[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]


                                    

                         [H.A.S.C. No. 114-12]

                                HEARING

                                   ON

                   NATIONAL DEFENSE AUTHORIZATION ACT

                          FOR FISCAL YEAR 2016

                                  AND

              OVERSIGHT OF PREVIOUSLY AUTHORIZED PROGRAMS

                               BEFORE THE

                      COMMITTEE ON ARMED SERVICES

                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

       SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES HEARING

                                   ON

                         INFORMATION TECHNOLOGY

                       INVESTMENTS AND PROGRAMS:

                     SUPPORTING CURRENT OPERATIONS

             AND PLANNING FOR THE FUTURE THREAT ENVIRONMENT

                               __________

                              HEARING HELD
                           FEBRUARY 25, 2015
                                     




                                  ______

                         U.S. GOVERNMENT PUBLISHING OFFICE 

94-099                         WASHINGTON : 2015 

                                     
  


           SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES

                  JOE WILSON, South Carolina, Chairman

JOHN KLINE, Minnesota                JAMES R. LANGEVIN, Rhode Island
BILL SHUSTER, Pennsylvania           JIM COOPER, Tennessee
DUNCAN HUNTER, California            JOHN GARAMENDI, California
RICHARD B. NUGENT, Florida           JOAQUIN CASTRO, Texas
RYAN K. ZINKE, Montana               MARC A. VEASEY, Texas
TRENT FRANKS, Arizona, Vice Chair    DONALD NORCROSS, New Jersey
DOUG LAMBORN, Colorado               BRAD ASHFORD, Nebraska
MO BROOKS, Alabama                   PETE AGUILAR, California
BRADLEY BYRNE, Alabama
ELISE M. STEFANIK, New York
                 Kevin Gates, Professional Staff Member
              Lindsay Kavanaugh, Professional Staff Member
                          Julie Herbert, Clerk

                            C O N T E N T S

                              ----------                              
                                                                   Page

              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS

Langevin, Hon. James R., a Representative from Rhode Island, 
  Ranking Member, Subcommittee on Emerging Threats and 
  Capabilities...................................................     2
Wilson, Hon. Joe, a Representative from South Carolina, Chairman, 
  Subcommittee on Emerging Threats and Capabilities..............     1

                               WITNESSES

Bender, Lt Gen William J., USAF, Chief, Information Dominance and 
  Chief Information Officer, United States Air Force.............     6
Ferrell, LTG Robert S., USA, Chief Information Officer/G-6, 
  United States Army.............................................     5
Halvorsen, Hon. Terry, Acting Department of Defense Chief 
  Information Officer............................................     3
Nally, BGen Kevin J., USMC, Director, Command, Control, 
  Communications, and Computers (C4)/Chief Information Officer, 
  Headquarters United States Marine Corps........................    10
Zangardi, Dr. John, Acting Department of the Navy Chief 
  Information Officer, and Deputy Assistant Secretary of the Navy 
  for Command, Control, Communications, Computers, Intelligence, 
  Information Operations and Space...............................     8

                                APPENDIX

Prepared Statements:

    Bender, Lt Gen William J.....................................    53
    Ferrell, LTG Robert S........................................    36
    Halvorsen, Hon. Terry........................................    27
    Nally, BGen Kevin J..........................................    76
    Zangardi, Dr. John...........................................    62

Documents Submitted for the Record:

    Testimony for the record from Vice Admiral Ted Branch, Deputy 
      Chief of Naval Operations for Information Dominance........    87

Witness Responses to Questions Asked During the Hearing:

    [There were no Questions submitted during the hearing.]

Questions Submitted by Members Post Hearing:

    Mr. Hunter...................................................    97
 
INFORMATION TECHNOLOGY INVESTMENTS AND PROGRAMS: SUPPORTING CURRENT 
       OPERATIONS AND PLANNING FOR THE FUTURE THREAT ENVIRONMENT

                              ----------                              

                  House of Representatives,
                       Committee on Armed Services,
         Subcommittee on Emerging Threats and Capabilities,
                      Washington, DC, Wednesday, February 25, 2015.
    The subcommittee met, pursuant to call, at 4:11 p.m., in 
room 2118, Rayburn House Office Building, Hon. Joe Wilson 
(chairman of the subcommittee) presiding.

