<html>
<title>[H.A.S.C. No. 114-117] HEARING ON NATIONAL DEFENSE AUTHORIZATION ACT FOR FISCAL YEAR 2017 AND OVERSIGHT OF PREVIOUSLY AUTHORIZED PROGRAMS BEFORE THE COMMITTEE ON ARMED SERVICES HOUSE OF REPRESENTATIVES ONE HUNDRED FOURTEENTH CONGRESS SECOND SESSION</title>
<body><pre>[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]

                         [H.A.S.C. No. 114-117]

                                HEARING

                                   ON

                   NATIONAL DEFENSE AUTHORIZATION ACT

                          FOR FISCAL YEAR 2017

                                  AND

              OVERSIGHT OF PREVIOUSLY AUTHORIZED PROGRAMS

                               BEFORE THE

                      COMMITTEE ON ARMED SERVICES

                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             SECOND SESSION

                               __________

       SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES HEARING

                                   ON

                      FISCAL YEAR 2017 INFORMATION

                     TECHNOLOGY AND CYBER PROGRAMS:

              FOUNDATIONS FOR A SECURE WARFIGHTING NETWORK

                               __________

                              HEARING HELD
                             MARCH 22, 2016

                         U.S. GOVERNMENT PUBLISHING OFFICE

20-077                         WASHINGTON : 2017
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Publishing
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
                          Washington, DC 20402-0001

           SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES

                  JOE WILSON, South Carolina, Chairman

JOHN KLINE, Minnesota                JAMES R. LANGEVIN, Rhode Island
BILL SHUSTER, Pennsylvania           JIM COOPER, Tennessee
DUNCAN HUNTER, California            JOHN GARAMENDI, California
RICHARD B. NUGENT, Florida           JOAQUIN CASTRO, Texas
RYAN K. ZINKE, Montana               MARC A. VEASEY, Texas
TRENT FRANKS, Arizona, Vice Chair    DONALD NORCROSS, New Jersey
DOUG LAMBORN, Colorado               BRAD ASHFORD, Nebraska
MO BROOKS, Alabama                   PETE AGUILAR, California
BRADLEY BYRNE, Alabama
ELISE M. STEFANIK, New York
                 Kevin Gates, Professional Staff Member
              Lindsay Kavanaugh, Professional Staff Member
                          Neve Schadler, Clerk

                            C O N T E N T S

                              ----------
                                                                   Page

              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS

Langevin, Hon. James R., a Representative from Rhode Island,
  Ranking Member, Subcommittee on Emerging Threats and
  Capabilities...................................................     2
Wilson, Hon. Joe, a Representative from South Carolina, Chairman,
  Subcommittee on Emerging Threats and Capabilities..............     1

                               WITNESSES

Halvorsen, Hon. Terry, Chief Information Officer, Department of
  Defense........................................................     3
Levine, Hon. Peter, Deputy Chief Management Officer, Department
  of Defense.....................................................     3

                                APPENDIX

Prepared Statements:

    Halvorsen, Hon. Terry........................................    26
    Levine, Hon. Peter...........................................    35
    Wilson, Hon. Joe.............................................    25

Documents Submitted for the Record:

    [There were no Documents submitted.]

Witness Responses to Questions Asked During the Hearing:

    Mr. Ashford..................................................    44
    Mr. Lamborn..................................................    44
    Mr. Langevin.................................................    43
    Ms. Stefanik.................................................    44

Questions Submitted by Members Post Hearing:

    Mr. Kline....................................................    52
    Mr. Lamborn..................................................    53
    Mr. Langevin.................................................    51
    Mr. Wilson...................................................    49

FISCAL YEAR 2017 INFORMATION TECHNOLOGY AND CYBER PROGRAMS: FOUNDATIONS
                    FOR A SECURE WARFIGHTING NETWORK

                              ----------

                  House of Representatives,
                       Committee on Armed Services,
         Subcommittee on Emerging Threats and Capabilities,
                           Washington, DC, Tuesday, March 22, 2016.
    The subcommittee met, pursuant to call, at 3:43 p.m., in
room 2118, Rayburn House Office Building, Hon. Joe Wilson
(chairman of the subcommittee) presiding.

  OPENING STATEMENT OF HON. JOE WILSON, A REPRESENTATIVE FROM
SOUTH CAROLINA, CHAIRMAN, SUBCOMMITTEE ON EMERGING THREATS AND
                          CAPABILITIES

    Mr. Wilson. I call this hearing of the Emerging Threats and
Capabilities Subcommittee of the House Armed Services Committee
to order. I am pleased to welcome everyone here today for this
hearing on the fiscal year 2017 budget request for information
technology [IT] and cyber programs.
    Lately the Secretary has been highlighting the need for
increased innovation in the Department of Defense [DOD] through
public-private partnerships--and I was grateful that Secretary
Ashton Carter was here yesterday on this issue, so it is right
on point--as well as the importance of generating new
capabilities to offset growing advantages of future potential
adversaries.
    I believe that information technology and cyber will both
serve as key enablers and, at the same time, present key
challenges for the Department as it tries to realize its
vision.
    In this time of fiscal constraint, I also believe it is
equally important to enforce management rigor to make sure that
we are squeezing the most out of every defense dollar where it
makes sense. We need to learn from industry and use the kinds
of business analytics and business intelligence methods that
work so well in the commercial sphere. That also means using
commercial tools to the maximum extent, especially in areas
like business systems and cloud computing.
    We need to find better ways to foster and maintain our own
human capital to support the acquisition and management of
information technology and cyber systems. In looking through
this most recent budget request, I want to make sure the
Department is emphasizing these two complementary tracks--
increased innovation, as well as increased management
discipline.
    I would like to welcome my distinguished panel of witnesses
and appreciate their perspectives on all of these issues. This
panel includes the Honorable Terry Halvorsen, Chief Information
Officer [CIO], Department of Defense, and the Honorable Peter
Levine, the Deputy Chief Management Officer [DCMO], Department
of Defense.
    I would like now to turn to my friend and ranking member,
Mr. Jim Langevin from Rhode Island, for any comments he would
like to make.
    [The prepared statement of Mr. Wilson can be found in the
Appendix on page 25.]

  STATEMENT OF JAMES R. LANGEVIN, A REPRESENTATIVE FROM RHODE
 ISLAND, RANKING MEMBER, SUBCOMMITTEE ON EMERGING THREATS AND
                          CAPABILITIES

    Mr. Langevin. Thank you, Mr. Chairman. Thank you for
convening this hearing. And I want to thank our witnesses for
testifying today on the President's fiscal year 2017 budget
request for information technology and cyber programs.
    Last week, we heard about the cyber mission force build and
operations from Admiral Rogers, and today we will hear about
the infrastructure our warfighters operate within and defend
for the enterprise. Cyber Command [CYBERCOM] has advocated for
the ability to see the network in order to provide better
defense. The joint information environment, or JIE, is the
guiding effort for achieving this capability. And today I hope
to hear about the progress made under the JIE umbrella,
governance for this effort, and service contributions.
    Another major undertaking I would like to discuss today is
implementing the Department's cloud strategy. The DOD's
migration to the cloud has slowed due to laborious
certification requirements and an acquisition system unable to
keep up with cloud services procurement. This also seems to
hinder any efficiency or cost savings that could otherwise be
achieved.
    Finally, the DOD has been tasked with building and
maintaining the IT system for OPM's [Office of Personnel
Management's] new National Background Investigation Bureau.
While it makes sense the Department provide expertise on
building a secure system, I am concerned the DOD is assuming
all the risk by providing resources and assuming responsibility
for decisions made outside the Department.
    As a long-term advocate for cybersecurity within this
subcommittee, I am glad we have taken the time to not only
discuss the build and operations, but also the infrastructure
our cyber warriors operate within every day over the last few
weeks.
    Again, thank you, Mr. Chairman, and I want to thank our
witnesses for being here today to discuss this important topic.
And I yield back the balance of my time.
    Mr. Wilson. Thank you, Mr. Langevin. And now welcome again
to our witnesses. Your written statements will be submitted for
the record, so we ask that you summarize your comments in 5
minutes or less, and then after that, each of the persons on
the subcommittee will go through a 5-minute process and Kevin
Gates will make sure it is done correctly.
    So we now begin with Mr. Halvorsen.

 STATEMENT OF HON. TERRY HALVORSEN, CHIEF INFORMATION OFFICER,
                     DEPARTMENT OF DEFENSE

    Mr. Halvorsen. Good afternoon, Mr. Chairman, Ranking
Member, and distinguished members of the subcommittee. Thank
you for this opportunity to testify before the subcommittee
today on the Department's information technology budget
request.
    As the Department's CIO, I am the principal adviser to the
Secretary of Defense for information management, IT,
cybersecurity, communications, positioning, navigation, and
timing, spectrum management, senior leadership, nuclear command
control, and communications matters. Those latter
responsibilities are clearly unique to the DOD.
    My imperative as the CIO in managing this broad and diverse
set of functions is to ensure that the Department has the
information and communications technology capabilities needed
to support the broad set of Department missions. This includes
supporting our deployed forces and cyber mission forces, as
well as business and warfighting support functions.
    As Secretary Carter has stated, DOD must address strategic
challenges across all domains, not just air, land, and sea, but
increasingly in cyberspace. The Department's budget includes
funding to address these challenges, including IT and cyber
investments that are critical to the Department's warfighting,
intelligence, and business missions.
    As the CIO, I am driving cultural, business, technical
improvements, and innovation into DOD's IT and cyber to better
support defense missions and operations. My written testimony
provides more detailed information on the Department's IT and
cyberspace budget and priorities.
    I want to emphasize that these efforts require teamwork and
partnership within DOD, which includes DISA [Defense
Information Systems Agency], USD [Under Secretary of Defense]
AT&L [Acquisition, Technology, and Logistics] and Policy, U.S.
CYBERCOM, DCMO, and other partners.
    External partnerships to DOD will also be critical, to
include Congress, industry, and our allies. I strongly believe
an expanded partnership with industry will be essential to
expanding and maintaining technology advantages, while
improving our fiscal accountability.
    I thank you for your interest and support, and I look
forward to your questions.
    [The prepared statement of Mr. Halvorsen can be found in
the Appendix on page 26.]
    Mr. Wilson. Thank you, Mr. Halvorsen. We now proceed to Mr.
Levine.

