES CYBER COMMAND

    General Alexander. Chairman, Ranking Member, distinguished
members of the committee, it is an honor and privilege to be
here for what we hope, or at least one of us hopes, is our last
appearance before the committee in uniform.
    I thought I would talk about two things: first, a little
bit about the threat. Because I think it is important to couch
what our country will face in a construct of the threat that we
are going to face.
    The target, exploitation, and theft of our personal data
highlights some of the threats that go on in industry every
day. But our Defense Department systems are scanned by
adversaries about 250,000 times an hour, on average, for
vulnerabilities.
    And when you look at it, look at the amount of disruptive
attacks, exploitations, and now destructive attacks that have
hit the world. In August of 2012, Saudi Aramco was hit with one
of the first destructive attacks, where the data on over 30,000
systems was destroyed. Since then, our financial networks have
been hit with hundreds of disruptive distributed denial-of-
service attacks, we have seen South Korea hit with destructive
attacks where data was wiped off their banks, and I believe
there are worse things to come.
    It was interesting, out in RSA [annual cybersecurity
conference], over the last couple weeks--we briefly talked
about it. How bad can cyber attacks get? How about burning the
internal components of a machine, whether PC or Mac, to a
crisp, setting it on fire? So they actually demonstrated that
out there. So that you can go all the way from disrupting to
destroying the data to destroying the equipment itself.
    From our perspective, there are a number of things that we
have to put in place to stop this. So we came up with five key
things to address this threat. And I believe we are going to
have to move on that as a Nation. And this is where,
Chairman, I would really push the committee to help the
Department and the rest of the government to move forward.
    First, we have to get a defensible architecture. The
architecture that we have, our dependence on something we call
Joint Information Environment, really gets us a step in that
direction.
    And the reason that is so important, when you look at DOD's
networks, we have 15,000 enclaves. It is very difficult to
ensure that one of those doesn't get penetrated. And if they
get into one, they are free to roam around all of them, and
that creates a problem. Oftentimes, adversaries will get into a
network and be there for a while, on the civilian side up to 9
months, before they are detected. We can't afford to have that
happen in our government networks. More importantly, that is
the road in for more disruptive and destructive attacks.
Because once they get in, they can then do things to the
network, like disrupt and destroy it.
    So, a defensible architecture.
    Trained and ready force. One of the good parts about Cyber
Command being at NSA, I think the training of our forces is
going extremely well. We have trained almost 900 people. We
have 900 more, roughly, in training right now. By the end of
this year, that means we will have 1,800 trained and ready
personnel in teams that cover from our Cyber Protection Teams
all the way up to the National Mission Force.
    And those personnel from across all the services are being
trained to the same standards that we set at NSA. It is
important that people who operate in these networks are trained
to that same standard; it is extremely important. And it is the
same for the Guard and the Reserve.
    So just to take that off for a minute, so the exercises
that we do, CYBER FLAG and CYBER GUARD, are ways that we can
hone our command and control and ensure that our teams, both in
the Active and Reserve, are being trained to those standards.
So one of the things we set up with the Reserve and the
National Guard is to train them to just that standard and then
try to set your teams up to match what the Active Component is
doing.
    Authorities. Here is where we need your help. We need cyber
legislation. We need the ability to reach out and hear from
industry when they are being attacked at network speed--the
government, not just NSA and Cyber Command, but FBI [Federal
Bureau of Investigation] and DHS [Department of Homeland
Security]. So we have to have cyber legislation that goes
beyond where the Electronic Communications Privacy Act, ECPA,
and the Stored Communications Act prevent some of those
sharings from going on, and we have to have that.
    Command and control. We have to have the right command and
control structure, seamless command and control, from the
President all the way down through the SecDef [Secretary of
Defense], DNI [Director of National Intelligence]; everybody
understands how we are going to do this in time of crisis. That
has to be set up ahead of time.
    And, finally, you have to be able to see what is going on
in cyberspace. If you are going to use forces to defend this
Nation, they have to have a common picture of how they are
going to do it. If you ask anybody to draw a diagram of what
the attack looks like, get four different people, have them sit
at different desks, you will get four different pictures. That
means you have no coherent defense. We have to have a common
picture that people can see to defend it.
    Finally, I would just end by saying it has been a privilege
and honor to work with Ms. Teri Takai as the DOD CIO [Chief
Information Officer]. She has been a great partner, always
there to help us and always helpful.
    So, Chairman, thank you very much.
    Thanks, Teri.
    [The prepared statement of General Alexander can be found
in the Appendix on page 39.]
    Mr. Thornberry. Thank you. I appreciate the comments that
both of you made.
    We will go as far as we can with the questions until the
votes are called. And we will do everybody on the 5-minute
rule, starting now.
    General Alexander, I think this is the fourth time that you
have testified before this subcommittee, because we rearranged
jurisdiction and concentrated cyber in one subcommittee in
2011. So just give me a rough comparison between now and 4
years ago, how the threat has changed and how our capabilities
have changed. You know, which has grown the fastest--you know,
just kind of a rough, for the American people, what has changed
in the last 4 years on the threat and our capability.
    General Alexander. Chairman, I think the----
    Mr. Thornberry. Get the microphone a little closer. Thank
you.
    General Alexander. Or I could move up.
    I think the capabilities that have changed the most are the
technical capabilities for the threat to attack and for us to
defend. What is lagging is the authorities.
    So, to be specific, back in 2011, we pushed a memo up that
said, here is what we think is going to happen, and, in fact,
that did happen. So we actually were pretty close in defining
the disruptive attacks that were to come. And we went to
Secretary Panetta and said, here is what we think we need to do
to defend against these.
    I now think we need to be ready for destructive attacks.
And we have tools that can be used to defend against it, but we
don't have the authorities to see it, which means those tools
would be useless.
    Think of this as a radar system. What we have is missiles
that are coming in, cyber missiles that are coming in, and no
way to see where they are going, so you have no way to shoot
them down. You can see them land in civilian infrastructure and
say, well, we could have stopped that one if we had only seen
it.
    So we have to have a way of seeing so that the Defense
Department, FBI, and Homeland Security can act in the interest
of the Nation. That is where I think that the biggest gap is.
    There are some tools and training that we are doing, but,
actually, I think that is going pretty good. I think they are
up--they are up where we would want them to be, in terms of
being prepared to respond if authorized to do so.
    Mr. Thornberry. Okay.
    And just to be clear, when you say ``destructive attack,''
you mean data gets destroyed or the computer literally melts
down, like happened at RSA?
    General Alexander. Both.
    Mr. Thornberry. Yeah. Okay.
    Briefly, Ms. Takai, you talked a lot, which I appreciate,
about the Joint Information Environment. One of my questions
is, it has all the characteristics of a major program, yet it
is a little vague on who is in charge. Who is in charge?
    Ms. Takai. Well, sir, I can answer that. I am in charge.
The Secretary has signed out two memos actually directing me to
implement JIE.
    Now, as part of that, though, clearly, our requirements in
terms of what is necessary from JIE come from Cyber Command and
the component cyber commanders to ensure that we are meeting
their needs. We are taking it through our processes in the
building, so it does have--and go through the Joint Staff
processes to ensure that we have what we call validated
requirements.
    And so, while it may not be a program of record, per se--
and I will come back to that--it very much is using all of the
processes in the building to make sure that, again, whether it
is the size and scope of DOD, we have to make sure that we have
a sustained program that isn't dependent upon one person but,
again, is a part of all the programs.
    Let me come back to why it is not a program of record. It
is not a program of record because we are not seeking to look
at a funding for the program, per se. Because, largely, today,
about 50 percent of our overall IT spend is in sustainment
dollars, effectively in our infrastructure and what it takes
for that infrastructure to move forward.
    It is important that we take those moneys and direct those
to the Joint Information Environment. And so, by doing that, we
can ensure that we are not just adding technology, we are
actually changing the underlying infrastructure.
    Second thing is that it is a long-term program. It involves
not only the services but all the components. And each of them
has to do it within their existing architecture. They have to
come up with their own implementation plans. And, in fact, that
is what they have submitted to me as of this month.
    Mr. Thornberry. Can you order a service to make a change? I
mean, if you are in charge, do you have that authority?
    Ms. Takai. Yes, sir.
    Mr. Thornberry. If you have a validated requirement from
the Joint--you can say, Air Force, Army, whoever, you do that.
    Ms. Takai. Yes, sir.
    Mr. Thornberry. Okay.
    I want to go back to some of those legacy issues in a
minute, but, at this point, I would yield back to Mr. Langevin.
    Mr. Langevin. Thank you, Mr. Chairman.
    Along that same line, I guess, you know, I do have some
concerns there, because, you know, how is the Congress and the
Department, how are we expected to really have oversight
visibility across this massive undertaking and, you know, the
JIE, how will it interface with other ongoing initiatives?
    So I want to know, will the Department provide standard
programmatic guidance, such as baselines, capabilities
documents, cost estimates, and schedules?
    Ms. Takai. Yes, sir. We certainly can provide all of the
underlying architecture documents, for instance, just to give
you an example of the kinds of direction that we are giving to
the services and the components in terms of the technical
actions they are expected to take, number one.
    Number two, we do have an overall plan that takes us to the
point that we are today. But by about the middle of next month,
I will be taking the implementation plans that are coming in
from the services and creating an overall master plan. And we
are more than happy to share that with the subcommittee so that
you can see what our direction is. And then, on a periodic
basis, we can certainly come back in and show you the status of
each of the components in terms of the progress that they are
making.
    Mr. Langevin. Okay. I think that would be important so this
doesn't get away from us and we are providing the level of
support that you need, as well, to make it effective.
    So as the areas like electronic warfare [EW] and cyber
converge, are you satisfied with your level of coordination
with the EW community in the Department? And how does that
coordination take place?
    Ms. Takai. Well, sir, I am satisfied with the level of
coordination, but I am--I do feel we are challenged to really
keep up with being able to think through and meet the threat.
That is something that we are continuing to work on.
    And from an EW standpoint, I think there are a number of
areas that are going to converge, in terms of what we are doing
from a cybersecurity standpoint and what we are doing from a
JIE perspective.