  OPENING STATEMENT OF HON. JOE WILSON, A REPRESENTATIVE FROM 
SOUTH CAROLINA, CHAIRMAN, SUBCOMMITTEE ON EMERGING THREATS AND 
                          CAPABILITIES

    Mr. Wilson. Ladies and gentlemen, I call this hearing of 
the Emerging Threats and Capabilities Subcommittee to order. I 
am pleased to welcome everyone here today for the hearing on 
the fiscal year 2016 budget request for information technology 
[IT] programs for the Department of Defense [DOD].
    Information technology systems are critical enablers for 
our military, enhancing the performance of individuals and 
units by connecting people and weapon systems together in ways 
that make them more effective than the sum of their parts. As 
we look at the budget request, and as the witnesses describe 
their relevant portions, I would like to ask each of you to 
address the following questions.
    What systems are we investing in? How do these systems 
enhance the Department of Defense's ability to execute its 
missions, carry out business operations, and generally improve 
our ability to conduct warfighting operations? How do we 
prevent duplication between the services and agencies to make 
sure that the programs we pursue are deployed on time, on 
budget, and with the performance capabilities we originally 
planned?
    Today we have invited a panel of dedicated public servants 
to answer these questions. Our witnesses are, first, the 
Honorable Terry Halvorsen, acting Chief Information Officer of 
the Department of Defense; Lieutenant General Robert S. 
Ferrell, Chief Information Officer/G-6 of the United States 
Army; Lieutenant General William J. Bender, Chief of 
Information Dominance and Chief Information Officer of the 
United States Air Force; Dr. John Zangardi, the acting 
Department of Navy Chief Information Officer, Deputy Assistant 
Secretary of the Navy for Command, Control, Communications, 
Computers, Intelligence, Information Operations and Space--
quite a title; Brigadier General Kevin J. Nally, Director of 
Command, Control, Communications and Computers (C4), the Chief 
Information Officer of the Marine Corps.
    We also know that the Navy would like to submit additional 
testimony for the record for Vice Admiral Ted Branch, the 
Deputy Chief of Naval Operations for Information Dominance, who 
was unable to join us today.
    If there are no objections, we will include that in the 
record.
    [The statement of Admiral Branch can be found in the 
Appendix on page 87.]
    Mr. Wilson. I would like to turn now to my friend, Mr. 
James Langevin of Rhode Island, the ranking member, for any 
comments he would like to make.

  STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE FROM 
RHODE ISLAND, RANKING MEMBER, SUBCOMMITTEE ON EMERGING THREATS 
                        AND CAPABILITIES