    STATEMENT OF HON. PETER LEVINE, DEPUTY CHIEF MANAGEMENT
                 OFFICER, DEPARTMENT OF DEFENSE

    Mr. Levine. Thank you, Chairman Wilson, Ranking Member
Langevin, and members of the subcommittee.
    I am Peter Levine, and I am the Deputy Chief Management
Officer of the Department of Defense. Two years ago, this
committee enacted legislation which will merge the offices of
the DCMO and CIO. However, that legislation does not take
effect until the beginning of the next administration, so until
that time, the CIO, Mr. Halvorsen, will remain the responsible
official within OSD [Office of the Secretary of Defense] for
IT, cybersecurity, and many of the other issues addressed in
your letter of invitation.
    The DCMO's role, until such time as this merger takes
place, is limited to reviewing and approving of investments in
IT business systems. We do thank you in that regard for last
year's NDAA [National Defense Authorization Act], in which you
substantially streamlined and gave us more flexibility in the
way we do this. We intend to use this flexibility in several
ways.
    First, we intend to change our focus from the discrete
review of each individual small investment and focus more on
portfolios, so we can be more forward-looking in our management
of business systems. Second, we plan to focus much more on
return on investment, so that we can ensure that when we invest
in business systems, we actually realize the benefits that we
should be able to get out of them, that we actually turn off
the legacy systems and reduce manning, where we can develop
more efficient and less manpower-intensive processes.
    And finally, we are going to work to develop a streamlined
process for business systems where we can align our business
systems investment process, our CIO process, and our
acquisition process into a single process so that we don't have
to sequentially go through one after the other and put the
program manager through recurring hoops as we go forward.
    We are firmly committed to working with you as we try to
make the business systems process more efficient and to improve
the Department's investment process and look forward to your
questions.
    Thank you, Mr. Chairman.
    [The prepared statement of Mr. Levine can be found in the
Appendix on page 35.]
    Mr. Wilson. Thank you very much. And we will now proceed
with a 5-minute round. I want to commend Lindsay Kavanaugh and
Jim Langevin for achieving an extraordinary turnout today. So,
congratulations. You did good.
    And I will begin with myself. And this is for both of you.
What do you see as the major budgetary challenges in this
year's President's budget request? Where are we accepting risk
based on current budget constraints?
    Mr. Levine. I will give the gentle answer, which is not
enough money. And I will defer to Mr. Halvorsen as to the IT
budget specifically.
    Mr. Halvorsen. I certainly echo Peter's first comment about
not enough money. I think in the IT area, we are taking some
risk in modernization. Some of it will slow. We are trying to
balance that and make sure that we don't take that risk in the
security side.
    The other I think challenge that we are going to have in IT
may not be exactly in the budget, and it is going to be the
retention of the IT workforce. And frankly, that is going to
come down to an economic decision. I happened to be in the
valley [Silicon Valley] last week, and, you know, Google
announced they are raising the pay for cybersecurity by another
20 percent. That is going to keep impacting our ability to
attract talent.
    If you ask me about the budget, what keeps me up more at
night, that is probably the answer, sir.
    Mr. Wilson. And thank you very much. And, Mr. Halvorsen,
Chairman Mac Thornberry's most recent defense reform proposal
emphasizes prototyping experimentation. Can you tell us what
the Department is doing with regard to information technology
and cyber programs that highlight these approaches?
    Mr. Halvorsen. Yes, thank you. I think a couple things that
we want to think about when we answer this question, much of
the innovation today being driven in the cyber and IT business
is coming from the commercial sector. We want to be closer tied
to the commercial sector, so thanks to some legislation last
year, I am able to now put people from DOD inside of business--
and we are doing that today--and also have business people on
my staff, which we are also doing today.
    I think that partnership that we continue to strengthen is
a key to us getting the right innovation and getting it on
time.
    Within the DOD, I want to focus our S&T [science and
technology] dollars around the areas the industry isn't going
to focus on, and that is going to be on the weapons systems and
top-level security systems, where there is not yet much play in
the commercial sector, and I think our budget reflects that
that is where our emphasis is and also reflects where we are
taking risk is around innovation dollars that we would have
that were inside the budget for commercial areas that we have
taken some risk and are not spending that much.
    Mr. Wilson. And, again, I am impressed with the efforts by
Secretary Carter to work for public-private cooperation.
Additionally, Mr. Halvorsen, in the fiscal year 2017 budget
request, the Defense Information Systems Agency, the primary IT
provider for the Department, eliminated the S&T funding it had
to pursue innovation and technology demonstration. Please
explain the rationale for that decision and how this aligns
with the Secretary's emphasis on drawing in innovation from the
commercial sector.
    Mr. Halvorsen. Yes, we certainly reduced DISA's S&T
funding. They still have some R&D [research and development]
money. But in the area we reduced it is aligned exactly--I
think what we have said before--today, where we are going to
get our information, and particularly true for most of DISA's
activities, which are supporting our business functions, is
from industry and commercial.
    So in a constrained budget, in my opinion, that was where
we chose to take some risk, because I think I can get that same
innovation effect by strengthening our relationships with
commercial industry.
    Mr. Wilson. Additionally, Mr. Halvorsen, section 901 of the
fiscal year 2015 NDAA mandated that the chief information
officer begin to exercise authority, direction, and control
over the Information Assurance Directorate of the National
Security Agency.
    Recently, this subcommittee was made aware of a DOD
proposal to place that authority, direction, and control back
with the Under Secretary for Intelligence. Do you support the
Department's proposal? What are the pros and cons of keeping
that authority with the chief information officer?
    Mr. Halvorsen. I don't know that the Department has made a
formal proposal yet. I know that it is being discussed.
Candidly, I would have some concerns about moving it away from
the DOD CIO, but more importantly what we are doing is working
with the intel side of the Department to form a governance
structure that will allow both CIO and intel equities in the IA
[information assurance] money to be addressed.
    Mr. Wilson. Well, with your background, we would all
appreciate any input at any time as we consider these issues.
    I now yield to Mr. Langevin.
    Mr. Langevin. Thank you, Mr. Chairman. Again, I want to
thank both of our witnesses for being here and what you are
doing in the IT and cyber sphere.
    So one of the questions I had--and, Terry, you talked about
it just a minute ago in terms of, well, the private sector
increasing what they are paying their cybersecurity folks, and
it is going to be particularly challenging now for us to
compete to get that top-end talent.
    I know in the NDAA last year, we gave more flexibility to
the Department to try to take advantage of that IT talent. You
know, for example, allowing potentially--as I envision it--to
see private sector to be able to detail for maybe a year or two
these high-end individuals that, you know, it would be
challenging for us to both afford, attract, and keep for a long
period of time.
    But, you know, companies have an interest in patriotic duty
and want to help secure the Nation in cyberspace. So we made
some progress in that with the NDAA, giving some flexibility to
the Department. Can you tell me, do you need additional
authorities to further take advantage of that talent so that we
have the cyber workforce that is as robust as possible and our
networks are as secure and as robust as possible?
    Mr. Halvorsen. First, I would thank you for the NDAA last
year. That is helping some of the work we are able to do, the
excepted workforce in cyber, being able to bring the people in
from industry like we are doing now. I do think we will need
some legislation that probably changes slightly the rule sets
about what we are allowed to do with the industry people.
    I think exactly what you stated. We really want to be able
to bring them in and have them sit in a position for a year,
being able to execute some decisions within the Department, and
then go back to industry, just like I think there is a market
space today for us to have some of our civilian employees go to
industry, and industry would like to have them--and I think we
will need to tweak some of the legislation so that could happen
more often.
    I think we share the vision. In the end, we want more of an
in and out, back and forth. And you could really see the career
path in cyber IT changing so that it is not an all-civilian or
all-government career path, but a much more combined career
path. And I think that would serve the Nation well.
    Mr. Langevin. Good. I mean, that is exactly where I hope
that we are going to be and that is what we want to get to.
Please, I hope you will work with us and tell us how we can be
of help in terms of additional legislation and language that
you need to get to that point.
    So as I mentioned in my opening statement, I find it
appropriate the Department of Defense is involved in building a
new IT system for OPM's new National Background Investigation
Bureau [NBIB] that will house sensitive personnel information.
    However, I am concerned that the DOD has been given
guidance and deadlines that are not realistic and is assuming
all responsibility for performance, when the decision-making
authority may be shared.
    So my questions are, can you describe the Department of
Defense's role in building and maintaining a new IT system?
Specifically, what is the amount requested for fiscal year
2017, as well as in the out years? Was additional money added
to the top line for DISA's role in this effort? Or is it coming
out of hide?
    What are the resources that are being provided for this
effort? Is the current workforce sufficient to meet the demand
or will additional personnel be billeted? Will the Department
have sole decision-making authority in building and maintaining
the system? Or is it shared with OPM and other communities? And
what timelines have been established for delivering the system?
    And, Mr. Levine, if I could--Levine, I am sorry--what role
will you have in doing business process re-engineering to
change the way NBIB does business so it fits the IT system, not
the other way around? And if you need me to repeat any part of
that, I will be glad to. Sorry it is such a long list.
    Mr. Halvorsen. So, sir, what I would like to do, because I
do think that question deserves a lot of matter, is I will make
some comments on it, but I would also like to take that for the
record and get back to you with some of the specific answers.
    [The information referred to can be found in the Appendix
on page 43.]
    Mr. Langevin. Fair enough.
    Mr. Halvorsen. For 2017, it is $95 million. There was a
top-line increase to DOD for doing some of this. We will get
you the exact numbers across the FYDP [Future Years Defense
Program]. And then I would be foolish if I said there is not
some concern on DOD's part about how this is going to work, and
what I would assure you is from a standpoint of the build, we
are going to get the requirements from the group that is
looking at how we are going to redo the whole investigation
process.
    When I have those requirements--and that group starts next
week, and we have members on it--we will build a system that
supports those requirements that also ensures security. If at
any time I think that that is not happening, I will be the
first to let you know.
    I am comfortable right now that we have worked out a
governance process with OPM and OMB [Office of Management and
Budget] that makes DOD the decision maker for all of the
technical decisions and the security decisions, but I am still
concerned and we will have to see how that goes forward. And I
will get you more detail on the rest of the question.