    One of the things that we have just done, the Secretary has
really directed me to set up a much stronger IT governance
process that includes not only JIE but it includes all of the
areas of technology. And one of the things that we have recently
done in our governance process is to restructure it. And in
that restructuring, we have combined C2 [command and control]
and cyber into a single governance process to try to drive the
convergence that you are speaking of much closer than it is
today.
    Mr. Langevin. Thank you.
    General, do you have any thoughts on that?
    General Alexander. Congressman, I think the one key thing
is we do see electronic warfare and cyber coming closer
together technically. You can see this because of the--our
wireless environment is very much akin to what you have in
terms of the early-warning radars, radio direction and ranging
capabilities, going digital with that, the ability to go over
one link or the other, the jamming that goes on. You can
actually jam, now, a distributed denial-of-service attack. You
can do that in cyberspace; you can do that in EW. And I think
we are going to have to push those together, because those
effects are overlapping already, and we see that.
    And in dealing with the services, it was our assessment in
2010 that you would start to bring all of these together into
one domain. And I think we actually are going towards that and
need to do that.
    Mr. Langevin. Probably a good segue, then, to my next
question. Given the increasing role of cyber, are you still
satisfied with CYBERCOM as a sub-unified command? And what
would be the benefits and drawbacks of elevation as a full
combatant command, as you see them?
    General Alexander. So I think, as we have added on more
teams, the requirement to go from sub-unified to unified is
growing. And I think over the next year we have reached a
tipping point where we are going to need to shift to a unified
command.
    In 2007, we set out a framework of four options for the
Secretary of what you should/could do for building a cyber
command of some sorts. It started out with a sub-unified
command, went to a unified command with two options: a SOCOM
[Special Operations Command]-like model or a generic COCOM
[combatant command]. We believe that the SOCOM-like model is
where you need to go, which gives you the training and some of
the acquisition authorities over the cyber lane specifics. So
it is a SOCOM-like.
    And the fourth option was going to a service itself. I
think it would be premature to consider doing that. I think you
would really want to stop at a unified command and then say, so
where to go?
    Why a unified command? Command and control from the
President and the Secretary directly to that commander. In
cyberspace, that speed is going to be absolutely important. And
I think, as we add more teams and more complexity, STRATCOM's
[Strategic Command's] ability to actually play in this will
continue to go down.
    Now, to be completely candid, General Bob Kehler and now
Admiral Haney, Cecil Haney, have been wonderful to work with.
So there is no difference between us, and we both actually said
the same thing at the Armed Services--the Senate Armed Services
Committee hearing, as well.
    Mr. Langevin. Very good.
    So, with that, I would yield back. I know I at least have a
few seconds left.
    Thank you both.
    And again, General, thank you for your service, and wish
you well. Thank you.
    Mr. Thornberry. Ms. Davis.
    Mrs. Davis. Thank you, Mr. Chairman.
    And to you, General Alexander, we wish you the very best.
Thank you so much for your extraordinary service.
    And, Ms. Takai, thank you for being here, as well.
    You know, you talked about the need for legislation and
authorities. And some of that relates, of course, to the
private sector and the willingness of the private sector to
work together.
    What problems do you see in relation to that? We obviously
know there is already a history that we need to deal with. You
know, what does this look like, in your estimation? What do we
need to do?
    General Alexander. So the issue that we are wrestling with,
I think, with the private sector is on two parts: How do we
share data? I think that one we can actually resolve. And the
next question is liability protection. And I think this is
really the hard part. How do you set up the right liability
protection framework? I know the Senate is actually working
that one issue.
    I believe you are going to have to set up some liability
protection for when the government and others share, in good
faith, signatures that people employ that perhaps don't act as
they should have.
So if I make a mistake giving industry a \nsignature to protect them from malicious software and it also \nstops some other flow of traffic for a small period of time, \nthe company that did what we asked them in good faith shouldn\'t \nbe sued for that. So I think those kinds of things have to be \nthought through.\n    We have to have, though, a way for understanding when Wall \nStreet, for example, is under attack. Right now, we get it \nafter the fact or we get called up; it is not realtime. And, as \na consequence, we can\'t defend them. So that is the operational \nrequirement, from my perspective.\n    Mrs. Davis. Uh-huh. Will it take a major educational effort \nto do this? I guess I am trying to figure out how we get from A \nto B.\n    General Alexander. Well, I think the--my understanding is \nthe House has pushed forward a bill on that already, at least \ndid last year, and now----\n    Mrs. Davis. Yeah.\n    General Alexander [continuing]. The Senate needs to do the \nsame. And I think the Senate has stated their intent to try to \ndo that. So both the Intelligence Committee and the Armed \nServices Committee both have said that they want to do this. We \nhad discussions with both of them, and all the Members say \nthere is an imperative and a reason for doing this, we just \nhave to go do it. They don\'t want to wait for something bad to \nhappen to say, I wish we had done that last week.\n    Mrs. Davis. Right. Yeah. Okay, well, we are certainly going \nto be working on it, but I wondered if there is--if you have \nany more thoughts about, you know, really, how--I think there \nis so much concern in the public sector today that it makes it \na little more difficult to move forward, and we all have to \nwork on that.\n    Did you have a comment, Ms. Takai?\n    Ms. Takai. Yes. The one thing I would add is, again, back \nto some experience levels--and perhaps we can provide, you \nknow, as this continues to unfold. 
I think one of the things, \nfor instance, that we have been asked to do, in fact, as part \nof last year\'s NDAA [National Defense Authorization Act], was \nto begin to collect information from all of the defense \nindustrial base, not only those that are participating in our \ninformation-sharing program.\n    I think that is going to start to help. I mean, we are \ngetting a lot of concern from the defense industrial base \ncompanies today, but I think, as we roll that out, as they \nunderstand how this information is going to be used, that they \nsee the benefit. If it is anything like the program that we are \nrunning today, we are finding that the companies, once they get \ninto it, are very enthusiastic about it. They see what they can \ngain by talking to each other, not necessarily just by talking \nto us.\n    And so I know it is a small number, but, by the same token, \nour industrial base is fairly large. And, you know, perhaps we \ncan use some of that information to sort of ease some of the \nconcerns.\n    Mrs. Davis. General Alexander.\n    General Alexander. Could I add? We have the technical \nability today to apply signatures that defend the Department\'s \nnetworks through our systems right now that we can push out in \nessentially realtime. That defends us at the gateway and \nprovides us incredible defense against evolving threats.\n    We see those evolving threats, we are protected. And we \nlook over, and industry is not, and they get hit with that same \nthreat. So by the time we get it to them, it is too late; they \nhave already been impacted by it.\n    Mrs. Davis. Uh-huh. Yeah.\n    General Alexander. So we have to have a way of sharing that \nat network speed. I think that is critical, especially when \nthey go from exploit to disruptive attacks. We are going to \nhave to have something like that.\n    Mrs. Davis. 
Thank you.\n    I was pleased to hear you say that the teams seem to be at \nleast coming together in terms of the kind of training that is \nrequired. Because one of the concerns that we certainly have \nhad in the last few years is how we really bring that kind of \ntraining to the front.\n    And when we look at the Guard and Reserve, how do you see \nthat? Because we know that budget constraints are going to mean \nthat we may not be tapping the Guard and Reserve in the same \nway, certainly not in terms of ground troops, perhaps. But is \nthis an area that--really, the States can be very helpful in \nthe Guard and Reserve, as well, but it depends on the way it \nmoves forward. How do you see that?\n    General Alexander. So we have sat down with NORTHCOM \n[Northern Command] Commander General Jacoby, with the head of \nthe Reserves and National Guard, General Grass, Frank Grass, \nmyself, and a number of the TAGs [The Adjutants General] and \nsaid, here is what we need to do as a starting. We have Cyber \nProtection Teams; here is the starting point and here is what \nyou need for training.\n    We do need to leverage the Guard and Reserve, form them in \nthe same way we are so that we can use them as we need that and \ntrain them to that same standard. The reason I think it is \nimportant is many of these have tremendous skills that we \nshould leverage----\n    Mrs. Davis. Absolutely.\n    General Alexander [continuing]. Especially when you look \nout around the country. Places like Washington and California \nhave people with tremendous skills--and Texas, of course, and \nRhode Island. I didn\'t want to miss those. Whew, that was \nclose.\n    Mr. Langevin. I am listening.\n    Mrs. Davis. Thank you.\n    Mr. Thornberry. I thank the gentlewoman. And, actually, I \nthink we may have some further discussion on that.\n    Ms. Hartzler, do you have something right quick, or would \nyou rather come back? We are down--let\'s see. 
Only about 60 \npeople have voted, but the clock shows 4 minutes, so we can--do \nyou want to come back?\n    Mrs. Hartzler. If that is okay.\n    Mr. Thornberry. Okay.\n    Mrs. Hartzler. Can I just ask----\n    Mr. Thornberry. Oh, yeah. Yeah, sure. Recognize the \ngentlelady.\n    Mrs. Hartzler. I just came from reading the Edward Snowden \nreport, and I am sorry I was a little late, but I wanted to \nfinish it.\n    Are we going to have, are you aware of, a classified \nbriefing just on that where I could ask specific questions \nfollowing up, if you are aware?\n    Mr. Thornberry. If I could respond, this hearing is focused \non Cyber Command. This subcommittee will have an intelligence \nbriefing that will have a closed portion, where we can go \ndeeply into the damage done to our national security, having \nnothing to do with NSA, that Mr. Snowden has done. So we will \ndefinitely go into more detail on that.\n    Mrs. Hartzler. Yeah. I will hold my questions.\n    Mr. Thornberry. Okay, great. Thank you.\n    With that, if you all will excuse us, we have to run and \nvote. If you all will come with me, we will look for a place \nfor you to at least try to use the phone and computer so you \ncan make use of the time when we are away.\n    And, with that, the subcommittee stands in recess.\n    [Recess.]\n    Mr. Thornberry. The subcommittee will come back to order. \nAnd, again, let me thank everybody for their patience during \nthat long series of votes.\n    Let me ask a few questions as other Members are coming \nback.\n    General Alexander, I was interested in your answer to Mr. \nLangevin\'s question about elevating Cyber Command. Admiral Jim \nStavridis, retired, who is now the dean at the Fletcher School, \nsomebody I respect a great deal, has written an article that \nsays cyber is at a place where the Air Force was in 1947; it \nneeds to be its own service. 