    Mr. Langevin. Thank you, Mr. Chairman.
    And I want to thank Mr. Halvorsen, General Ferrell, General 
Bender, and Dr. Zangardi, and also General Nally. Thank you all 
for appearing before the subcommittee today and all the work 
that you do to help our warfighters and the Pentagon be 
efficient and effective in the IT realm, and for all you do to 
serve our Nation.
    One thing that hasn't changed in the world of technology 
since our hearing last year on this topic is the importance of 
information systems to everything that we do as a nation. IT 
consumes a massive portion of our defense investment, and cyber 
continues to be a very high priority for the Department, as 
well it should be.
    However, with this huge investment comes an equal 
responsibility to make sure that we are conducting proper 
oversight of those activities. And to that end, I look forward 
to hearing from the witnesses about the fiscal year 2016 budget 
request as it relates to our investment in cyberspace, and in 
securing and modernizing our information systems.
    Specifically, Mr. Halvorsen, I would appreciate hearing how 
the Joint Information Environment [JIE], described as the 
framework for IT modernization, has evolved and has been 
implemented. I would also like to hear from each of the 
services about their understanding and implementation of JIE, 
i.e., either unilaterally or in conjunction with their sister 
services, and specific programs associated with this concept.
    Conceptually, I support JIE, especially if it provides the 
ability to better defend the network against outside and 
insider threats. Yet there is still so much to understand about 
JIE.
    This includes obtaining a solid definition and placing 
policy guidance associated with implementation, building 
structures for oversight and management within the Department. 
And perhaps most relevant today, since it is not an official 
program of record, building an understanding of how we in 
Congress can conduct our overseer responsibilities.
    As part of this dialogue today, I also expect to hear how 
the Department will utilize the cloud for both classified and 
unclassified information, and leverage public, private, and 
government-owned structures.
    Cyber is an extensively, extremely personnel-dominated 
mission space, and thus is a serious concern when the DOD is 
confronted with difficulties in recruiting and retaining 
qualified personnel. I hope the witnesses will take this 
opportunity to articulate the recruiting and retention 
challenges in depth, and provide recommendations on how the 
subcommittee can provide new authorities or other assistance in 
a National Defense Authorization Act [NDAA] to ensure that we 
have the best and the brightest cyber IT workforce.
    Finally, under the leadership of Chairman Thornberry and 
Ranking Member Smith, the HASC [House Armed Services Committee] 
is taking up acquisition reform. Our goal is to take a 
cumbersome process and make it more agile and flexible, 
allowing for the finest capabilities to be delivered to our 
warfighters on time and on budget.
    An agile and flexible system is especially important for IT 
and cyber where technologies and enemy capabilities rapidly 
evolve and change, and multiple procurement cycles can exist 
within a single budget cycle. I hope our witnesses will speak 
to the authorities provided in last year's Defense 
Authorization Act and elaborate on what more we can do.
    With that, again, Mr. Chairman, I want to thank you for 
organizing this hearing, and to our witnesses for being here 
today. And I look forward to our discussion.
    Mr. Wilson. Thank you, Mr. Langevin.
    Before we begin I would like to remind the witnesses that 
your written statements will be submitted for the record. So we 
ask that you summarize your comments to 5 minutes or less. And 
additionally that will apply to the members of the 
subcommittee.
    And as questions are asked we will be limited to 5 minutes 
based on time of arrival and on either side. And we have a 
person who is above reproach, Kevin Gates, who will be keeping 
the time.
    And so we will proceed at this time. And we will begin with 
Mr. Halvorsen and proceed to the right.