    Mr. Langevin. I would appreciate it, whatever additional
detail you could provide. And I would just assure we stand
ready to support you in this effort as you make the transition.
And Mr. Levine?
    Mr. Levine. With regard to the business process re-
engineering, we definitely have less of a role in that than we
would have if the entire mission had been transferred to the
Department of Defense. However, it was never going to be
entirely the Department of Defense in any case because as you
know the DNI [Director of National Intelligence] establishes
security clearance policy, so we are always going to have to
work with outside agencies and reconcile differences with
outside agencies.
    We are undertaking with the Under Secretary of Defense for
Intelligence to re-engineer the DOD part of the process. We are
looking at continuous evaluation. We are looking at other
measures to streamline our organization and streamline our part
of the process. And we do still have a piece--significant
pieces of the process. It is the investigation piece that OPM
has, but not the entirety of the process.
    As we do that, we will see places where we are going to
want help, we are going to want changes in the OPM piece of the
process, and we will have to work that through the interagency,
because we don't control it, but we will work it through the
interagency process.
    Mr. Langevin. Very good. Thank you. I yield back.
    Mr. Wilson. Thank you, Mr. Langevin. We now proceed to
Congressman Doug Lamborn of Colorado.
    Mr. Lamborn. Thank you. And I will get to the budget
implications of this in just a minute, but how active are we in
working with allies, NATO [North Atlantic Treaty Organization]
allies, Israel, et cetera, in combating cyber threats and cyber
attacks?
    Mr. Halvorsen. Extremely active. A couple of the things
that we have done that I can talk about in this forum with the
Five Eye community,† we actually established last year a
CIO Five Eye group that meets physically every 6 months,
virtually every quarter. Our next meeting is in London, where
cybersecurity is certainly one of the big topics. We have had
visits to Israel, exchanging data. That continues.
---------------------------------------------------------------------------
    † "Five Eyes" is an intelligence alliance involving
Australia, Canada, New Zealand, the United Kingdom, and the United
States.
---------------------------------------------------------------------------
    I just came back from Korea and Japan, where that was a
major topic. I can tell you that the NATO partners, Korea,
Japan, Germany, have all adopted the DOD cybersecurity
scorecard as the basis for measuring how effective we are doing
cybersecurity basics across the board, which I think is a big
breakthrough.
    So we can probably give you some more detail, and we will
take that for the record, but they are the major things that we
are doing to improve our information-sharing.
    [The information referred to can be found in the Appendix
on page 44.]
    Mr. Lamborn. Well, that is good to hear. And do you have
any recommendations in the budget on maybe making that even
stronger? Or, I mean, I know you have a good budget that you
are defending right now, but do you see any room for
improvement in that area in particular?
    Mr. Halvorsen. You know, I do see room for improvement, but
I don't think right now that is a money issue for improvement.
I think it is more of getting all of us aligned to the right
principles and basics.
    Today we have made good progress within NATO--and as I
said, Japan and Korea and Germany--there is some other work we
need to do with other partners.
    I will be in Estonia in June working some of those issues.
And what I would like to do is when I come back from that, I
will have a better sight picture, is maybe give you some more
answers on what I think we might need to do to go beyond some
of our traditional allies.
    Mr. Lamborn. Okay. I appreciate that. I would like to
follow up on this conversation at another time. Thank you, Mr.
Chairman.
    I yield back.
    Mr. Wilson. Thank you, Mr. Lamborn. We now proceed to
Congressman Jim Cooper of Tennessee.
    Mr. Cooper. Thank you, Mr. Chairman. First, the Santa Claus
question. Both of you mentioned that you would like to have
more money. How much? And for what?
    Mr. Levine. I would say that as the DCMO, my responsibility
is finding efficiencies. I am not actually looking for more
money. The Department is looking for more money. I am trying to
identify efficiencies within the Department where I can free up
money so that we can invest more in the long-range science and
technology programs and force structure and things that we need
to keep our force ready to go today and ready to go in the
future. That is where I need more money.
    I would defer to Mr. Halvorsen as to specific IT
investments.
    Mr. Halvorsen. I think to upgrade some of our legacy
systems. And I can get back to you with a number on that. And
to tie back with Peter, I think some investment in the legacy
systems--and particularly some of the larger both HR [human
resources] personnel and pay systems--those investments would
do two things for us.
    One, we would certainly improve security. There are some
issues we need to fix there. Secondly, I think we could improve
efficiency, and after we made those investments, I actually
think the return on investment would be pretty good. But I will
come back to you with a number, sir.
    [The information referred to was not available at the time
of printing.]
    Mr. Cooper. Thank you. Now the Scrooge question. Pentagon
is the least auditable of all government agencies. It has been
a risk factor for the GAO [Government Accountability Office]
for 20 years, the number one risk factor. Will your IT work
help the Pentagon get audited faster?
    Mr. Levine. The answer is yes. Improved business systems,
improved financial management systems definitely make an
impact. We are much closer today to being auditable than we
were 10 years ago. A significant part of that is because of the
ERP [Enterprise Resource Planning] investment. But there are
many, many hurdles we have to get over that are not IT, and IT
can't solve it by itself.
    We have policy issues that we have been kicking down the
road 10 years that now that we are facing a 2017 deadline, we
are finally getting people to be serious about and say, hey,
yeah, we actually have to make those decisions, we have to
figure out how we are going to go about that.
    So the DCMO co-chairs the governance board, the FIAR
[Financial Improvement and Audit Readiness] governance board,
which is responsible for trying to drive the Department toward
audit with the Comptroller, with Mike McCord. And since I
arrived at the Department about 10 months ago, we have been
trying--we have set the Department on a program of identifying
what our key interim milestones are that we need to hit in
order to become auditable.
    We have identified a lot of things that should have been
addressed 5 years ago or 10 years ago, but we are trying to
chip away at them one at a time, and we think that the deadline
is extremely constructive in pushing us toward that objective.
    The Department seems to have an infinite ability to kick
things down the stream and facing a deadline that is 2 years
away really helps focus the attention.
    Mr. Cooper. Well, some people would say 2017 is next year,
not 2 years away.
    Mr. Levine. It is October 1, 2017. I guess we can--a year
and a half is what that is, yes, sir.
    Mr. Cooper. Doesn't sound like you are very optimistic
about meeting the deadline.
    Mr. Levine. When I came before the Senate Armed Services
Committee for my nomination hearing about almost exactly a year
ago, I testified that I had never been confident the Department
was going to meet the deadline, and I couldn't change my
position just because I was testifying for confirmation.
    So I can't change my story now. I am skeptical that we will
have done everything we need to do. But I am going to push as
hard as I possibly can to get us there.
    Mr. Cooper. Okay, now the long-awaited question of the
ghost of Christmas past. The Joint Chiefs hack, there was
apparently somebody who signed on to an e-mail, like the
equivalent from the Nigerian prince or something. Has that
person been identified who opened that foolish e-mail? And
would it help if they were identified, if they have not been
identified previously?
    Mr. Levine. I will say that the people that opened the e-
mail have been identified, and we have looked at the reasons
why, and in some cases, we did some remediation. In other
cases, they had followed the right procedures, up to a point,
and we needed to do some more training. That has been put in
place to do that, but I would also say that was also one that
was caught very quickly.
    We had very limited exposure--still would like to do
better--but the system and when you look at the volume of e-
mail traffic that comes into DOD, how many we get, and the
number of people that click, great improvement. We are
certainly holding people accountable to a higher standard now.
    We have signed out the cyber accountability culture
document that was signed by DEPSECDEF [Deputy Secretary of
Defense].
Myself, Frank Kendall, and Mike Rogers have signed \nout the accountability procedures document to make it down to \nthe individual and command level, so I think we have made \nprogress in that area.\n    I don't think identifying any more individuals at any more \nlevel would be helpful right now.\n    Mr. Cooper. I see my time has expired, Mr. Chairman.\n    Mr. Wilson. Thank you, Mr. Cooper. We now proceed to \nCongresswoman Elise Stefanik, of New York.\n    Ms. Stefanik. Thank you, Mr. Chairman, and thank you to the \npanelists for being here today. I have two questions. The first \none will be quite broad. The second one will be quite specific. \nAs you are well aware, the threats to the United States have \nevolved dramatically in the last 10 years. State and non-state \nadversaries have adapted to a new digital environment quite \nwell. And it is important that the United States invests in the \ntime, training, and infrastructure to counter the whole \nspectrum of cyber threats.\n    So as we see in the news, cyber provocation against the DOD \ninfrastructure continues to increase, what is your assessment \nof the DOD's ability to counter such intrusions today? And what \ncan I tell soldiers that I represent at Fort Drum in my \ndistrict what we are doing to ensure that they are protected? \nAnd what have we learned about the enemy? And how has that \nchanged our approach? That is the first broad question.\n    Mr. Halvorsen. Again, I will make some comments on it, but \nwe will take that for the record, because I think it is a good \nquestion and we owe you some better details on that.\n    [The information referred to can be found in the Appendix \non page 44.]\n    Mr. Halvorsen. We certainly have improved training across \nthe board in the cyber spectrum. The cybersecurity culture \nissue is one that is on top of the Secretary's desk. 
We meet \nevery month on the cybersecurity scorecard, and a part of that \ngets to what is the training of the individuals. The networks \nthemselves are much better today. They are not exactly where we \nwant them. We have got three major efforts to improve that.\n    The first one is, you are probably aware that the Secretary \nhas directed that this year we move as much of DOD as \npossible--the ones that are on Windows operating systems--to a \nWindows 10 baseline. I cannot stress the criticality of us \ngetting that done.\n    Right now, when you try to look at the visibility of the \nnetworks, while we are making improvements, you are doing that \nacross multiple operational systems, multiple baselines. It is \nimpossible to do, do well.\n    Getting to a single baseline for Windows--and that is about \n80 percent to 85 percent of the DOD--will give us the ability \nto have better visibility. Windows 10 is the first operating \nsystem that really thought about security right from the \nbeginning and has in-built features that we will take advantage \nof.\n    It will also allow us to go to the next step, which is how \ndo you then start taking and really using cloud computing \ntechnology to improve your security? So we are positioned to do \nthat. We have got things we have to get done, and the first one \nis to get the Windows 10 done.\n    The other big initiative is to complete the joint regional \nsecurity stacks. In its simplest forms, what that does is lower \nour footprint. Today, we have got 1,000 points that you can \ncome in. When the joint regional security stacks are done, we \nwill have less than 100 points. That is a lot easier to defend, \nand we can focus more on it.\n    It also stops us from doing our own self-denial attacks, \nwhich are also--happen when you are trying to keep aligned over \n1,000 different firewalls. We will reduce the firewalls, have \nbetter overall security and visibility into the networks. 