It is similar to SOCOM, but it is \ndifferent, in that it all takes place in one domain, whereas \nSOCOM draws from different domains and, therefore, has to have \nelements from all the other services.\n    And so his argument is this is the new domain of warfare \nand we need to treat it as such, with the seriousness, with the \npromotion, with the dedication that we decided to do with the \nAir Force in 1947. What do you say to that?\n    General Alexander. Well, I think that is one of the options \nthat we actually looked at. I think, for the current period, \nfor now, for the next several years, that we need to have an \nintegrated cyber capability that goes into the services.\n    And the reason that I am not yet where he, Petraeus, and a \ncouple others are is I think that, in places like Iraq, if we \nwere to imbed cyber capabilities at the brigade level, which we \nwill need to do, you need to have service participation in \nthat, not a separate service as an external person coming in, \nbut an imbedded, organic capability to that brigade itself.\n    So I think, as we go forward--but they need to be trained \nto a standard. They need to know how that force works. So it is \nanalogous to the way the cryptologic system works. We have \ncryptologists who go down to the brigade who are trained to a \ncertain level. We have them in the air, and we have them at \nsea. All of them are trained together and they act as one \nsystem, but they have them by service.\n    So I think the next correct step would be go to a unified, \npause, and then see if it makes sense to take the step beyond \nthere. And I think that kind of a deliberate approach, make \nsure we don\'t go too far and then have to collapse back.\n    Mr. Thornberry. Okay. I appreciate it.\n    Ms. Takai, I want to go back to some discussions you were \nhaving, I think, with Mr. Langevin. 
One of the things I hear \nfrom folks who are IT providers to the Department of Defense is \nthey have to take into account all these legacy systems. And \nnobody else in the world, you know, has some of the systems DOD \nstill operates, but they have to make sure that whatever they \nprovide to DOD is compatible with or works with these legacy \nsystems.\n    Everybody agrees, someday you move beyond that. But, to me, \nthe hard question is, when do you force moving beyond the \nlegacy systems and when do you, kind of, Band-Aid and incur the \nextra cost to deal with the legacy systems? How do you deal \nwith that?\n    Ms. Takai. Well, there are two answers to that question, \none of which is about the actual operation of the legacy \nsystems, and the second, which is about the data-sharing \nimplications of the legacy systems.\n    Well, one of the things that we are doing is each of the \nservices, just by virtue of their efficiencies effort, is going \nthrough to eliminate some of these redundant legacy systems. \nAnd they have, in fact, made significant progress in cutting \nthe number down.\n    But one of the things that we will be continuing to do, \nparticularly with some of the new direction that the \nSecretaries directed out, in terms of my role with business \nsystems, is to continue to reduce the number of redundant \nlegacy systems so that we cut the complexity down.\n    The second piece, however, which is particularly a \nchallenge for anyone needing to come in, is the interfaces and \nthe need to be able to use data that is in the legacy systems, \nand it means you have to deal with the old technology. And one \nof the things that we are looking at is how to get the data \nfrom the legacy systems in a way that you can, in fact, \ninformation-share and yet not have to deal with all the old \ntechnology.\n    So the solution is really a combination of those two--\nreally, those two steps forward.\n    Mr. Thornberry. 
Let me ask you the same question I asked \nyou before. Can you make those things happen? If the services \nare dragging their feet and they say, oh, we are comfortable \nwith this system, it is what we have always used, we don\'t want \nto go through retraining our people, can you make it happen?\n    Ms. Takai. Well, yes, sir. I have to impose some fairly \ndraconian measures, in some cases. And we have not had to go to \nthat point; the services are actually moving in that direction. \nBecause, as I say, they have a challenge right now with being \nable to, from an IT perspective, maintain all of that \ntechnology going forward.\n    So, fortunately, we haven\'t had to go to those kinds of \nmeasures. By basically organizing and also putting the \nauthority in the hands of all of the CIOs, including the \nservice CIOs, we have been able to make progress.\n    Mr. Thornberry. Okay. Thank you.\n    Mr. Kilmer.\n    Mr. Kilmer. Thank you, Mr. Chairman.\n    And thank you both for being here.\n    General Alexander, thanks for your service.\n    And, Ms. Takai, thank you and your staff. We have been in \ntouch about a number of issues, and I sure appreciate your \nstaff\'s hard work in answering our questions.\n    I thought I would start by asking a little bit about cloud \ncomputing. In the President\'s budget, he includes investments \nthat are focused on transforming the government IT portfolio \nthrough cloud computing.\n    I was hoping you could speak a little bit about what DOD is \ndoing and what NSA is doing today to expand the use of \ncommercial cloud computing. And how are commercial cloud \nservice providers, who are giving the ability to agencies to \npurchase IT services in more of a utility-based model and, \nthus, cutting costs significantly, being leveraged?\n    General Alexander. Sure. 
So, a few years ago, NSA leveraged \nGoogle\'s Hadoop, MapReduce, BigTable cloud architecture and \nadded to it a security layer and a realtime tipping and queuing \ncapability, which is now in the openware Accumulo. So, given \nthat, we actually have implemented that throughout much of NSA. \nI think that is a huge step forward.\n    And the reason I go to those two key points is you have to \nhave the security layer for us to encrypt data, ensure that you \nprotect it. All the things that we are going to talk about, \ninsider threats and securing your data, all depend on that. \nAnd, as we go forward, it is the heart of what we would do \nunder the Joint Information Environment. You have to have that \nas a security kernel, if you will, to start off.\n    Over to you.\n    Ms. Takai. So let me pick up from General Alexander\'s \ncomments and talk about how those comments are really \napplicable across DOD.\n    First of all, we have an aggressive process to move forward \non utilization of commercial cloud services. It is a part of \nJIE. And one of the things we are working at now is \nunderstanding how, in fact, we use commercial cloud services. \nSo let me talk about that.\n    What General Alexander was talking about is the importance \nof ensuring that, as we move to commercial cloud providers, \nthat they have both the ability to be secure and meet what our \nsecurity requirements are; secondly, that we can operationalize \nthem in a way that we don\'t lose those clouds from Cyber \nCommand\'s visibility because they will be on our networks; and \nthen, again, that from a contractual perspective, all of that \nis built in.\n    So, right now, we have four cloud providers that have been, \nif you will, through our security clearance. We have nine that \nare pending that we believe will pass that. 
And, I think as you \nknow, one of the things that we work with is the Federal \nprogram, so that some of these providers will be through the \nFederal program; some of them will be us pushing them through \nthe Federal program. And then we have another nine pilots of \ndifferent types of services, where before we put them through \nthe process we really want to see how they are going to operate \nin our environment.\n    The other thing that we are doing is, to General \nAlexander\'s point, is to put a model in place around security. \nSo, for instance, in unclassified information, the bar isn\'t as \nhigh, if you will, to pass from a security perspective. And \nthen when you get into classified information and then, \nobviously, into higher levels of classification, the bar will \nbe a little higher. The service providers will need to actually \nlook at the way that their cloud offering would fit within our \narchitecture. But then they would be certified to come in and \ncould be used by any component in DOD.\n    Mr. Kilmer. I was hoping to ask also about cyber ranges. \nAnd, General Alexander, I was hoping you could speak to what \nsort of capabilities do we need to invest in for cyber ranges.\n    And then, also, if you could speak to, you know, is there \ncurrently a coordinating entity within the DOD to coordinate \nthe use and policy of IT cyber ranges and test beds and \nsystems? And if so, who is it, and how are they doing it? And \nif there is not, do you think that is a mission that would be \nbest suited for CYBERCOM?\n    General Alexander. So, if I could answer the last part of \nthat----\n    Mr. Kilmer. Sure.\n    General Alexander [continuing]. First, I agree with the way \nyou pushed that. I do think, as we get more teams, we want \nthese teams to be trained in a joint environment. And so I do \nthink at some point you are going to need to transition that. \nWe have it under four different places right now. Bring them \nall together. 
And you are going to have to build the capacity \nto handle the number of teams that we have in an interactive \nway, dynamically.\n    So I think consolidation, going to a single provider, and \ngrowing the capacity so that you can do this in a full-up set \nof war games that will keep people trained. The best training, \nfrom my perspective, is really doing this on the network, \nactually doing it. So there is a combination of both.\n    I don\'t know if you had a chance to go out to the CYBER \nFLAG exercise. They actually ran a very large exercise in \ncyber, and I think it might be worth your while to see that so \nyou can see where we are actually trying to take the ranges in \nthe future.\n    But I do agree with the thrust of what you are saying; we \nneed to consolidate. I actually would push it under the J-7 of \nCyber Command, as they are doing all the training, they are \ndoing the exercises. And I think, in this case, they could also \nrun those ranges. We just need to make sure that they are \nresourced for that.\n    Mr. Kilmer. Thanks, Mr. Chairman. I yield back.\n    Mr. Thornberry. Mr. Langevin.\n    Mr. Langevin. Thanks.\n    What is the average time it has taken for cloud providers \nto be granted approval to operate?\n    Ms. Takai. I don\'t know that we have an average time, but \nthe time right now is actually in several months.\n    And part of the challenge there has been that, when we talk \nabout cloud providers, they generally have a broad range of \nofferings. And so, even for the Federal program, in order to \nmeet our security requirements, for instance, they have to \ncontinually monitor their cloud in order to ensure that they \nhave all the security provisions.\n    They end up--that time is not so much in the approval \nprocess, but it is in the actual companies setting up to meet \nthe security requirements that the Federal Government requires. \nAnd then, once that happens, they can be quickly certified.\n    Mr. Langevin. Okay. 