STATEMENT OF HON. TERRY HALVORSEN, ACTING DEPARTMENT OF DEFENSE 
                   CHIEF INFORMATION OFFICER

    Mr. Halvorsen. Good afternoon, Mr. Chairman, Ranking 
Member, and distinguished members of the subcommittee. I am 
Terry Halvorsen, the acting Department of Defense Chief 
Information Officer. As such, I am the senior adviser to the 
Secretary of Defense for all IT matters.
    I am responsible for managing the DOD's IT spend so we get 
more out of each and every dollar, while making sure that the 
warfighter has the tools to do the mission. My written 
statement provides you specific numbers and details, but I 
would like only to highlight some key issues.
    One of my key priorities is implementation of the Joint 
Regional Security Stacks [JRSS]. That is the foundation of the 
Joint Information Environment. It replaces our current 
individualized and localized security architecture and systems 
with a set of servers, tools, and software that will provide 
better C2 [command and control], more security, and do this at 
a lower cost. JRSS is an operational and business imperative 
for the Department.
    I want to talk about how we are improving the alignment of 
our business processes and IT systems and investments. I 
partner with the Deputy Chief Management Officer, the revised 
Defense Business Council. We have been directed by the 
Secretary of Defense to conduct a complete review of all 
business processes and IT systems in the fourth estate.
    That is point one. We will then move into working with my 
colleagues to do the same review of the military departments.
    We are asking the question, what IT business should DOD be 
directly in, and at what level should we be in it? And I think 
that is a key question.
    We may need your help in changing the business model, 
particularly in certain areas. We need to look at how we can 
expand private-public partnership, particularly in the area of 
data distribution or data centers.
    How can I take, in my case, maybe a DISA [Defense 
Information Systems Agency] data center, realign it into a more 
public-private partnership and get full value out of what can 
be commercial rate improvements? I think we will need to work 
some legislation to make that easier for all of us to get done.
    We are continuing to approve the accounting procedures and 
have more transparency in our dollars. For example, we have 
added codes inside the Department that actually show how much 
money is being spent on data centers and other key IT areas.
    We have contract benchmarked within my own organization 
that has saved $10 million this year, and within DISA $20 
[million], and we have seen comparable amounts of savings just 
by contract benchmarking against industry and other government 
sectors. I have directed DISA to create an unclassified 
commercial e-mail solution for the Department.
    You have asked about cloud. We put out some new cloud 
directive. And based on some recommendation from the Defense 
Business Board, we have changed the way we engage industry and 
publish our documentation.
    We have just published a joint cloud security and 
implementation guide. And when I mean joint, that was published 
with the complete cooperation and involvement of industry from 
the start. We have revised who can buy cloud, allowing the 
services now to go direct to the provider, not have to go 
through DISA, and put DISA in a role of being the security 
standards.
    We continue to involve critical areas in mobility with 
smartphones, wireless and electronic flight bags. I brought two 
today.
    This is the first dual persona unclassified Blackberry. We 
are now using this. This Android phone is capable of doing up 
to secret-level security work on it, and it is basically a 
modified commercial product. And the prices are coming down.
    We need to do a comprehensive review of the DOD cyber 
workforce. But again, I think this is an area where we may need 
help. Somehow we have got to have better movement between 
government and private industry in the career fields.
    We ought to be able to wake up one day, be a private 
employee and the next day come in and be a government employee 
and keep that change. I think that expertise, particularly in 
the area of security we would gain, is vitally important.
    In conclusion, we are trying to drive cultural, business, 
and technical improvements, innovation into DOD's IT to better 
support our mission and business operations. That requires 
teamwork.
    I am happy to say I have good relations with General 
Hawkins, the director of DISA; Frank Kendall, who is a strong 
partner; Admiral Mike Rogers, who I have known for a long time 
as NSA [National Security Agency] and USCYBERCOM [United States 
Cyber Command]; Mr. Eric Rosenbach, principal security adviser; 
and of course my partner in crime, Dave Tillotson, the acting 
Deputy Chief Management Officer; my colleagues here to the 
left.
    We are expanding our relations with industry, and certainly 
we enjoy a great relationship with Congress. So I thank you for 
your interest and support, and I look forward to taking your 
questions.
    [The prepared statement of Mr. Halvorsen can be found in 
the Appendix on page 27.]
    Mr. Wilson. Thank you, Mr. Halvorsen.
    General Ferrell.