That \nis what we are doing at the big end.\n    Ms. Stefanik. Okay, so the specific questions are actual \nfollow-ups to your answer. When you reference the cybersecurity \nscorecard process, what is the scorecard exactly? Can you get \ninto more specifics? Can this information and will this \ninformation be shared with Congress? Are there plans to expand \nscorecards beyond cybersecurity? And how does a negative \nscorecard rating of a DOD component, what is the consequence of \nthat?\n    Mr. Halvorsen. Again, we will give you some more details in \nwriting, but here is what I can tell you. The scorecard is \nlooking at what we have defined right now as basic areas that \nwe should be measuring. One of them is, is everybody using a \nsecure token to access DOD systems.\n    The advantage of that is, is immediate. If you are using \nthe token, A, we know exactly who logged in, when they logged \nin, where they are at, and it is a lot harder to fake that \naccess. So it is an immediate improvement.\n    Ms. Stefanik. Can that information be shared with Congress?\n    Mr. Halvorsen. Actually, I am happy to give it to you. We \nhave actually shared it with other committees, and I am happy \nto send one over when I get back, the current scorecard.\n    Ms. Stefanik. And the results of the scorecards that are \nshared?\n    Mr. Halvorsen. The results is right on it. It will show you \nwhere we are at. We are not where we want to be in all of the \nareas. We are measuring ourselves to extremely high standards. \nOne of the things that I just want to say upfront, when you \nlook at cyber, you could hit 80 percent and a lot of people \nwould think that would be good. In cyber, that is not good \nenough.\n    So when you see that we are in yellow and, in some cases, \nred, it is because we are trying to get above in almost every \ncategory 95 percent to be green.\n    Ms. Stefanik. 
And the last question is, you talked about \nthe Department's plans to move to the Windows 10 operating \nsystem with a mandate to so by a certain date. What is the cost \nof that transition?\n    Mr. Halvorsen. I don't know the exact cost yet. We will get \nthat to you. But what I could tell you, the cost not to do that \nwould be in the billions.\n    [The information referred to can be found in the Appendix \non page 45.]\n    Ms. Stefanik. Great, I would look forward to getting more \nof that in writing afterwards. I yield back.\n    Mr. Wilson. And thank you, Congresswoman Stefanik. We now \nproceed to Congressman Pete Aguilar of California.\n    Mr. Aguilar. Thank you, Mr. Chairman. Mr. Halvorsen, can \nyou talk to me broadly about in your testimony you talk about \ncloud computing. Where will cloud computing be in 5 years and \nin 10 years?\n    Mr. Halvorsen. In 5 years, I am hopeful that we will be in \nan almost complete virtual cloud environment, and cloud defined \nthis way. We will have private clouds, which are completely \nprivate within segments of DOD. We will have private clouds \nthat are just DOD, you know, inside it. And we will have \nprivate clouds that are DOD and other parts of the Federal \nGovernment. And then we will have hybrid public clouds.\n    Because of the size of DOD and the Federal Government, we \nought to be able to move into where we would have government \nhybrid clouds hosted in commercial centers as opposed to some \nof the things I talked about earlier, would be on premise, that \nwould give us the best combination of mission security and \nvalue.\n    Mr. Aguilar. Is that what you mean when you talk about in \npage 3 of your testimony mission partner environment, when you \nare talking about commercially accessible, reconfigurable, and \nsecured data that can be shared with commanders?\n    Mr. Halvorsen. A little broader than that. 
The mission \npartner environment would certainly use cloud technology, but \nin that part of the testimony what I am really talking about is \nhow we would be able to support our COCOM [combatant command] \ncommanders as they partner with both traditional and non-\ntraditional allies to support whatever mission it is, to be \nable to stand up virtual networks on the fly, to be able to do \nthat both at a secure level, at a speed level that we need, and \nthen to keep it fiscally responsible.\n    Mr. Aguilar. Can you talk a little bit about how you \nenvision that working and what our stakeholders and coalition \npartners, what their role in that would be?\n    Mr. Halvorsen. So as we can move to cloud technology, one \nof the things that we have got to recognize, we have got to \nget--our MPE [mission partner environment] is going to have to \nbe commercial-based. We are not going to be able to do this at, \nsay, a U.S.-only based system. A, other pieces of our allies \ncouldn't afford that, and it is not what they are going to \nagree to do.\n    So basing this on a commercial set of technology that also \nuses commercial classified technology, would allow us to, in \nthe cloud, put together a virtual network that--let's say we \nhad a--this is a really good example, and I think it is in the \ntestimony--and we have done this--let's say we had a natural \ndisaster that had allies now--like the Chinese, the Cubans, us, \nthey are not traditional allies. We could actually stand up a \nnetwork, once we get some of the technologies in place, that \nwould allow data to be shared.\n    And let's say we want to share data with China, we want to \nshare data with Cuba, but not exactly the same data. We could \ndo that on a network with the right protections to protect the \ndata that we need using almost commercially available \ntechnology today. There is a few pieces that have to be done, \nbut I am--no doubt they will be done by the end of this year.\n    Mr. Aguilar. 
Well, look forward to seeing that development \nand our discussion about that moving forward. Thank you so \nmuch.\n    I yield back, Mr. Chairman.\n    Mr. Wilson. Thank you, Congressman Aguilar. We now proceed \nto Congressman Brad Ashford, all the way from Nebraska.\n    Mr. Ashford. It is a long trip every morning. Thank you, \nMr. Chairman, being able to get here.\n    Congressman Langevin raised the issue that I am trying to \nunderstand further. And your answers were good. I want to \nfurther understand it, though, a little bit, because we talk a \nlot about employee exchanges with the private sector and the \nneed for additional authorities to do that.\n    It seems to me it is a critical part of the plan going \nforward and with the talent out there and the demands on the \nbudget and being able to bring people in. And you have, \nCongressman Langevin, hit it 100 percent, and you did, as well, \nin your answers.\n    What do we have to do in order to--I mean, it seems to me \nthat is something we should be able to move on. And what sort \nof authorities would we need in order to do that?\n    Mr. Halvorsen. Again, I would like to come back on record--\nhere is what I would tell you I think the first area. Today \nthere are some statutes that actually prohibit us from giving \ndecision authority to those type of positions. While we \ncertainly want to protect them and make sure that the \ngovernment is in the end responsible for the decision, if I \nhave got somebody industry--so let's take cloud.\n    The best cloud engineers today are not in the government. \nThey are not. We have some really good ones, but the best ones \ntoday are in industry. We ought to be able to get some of those \nin. 
I ought to be able to assign one of them, say, okay, you \nare the lead cloud engineer for this year that you are doing \nthis work with us, and give them the authority to make \ndecisions, and with some oversight, expend dollars.\n    Today, under the current authorities, that is hard to do. I \nneed to do some work to figure out what that should look like, \nand I will come back to you by the summer, if that is good, \nwith some recommendations.\n    [The information referred to can be found in the Appendix \non page 44.]\n    Mr. Ashford. That is really all I have. That is extremely \nhelpful. It seems to me that there are areas where, as you \nsuggest, the private sector or the nongovernmental sector have \nthose expertise. So thank you, Mr. Chairman. That is all I \nhave.\n    Mr. Wilson. And thank you, Congressman Ashford. And due to \nhow important these issues are, we will proceed with a second \nround.\n    And, Mr. Levine, DOD doesn't have a stellar track record in \ndeploying business IT systems. What recommendations would you \nhave to make to improve our abilities to deploy business \nsystems? And, secondly, how can we improve or shape the \nworkforce to better configure, deploy, and manage these \nbusiness systems?\n    Mr. Levine. First, we don't just not have a stellar record. \nWe have a horrendous record of deploying business systems. I \nthink that of all the things that we do badly, that is one of \nthe ones we do the worst.\n    So there are a number of things that we need to do on our \nside of the river to do better. 
One of the things that we need \nto do is to recognize the business systems themselves are not \ngoing to solve our problems, that what we need to look at is \nthe processes that we are automating, so that if you try to \nautomate an old process without looking at it and figuring out \nhow it works, you are doomed to failure.\n    We have tried many times to buy an off-the-shelf system and \nthen said to the users of the system--well, have the users of \nthe system come in and tell us, well, that is not exactly the \ndata we want. We want this other data, because that is what we \nhave actually used, and we start tearing apart the guts of an \noff-the-shelf system. And before you know it, we have spent \nfive times as much to re-engineer the system and to rebuild the \nsystem as the cost of the system itself.\n    We have to control our own appetite, and that is something \nthat we are working on within the Department. In terms of what \nyou could do to help us--so one thing that I would say that you \ncould do to help us, that I hope you will think about, is as we \nlook at the process that we have to go through for business \nsystems, right now, as I said, we are going to try to work with \nthe acquisition community to re-engineer that, because we have \na system where we go through an investment review process, we \nidentify a potential solution, and it may be like a $20 million \nfix to a problem where you do a tinker with an existing system.\n    We then have to throw it over the threshold, over the \ntransom to the acquisition community that may set up a program \noffice that in itself would cost $20 million, and they will \ncome to us with a solution which is, let's build a whole new \nsystem from scratch. Well, that is crazy.\n    So we are going to try to re-engineer that within the \nDepartment. There may be places where we come to you for \nassistance in doing that re-engineering. 
And there is one place \nin particular I would point to, which is right now for what I \npresume are historic reasons, we have one set of thresholds for \nwhat are called major defense acquisition programs [MDAPs].\n    We have another set of thresholds for what are called major \nautomated information systems [MAIS] programs. MDAPs and \nMAIS's. The MAIS thresholds are way, way lower, an order of--I \ndon't know, a couple of orders of magnitude lower than the \nthresholds for MDAPs, but we treat them as the same thing.\n    What that means is, that when we have an IT--a business \nsystem investment, we trigger a process on the acquisition side \nwhich is as big and as clumsy as the process we have on the \nacquisition side when we are buying an aircraft carrier or a \nfighter aircraft or something like that. And if you are buying \na business system, I am not sure that makes sense.\n    And so I think if you would look at where you treat MAIS \nsystems and MDAPs the same and whether you need to treat them \nin the same way in legislation, I think that is something \nconstructive that could help us in streamlining our own \ninternal processes.\n    Mr. Wilson. Well, thank you for being so candid. And \nadditionally, too, hey, technology changes overnight, and so I \nknow it is an extraordinary challenge, but we appreciate both \nof you on what you are doing. Also, I am grateful--Mr. \nHalvorsen, I notice your association with Rotary International, \nyour service as a Paul Harris fellow. I am happy to be with \nyou.\n    So a question, Mr. Halvorsen. Spectrum is a vital resource \nfor the Department. However, it is also one that we are in \nincreasing competition with the commercial sector. What \nchallenges do you see over the next 10 years when it comes to \nthe DOD's use of spectrum? What recommendations would you make \nto improve the responsiveness of the regulatory process to \nincluding national security concerns and economic priorities?\n    Mr. Halvorsen. 