Thank you.\n    Let me turn to another area. Are you both satisfied with \nyour current authorities to identify, recruit, and retain \nqualified cyber personnel?\n    And, General, could you provide your assessment of how the \nDepartment is leveraging the unique ability of the Guard and \nReserve to attract personnel who might otherwise be \ninaccessible to the Department?\n    I know you have talked about the Guard and Reserve and \ntraining them to the same standards and such, but being able to \nleverage the unique ability of the Guard and Reserve to, again, \nattract personnel that perhaps, you know, we wouldn\'t be able \nto afford, per se, on a long-term basis, which is obviously a \nchallenge, I know, for us to be able to attract and retain and \nrecruit the best and the brightest. Yet we recognize, in the \nGuard and Reserve, these folks are doing their day job at some \nvery well-known and high-level IT companies, and yet they are \ndoing their Guard and Reserve duty, and we have the ability to \nleverage their talents.\n    So if you could talk about those areas.\n    General Alexander. So, Congressman, first, with respect to \npersonnel, I think we need to come up with a personnel system \nthat puts all of our cyber team in one personnel construct, \nespecially for the NSA-CYBERCOM team.\n    Right now, we have the CCP [Consolidated Cryptologic \nProgram], which covers about 85 percent; ISSP [Information \nSystem Security Program], which covers another 12, roughly, \npercent; then you have the MIP [Military Intelligence Program] \nand Air Force personnel, with another 3 percent. What this \nmeans is, when personnel actions come, you deal with four \ndifferent folks. And for promotions and for raises and for \neverything you are dealing with, you are dealing on four \ndifferent programs. You don\'t have an equal setting and an \nequal footing.\n    So, step one, we need to do that. 
That is something I have \nto push back to the Department, and we are doing that. I just \nthink, as that comes forward, we would need your support on it. \nBecause I do think, either as a test or something, it gets us \nto where we want to be, to have one cyber team.\n    This really came through on the furloughs. It was a big \nissue, because half the force is in, or 85 percent is in, the \nrest are out. Nobody wants to then go over to one of those \nother billets feeling they will be at risk. That is not a way \nto set up a team. So I think we need to fix that.\n    With respect to Reserve personnel, you have hit the key \nthings. Actually, we are getting good participation, from my \nperspective, into the Reserves. They want to be in this area, \nand they are very good and very helpful. And they come from \nsome of the best and brightest amongst industry.\n    The key will be getting them the training so that they have \nthose same level of skills that the rest of the team--so if \nthey operate in the network we don\'t make mistakes. And that is \nimportant, and I think we can do that.\n    So we are headed in the right direction. I think General \nGrass and others have agreed that we need to do this. I think \nwe need to organize them the same. States will have similar \nrequirements, so you can have them working for State things, \nand then when you need the Federal, we know we can employ these \nas teams, not as individuals. I think that will be very \nhelpful.\n    Ms. Takai. 
Sir, I would just add on to speak to the \ncivilian side, and I think General Alexander has spoken to the \nmilitary side.\n    One of the challenges that we have on the civilian side is \nactually to the point--the next level of detail is really \nclassifications and standardization of classifications for \ncivilian employees, as well as the way that we are able to \nactually move them through the promotional opportunities such \nthat they stay in the area of expertise and, you know, can \ncontinue to progress.\n    We are always going to have the problem with challenges of \npeople moving outside into industry and some of the challenges \nwith pay, but one of the things I think we need to do is to \nreally work--DHS has put a framework together, and we are all \nworking to it. But one of the things we need to do is to really \nget not only the job classifications solidified and through OPM \n[Office of Personnel Management], but then also to make sure \nthat we have the right career path and we are moving people \nalong.\n    Mr. Langevin. Thank you.\n    Do you anticipate right now the additional authorities that \nyou need to make that more seamless?\n    Ms. Takai. Well, we are pursuing that right now, sir. I \ncouldn\'t tell you that we have or we have not. We are putting \nproposals together, certainly within DOD, for what we feel we \nneed. And then I think both on--we are working on the civilian \nside, we are working with General Alexander on the military \nside to get that standardization. So I think that is something \nthat we will watch it and then, if it looks like we have an \nissue, come back and give you an update.\n    Mr. Langevin. And, Chairman, I had one last question if you \nare okay with that.\n    So where are your research and development [R&D] priorities \nover the FYDP and beyond? And what is your role in setting \nrequirements for R&D?\n    General Alexander. 
Within Cyber Command, it is on building \nout our infrastructure and our tools. Those are the two things \nthat we are really doing our research and development on.\n    So when we say ``tools,\'\' there are some sensitive things \nthat we do, and to fully answer that I would like to show you a \nclassified briefing, perhaps sometime when you come up, so you \ncan see, because they have done some great things there. I \nthink it is important to see what those tools are and what that \nmeans. It actually goes back to some of your earlier questions, \nand I think it would be well worth your time to see some.\n    Mr. Langevin. Fair enough. Will do. Thank you.\n    Ms. Takai. Just to add on to what General Alexander is \nsaying, our main priorities are not only in the defense of the \nnetwork but also looking at tools around the detection of \ninsider threat. I think that is a big area.\n    We actually work with AT&L [Acquisition, Technology and \nLogistics] on their S&T [science and technology] budget, and we \nco-chair the group that works with both the AT&L S&T budget but \nalso the Investment Review Board that Mr. Kendall chairs that \nlooks at the overall investment. Cyber Command is a part of \nthat so that we are sure that the investment is aligned with \nwhat their priorities are.\n    Mr. Langevin. Very good.\n    Well, I thank you for your answers. I thank you for the \nwork that you all are doing.\n    And, General, again, congratulations. Job well done. And \nthank you.\n    I yield back.\n    Mr. Thornberry. General, I want to just go back and make \nsure, as we look at the administration\'s budget request for \nthis year on information assurance, in the cyber environment \nyou described--threats increasing, complexity increasing, talk \nabout destructive, et cetera--are we spending enough money and \nmoney the right way to assure that our own networks are secure?\n    General Alexander. 
This is an area that I have put forward \nto the Department and others that I have some concerns that we \ndon\'t have adequate funding over the years, especially as we go \nforward in securing the networks. And there are two sets of \nissues that come up with that.\n    When we look at it, we have had to cut back across all \nparts of the Department, but in this area, especially, it is \ndifficult because there aren\'t any service champions. The two \nchampions happen to be Ms. Takai and I. And so the real issue \ncomes down to, that is something that is very difficult to push \nforward and very hard to explain what you are buying with it. \nWhat you are buying is additional security.\n    So I am concerned that we don\'t have enough funds in those \nareas, and we are pushing that back to the Department. We have \nworked that with the USD(I), with the Department, and also to \nthe DNI so they understand our concerns there.\n    Going forward, I think investment is going to have to \nincrease in that area because of the complexity of encryption \nand the systems that are coming that our adversaries will have, \nwithout going into classified.\n    Mr. Thornberry. Yeah.\n    Ms. Takai, do you share the same concerns, at least about \nfuture years?\n    Ms. Takai. Yes, sir, I do.\n    I think the other item that I would add to what General \nAlexander is saying is that, as we are moving to the Joint \nInformation Environment, back to your point about what do you \ndo about legacy systems----\n    Mr. Thornberry. Uh-huh.\n    Ms. Takai [continuing]. There are times where, in fact, you \ncan actually get more efficiency, but there are times where you \nneed an upfront investment to do that.\n    So the challenge is, when we do an annual budget, it \ndoesn\'t really give us an opportunity to have upfront funding \nin order to be able to get not only the security aspects but to \nbe able to get the efficiencies in the later years. 
It is a \nchallenge with the budgeting process, and it makes it very \ndifficult, again, because for he and I, you know, we are \npushing into the budgeting process, which is service by service \ntoday.\n    Mr. Thornberry. Yeah. Well, I would just say, for me \npersonally, I think that is an area we want to help you with as \nwe can. I mean, we are all constrained by these tight budgets, \nbut it makes sense to me that sometimes you are going to have \nto spend more money up front to make this transition to a more \nsecure and efficient place. But protecting our networks has got \nto be near the top of our list.\n    Okay. It wouldn\'t be a hearing without asking spectrum. \nTell me where we are. I would hate to rob you of the \nopportunity to not talk about spectrum.\n    Ms. Takai. Well, sir, thank you for the opportunity.\n    We actually think that we are making good progress on \nspectrum. I think as you know, we have submitted our transition \nplans for the 1695 to 1710 and then also the very controversial \n1755 to 1780.\n    I hope that the committee has been informed that we really \npushed very hard for what we believe are some very innovative \nsharing solutions in the 1755 to 1780 in order to move it \nforward. And we believe that our transition plans, you know, \nare in discussion right now, but we believe that they will go \nthrough, so there will be that opportunity.\n    Going forward, thank you for the question, because I \nactually did bring a copy of our just newly released \nelectromagnetic spectrum strategy that really addresses where \nwe believe DOD needs to go in the longer term, because this \nisn\'t something that we can do in the short term.\n    But, lastly, we appreciate all of your support. And the \nlast thing is, I think the challenge for us is to really figure \nout how to balance our growing needs for spectrum with, \nclearly, what the Nation\'s growing need is for spectrum. 
And I \nthink that is going to require innovative solutions, not only \non the government side, but it is also going to require \ninnovative solutions on industry\'s side. And, you know, I think \nbetween the two is what is really going to bring it together.\n    So thank you for the question.\n    Mr. Thornberry. Yeah. Well, I hope your new long-term \nstrategy is useful, because I do--I get the feeling a lot of \ntimes we make these decisions ad hoc, and we do need that long-\nterm vision, because we have these competing demands from the \nDepartment and the rest of the country, and it is not a good \nsituation to be able to just, kind of, take them one at a time.\n    On the spectrum you mentioned, can you meet the auction \ndeadlines?\n    Ms. Takai. Yes, sir. They are accelerated deadlines, but we \nhave--the team has worked very hard, and we will be able to \nmeet the timing.\n    Mr. Thornberry. Okay.\n    I just had one other thing right quick.\n    General Alexander, in your five things, number three was \nauthorization. And I just want to be sure I understand what \nsort of legal authorization you were talking about when it \ncomes to cyber, because that is in our bailiwick.\n    General Alexander. So the authorities----\n    Mr. Thornberry. Authorities, yeah.\n    General Alexander. Yeah. And so the authorities really \ndealt with--the principal there is cyber legislation, the \nability for us to deal with industry. The rest----\n    Mr. Thornberry. So you are talking about the information \nsharing----\n    General Alexander. That is right.\n    Mr. Thornberry. Okay. And that is the sort of authorities.\n    As far as authorities related to Cyber Command\'s ability to \ndefend the country in cyberspace, you feel comfortable where \nthe legal authorities are, even though you mentioned command \nand control and a variety of other challenges?\n    General Alexander. I do. 