  STATEMENT OF LTG ROBERT S. FERRELL, USA, CHIEF INFORMATION 
                     OFFICER/G-6, U.S. ARMY

    General Ferrell. Thank you, Chairman Wilson, Ranking Member 
Langevin, and the other distinguished members of the committee 
for inviting me to testify today on the Army's network and 
information technology progress and requirements.
    The network and information technology are integral to 
everything the Army does. Our soldiers and unit training, and 
mission execution from combat to stability and support to 
peacekeeping and building, and even the other daily business 
operations all rely on the network and our information 
technology systems.
    The drive to make the Army leaner, more agile, and more 
expeditionary means the network needs to be even more 
essential. This in turn makes the network and information 
technology a top modernization priority for the Army.
    We must upgrade our network. In its current state the 
network remains open to too many threats. However, our future 
common architecture will enable a secure, joint global network 
that will provide essential services to our leaders and 
soldiers, Active, Guard, and Reserve.
    Our current network does not have the capacity or 
capability to do these things. We need sustained funding to 
upgrade our network.
    For the network to do everything that the Army needs, it 
must have a specific set of characteristics: worldwide reach, 
guaranteed availability, interoperability with our joint and 
mission partners, and the ability to accommodate all demands we 
place on it in a stringent security.
    The Army is aggressively implementing capabilities 
necessary to make this robust network a reality, while also 
converging multiple disparate networks into a single network.
    I recently put in place a comprehensive network campaign 
plan for the Army. I would like to give you just a brief 
snapshot of what we are doing to empower soldiers, commanders, 
and decision makers.
    The Army is expanding network capacity and creating an 
architecture that will allow future growth. Multiple 
initiatives are under way to strengthen the network security. 
As a proponent of the Joint Information Environment, the Army 
has partnered with the Air Force and the Defense Information 
Systems Agency to implement the Joint Regional Security Stacks, 
which will reduce the cyber attack surface.
    Increasingly effective and efficient network monitoring, 
management, and defense will address critical operational gaps 
and mitigate evolving threats. Our initial Joint Regional 
Security Stack site at Joint Base San Antonio is up and 
operating.
    The Army is also putting considerable effort into 
development and retention of a highly skilled civilian and 
military information technology workforce.
    Joint cloud computing will have a broad impact on the Army 
operations. It will enable reliable access to data, 
application, and services, regardless of the location and the 
device used. Cloud computing will also allow the Army to 
introduce innovative capabilities more quickly, and to better 
focus limited resources on meeting evolving missions' needs.
    The initiatives I just mentioned are taking place at the 
enterprise level, but they all feed directly into enabling the 
tactical force. The tactical forces we rely on to carry out the 
National Security Strategy.
    Most notably, they provide the foundation for expeditionary 
mission command, whose success depends on the efficient 
transition from home station to the deployed theater. Providing 
soldiers and decision makers a modernized network will require 
sustained investments, particularly during the modernization 
cycle that runs through fiscal year 2021.
    Additionally, the committee has asked about the impact of 
sequestration. Sequestration will slow network modernization. 
In fiscal year 2016 the Army will have to reduce spending on 
the network services and information assurance by almost $400 
million. This cut would impact every aspect of daily Army 
operations to include training and network security, which 
could degrade readiness and/or mission execution.
    I thank this committee for the opportunity to appear today. 
The Army and I are grateful for your interest in the network 
and the information technology needs. I look forward to your 
questions.
    [The prepared statement of General Ferrell can be found in 