So I think today we are in a good spot, hard \nwork with spectrum. We did well with the last auction. And the \nmoney is there to change where DOD can move and share spectrum. \nWhat I worry about right now is that the private demand for \nspectrum is going to exceed our ability to keep pace. And we \ncould, if we are not careful, put some national systems at \nrisk.\n    Some of this takes time. And in this business, I get that \ntime is really valuable and it is money, but there is a \nphysical limitation to how fast we can move the DOD systems \neither into the ability to share spectrum or out of some \nspectrum. And I worry--maybe because we are victims of our own \nsuccess--we have done very well, and the legislation that has \nbeen written and the sharing has all worked to date.\n    But what I hear from industry right now is, well, we want \nto go faster. And I don't know that we can go much faster today \non how we look at spectrum, make the decisions where we can get \nout, and how we would share.\n    I would also tell you that while I think industry is \nstarting to look at making their own investments in helping us \nshare, they are just starting that.\n    And I think one of the things we need to look at is, I am \nhappy to be measured on how DOD is making investments to \nshare--and we ought to think about some measurements that we \nwould give industry to say, how are you doing in making the \ninvestments to--your contributions to helping us get to that \nstate?\n    Mr. Wilson. Well, thank you very much. And now Ranking \nMember Jim Langevin.\n    Mr. Langevin. Thank you, Mr. Chairman. Again, thanks to our \nwitnesses for being here.\n    So yesterday I had the opportunity to have a sit-down with \nDeputy National Security Adviser Avril Haines and the Homeland \nSecurity Adviser, Lisa Monaco, to discuss the Comprehensive \nNational Cybersecurity Initiative [CNCI]. 
And I have certainly \nbeen an advocate for many of the proposals under the CNCI for \nsome time, and specifically the appointment of an individual at \nthe executive level to oversee Federal cybersecurity \nenterprise.\n    And it is one of the problems that I think previously on \nthe .gov side they really don't have anybody in charge with \nboth policy and budgetary authority that can reach across \ngovernment and compel departments and agencies to do what they \nneed to do in cyber. Hence, you have things like the OPM breach \nthat happened.\n    And I think DOD, by the way, is doing a much better job in \nterms of defending the .mil network. And all of that, as \ndifficult and challenging as it is, it is important. And they \nare doing good work. But can you describe how DOD fits into the \noverall CNAP [Cybersecurity National Action Plan], as it is \ncalled? And more specifically, how DOD will interact with the \nnew individual, the Federal Chief Information Security Officer \nwho will be appointed to coordinate cybersecurity policies and \nactivities?\n    Mr. Halvorsen. Today, and even before the legislation, we \npartner extensively with the Federal CIO, Tony Scott. I mean, \nTony when he came in brought some new ideas to the Federal \nside. We are certainly supportive of that, and we will continue \nto do so.\n    As the areas that the Federal Government is looking at are \napplicable to DOD, we will play, and we will play hard, and we \nwill support those. We will continue to advise Tony and the new \nindividual that is appointed on where we think there are things \nthat DOD is doing that should be applied to the rest of the \nFederal Government, and we will take those things that are \nreally working and apply them within DOD.\n    I think the establishment of an individual to do that is \nkey to success inside the rest of the Federal Government. 
And I \nthink there are some opportunities for us to really set that \ntone.\n    One of them is, as we rebuild the NBIB and we look at the \nlessons learned, I know Tony and I have agreed today that we \nought to take those lessons learned and apply them across the \nFederal Government at any place that we see that that is \napplicable, we will do that.\n    Mr. Langevin. Okay. What progress has DOD made on cloud \ncomputing, specifically integration of capabilities provided by \nessential service providers, and are there enough certified to \ncreate a competitive field? And how are security concerns being \naddressed?\n    Mr. Halvorsen. As for the progress, two things I think I \nwould like to point. We say a lot of times that DOD is behind \nin cloud. So I wanted to really know if that was true. So I \nhave asked my staff and some outside to take a look at, how \ndoes DOD compare in the use of cloud with other Fortune 50 or \npeer competitors?\n    We are actually slightly ahead of most of the Fortune 50 in \nthe use of cloud. We are now embarking on doing more, but I \ndon't think DOD is behind. If you look particularly at the \nfinancial industry, which has some very strong security \nsimilarities to us, they have done exactly what we have done. \nThey take some of their public-facing stuff and they put it \ninto cloud. We have done that with good success.\n    The next two things that we are doing--and we have now \ngotten certifications, enough of them, to start being \ncompetitive--is to look at how we bring industry into on-\npremise cloud offerings. 
We do that right now very limitedly \nthrough the NGEN [Next Generation Enterprise Network] contract \nthat the Navy put in place, where actually HP [Hewlett-Packard] \nis running Navy data centers, to include Navy data centers at \nthe secure level, on-prem [premises], for the Navy.\n    We are using that model, and we are going to expand that \nacross the rest of DOD.\n    I will have a couple RFIs [requests for information] out \nhere in the next month. We have a couple contracts that we are \ngoing to let that will allow four commercial entities to come \nin at the Level 4 level in certification, which is right below \nthe classified data. And we have some work being done to allow \nmore companies to partake in the classified space, too. So I \nactually think we are making good progress. We have got to stay \non top of that.\n    I hope this summer, if the Windows 10 thing goes well, the \nnext announcement that we will make will be that DOD has \ndecided to go to a more complete cloud environment, similar \nto--and I just used this as an example--this is not a \ndecision--but similar to what a Windows 365 cloud environment \nwould do. You have to get to that next phase to really take \nfull advantage of the cloud across the board.\n    Mr. Langevin. Thank you. I just--I know my time is expired, \nbut I will say, I hope along with all of this we are paying \nmaximum attention to the security of the cloud. It does still \nconcern me that, you know, we have the crown jewels in some \nways all in one place. And my colleague, Jim Cooper, likes to \nrefer to the cloud as the acronym for Chinese Love Our Uploaded \nData. And so security can't be tight enough, as far as I am \nconcerned.\n    Mr. Halvorsen. So, Mr. Chairman, can I take one more \nminute? We agree. 
And one of the reasons that we are where we \nare with cloud, it is the same reason the financial industry is \nwhere it is with cloud.\n    We do have some things we have to make sure, and security \nis right. And one of them is, how do you achieve virtual \nseparation so that you don't get the effect of everything being \nloaded in one spot and it can be exfiltrated? And if it does \nget penetrated, how do you quickly shut that off and isolate \nit? And we are spending a lot of time working with the industry \nexperts in how to do that.\n    Mr. Langevin. Thank you. Thank you very much.\n    Mr. Wilson. Thank you, Mr. Langevin, and thank you for your \nexpertise in acronyms. We now proceed to Congresswoman Elise \nStefanik, of New York.\n    Ms. Stefanik. Thanks, Mr. Chairman. My final question \nrelates to the personnel side of this issue. So one of the \nchallenges that I think we clearly face is ensuring that our \ncyber, technical, and workforce capabilities can scale \neconomically. And a significant issue for the industry is the \nclearance process.\n    Is there any thought being given to an approach for fast-\ntracking clearance processing for critical skills position, \nsuch as computer network operations programmers, to better \nenable effective support as your mission requirements expand?\n    Mr. Levine. We have a problem with security clearances \nacross the Department of Defense and across the industry. And \nthe problem with prioritizing is how many competing priorities \nwe have. So, yes, that would be a priority, but I can't look \nacross the Department of Defense and say we don't have a dozen \nother priorities that are at least equal to that. I mean, the \nnumber of priorities we have is extraordinary.\n    The security clearance problem is a problem not only for IT \nprofessionals, but also for contractors who are working on \nweapons systems. 
It is a problem for the hiring process within \nthe Department of Defense.\n    That is why we are working to re-engineer our internal \nprocesses and why we hope that we will be allowed to help re-\nengineer some of the OPM processes, as well, as we go forward \nwith this. One of the things that we are very hopeful for is \ncontinuous evaluation as a tool that will help speed things up \nand lower the burdens.\n    But I have got to say, right now we are running continuous \nevaluation as a pilot program, which means we are running it in \naddition to all the other requirements. And we are hoping that \nwe can prove it out so it can be a substitute for some of the \nrequirements that we are going to expedite. We are not there \nyet.\n    But it is a hard question, not just for this area, and I \ndon't think the Department can afford to solve it by carving \noff one universe and treating them better, because the other \nuniverses of people we need to get through the security \nclearance process are also vital to our national security.\n    Ms. Stefanik. Mr. Halvorsen, do you have anything to add?\n    Mr. Halvorsen. No, I think Peter summed that up very well.\n    Ms. Stefanik. Okay, thank you very much. I yield back.\n    Mr. Wilson. And thank you, Congresswoman Stefanik, for your \ninsight, too. 
There being no further, we are adjourned.\n    [Whereupon, at 4:38 p.m., the subcommittee was adjourned.]\n\n\n\n      \n=======================================================================\n\n\n\n\n                            A P P E N D I X\n\n                             March 22, 2016\n      \n=======================================================================\n\n\n              PREPARED STATEMENTS SUBMITTED FOR THE RECORD\n\n                             March 22, 2016\n\n=======================================================================\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n \n      \n=======================================================================\n\n\n              WITNESS RESPONSES TO QUESTIONS ASKED DURING\n\n                              THE HEARING\n\n                             March 22, 2016\n\n=======================================================================\n\n      \n\n            RESPONSE TO QUESTIONS SUBMITTED BY MR. LANGEVIN\n\n    Mr. Halvorsen. The funds for NBIB in DISA's FY17 budget and out \nyear plans were a top line add. The FY17 President's Budget submission \nrequested $20M of O&M and $75M of RDT&E. The initial out year funding \nprofile is presented in the following table:\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n    No additional funds from outside of this line are expected to \nbe spent on DOD's effort to support the new IT system. In FY16, OPM \nwill reimburse DOD for initial pre-acquisition prototyping efforts and \nlegacy system support. Funding for these efforts is in the range of \n$5M.\n    Forty additional FTEs were added to DISA for the Background \nInvestigations Information Technology (IT) System based on an analogous \nestimate of the number of FTEs required to architect, design, acquire, \nimplement and sustain a new start IT system. 
The estimate was generated
using a review and analysis of historical programs with the closest
scopes and scales of capabilities, adjusted for the high level of
concurrency necessary for the rapid delivery of operational capability.