I think we have the authorities \nwithin the administration, within the Department, to do what we \nneed. Now, the question is, okay, where do we set the limits \nand stuff? But they are working their way through that.\n    Mr. Thornberry. Yeah. Okay. I just wanted to clarify.\n    Okay, great. Again, thank you all for your patience, for \nyour work in these very important areas. And we will look \nforward to seeing you both again in one capacity or another.\n    With that, the hearing stands adjourned.\n    [Whereupon, at 5:35 p.m., the subcommittee was adjourned.]\n\n=======================================================================\n\n\n\n\n                            A P P E N D I X\n\n                             March 12, 2014\n\n=======================================================================\n\n\n              PREPARED STATEMENTS SUBMITTED FOR THE RECORD\n\n                             March 12, 2014\n\n=======================================================================\n\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n=======================================================================\n\n\n              QUESTIONS SUBMITTED BY MEMBERS POST HEARING\n\n                             March 12, 2014\n\n=======================================================================\n\n      \n                 QUESTIONS SUBMITTED BY MR. THORNBERRY\n\n    Mr. Thornberry. Can you describe how the recommendations from the \nreview by former Secretary of the Air Force Donley affect the \ngovernance and acquisition of IT and cyber systems for DOD? What \nactions have been taken to date to implement those recommendations?\n    Ms. Takai. I am working closely with the Deputy Chief Management \nOfficer and the Under Secretary of Defense for Acquisition, Technology \nand Logistics on the recommendations of former Secretary Donley. 
As \npart of this effort, we are reviewing existing IT governance processes \nto ensure they enable more rapid delivery and sustainment of \ninformation technology and cyber capabilities. We will ensure that \nCongress is kept apprised of our efforts throughout this process.\n    Mr. Thornberry. How are we instrumenting and architecting our \ninfrastructure so as to better detect, mitigate, and recover from deep \ninsider threats? How are you ensuring that such investments are \nefficient (effective and economical)?\n    Ms. Takai. The cybersecurity of our networks is one of our top \nmissions and we are giving it the serious attention it deserves. Our \nInsider Threat efforts are in alignment with guidance from the White \nHouse\'s Senior Information Sharing and Safeguarding Steering Committee \nand the President\'s National Insider Threat Policy and Minimum \nStandards. The Department has made good progress in implementing the \nSteering Committee\'s priority efforts.\n    There are two examples of specific architectural efforts we have \nimplemented to better detect, mitigate and recover from insider \nthreats. First, we have completed deployment of the Host Based Security \nSystem (HBSS) which enables monitoring of networks for suspicious user \nbehavior. Second, we are also near 90% complete in implementing use of \nPublic Key Infrastructure (PKI) hard-token certificates for our Secret \nnetwork user authentication. 
PKI use is the cornerstone to eliminating \nanonymity, so that user actions can be monitored and irrefutably \nattributed to the individual users, thus helping to detect and deter \nmalicious insiders.\n    Based on the most recent unauthorized disclosures of classified \ninformation, in July 2013, the Undersecretary of Defense for \nIntelligence and I issued a memorandum directing stronger mitigations \nfor insider threat, including: two-person controls over use of \nremovable media and the requirement to revalidate the need for \nprivileged users, such as system administrators, in order to reduce the \npotential risk these users may pose. We are about to issue additional \nguidance which includes oversight of privileged users and stronger \naccess controls over our most sensitive information to restrict access \nto those with a ``need to know\'\'.\n    In order to ensure that our IT investments to counter insider \nthreats are efficient (effective and economical), all our investments \nare vetted and validated through our existing governance processes. \nThis is especially true now due to our constrained budget environment.\n    Mr. Thornberry. What activities does DOD have underway, or is \ncontemplating beginning this year, related to making its systems more \nspectrum efficient?\n    Ms. Takai. Successful implementation of the DOD Alternative \nProposal for the 1755-1780 MHz band is based on making systems more \nspectrum efficient. As such, a number of the proposals in the 1755-1780 \nMHz band Transition Plans are planned to do exactly that.\n    In addition, DOD recently released an Electromagnetic Spectrum \nStrategy that identifies goals to improve spectrum access \nopportunities, including developing systems that are efficient, \nflexible, and adaptable in their spectrum use and increasing our \noperational agility in use of the spectrum. 
To implement the Strategy, \nDOD is developing a roadmap and action plan over the next six months \nthat will lay out near- to long-term milestones, including those \nrelated to sharing opportunities.\n    Mr. Thornberry. What opportunities do you see for the commercial \nsector to be more spectrally efficient with the spectrum bands it \nalready has?\n    Ms. Takai. The Department of Defense is working closely with the \nNational Telecommunications and Information Administration, Federal \nCommunications Commission, Office of Science and Technology Policy and \nwireless industry stakeholders to evaluate and identify ways to share \nspectrum with commercial users, when possible. At the same time, the \ncommercial sector could equally be more efficient in its use of non-\nFederal bands by providing opportunities for Department of Defense and \nother Federal government users to share spectrum, when possible, to \nmeet growing mission requirements.\n    Specifically as a first step to facilitate the opportunity for bi-\ndirection sharing, the Department of Defense, National \nTelecommunications and Information Administration, and the National \nScience Foundation are working together to pursue an Other Transaction \nAgreement with an eligible entity to develop and mature technologies \nand related policy changes to enable advanced approaches to spectrum \nuse. The intent is to explore the creation of a forum that facilitates \ncollaboration across government, industry and academia on spectrum \ntechnology development, including for shared uses between Federal and \nprivate sector operations. Industry support of this and similar efforts \nis critical in order to support the nation\'s growing economic and \nnational security demands on spectrum.\n    Mr. Thornberry. How are we instrumenting and architecting our \ninfrastructure so as to better detect, mitigate, and recover from deep \ninsider threats? 
How are you ensuring that such investments are \nefficient (effective and economical)?\n    General Alexander. In July 2013 the Commander, USCYBERCOM, \norganized a working group dedicated to insider threat mitigation. The \nworking group comprised representatives from USCYBERCOM, NSA, DISA, DOD \nCIO, DIA, DSS, and the Service Cyber components. The team synchronized \nits efforts with the release of the USD(I) and DOD CIO memorandum \n``Insider Threat Mitigation\'\' on 12 July 2013, which provided the \nopportunity to further operationalize current policies and expand \nguidance in accordance with USCYBERCOM\'s authorities. Understanding \nthat there is no ``silver bullet\'\' to mitigate the insider threat, the \nmitigation strategy depended on a combination of technical solutions, \npolicy, legal and cultural adjustments. A constant throughout all \nefforts is eventual alignment with the security architecture under the \nJoint Information Environment (JIE). The initial quick look study, \nwhich was presented to the DepSecDef, leveraged several previous \nassessments, studies and policies to identify ``best of breed\'\' \ntactics, techniques and procedures for immediate implementation with \nfollow on development to institutionalize mid-term and long-term tasks. \nThe study resulted in an order from USCYBERCOM to the DOD enterprise to \nmitigate common vulnerabilities associated with insider threat. \nCompliance with this order was achieved by 30 October 2013. CYBERCOM \nbriefed the OpsDepsTank and the Chairman\'s Tank in December 2013. As a \nresult, a SecDef memo, Task Force to Review Compromise of Classified \nInformation, was signed out on 7 March 2014. Based on that memo four \ndistinct lines of effort are under development:\n  a. Two-person integrity controls for the SIPRNET\n  b. A tiered non-compliance consequence matrix, which is being written \n            and tested by the Marine Corps\n  c. 
Patch and Security Technical Implementation Guidance (STIG) for \n            Programs of Record\n  d. An order to the DOD enterprise directing a number of technical \n            changes, which will include tasks directed by the 11 Feb 14 \n            White House memo, Near Term Measures to Reduce the Risk of \n            High Impact Unauthorized Disclosures, and mid-term \n            mitigations that will take a longer period of time to \n            implement.\n    Among the tasks to be directed, the following concepts will be \noperationalized:\n  a. Increased scrutiny on the separation of duties among privileged \n            users\n  b. Isolation of logged privileged user activities, storing logs out \n            of reach of privileged users\n  c. Privileged user log review conducted by an Insider Threat team or \n            other external entity\n  d. Reduced reliance on removable media by requiring use of cross \n            domain solutions when practicable\n  e. Continued fine tuning of the Host Based Security System to \n            identify unauthorized attempts to use removable media\n    Other pending efforts include a planned brief to CAPE, \nincorporating the new efforts into inspection programs and continued \nsupport to the Mitigation Oversight Task Force (MOTF), which is run by \nthe Joint Staff.\n    Since these new requirements are unfunded, the timeliness of \ncompliance may be an issue and implementation will most likely occur \nduring regularly scheduled upgrades or as part of an overarching \nprogram implementation such as JIE.\n    Mr. Thornberry. To what extent has U.S. Cyber Command collected \nmeasures of performance or measures of effectiveness to demonstrate \nthat the dual-hatted position is the most effective and most efficient \napproach to both agencies missions?\n    General Alexander. 
While measures of performance and measures of \neffectiveness have utility in specific operations and processes we \ncarry out at the tactical level, none have yet been defined for the \nCommander, USCYBERCOM and Director, National Security Agency dual hat \nrelationship. The dual hat relationship is prompted not just by a drive \nfor efficiencies but also by operational necessity and the need for \nunity of effort in cyberspace. The lack of historical data on \nalternative relationships for command in cyberspace and the difficulty \nof empirically measuring concepts like ``unity of command\'\' would make \nderiving and evaluating measures of performance or effectiveness for \nthe dual hat problematic.\n    Mr. Thornberry. Could you please describe the command and control \nrelationships between U.S. Cyber Command and the other combatant \ncommands and the degree to which the new rules of engagement have had \nany impact on this.\n    General Alexander. [The information is for official use only and \nretained in the committee files.]\n                                 ______\n                                 \n                   QUESTIONS SUBMITTED BY MR. CARSON\n    Mr. Carson. How has the NSA/DHS Centers of Academic Excellence in \nInformation Assurance program impacted your access to qualified \ncandidates for cybersecurity positions? What lessons have been learned \nfrom this program? And are there opportunities to share these lessons, \neither in curriculum recommendations or some other format, with \nuniversities and colleges that are not Centers of Excellence so they \ncan provide consistent education?\n    Ms. Takai. The NSA/DHS Centers of Academic Excellence in \nInformation Assurance program has facilitated development of the \npipeline of educated candidates for cybersecurity positions. 