the Appendix on page 36.]
    Mr. Wilson. General, thank you very much. And I 
particularly appreciate your efforts for network modernization. 
As an Army veteran myself who was trained on SINCGARS [Single 
Channel Ground and Airborne Radio System], you have come a long 
way.
    General Bender.

STATEMENT OF LT GEN WILLIAM J. BENDER, USAF, CHIEF, INFORMATION 
    DOMINANCE AND CHIEF INFORMATION OFFICER, U.S. AIR FORCE

    General Bender. Good afternoon, Mr. Chairman, Ranking 
Member, and distinguished members of the subcommittee. I am 
Lieutenant General Bill Bender, the United States Air Force 
Chief Information Officer.
    In the first 5 months in this position, I have decided to 
act upon my responsibilities by focusing upon four major lines 
of effort: enhancing the service's cybersecurity efforts; 
advancing the Joint Information Environment; developing the IT 
and cyber workforce by transforming career field development; 
and finally, operationalizing chief information officer 
authorities in a way that adds greater value to headquarters 
Air Force.
    My lines of effort are relevant to the myriad of ongoing IT 
and cyber-related initiatives within the Air Force, and play a 
critical role in assuring the United States Air Force can 
accomplish its mission successfully.
    First it is important to note cyberspace is an operational 
domain. It affords us a wider range of operational 
opportunities, and conversely it exposes us to vulnerabilities 
and threats that place the Air Force's five core missions, air 
and space superiority, ISR [intelligence, surveillance, and 
reconnaissance], rapid global mobility, global strike, and 
command and control, at risk.
    Cybersecurity is at the forefront of my priorities for IT 
within the Air Force. We must understand and confront the 
reality that the vulnerabilities we face in cyberspace 
jeopardize our wartime capabilities, including our aircraft, 
space, and other weapons systems.
    Therefore I have convened under the direction of the Air 
Force chief of staff a cyber task force with the 
straightforward objectives of diagnosing the full extent of the 
cyber threat, developing an enterprise level risk management 
strategy, informing a better understanding of our priorities 
for investments.
    The momentum toward cybersecurity drives one of my other 
lines of effort, ensuring the Air Force is a full partner in 
achieving the Joint Information Environment with the DOD and 
the other services. We fully understand the imperative to move 
forward this environment with respect to both operational 
capability and efficiencies to be gained.
    My third line of effort addresses the need to completely 
transform our IT and cyberspace workforce. It is imperative 
that we recruit, train, and retain those with the necessary 
skills to meet IT and cyberspace challenges of the 21st 
century.
    With respect to IT and cyber budgets, the Air Force is 
partnering with DOD and Air Force acquisition leaders to 
streamline our acquisition processes. Our Information 
Technology Governance Executive Board aligns our IT investments 
and acquisition efforts to the Air Force corporate process.
    Additionally remain actively engaged with Air Force Space 
Command, which is the Air Force's lead major command, with 
responsibility for the IT and cyber portfolios. Together we are 
doing what we can to strengthen the investment reviews and 
requirements management processes.
    My office manages the IT Capital Planning and Investment 
Control process, and leads coordinated and regimented reviews 
of major investments that are mandated as Exhibit 300s. These 
reviews will provide greater accuracy on a daily basis, 
significantly aid the Air Force IT budget and Federal 
Information Technology Dashboard reporting process, and enable 
a process to validate IT requirements and follow our 
investments.
    The lines of effort I have outlined today, if executed 
well, will deliver the appropriate policies, personnel, 
capabilities, and resources needed to assure Air Force missions 
against a determined adversary. I thank you for the opportunity 
to address the subcommittee, and I also thank you for your 
interest in these critically important issues. And I look 
forward to your questions.
    [The prepared statement of General Bender can be found in 
the Appendix on page 53.]
    Mr. Wilson. Thank you very much, General.
    Dr. Zangardi.