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    The organization structure, specific job descriptions/roles, and
position grades have not yet been determined and will be confirmed by
July as we perform the pre-acquisition planning for the IT system.
    The timeline for delivery of the IT system is in the planning
phase. A schedule will be developed as part of the pre-Acquisition
planning that is currently underway with an expectation to be approved
as part of an overall Acquisition Strategy in October 2017.
    The DOD CIO is solely responsible for building and maintaining the
IT system based on NBIB requirements. The CIO is advised by the
Director of OPM and the Federal CIO as part of the NBIB IT Governance
Council.   [See page 7.]
                                 ______

             RESPONSE TO QUESTION SUBMITTED BY MR. ASHFORD
    Mr. Halvorsen. The Department believes the NDAA FY17 House & Senate
provisions related to private industry exchanges and ITEP provide the
Department the flexibilities needed. We appreciate the support of
Congress on this matter.   [See page 14.]
                                 ______

             RESPONSE TO QUESTION SUBMITTED BY MR. LAMBORN
    Mr. Halvorsen. The DOD CIO's international engagement efforts have
grown exponentially in the last several years as cyber has emerged as a
domain. These objectives align with regional cooperation, information
sharing, and interoperability initiatives.
Working closely with
OUSD(P), the Joint Staff, NSA, DISA, US STRATCOM, US CYBERCOM and
Regional Combatant Commands, and the interagency, DOD CIO has
established enduring and lasting relationships focused on increased
information sharing, promoting foreign disclosure and release, and
enhancing communication and collaboration with our allies and partners.
DOD CIO led efforts to continue key relationships with the Five Eyes
(FVEY) partners through the establishment of coordination groups such
as the Defense CIO Forum, sharing information and developing
mitigations on key cyber issues such as access control, identity
management, supply chain security, and secure mobility. Successes in
other FVEY fora include information sharing at the classified and
unclassified level through the use of U.S. issued FVEY PKI
certificates, and exercising incident response information sharing. DOD
CIO continues the critical work of fostering objectives of regional
cooperation, information sharing, and interoperability across North
Atlantic Treaty Organization (NATO), Allies, and Partners. Additional
key focus areas include:
    <bullet>  Cybersecurity Posture of NATO: Align security initiatives
with NATO mission objectives; ensure that NATO information assets,
technologies and data are adequately protected and that NATO's CS
workforce is highly skilled and capable.
    <bullet>  Secure Interoperability in Coalition Operations: Ensure
the secure interoperability of shared systems between and among the
U.S. DOD and coalition partners; identify shared systems and apply the
NIST RMF, including developing baselines. Continue development of the
Mission Partner Environment (MPE) and continue exercising federated
environments with partners.
    <bullet>  Cyberspace Workforce Development: Engage in security
cooperation activities that assist coalition partners in developing
strategies and policies to build skilled and capable CS workforces.
For
example, training and exercise participation were recently extended to
partners.
    <bullet>  Cybersecurity Posture of Critical Infrastructure owned by
Partner Nations: Engage in activities that assist coalition partners in
developing strong CS postures of their national critical infrastructure
on which DOD missions may depend, including identifying critical
systems and applying the security policies.
    <bullet>  Asia Pacific Engagements: Longstanding regular senior
allied and partner nation consultations with DOD CIO counterparts in
Japan, the Republic of Korea, and Singapore to promote a wide range of
information exchange, sharing of best practices, and technical
discussions on improving interoperability.   [See page 8.]
                                 ______

            RESPONSES TO QUESTIONS SUBMITTED BY MS. STEFANIK
    Q1. What is your assessment of the DOD's ability to counter cyber
threats?
    Mr. Halvorsen. The DOD continues to improve its ability to secure
its information systems and networks from adversarial activity. In
addition to initiating the Cybersecurity Scorecard, transitioning to
Windows 10, and implementing the Joint Regional Security Stacks, the
Department is also engaged in protecting our Internet-facing systems,
identifying key terrain, and integrating cybersecurity into our
evaluation of readiness. In order to ensure the protection of our
service members, civilians, contractors, and other DOD personnel, the
Department is also engaged in an effort to secure all of its systems
that store personally identifiable information. In combination with
other ongoing orders and directives, the Department will continue to
assess and engage in any areas where we can improve our cybersecurity.
[See page 11.]
    Q2. What can she tell Fort Drum Soldiers about what the Department
is doing to ensure that they are protected?
    Mr. Halvorsen.
As noted above, the Department of Defense is engaged
in multiple enterprise-wide efforts to counter cyberspace adversaries.
The interconnected nature of DOD systems means that we aim to enhance
the cybersecurity of the Department as a whole. We recognize that the
security of information systems at one DOD component may rely on the
security of information systems at another. Cybersecurity orders,
directives, and policies apply across the Department, including the
information systems at Fort Drum. The Department will continue to
ensure the protection of their information, as well as the information
of all our other personnel.   [See page 11.]
    Q3. What have we learned about the enemy?
    Mr. Halvorsen. The DOD faces a number of cyberspace adversaries,
ranging from malicious individuals to terrorist organizations and
nation-states, with a wide variety of skill levels, capabilities, and
resources. These adversaries aim to penetrate our information systems
and networks for a number of reasons, including to steal sensitive data
or to affect our ability to operate. We have learned that many of these
same actors also target a range of other organizations, including the
Federal Government, the Defense Industrial Base, and private sector
businesses.   [See page 11.]
    Q4. How has that changed our approach?
    Mr. Halvorsen. The Department actively understands the types of
cyber actors that target the DOD. The DOD Cyber Strategy released in
April 2015 is driving how the Department is adapting its cyber forces
to respond to ever-evolving threats. The strategy guides multiple
cybersecurity lines of effort across the Department, including the
development of 133 cyber mission force teams by 2018 to strengthen our
cyber defense and deterrence postures.
The DOD also recognizes the
critical need to maintain and improve its proactive, progressive, and
coordinated approach for detecting and responding to cyber events and
incidents. The DOD's Cyber Incident Handling Program ensures an
integrated capability to continually improve the DOD's ability to
rapidly identify and respond to cyber incidents that adversely affect
the DOD Information Network. It does so in a way that is consistent,
repeatable, quality driven, measurable, and understood across DOD
organizations. Lastly, to protect the interests of national security,
cyber incidents must be coordinated among and across DOD organizations
and sources outside the Department, including law enforcement, the
intelligence community, and critical infrastructure partners. For
example, the DOD interfaces with the Department of Homeland Security on
major cyber vulnerabilities via the Cyber Collaboration, Assessment,
and Response inter-agency sessions led by the National Cybersecurity
and Communications Integration Center. The Department also works
closely with the Defense Industrial Base to enhance their cybersecurity
capabilities by sharing unclassified and classified information on
cyber threats.   [See page 11.]
    Mr. Halvorsen. DOD Components maintain ``software assurance'' (SA)
on licenses for the Microsoft Windows operating system. In addition to
the product support and client access licenses that SA provides, SA
also includes the right to upgrade to the latest software versions at
no additional cost. Therefore, it is expected that DOD Components will
be able to upgrade to the Windows 10 operating system with little or no
additional expenditures for the operating system software.
[See page
12.]