Since 2001 \nthe National Centers of Academic Excellence (CAE) in Information \nAssurance have employed 593 Information Assurance Scholarship Program \n(IASP)/CAE graduates (a 97% completion rate from the 608 scholarships \nawarded) and sponsored 216 capacity building grants with CAEs. The IASP \nprovides DOD both new hires upon graduation (recruiting) and \nopportunities for current DOD IA Workforce members to advance their \neducation (retention).\n    With the publication of the National Initiative for Cybersecurity \nEducation (NICE) workforce framework and the evolutionary nature of the \ncyberspace workforce, now is the time to evaluate the CAE program. My \noffice is currently leading a study and analysis of the CAE process, on \nbehalf of DOD, in response to the FY14 National Defense Authorization \nAct direction. As part of this analysis, an assessment of lessons \nlearned is being conducted. A report with the overall assessment of the \nCAE program and our recommendations will be generated and shared.\n    Additionally, there are public venues (e.g., Colloquium for \nInformation Systems Security Education (CISSE) and the National \nInitiative for Cybersecurity Education (NICE) conference) which allow \nparticipants to partner and mentor fellow CAE institutions and those \naspiring to become CAEs. Workshops are held on mapping courses, \npartnership and scholarship opportunities, ultimately discussing what\'s \nworking and not working; and collecting feedback on improvement of CAE \nprocesses.\n    Mr. Carson. How has the NSA/DHS Centers of Academic Excellence in \nInformation Assurance program impacted your access to qualified \ncandidates for cybersecurity positions? What lessons have been learned \nfrom this program? 
And are there opportunities to share these lessons, \neither in curriculum recommendations or some other format, with \nuniversities and colleges that are not Centers of Excellence so they \ncan provide consistent education?\n    General Alexander. The National Centers of Academic Excellence in \nInformation Assurance (CAE) have provided outstanding and highly sought \ncandidates for DOD Information Assurance/Cybersecurity positions. NSA \nRecruiters actively recruit from the 181 National Centers of Academic \nExcellence (CAE) to hire qualified candidates into our IA/Cyber \npositions. In addition, our Components actively seek students from CAEs \napplying for the DOD Information Assurance Scholarship Program (IASP). \nThe IASP provides both new DOD hires upon graduation (recruiting) and \nopportunities for current DOD IA Workforce members to advance their \neducation (retention). Some specific advantages of the IASP are:\n    <bullet>  Scholarships are tied to a DOD position and are awarded \nto students attending CAEs\n    <bullet>  Continuous flow of top IA talent meeting DOD requirements\n    <bullet>  Students participate in internship programs during \nacademic breaks within the community to learn DOD systems and \nprocedures\n    <bullet>  Graduates have a commitment to serve in the DOD for a \nspecified time after graduation (dependent on length of scholarship)\n    Since 2001, DOD has employed 503 IASP/CAE graduates with a 97% \ncompletion rate (a total of 608 scholarships have been awarded) and \nsponsored 216 capacity building grants with CAEs. DOD works with CAEs \nto award grants to conduct curriculum development and research of \ninterest to both the schools and DOD. CAE students and faculty \nparticipate in these grant projects. Through these grants, CAEs are \nencouraged to share their results with other CAEs, minority \ninstitutions, and institutions that may be seeking CAE designation. 
\nMany CAEs have held train-the-trainer and faculty development sessions \nat various conferences and events. NSA and DHS will conduct further \nresearch to determine the direct relationship between CAE alumni hiring \nand employment partnerships. Studies will also be conducted to \ndetermine whether CAE alumni are hired by government at a greater rate \nthan non-CAE graduates. NSA and DHS work with government, industry and \nacademia throughout the year to identify skill gaps between education \nand job qualification/skills to ensure that CAE graduates are prepared \nto perform technical mission-critical Cybersecurity jobs. These gaps \nare then communicated to the CAEs with recommendations. NSA and DHS \nalso utilize lessons learned to update the CAE program as required to \nmeet the changing IA/Cybersecurity standards and the national demands \nin cyber defense. As a result of the most recent study, the CAE program \nwas updated in 2013 and now includes Cyber Defense (CD) education. \nAcademic institutions are now required to meet Core Knowledge Units \n(KU) and can apply for optional Focus Areas (FAs). Government, industry \nand the CAEs were involved in the update of the CAE program and will \ncontinue to evolve the program as national IA/Cybersecurity needs \nchange. In the future, an NSA/DHS Advisory Council consisting of CAEs, \nindustry and government partners will discuss potential changes to the \nCAE requirements. Updates to the requirements will allow the schools \nto keep up-to-date on curriculum and teaching methods within the \nCybersecurity field. Under the 2014 National Defense Authorization Act \n(NDAA), DOD/CIO in partnership with NSA and DHS, is conducting an \nassessment of the NSA/DHS CAE program. 
The assessment will identify the \nCAE Program\'s strengths and weaknesses; processes and criteria; \nmaturity of IA as an academic discipline; the government\'s role in the \nfuture development of the CAE curricula and criteria; advantages and \ndisadvantages of broadening the governance structure of CAEs; and the \nalignment of CAE curricula/criteria to the National Initiative for \nCybersecurity Education (NICE). NSA and DHS along with other government \nagencies, industry and academia speak at several venues during the year \nto brief the CAE program, lessons learned and to convey the national \nIA/Cybersecurity requirements. Annually, NSA and DHS attend the \nColloquium for Information Systems Security Education (CISSE), the NICE \nconference and the CAE Principal\'s meeting. These venues allow \nparticipants to partner and mentor fellow CAE institutions and those \naspiring to become CAEs. Workshops are held for aspirants on mapping \ncourses to the CAE Criteria, along with partnership and scholarship \nopportunities. The National Science Foundation (NSF) Advanced \nTechnological Education (ATE) centers reach out to potential 2-year \ninstitutions through curriculum sharing and mentoring by 4-year \nschools. For example, one of the ATE centers--CyberWatch--has hosted \nseveral webinars to educate interested CAEs and non-CAEs on the new \nInformation Assurance/Cyber Defense criteria. Webinars were selected \nfor the collaboration amongst attendees.\n                                 ______\n                                 \n                   QUESTIONS SUBMITTED BY MR. KILMER\n    Mr. Kilmer. The Department is looking to consolidate into a one \nsize fits all desktop solution in the cloud run through DISA, known as \nvirtual desktop infrastructure. Currently, each Service is running on \nvarious desktop solutions. Can you explain how the Department is \nincorporating the unique needs of the user from each Service into this \ninfrastructure?\n    Ms. Takai. 
The Defense Information Systems Agency (DISA) recently \nconcluded a virtual desktop infrastructure (VDI) proof-of-concept that \nexamined the value of VDI for DISA\'s desktop computing requirements. \nDISA is currently analyzing the outcomes of this initial proof-of-\nconcept to inform decisions on the future approach to desktop computing \nwithin the DISA organization, but no decision has been made to \nconsolidate into a one size fits all desktop solution in the cloud. \nSimilar efforts are underway across the DOD Components, but each is \nlooking at the specific desktop computing needs within that Component.\n    While the Department will look into the feasibility and \neffectiveness of providing a VDI solution, currently, there are no \nenterprise efforts underway. Such an effort, if undertaken, would need \nto address the challenge of supporting any unique user or organization \nneeds.\n    Mr. Kilmer. Defense Information Systems Agency (DISA) appears to be \nleading IT centralization efforts in the Department. A cornerstone of \nthis effort is the highly publicized but not widely understood Joint \nInformation Environment (JIE). Can you discuss JIE\'s and DISA\'s role in \nthe future of IT in DOD?\n    Ms. Takai. My office is overseeing the implementation of JIE, which \nis being implemented by and through the DOD Components, including DISA \nas a key player. 
The primary goals of the JIE are to make the \nDepartment more effective and more secure against cyber threats, to \nreduce cost associated with the Department\'s overall information \ntechnology infrastructure by simplifying, standardizing, centralizing, \nand automating infrastructure at the enterprise level.\n    The JIE will improve mission effectiveness by ensuring timely and \nsecure access to data and services regardless of location or device; \nmaintaining access to information/services in the face of network \ndisruption, degradation, or damage; and enabling rapid and dynamic \ncapability evolution to meet mission needs across all operational \nscenarios. JIE will enhance the Department\'s cybersecurity by providing \na consistent IT architecture that improves network resiliency and \ndefensibility, and network operators and defenders with shared \nsituation awareness. Finally, JIE enables more efficient use of \nresources by reducing duplication of effort across Components, reducing \ntotal IT operating costs, and supporting more rapid fielding of new IT \ncapabilities within a standardized IT architecture.\n    DISA is a key player in the development, implementation and \noperation of the IT infrastructure that enables JIE for the Department. \nThey specifically support the JIE effort by developing technical \narchitectures; developing, implementing and operating many of the JIE \nrelated capabilities such as networking, security, computing services, \nenterprise services, and network operations centers; and providing \nengineering expertise needed to enable the Department to leverage \ncommercial technologies and to integrate new technologies into the JIE \narchitecture.\n    Mr. Kilmer. The Department of Defense has entered into numerous \ncross-Service contracts and has increased the utilization of enterprise \nlicense agreements. 