 STATEMENT OF DR. JOHN ZANGARDI, ACTING DEPARTMENT OF THE NAVY 
 CHIEF INFORMATION OFFICER, AND DEPUTY ASSISTANT SECRETARY OF 
   THE NAVY FOR COMMAND, CONTROL, COMMUNICATIONS, COMPUTERS, 
         INTELLIGENCE, INFORMATION OPERATIONS AND SPACE

    Dr. Zangardi. Good afternoon, Chairman Wilson and Ranking 
Member Langevin and distinguished members. Thank you for the 
privilege to speak before you today on the Department of Navy's 
information technology budget. I will keep my comments brief.
    There has been an astounding increase in IT capability over 
the last few decades. It has important implications for the 
Department of Navy.
    However, unlike traditional weapons systems acquisitions, 
the Department is not driving the pace of innovation. It is 
industry. The question is how do we leverage what industry is 
doing now?
    Last week I visited forward-deployed naval forces in both 
Japan and Guam. I met with marines and sailors. I will briefly 
share with you different perspectives I gained from those 
interactions.
    I met a young aerographer's mate at the Naval Oceanographic 
Antisubmarine Warfare Command in Yokosuka, Japan. She was in 
the top three of her A-school class. Most impressively, she 
advanced from an E1 to E5 in less than 2 years.
    She is reliant on the Navy's overseas network to access 
tactical applications such as the Naval Integrated Tactical 
Environmental System, or NITES program. Without access to the 
network and tactical applications such as NITES, she cannot 
fully support the warfighter mission with meteorological and 
mission-planning data, despite all her training.
    I also met with senior-level leadership in the Western 
Pacific. Providing mobile, secure command and control, or C2, 
over forces is an important concern of the fleet, strike group, 
and unit commanders. Our overseas expeditionary and afloat 
networks must be able to respond to this demand signal and 
deliver capability.
    The expectations from the Navy and Marine Corps warfighter 
are high. The reason we need to harness the industry trends of 
lower cost and more readily available capability is because 
information technology provides the means to enable better 
decision making.
    For example, if the Department never improves the network 
or the tactical applications used by the aerographer's mate, 
she will not be able to provide the fleet the knowledge 
products they need to perform their mission or execute it.
    Information technology has become the thread that weaves 
together platforms, tactics, and personnel to execute our 
strategy. This drives home just how important it is to move 
forward with transitioning ONE-NET [Outside the Continental 
United States Navy Enterprise Network] to NMCI [Navy-Marine 
Corps Intranet], and continuing with installation of 
Consolidated Afloat Networks and Enterprise Services [CANES] 
program. Both are absolutely critical in our support of our 
forward-deployed forces.
    Department of Navy programs such as Marine Corps Enterprise 
Network, Navy Multiband Terminal, Automated Digital Network 
System, and Mobile User Objective System need your continued 
support to provide connectivity to the warfighter and afloat 
and expeditionary warfighter.
    In an era of constrained budgets, we need to learn and 
leverage lessons from industry. It is incumbent on us to reduce 
redundancy, drive out costs, and deliver innovation.
    How do we buy more smartly and put technology in the hands of 
the warfighter? NGEN [Next Generation Enterprise Network]. Our 
ashore network contract, NGEN, is a true success story that is 
providing capability now. The NGEN contract delivered $1.2 
billion in real savings across the FYDP [Future Years Defense 
Plan] as a result of competitive market forces.
    I believe that we bought smartly. The NGEN contract 
provides for an enterprise network for both Navy and Marines. 
NGEN is also how we will deliver JIE and JRSS. We are engaged 
in the development of JIE and implementation of JRSS.
    Data center consolidation and application rationalization 
are another effort. They are not easy tasks. Industry will tell 
you that while these are challenging, they are critical 
components to drive out costs and drive in security.
    We are making progress. The desired end state is a single 
integrated global ashore infrastructure service delivering, 
leveraging Navy data centers, application hosting, and 
commercial cloud services. The objective is to drive out cost 
while still providing the warfighter the information they need 
when they need it.
    Providing increased mobility options to the warfighter is 
paramount. Putting new industry standard devices that deliver 
consistent security by separating business data from employee 
personal information is just starting up, and should be 
complete by year's end for about 30,000 devices across the 
Navy.
    The Department is focused on innovation. We increasingly 
realize that information is an asset. The Department's 
information systems provide an opportunity, and can enable 
innovation areas of business intelligence and the cloud. We 
need to rethink how we value and share information. We have to 
ensure that our processes move at the speed necessary in the 
information age.
    Lastly, Vice Admiral Branch couldn't attend, but wishes to 
have his statement added to the record. And I would appreciate 
your consideration there, sir.
    The Department of Navy is very proud of our efforts in IT. 
I am standing by for your questions.
    [The prepared statement of Dr. Zangardi can be found in the 
Appendix on page 62.]
    Mr. Wilson. Thank you very much, doctor.
    And now we proceed to General Nally.

  STATEMENT OF BGEN KEVIN J. NALLY, USMC, DIRECTOR, COMMAND, 
 CONTROL, COMMUNICATIONS, AND COMPUTERS (C4)/CHIEF INFORMATION 
            OFFICER, HEADQUARTERS U.S. MARINE CORPS