=======================================================================


              QUESTIONS SUBMITTED BY MEMBERS POST HEARING

                             March 22, 2016

=======================================================================


                   QUESTIONS SUBMITTED BY MR. WILSON

    Mr. Wilson. What is the Defense Department strategy for increasing
use of mobility tools, as well as increasing mobile security? What does
the DOD intend to do with regard to Bring Your Own Device (BYOD) and
BYOD policy?
    Mr. Halvorsen. DOD is already integrating mobility tools in several
areas, including developing Geospatial Intelligence, logistics, and
targeting applications. In addition, DOD is establishing Wi-Fi networks
to improve coverage and performance. These investments enable improved
mobility capabilities for deployment across DOD's enterprise.
    DOD is increasing mobile security by migrating to Secure Hash
Algorithm 2 (SHA-2), developing a mobile credentialing solution that
derives certificates from a DOD user's Common Access Card (CAC), and
streamlining the security approval process for devices and software.
Following nationally recognized practices enhances security; commercial
mobile products must be validated in accordance with National
Information Assurance Partnership (NIAP) Protection Profiles (PP) for
all parts of the mobile ecosystem (e.g., mobile devices, mobile device
management (MDM), mobile apps, wireless infrastructure). Commercial
mobile products that process classified information must be approved by
the NSA's Commercial Solutions for Classified (CSfC) program.
    DOD is continuing to evaluate different private sector proposals to
determine if they satisfy Federal security and legal requirements.
Initially, a low risk approach of a BYOD implementation would make the
most sense for low threat unclassified environments where there would
be minimal impact if a data compromise did occur, such as training and
student environments. The Department of the Navy is currently piloting
BYOD. DOD will evaluate lessons learned to determine adoption across
the Department.
    Mr. Wilson. What activities does the Department have underway to
improve the agility of its spectrum-dependent systems? Do you see
commensurate activity in the commercial sector?
    Mr. Halvorsen. The complex spectrum environment and evolving
threats that warfighters face compel DOD to constantly evaluate a broad
array of technology advancements to meet mission requirements. The
Department continues to foster efforts, throughout the Military
Departments, DARPA, and OSD, that improve agility for DOD's
spectrum-dependent systems, which also help military users share better
with other spectrum users.
    The Department's continued investment in its Electromagnetic
Spectrum Strategy is geared toward addressing these needs. The
Department's leadership in other efforts such as the National Advanced
Spectrum and Communications Test Network, under the auspices of the
Commerce Department, its own new Spectrum Access Research and
Development Program, as well as the collaborative effort via the
National Spectrum Consortium are enabling complementary initiatives to
identify and foster development of innovative technologies and
techniques for greater agility and flexibility of DOD capabilities, but
also improve spectrum sharing and access.
    With regard to commensurate activity in the commercial sector, DOD
believes that industry is starting to look at making investments to
help in their own ability to share with DOD, but they are just at the
beginning of that process.
As expected of DOD, industry would also need
to be held accountable for their own investments in spectrum sharing
technologies and how they are contributing toward improved spectrum
access. The Department is hopeful that with balanced investment and
commitment by agencies and the commercial sector, these efforts will
bear lasting results in enabling flexible access to all users in all
spectrum bands.
    Mr. Wilson. What suggestions do you have to improve coordination
and deconfliction for sharing spectrum bands with commercial entities?
    Mr. Halvorsen. It is important to recognize that the existing
spectrum management and governance mechanisms through the national
regulators, i.e., NTIA and the FCC regulatory processes, continue to
effectively facilitate shared use of spectrum among Federal users as
well as sharing between Federal and non-Federal users (i.e., including
commercial entities). Streamlined coordination and deconfliction
processes are critical for successful sharing once a national policy
decision is made to implement sharing in a band, noting that sharing
requirements differ depending on the band and use scenarios.
Technology, sound engineering, balanced policy and regulation, and
enforcement are key tenets that enable successful sharing. Automated
coordination and deconfliction capabilities play a critical role, among
other necessary tools (e.g., direct human coordination for continued or
iterative risk and tradeoff evaluation), for sharing spectrum bands with
commercial entities. Continued investment and improvements to
automation capabilities would contribute to improved coordination and
deconfliction.
    Mr. Wilson.
You stated in your testimony that DOD shares the same
concerns with security in a commercial cloud environment as the
financial industry and that the challenge with off-premise commercial
cloud is ``how do you achieve virtual separation in the cloud so that
you don't get the effect of everything loaded in the one spot where it
can be removed, and if it does get infiltrated, how do we immediately
shut that off and isolate it?'' How have you worked with the leading
commercial cloud providers to better understand the security mechanisms
they use to achieve virtual isolation or physical separation in their
commercial offerings?
    Mr. Halvorsen. DOD CIO continues to collaborate with industry
through the on-going updates to the DOD Cloud Computing Security
Requirements Guide and cybersecurity assessments in support of DOD and
FedRAMP provisional authorizations.
    Identifying and understanding the threats in a multi-tenant cloud
environment remain an on-going challenge. Virtual separations rely on
the vendor's software to protect one customer from both malicious
attacks and unintentional impacts from other customers. While some
vendors have been willing to share information on their mechanisms
supporting virtual separation, other vendors have been reluctant to
share detailed information as it represents the vendor's sensitive
intellectual property. Even when the details are shared, fully
evaluating these solutions is a significant challenge as each vendor
implements their own, proprietary solutions.
    In addition to the software itself, weaknesses in the software's
configuration and on-going management can also create vulnerabilities.
When evaluating multi-tenant cloud services, the Department closely
evaluates the vendor's processes for configuration and operations
management. All of these factors are taken into account when issuing a
provisional authorization at a particular impact-level.
Through the
Cloud Computing Security Requirements Guide, the Department has
implemented a risk management approach that allows Components to match
the security and cost of specific cloud services to their specific
cybersecurity needs.
    Mr. Wilson. We understand that the Marine Corps has implemented a
successful ``Comply-to-Connect'' program that has helped it increase
its compliance during network inspection reviews.
    a. How are those lessons being applied throughout the Department?
    b. Are requirements for this Marine Corps system reflected in
enterprise requirements for network security?
    c. Are those requirements being integrated into existing programs,
like the Host Based Security System, or planned future network defense
tools?
    Mr. Halvorsen. Comply-to-Connect (C2C) is a framework addressing
several key functions: network access control, deliberate and secure
orchestration with other cybersecurity tools (such as vulnerability
scanners, software patching tools, and trouble-ticket generation tools)
and continuous reporting for the purpose of managing risk. C2C
satisfies the asset management/asset detection problem and increases
the efficiency by which technical personnel are able to make decisions
as to whether an asset has `complied' with the local enclave/network's
security policy to initially connect and remain connected to the
network. C2C closes the asset management/asset detection gap in the
Department's Information Security Continuous Monitoring (ISCM) Program.
    The US Marine Corps has successfully implemented C2C as part of a
three-year regional effort covering 3,000 end-points at Camp Lejeune,
NC.
During that period, the effort enabled USMC to meet the objectives
of DOD Command Cyber Readiness Inspections (CCRI) with a 90% compliance
rate when Marine Corps White Teams conducted a `no notice' pre-CCRI
inspection; and, a 93% compliance rate during regularly scheduled
inspections executed by DISA. The Marine Corps has successfully enabled
the orchestration features of the C2C tools to automate the on-boarding
process of new assets ``out of the box,'' to scan and remediate
vulnerabilities upon discovery, harden the asset through integration
with the Host Based Security System, and register systems into the
network security information and event management tool (SIEM). These
major muscle movements, in most cases, were executed with minimal touch
labor.
    The Marine Corps has recently formally validated C2C as a
Service-wide requirement and will implement a wider pilot across Marine
Corps assets in the National Capital Region in FY16. Eventually, the
Marine Corps will implement C2C globally on all Service assets.
Comply-to-Connect is endorsed by the Enterprise Cybersecurity Computer
Network Defense Senior Steering Group (ESSG). The ESSG is tracking C2C
implementation across several Combatant Command, Service and Agency
components. The ESSG has directed the development of a Comply-to-Connect
concept of operations with a guideline to standardize
implementation across component C2C implementations. Department
discussions consider C2C as an enhancement to overall cybersecurity
across DOD enclaves and networks. The full scope of C2C capabilities
has not yet been decomposed into an operational set of requirements.
C2C requirements will be considered as part of the Next Generation End
Point security strategy and future network defense tools as the
Department moves toward assisted automation.
    Mr. Wilson. What do you see as the major challenges to improving
the management of the Department of Defense?
Do you have the business
intelligence and business analytics capabilities to provide the same
type of support to the Secretary and Deputy Secretary that any CEO in
the private sector would have access to?
    Mr. Levine. The major challenges to improving management of the
Department of Defense are threefold. First, the Department is working
toward getting the employees at all levels from senior management to
worker to understand that there remain ample opportunities for shared,
standard processes and procedures that cut across component boundaries.
This is particularly true for support activities within the Department.
Second, the Department must continue to work with external stakeholders
such as veteran support organizations; unions; the White House; and
Congress to allow new approaches to these support activities, even if
it means changing the structures and processes those stakeholders
currently understand and are comfortable with. Finally, in order to
provide a basis for both the internal and external engagements, the
Department must have a reasonable set of performance measures that show
both how the job is being performed today and at what cost the job is
accomplished.
    The assessment above leads directly to the answer to the second
question. The Department has a robust set of performance information
that it can draw upon to make decisions. The DCMO is working with the
staff to make this information more readily visible to the senior
leadership. For example, the DCMO just provided a detailed progress
report on the various efficiency initiatives that Secretary Carter
approved in our plans for FY17-20. The DCMO also supported a detailed,
performance-based report on how the Department is doing on making
progress toward audit readiness.
Both these reviews were done with
military department Under Secretaries; service vice chiefs of staff;
the OSD Under Secretaries; commanders of combatant commands; and the
Deputy Secretary of Defense and Vice Chairman, Joint Chiefs of Staff.
Compared to what a CEO in the private sector has access to, the
Department needs to improve these measures by providing a better means
to measure how much it costs the Department to achieve the performance
outcomes. The Department is working to that end. In fact, achieving an
auditable condition will help us move in the direction of measures that
show outcomes per dollar spent or per person involved.
    Mr. Wilson. What are you doing to improve the quality of data
senior leaders have and use for management of the Department?
    Mr. Levine. The DCMO has been working with the Joint Staff and OSD
components to identify performance measures that better describe the
major initiatives the Secretary and Deputy Secretary have set for the
Department. The DCMO will then use the Deputy's Management Advisory
Group (DMAG) to present focused progress reports based on those
measures to the military department Under Secretaries and Vice Chiefs;
the OSD Under Secretaries; and the Deputy Secretary of Defense and Vice
Chairman, Joint Chiefs of Staff. The DCMO and CIO just presented
detailed progress status on the various efficiency initiatives approved
by Secretary Carter for the FY17-20 period, including measured updates
on major headquarters efficiencies; services contracts efficiencies;
defense retail; and information technology efficiencies. Working with
the OSD Comptroller, we also provided data on Departmental progress
toward achieving audit readiness.
DCMO is still working with Joint
Staff to ensure that progress on readiness is presented and reviewed
regularly to the same group.
                                 ______

                  QUESTIONS SUBMITTED BY MR. LANGEVIN
    Mr. Langevin. Mr. Halvorsen, the Defense Threat Reduction Agency is
conducting research & development and prototyping for a Countering
Weapons of Mass Destruction (CWMD) Situational Awareness Information
System utilizing a cloud-based architecture called Constellation.
Constellation is intended to provide an information sharing platform
for the Department of Defense, interagency and international users to
be deployed on NIPRNET, SIPRNET, SUN NET and JWICS networks using
cross-domain solutions to transfer data across security domains.
    What is the role of the Chief Information Officer and Defense
Information Systems Agency in Constellation research, development and
prototyping? Specifically, what was the role in establishing a security
plan to achieve an accredited cross-domain solution, including security
milestones and review of proposed security architecture? Has this
effort been reviewed in order to determine if architecture elements and
applications could be met with existing capabilities, to include
computing tools and architectures, or those already being developed? If
so, please describe the review and unique capability gaps identified.
    Mr. Halvorsen.
The Constellation program is presently in the
formative stages of development and prototyping activities needed to
identify and mature information technology capabilities to meet CWMD
Situational Awareness requirements.
    DISA and the DTRA Constellation program office are collaborating
via the TCRI (Tactical Cloud Reference Implementation) community since
the core of Constellation's architecture is DISA's Big Data Platform
(BDP), a component of the TCRI.
    The Constellation program will eventually require the capability to
move data across multiple security domains and DTRA intends to use
existing, accredited cross-domain solutions to meet these requirements.
DTRA will not develop a new cross-domain solution. The DTRA program
office is collaborating with the Defense Intelligence Agency (DIA)
Enterprise Cross Domain Services (ECDS) to meet DOD Instruction 8540.01
``Cross Domain (CD) Policy'' requirements. Using an ECDS provider
allows Constellation to rely upon existing and proven computing tools
and architectures, while reducing initial cost and deployment time. The
program expects DIA's ECDS to meet Constellation's requirements to pass
information between NIPRNet, SIPRNet, and JWICS. Regarding the
cross-domain requirement between the public network (SUNet) and our
NIPR DOD network, DTRA expects to use Commercial Off the Shelf (COTS)
products to perform deep-content filtering and sanitization of public
data prior to ingestion into Constellation on the DOD networks.
    Mr. Langevin. Can you provide an update on DOD's process for
completing the instruction manual for DOD Directive 8140 and when this
process might be completed? How is it being accepted by the services?
    Mr. Halvorsen. DOD Directive 8140.01 will be supplemented by an
Instruction and at least one Manual.
The Instruction will establish
policy and procedures and assign responsibilities for the DOD
Components to identify, code, track, and report on their respective
cyber workforces. A draft of the Instruction completed a first round of
informal coordination with DOD Components in December 2015. In the
interim, the Department will publish policy guidance to implement the
identification and coding requirements of the Cybersecurity Workforce
Assessment Act of 2015. The Instruction is scheduled to be completed in
2017 and will incorporate the interim policy guidance.
    The Manual(s) will establish procedures, standards, and
requirements for qualifications of the DOD cyber workforce, as required
by DOD Directive 8140. In 2015, the Department commissioned a study to
identify the standards for qualification criteria across cyber work
roles. The study, completed in March 2016, provides an analysis of
current government, academia, and industry best practices in
recruiting, developing, professionalizing, and retaining cyber
personnel. In May 2016, the DOD CIO will convene subject matter expert
panels to develop specific qualification criteria for each respective
information technology and cybersecurity work role. The Manual(s) are
scheduled to be completed in 2018.
    The Services and Defense Agencies have been involved in the
Department's transition to a holistic view of cyber from the onset and
continue to play an important role in shaping the policies and DOD
Cyber Workforce Framework that will govern and shape the Department's
cyber forces into the future.
                                 ______