Can you outline the future of these contracts, how \nthe offices responsible for negotiating these contracts are designated, \nand how these offices gather regular input from the Services for their \nunique requirements?\n    Ms. Takai. The Department of Defense is conducting a DOD-wide \ninventory of selected software licenses in accordance with \nfiscal year 2013 National Defense Authorization Act direction. The \nselected software list was established from an analysis of acquisition \ndata that identified publishers with high IT spend across DOD. The \nselected inventory will help identify future targets for enterprise \nlicense agreements.\n    The DOD Enterprise Software Initiative (ESI) Working Group is the \nprimary method of setting the strategic sourcing opportunities for the \nDepartment. DOD ESI coordinates and manages enterprise software \nagreements to leverage DOD spend for volume discounts and optimize \nlicense use and contract terms and conditions. My office, with support \nfrom the Defense Information Systems Agency (DISA) and DOD Components, \nis pursuing Department-wide Enterprise License Agreements (ELAs) that \nwill improve operational efficiencies and enhance cybersecurity and \ninteroperability across DOD while lowering the total cost of ownership \nfor software. Currently we are pursuing ELAs with CISCO and VMware \nwhile working the business case analysis with Components.\n    Given their expertise and role in contracting and procurement of \ninformation technology, DISA is leading the Department\'s efforts for \ncoordinating and negotiating DOD-wide ELAs, with the Components \nproviding their specific requirements and funding. 
DISA works with the \nComponents to establish licensing models and associated transition \nplans to achieve effective DOD-wide ELAs for software that is selected \nbased on sound business case analyses (BCAs) which document the cost \nsavings, cost efficiencies and other benefits and risks of establishing \nDOD-wide ELAs.\n    In addition, several Components have created large Joint Enterprise \nLicense Agreements (JELAs) that we plan to leverage and incorporate \ninto DOD-wide ELAs in the future.\n    Mr. Kilmer. The Department of Defense is looking to adopt more \ncloud computing capabilities but also has a unique set of security \nrequirements that not all vendors will be able to comply with. How do you \ndrive competition into the cloud market and ensure a level playing \nfield for competitors so the Department can ensure best value for the \nservice?\n    Ms. Takai. The Department gains significant benefit from commercial \ninnovations and ongoing competition. To ensure a level playing field \nand increased competition, the Department is making significant \ninvestments to promote the use of commercial cloud services, categorize \nour cybersecurity requirements, and speed up our assessment and \napproval processes.\n    My office designated the Defense Information Systems Agency (DISA) \nas the Enterprise Cloud Service Broker (ECSB) to promote the access and \nuse of cloud service providers (CSPs), to consolidate enterprise demand \nto maximize the Department\'s buying power, and facilitate and optimize \nthe DOD\'s access and use of commercial cloud services that can meet our \nsecurity and interoperability requirements.\n    The DOD has developed a Cloud Security Model that defines six \nsecurity impact levels (public release through and including Secret) \nand the requirements the CSP needs to meet (at each level) in order to \nintegrate with the Department\'s cybersecurity processes and \narchitecture without requiring each prospective CSP to operate at the 
\nhighest level. The Federal Risk and Authorization Management Program \n(FedRAMP) is a government-wide program providing a standardized \napproach to security assessment, authorization, and continuous \nmonitoring for cloud services and uses a ``do once, use many times\'\' \nassessment process to reduce cost, time, and staff for both the CSP and \nthe government. OMB policy requires Federal departments and agencies to \ncomply with FedRAMP guidelines by June 2014.\n    The ECSB leverages FedRAMP packages and considers commercial \nequivalencies to DOD-specific security requirements throughout its \nassessment process. In this way, a CSP can work towards FedRAMP \ncompliance and target a specific DOD Cloud Security Model security \nimpact level for their service knowing that other CSPs need to meet the \nsame set of requirements. The CSP is then free to compete, on a level \nplaying field, for DOD business in a manner that meets the Department\'s \nsecurity requirements and provides best overall value.\n    Mr. Kilmer. The FBI issued a consumer alert this summer regarding \nthe growing threat of malware in pirated software. What is the \nDepartment of Defense doing with its contractors and subcontractors \nto ensure its supply chain does not procure pirated software, thereby \nopening up a potential side door cyber security threat for the \nDepartment of Defense?\n    Ms. Takai. DOD is actively working to improve its software \nassurance practices internally through a Software Assurance Community \nof Practice (SwA COP), as well as working on standards and best \npractices in concert with public-private groups (e.g., The Open Group, \nConsortium of IT Software Quality). DOD is incorporating best practices, \nsuch as buying from authorized channels whenever possible and \nidentifying purchase options for sustainment procurements to ensure \nproduct authenticity and identification of trusted sources. 
There are \nalso on-going efforts within DOD and across the inter-agency and \ncommercial communities to develop standardized contract language for \nproduct integrity expectations and associated liabilities, as well as \nmutually recognized product or organizational certifications. DOD and \nthe National Security Agency are monitoring development of the Software \nIdentification Tag Standard (ISO/IEC 19770). Though not fully adopted \nby the private sector or government, there is growing interest and \nsupport to adopt this standard, and it could be very useful in securing \nthe software supply chain.\n    Additionally, DOD is working with General Services Administration \n(GSA) and other interagency partners on ways to implement \nrecommendations in the DOD and GSA Report, ``Improving Cybersecurity \nand Resilience through the Acquisition Process,\'\' (January 23, 2014).\n    Mr. Kilmer. In the past year, the Department of Defense has \ninitiated several rulemakings focused on stronger procurement policies \nand supply chain controls [DFARS 2012-D055, DFARS 2012-D050, etc.]. \nGiven the growing body of data demonstrating that counterfeit software \noften comes bundled with malware that can cause cybersecurity risks, \nthis is a growing area of concern for the Department. What is the path \nforward on these policies and how else is the Department considering \nexplicitly addressing the risks associated with contractors\' use of \ncounterfeit software?\n    Ms. Takai. As part of DOD\'s larger Cybersecurity and Trusted \nSystems and Networks strategies, the Department recognizes the \nimportance of purchasing information technology with adequate \ncybersecurity built in. As such, DOD is updating its procurement policy \nto reflect the global, commercial marketplace from which DOD procures \ntechnology to implement critical missions. 
These procurement policies \nrepresent one set of mitigation tools in the cybersecurity toolbox.\n    <bullet>  DFARS Case 2012-D055, Requirements Relating to Supply \nChain Risk, implements Section 806 of the National Defense \nAuthorization Act of 2011. Defense Procurement and Acquisition Policy \nand the DOD CIO are in the process of modifying the interim rule based \non comments received from industry and Congress. In addition, DOD is \nidentifying pilot programs to exercise the new policy, once revised.\n    <bullet>  DFARS Case 2012-D055, Detection and Avoidance of \nCounterfeit Electronic Parts. The draft final rule is at the Office of \nManagement and Budget\'s Office of Information and Regulatory Affairs \nfor clearance to be published in the Federal Register.\n    <bullet>  DFARS Case 2014-D005, Detection and Avoidance of \nCounterfeit Electronic Parts--Further Implementation. The draft \nproposed rule is in the initial drafting phase.\n    <bullet>  DOD continues to work with GSA and other interagency \npartners to develop an implementation plan supporting the final report \nof the Department of Defense (DOD) and General Services Administration \n(GSA) Joint Working Group on Improving Cybersecurity and Resilience \nthrough Acquisition, signed by the Secretary of Defense and the \nAdministrator of General Services on January 23, 2014.\n    My office is also leading or co-leading several internal efforts to \nshare information and develop best practices in this area. 
A few \nexamples are:\n    <bullet>  The DOD Software Assurance (SwA) Community of Practice, a \ngroup of DOD SwA practitioners, shares information on software assurance \nbest practices to be leveraged in improving guidance to the \nDepartment\'s Program Protection processes.\n    <bullet>  DOD is also involved in an industry-government information \nsharing effort to flag potential counterfeit issues through the \nGovernment-Industry Data Exchange Program (GIDEP).\n    <bullet>  DOD is exploring ``track and trace\'\' technologies that \nmay afford manufacturers, distributors, and acquirers the capability to \nbetter validate authenticity of parts and components.\n    Mr. Kilmer. The current DOD Certification and Accreditation (C&A) \nof software is a fragmented process between DOD Service components and \nis often not standardized for all vendors. This often results in \ndelayed and inconsistent certification and accreditation of IT \nproducts, as well as delays the customers\' deployment and subsequent \ntime to value for software acquisition. In the past, this process has \ntaken over a year, which has fostered inefficient deployment of systems \nprocured and incentivizes DOD organizations to procure redundant \nsystems. What is the Department doing to streamline and standardize the \nC&A process?\n    Ms. Takai. My office recently published DODI 8500.01 \n``Cybersecurity,\'\' and DODI 8510.01 ``Risk Management Framework for DOD \nIT,\'\' which transitions the Department from the DOD-specific Defense \nInformation Assurance Certification and Accreditation Process (DIACAP) \nto the National Institute of Standards and Technology (NIST) Risk \nManagement Framework (RMF) and the NIST security controls, which are \nalready in use by the rest of the Federal Government. 
Vendors may now \nbuild products once according to NIST guidelines and then more readily \ndeploy them government-wide.\n    DOD\'s alignment with the Civil and Intelligence Community on NIST \nguidelines creates one standard that will streamline interagency \ninformation system interconnectivity and promote information sharing. \nThe policies also stress incorporation of cybersecurity early and \nrobustly in the acquisition and system development lifecycle, reducing \ntime and money spent bolting security on late in system development, \nand producing material with cyber security that can keep up with an \nevolving threat. The policies also establish NIST\'s concept of ``common \ncontrols,\'\' allowing information systems to inherit existing controls \nfrom hosting organizations, reducing the number of controls that must \nbe implemented by individual information systems. Additionally, \nindividual software ``products\'\' are not subject to the full RMF \nprocess an information system undergoes. Products are securely \nconfigured in accordance with security controls applicable to that \nparticular product, and then undergo assessment prior to incorporation \ninto an information system. With the adoption of the common NIST \nguidelines, product vendors will be able to better understand \ncybersecurity requirements before they begin development, ensuring \nstreamlined approval by DOD.\n    Mr. Kilmer. The DNI and CIA recognized that they could not afford \nto build a community, multi-tenant cloud with the innovations, scale \nand capabilities that already exist via the leading commercial cloud \nproviders, and that it was faster, cheaper, and better to leverage \nindustry. My understanding is DISA is attempting to build their own \ncloud solution called milCloud which would likely be directly \ncompetitive to Commercial Cloud Providers (CSPs)? 
How much are you \nspending to build this solution, and more importantly, why are you not \nfollowing the same logic the intelligence community is using, even for \nclassified data?\n    Ms. Takai. Under the Intelligence Community Information Technology \nEnterprise (IC ITE) effort, DNI is pursuing both commercially provided \nand Government provided private cloud capabilities. While the large \npublic cloud vendors have certainly captured everyone\'s attention, \nother commercial companies have made significant investments to provide \nproducts that enable organizations to implement their own private cloud \nenvironments. These products have matured to a point where establishing \na private cloud environment is no longer the difficult undertaking that \nit once was. In fact, many of these products build on an organization\'s \nexisting infrastructure to provide cloud capabilities.\n    The genesis of milCloud stemmed from actions to drive efficiencies \nand automation into an enterprise computing service. Today, milCloud\'s \nIaaS capability is implemented using commercial products that build on \nDISA\'s existing, commercially-provided and competitively acquired \ncomputing infrastructure, and enabled DISA to achieve an initial \ncapability with minimal risk. The lessons learned in providing this \ninitial capability are providing valuable information that is informing \nthe Department\'s long term approach to achieving cloud capabilities.\n    The approach taken by the CIA is one of the models under \nconsideration by the Department. One of the most interesting aspects of \nthe CIA cloud is that they were able to attract a large public cloud \nvendor to provide a private cloud capability for the IC. Prior to this \ncontract, Amazon had never provided this type of private cloud. The \nscope of the CIA contract created enough incentive to convince Amazon \nto entertain a new business model that they previously had not \nsupported. 
Compared with the CIA\'s $80.6 million investment, DOD has \ninvested approximately $4.7 million to establish the initial milCloud\'s \nIaaS capability.\n    Today, the Department is making small investments that are \nimproving our understanding of which of the cloud acquisition models \nwill deliver best value solutions to the Department\'s IT requirements. \nThese investments are enabling us to develop a standard approach for \nintegrating CSPs with our wide area network defenses and for conducting \ncoordinated responses to cyber attacks. With these procedures and \ntechnologies, the Department will be able to scale to multiple \ncommercial providers and gain efficiencies through competition and \ncommercial innovation.\n    As we learn from our initial cloud efforts, define the appropriate \ncybersecurity constructs, and continue our collaboration with industry, \nthe Department will be able to effectively expand our use of both \npublic clouds and commercially-hosted private clouds.\n    Mr. Kilmer. Why is DOD classifying all sensitive data/workloads \nthat would run in a Commercial CSP as National Security Systems (NSS) \nand be subject to additional security controls, when very few of them \nare actually classified as NSS by definition?\n    Ms. Takai. The Department is not classifying all sensitive data and \nworkloads as NSS. In our cybersecurity policies we do not differentiate \nbetween NSS and non-NSS. Rather, we have a single set of cybersecurity \ncontrols that is then tailored to a particular system based on the \neffect that system has on the Department\'s ability to perform its \nassigned mission, protect its assets, and fulfill its responsibilities.\n    The Department uses the standard cybersecurity controls defined in \nNIST Special Publication 800-53, Security and Privacy Controls for \nFederal Information Systems and Organizations. 
Building on the NIST \nstandards, the Department worked with the Intelligence Community and \nDHS to develop additional guidance on control selection for evaluating \nIT systems within the NIST Risk Management Framework. This guidance was \npublished through the Committee for National Security Systems, but it \nis used for all DOD systems, not just NSS.\n    Mr. Kilmer. The Office of the CIO recently issued Supplemental \nGuidance for the Department of Defense\'s Acquisition and Secure Use of \nCommercial Cloud Services. This Guidance adds additional security \ncontrols and processes that Commercial CSPs have to go through in order \nto provide cloud services to DOD components. Will DOD data centers run \nby DISA be put through the same level of third party scrutiny and \naccreditation as commercial CSPs are required to complete? If not, why?\n    Ms. Takai. DOD data centers are evaluated using the same \ncybersecurity controls, but are held to a higher standard than is being \nused by the DOD Enterprise Cloud Service Broker (ECSB). Currently, the \nECSB is using the standard profiles for hosting systems that process \nunclassified information and whose loss would not have a significant \neffect on the Department\'s mission. DOD data centers are evaluated \nagainst the requirements for hosting all DOD workloads, including \nclassified systems, and systems whose loss would have a catastrophic \nimpact on the Department\'s mission. In addition, the DOD data centers \nare required to follow additional cybersecurity guidance defined in the \nDISA Security Technical Implementation Guides (STIG).\n    The additional requirements that are identified in the DOD Cloud \nSecurity Model address the need and approach for integrating Commercial \nCSPs with the Department\'s cybersecurity defenses and cybersecurity \noperations. DOD data centers are fully integrated with these network \nprotections and operations.\n    Mr. Kilmer. 
The CIA is moving swiftly to field the Commercial Cloud \nSolution (C2S) to take advantage of the rapid agility and innovation of \ncommercial cloud. My understanding is this community cloud will service \nthe entire intelligence community and significantly reduce the costs of \ncomputing and infrastructure as well as enhance security and \noperational effectiveness. What are your plans to begin transitioning \nyour investment from the NSA IC cloud to C2S to further reduce costs \nand take advantage of the investment the DNI/CIA is making in this \ncommunity cloud based on commercial cloud services?\n    General Alexander. Having an IC Cloud with two diverse, but \ncomplementary, implementations--one commercial and one government--is \npart of the IC ITE architecture established by the ODNI. NSA is working \nwith CIA bi-weekly to ensure that NSA\'s IC-GOVCLOUD and CIA\'s C2S \nmaximize all resources available for IC ITE users. With C2S becoming \navailable in the late summer of 2014, we will have more opportunity to \nmeet a customer\'s needs. NSA and CIA have developed the Joint Store \nFront, which is the front door for an agency to request cloud services. \nThe Joint Store Front will align the requests with resources to ensure \nthat a customer\'s needs are validated and met. NSA and CIA have agreed \nto assess the right mix of cloud services provided by both GOVCLOUD and \nC2S after C2S has been operational for 6 months. This would give us \nbetter metrics to make an informed decision of the roadmaps ahead and \ncapacity needed for both. The assessment is due to ODNI February 2015. \nFor its part as a consumer of the IC Cloud, NSA will be a consumer of \nC2S capabilities where the economies so indicate. 
We expect that the \nprimary focus of the IC-GOVCLOUD will remain data access, integration, \nand analytics, and our roadmap includes converging the functionality of \nthe internal NSA Major System Acquisition clouds (MDR1 and MDR2) with \nthe IC-GOVCLOUD to maximize the potential for integrating data across \nthe IC.\n                                 ______\n                                 \n                   QUESTIONS SUBMITTED BY MR. PETERS\n    Mr. Peters. The Federal Information Technology Acquisition Reform \nAct of 2014 (FITARA) (HR 1232) passed the House on February 25 and has \nbeen referred to both the Senate Armed Services Committee and the \nSenate Homeland Security and Governmental Affairs Committee. With or \nwithout FITARA, how will the DOD ensure that solicitations are based on \nopen standards, technical requirements, and without brand name \nreferences? What is the DOD doing to ensure that fair and open \npractices are being followed to avoid the ``lock-in\'\' of a single \nvendor?\n    Ms. Takai. Independent of the Federal Information Technology \nAcquisition Reform Act, the Department has recently issued the Interim \nDOD Instruction 5000.02, acquisition policy, that establishes a policy \nframework by which DOD will acquire IT. The updated policy includes \nguidance on creating and sustaining a competitive environment that \nencourages improved performance and cost control for DOD systems. The \npolicy also addresses the issue of the government maintaining rights to \ndata associated with a delivered capability to ensure that proprietary \ndata formats and exchanges do not lead to ``lock-in\'\'.\n    In addition to the updated acquisition policy mentioned above, the \nDepartment has promoted the use of open systems and open systems \narchitecture by issuing guidance, such as the ``DOD Open Systems \nArchitecture Contract Guidebook for Program Managers\'\', and \n``Clarifying Guidance Regarding Open Source Software (OSS)\'\'. 
\nFurthermore, these guidelines for open systems architecture have been \nincorporated into the curriculum of the Defense Acquisition University.\n    With regard to open standards, the Department has had a long-\nstanding requirement for programs to follow IT standards that are \nlisted in the DOD IT Standards Registry (DISR). The standards listed in \nthe DISR are managed through a rigorous governance process in which \nopen commercial standards are considered for adoption first and \nforemost. My office will continue to work closely with the office of \nthe Under Secretary of Defense for Acquisition, Technology and \nLogistics to ensure IT investments are based on performance and value \nwhile meeting the Department\'s mission and business requirements.\n    Mr. Peters. Many industry stakeholders believe that DOD sole source \njustifications are provided without adequate market research or include \narguments favoring the need to maintain a single vendor network. Are \nyou aware of instances where sole source justification was provided \nwithout adequate market research or in favor of a single vendor? Please \ndescribe the steps DOD is taking to introduce alternative network \nvendors into the DOD network infrastructure environment.\n    Ms. Takai. I am not aware of any instance where a sole source \njustification was provided without adequate market research.\n    DOD procurement officials are required to follow the procedures \noutlined in the Federal Acquisition Regulation (FAR) and the Defense \nFAR Supplement (DFARS), Part 10--Market Research, which requires market \nresearch for all procurement levels, but the level of detail will vary \nbased on the dollar amount and complexity of the procurement. In \naccordance with FAR Subpart 10.002, acquisitions begin with a \ndescription of the Government\'s needs stated in terms sufficient to \nallow conduct of market research. 
Market research is then conducted to \ndetermine if commercial items or nondevelopmental items are available \nto meet the Government\'s needs or could be modified to meet the \nGovernment\'s needs.\n    In accordance with FAR Subpart 6.302-1(c)--Only One Responsible \nSource and No Other Supplies or Services Will Satisfy Agency \nRequirements--Application for brand name descriptions, there may be \ncases where the use of a particular brand-name, product, or feature of \na product, peculiar to one manufacturer, is essential to the \nGovernment\'s requirements, thereby precluding consideration of a \nproduct manufactured by another company. In these cases, a \njustification and approval must be executed and posted with the \nsolicitation.\n\n                                  [all]\n</pre></body></html>\n'