                    QUESTIONS SUBMITTED BY MR. KLINE
    Mr. Kline. What is your assessment of the impact of one service
acquiring commercial satellite communications on behalf of the
Department of Defense as required under section 1610 of the FY16 NDAA?
    Mr. Halvorsen.
In the past two years, the Department has realized
successes in the commercial satellite communications (COMSATCOM) domain
as a result of improved COMSATCOM planning, acquisition and management
reforms discussed in the responses to Senate Report 113-44, page 167,
accompanying S. 1197 of the NDAA for FY 2014 and Sections 1603 and 1605
of the FY 15 NDAA. Specifically, the cost of COMSATCOM services has
been declining, DISA's operational responsiveness has improved, and
DISA's SATCOM pathfinders are yielding efficiencies in the use of the
acquired services. Likewise, the Air Force pathfinders are providing
valuable lessons related to investments in COMSATCOM solutions that
will further drive acquisition and utilization efficiencies as part of
our Wideband SATCOM Plan. To the extent they can, these lessons learned
will be folded into the Wideband SATCOM Analysis of Alternatives
directed by Section 1611 of the FY 16 NDAA.
    With that in mind, the Department is concerned that restructuring
this approach by assigning a single agent for acquisition of COMSATCOM
services and investment in COMSATCOM capability may ultimately result
in increased cost and decreased operational responsiveness for DOD
customers with no noticeable improvement in DOD's overall SATCOM
``planning, acquisition, and management'' processes and governance. To
that end and in response to Section 1610 of the FY 16 NDAA, my office
has tasked the Air Force to evaluate, and provide the cost estimates to
implement, alternative courses of action to satisfy the intent of
Section 1610. These plans and cost estimates will be evaluated and
coordinated with the Services and Combatant Commands with their inputs
incorporated in the DOD response to Section 1610.
    Mr. Kline. Section 1610 of the FY16 NDAA requires the Department of
Defense to designate a single acquisition agent to acquire commercial
satellite communications.
Have the major users (services and combatant
commanders) of commercial satellite communications provided input to
the Chief Information Officer regarding changes to commercial satellite
acquisition and management required in the FY16 NDAA?
    Mr. Halvorsen. In response to Section 1610 of the FY 16 NDAA, DOD
CIO has tasked Air Force to evaluate, and provide the cost estimates to
implement, alternative courses of action to satisfy the intent of
Section 1610. These plans and cost estimates will be evaluated and
coordinated with the Services and COCOMs with their inputs incorporated
in the DOD response to Section 1610.
                                 ______

                   QUESTIONS SUBMITTED BY MR. LAMBORN
    Mr. Lamborn. What is the status of the DOD Commercial Partnership
Data Distribution Center you mentioned in last year's testimony, and
when will you have a secure commercial cloud capability operating from
within a DOD data center facility?
    Mr. Halvorsen. IBM's Cloud Managed Services for Government
(IBM-CMSG) is an Infrastructure as a Service cloud provided from the
Navy's Allegany Ballistics Laboratory (ABL) in West Virginia. It was
granted a DOD provisional authorization at level 5 (Unclassified-FOUO)
for use by the Defense Logistics Agency and Naval Sea Systems Command
in February 2016.
    Two additional acquisitions of secure, on-premises clouds are
currently underway in the Army and the Defense Information Systems
Agency:
    The Army's effort will assess the feasibility and value of an
on-premises, commercially owned/commercially operated cloud service
offering at Redstone Army Arsenal. The Army is taking a ``statement of
objectives'' approach to obtaining this capability in order to fully
partner with industry, learn from its experts and implement commercial
best practices for cloud migration and security.
The intent of the \npilot is to produce a secure, commercial cloud capability by fiscal \nyear 2017 that meets all requirements for hosting sensitive National \nSecurity Systems at information security impact levels 5 (FOUO) and 6 \n(Secret). The Army released a request for information in November 2015 \nand held an industry day on 21 January 2016 with interested parties.\n    DISA is also exploring the use of commercial infrastructure \nservices residing in DOD facilities to implement an ``on-premises \nprivate'' infrastructure service for the DOD community and mission \npartners. The initial phase of this effort is referred to as milCloud \n2.0 Phase 1 (M2P1). DISA released an RFI (PL83220028) on February 12, \n2016, to assess the marketplace's interest in providing on-premises \ninfrastructure services from within DOD data center facilities and to \nget advice on refining the businesses model process. DISA is currently \nreviewing RFI responses and refining their approach for a planned award \nin first quarter FY17.\n    Mr. Lamborn. The DOD has access to a vast amount of data generated \nby its own IT devices, networks, and equipment. How is the Department \nleveraging this data to reduce costs, improve operations, and \nstrengthen cybersecurity?\n    Mr. Halvorsen. DOD leverages data from a wide array of DOD IT \ndevices, networks, and equipment to guide it in reducing costs, \nimproving operations and strengthening cybersecurity (CS) across the \ndepartment in support of warfighting and business mission areas. DOD is \ncommitted to constant improvement in its data collection and analytic \nefforts to ensure the best possible mission outcomes for our \nwarfighters and the most efficient use of taxpayer dollars.\n    DOD CIO led the development of the SECDEF Cybersecurity Scorecard \npopulated with internal DOD data against 11 key cyber measures. 
The \nmeasures were informed by our understanding of how we are vulnerable to \nadversary attacks as described in the 2015 DOD Cybersecurity Discipline \nImplementation Plan. This management tool therefore allows the \nSecretary to assess progress against goals which will tangibly reduce \nvulnerability. Further, it focuses each of the Department's 46 \ncomponent organizations and the Department as a whole on assessing and \naddressing vulnerabilities. Most of the Scorecard data is pulled from \nautomated cybersecurity tools currently deployed across the Department \nand we are actively working to build on this momentum to improve how \ndata is automatically collected, integrated, analyzed and reported \nacross the Department.\n    The SECDEF Cybersecurity Scorecard is one very visible element of \nthe Department's overall effort to use data to reduce costs, improve \noperations, and strengthen cybersecurity. The Defense Information \nSystems Agency (DISA), working with the Military Departments and \nUSCYBERCOM, is leading the effort to build a joint interoperable \n(common) platform to collect and visualize vast amounts of data. This \ncapability is called the Big Data Platform (BDP).\n    The BDP's value is three-fold:\n    First, it is a computing information system infrastructure \n(software) that can be easily shared. Sharing this infrastructure \nenables the ability to create common visualization analytics that can \nthen be distributed across operational centers, ultimately reducing \nwork efforts, re-work and overall costs. Moreover, it leads to a common \nway of operating, strengthening Tactics, Techniques and Procedures \n(TTPs) to aid in the cybersecurity mission.\n    Second, the BDP is data agnostic. The platform can collect vast \namounts of data in any mission area (cyber, business, personnel, etc.). 
\nThe concept is that the data can be collected and queried (correlating \nanalytics) to answer an infinite amount of operational questions (use \ncases/scenarios). Data drives situational awareness and an operational \nuse case drives what data should be collected and visualized. The BDP \ninherently drives the DOD toward the development and implementation of \ndata standards. An example would be the Structured Threat Information \neXpression and Trusted Automated eXchange of Indicator Information \n(STIX)/TAXII) efforts.\n    Third, the BDP is a critical part of an information ecosystem that \nincludes cybersecurity sensors, information sharing systems and \nsecurity and incident management (SIEM) capabilities. As the DOD \ncollectively consolidates security architectures and TTP's, the BDP is \nbeing architected to support this consolidation. An example is the \ndesign and implementation of the Joint Regional Security Stack (JRSS) \nwithin Joint Information Environment (JIE) Framework.\n    Mr. Lamborn. Recently, the Secretary of the Air Force stated that \nover time, the AF wants to transition more and more of network \noperations and maintenance to the private sector. You also spoke of \nleveraging the private sector as well, specifically as it relates the \nuse of cloud computing capabilities. Currently these potentially \noutsourced functions are performed by military personnel as well as DOD \ncivilians. What happens to the thousands of civilians when this occurs? \nWill they all get re-rolled to defensive operations? Do current legal \nauthorities permit the use of title 5 civilian personnel in title 10 \ndefensive cyber activities? If not, what authorities would the Congress \nneed to change or add within the U.S. Code?\n    Mr. Halvorsen. The Air Force, like all DOD Components, is \nresponsible for deploying capabilities and aligning their workforce to \nmeet mission needs. 
Any military personnel or DOD Civilian efficiencies \nrealized as a result of transitioning network operations and \nmaintenance functions to the private sector will be available for the \nServices and Agencies to repurpose. At the Department-level, DOD \nDirective 8140.01 unites the management of all cyber skill areas under \na single governance construct. This construct is bolstered through the \nuse of the DOD Cyber Workforce Framework, which will be used to develop \nqualification criteria for all cyber work roles. These qualification \ncriteria will provide the Components with the training requirements for \nmilitary and civilian personnel who will remain in cyber work roles. \nDOD civilians currently serve across the Cyber Mission Forces (CMF) and \ncan, consistent with law and policy, participate in the CMF's Title 10 \nactivities.\n\n                                  [all]\n</pre></body></html>\n"