    General Nally. Chairman Wilson, Ranking Member Langevin, 
distinguished members of the committee.
    First and foremost I would like to start off my oral 
statement by stating my number one priority is now and has been 
for the past 5 years, people, which includes marines and our 
civilians supporting marines, and are providing support to our 
forward-deployed forces, which includes marines and sailors. It 
is my number one priority.
    Today, as always, your Marine Corps is committed to 
remaining the Nation's force in readiness, a force truly 
capable of responding to a crisis anywhere around the globe at 
a moment's notice. As we gather here today, 32,000 marines are 
forward-deployed around the world, promoting peace, protecting 
our Nation's interests, and securing our defense.
    We have marines currently conducting security cooperation 
activities in 29 countries across the globe and continue to 
make a difference. All these marines remain trained, 
well-equipped, and at the highest state of readiness.
    Information technology is a key enabler to the Marine Corps 
being able to fight and win our Nation's battles. As we align 
our information technology with our Commandant's Planning 
Guidance and Expeditionary Force 21, we take the approach from 
the furthest deployed marine and move back to the Pentagon.
    This approach, fighting hole to flagpole, allows us to best 
understand our command and control, and information demands, 
and to build our networks and programs to support the Marine 
Corps broad range of missions.
    As we look to the future, Expeditionary Force 21 is our 
corps capstone concept that will increase our enduring presence 
around the globe. We employ tailored, regionally oriented 
forces that can rapidly respond to emergencies and crises.
    Having the capability to rapidly deploy command and control 
packages provides a fully joint capable force that can operate 
as part of a more integrated naval force to better fight and 
win complex conflicts throughout the littorals.
    A key tenet to support Expeditionary Force 21 is the Marine 
Corps moving towards a single network, the Marine Corps 
Enterprise Network. The Marine Corps Enterprise Network 
unification plan provides the Marine Corps path to the Joint 
Information Environment, or JIE.
    We are unifying multiple networks to ensure effective use 
of our resources, and more importantly to allow reliable access 
to information for all our forces. Information assurance 
remains a key component of our Marine Corps Enterprise Network. 
We have established the Marine Corps Cyber Range to enable the 
development and testing of information systems, support 
cyberspace training, and conduct operational planning and 
realistic exercise support.
    Finally, our workforce, the marines and civilian marines 
who operate and defend the network 24 hours a day, 365 days a 
year, are our most critical asset. This workforce enables the 
Commandant's Planning Guidance and Expeditionary 21, and most 
importantly, supports those deployed marines in accomplishing 
their mission.
    I want to thank the chairman and the committee for the 
opportunity to appear here today to discuss Marine Corps 
information technology matters. Thank you for the opportunity 
to appear before you today. I look forward to answering your 
questions.
    [The prepared statement of General Nally can be found in 
the Appendix on page 76.]
    Mr. Wilson. Thank you, General Nally. And as you cited, 
32,000 Marines in 29 countries around the world.
    Actually, Congresswoman Stefanik and myself last week saw 
firsthand at embassies throughout the Middle East and Central 
Asia the extraordinary young marines providing security. And it 
would make any and every American very proud. So thank you very 
much for your service.
    General Nally. Thank you.
    Mr. Wilson. As we proceed, and we will be on the 5 minutes 
for each of us, including myself.
    And so first of all, with General Ferrell, because the 
civilian part of the workforce is so integral when it comes to 
information technology and cyber, what are we doing to better 
manage that part of the workforce?
    In your testimony you have made some recommendations. Can 
you please elaborate on some of the things that you would 
recommend as we should be doing? Do any of the others on the 
panel have any other and additional recommendations?
    General Ferrell.
    General Ferrell. Congressman, thank you for that question. 
The Army is doing an awful lot to increase the capacity, both 
on our cyber workforce and as well as in our IT workforce.
    We have over 11,000 civilian IT workforce that we currently 
have on the books. And we are implementing a holistic strategy 
to transform information technology and the cyber workforce, 
from recruiting to training to training critical parts of the 
information technology.
    From a recruiting side of the house, we have an extensive 
outreach program that is aligned with STEM [science, 
technology, engineering, and mathematics] into the high school 
from K-12, as well as putting on demonstrations to encourage--
technical demonstration to encourage the high school students 
to pursue a career in the STEM world.
    We also have the opportunity where we have an internship 
program where we take high school students as well as college 
students, about 50 annually a year, and then include them as 
part of the Presidential Management Fellows. We have about 
currently three that are on hand working with the Army.
    So again, we have the STEM program, outreach with the K-12. 
And we also have an internship program that we work with the 
high school students as well as the college students.
    On the retaining side of the house, we are also exploring 
additional incentive pay to promote retention and remain 
competitive with the industry partner.
    And the last piece that--on the training side of the house, 
the technical programs that we have in place is both from the 
military side that we offer to advance more technology in the 
cyber world as well as intel world. And we will offer some 
civilian opportunities as well. These are some of the programs 
that we have within the Army.
    Mr. Wilson. Thank you very much.
    Does anyone else have any to add? Dr. Zangardi.
    Dr. Zangardi. Yes, sir. Thank you.
    Very briefly, on the civilian side from 2012 to 2014 we 
have seen our attrition rate of civilians drop from 9.7 to 5.1. 
That may be due to the economy. But I also think it reflects 
the unique work that we do at locations and SPAWAR [Space and 
Naval Warfare] Systems Command out in California.
    It is a unique opportunity to work on some cutting-edge 
technology, or also to serve your country. I agree with the 
general that things like STEM and outreach to schools and other 
industries to bring in uniquely qualified personnel are very 
helpful to our ability to keep and retain highly qualified 
civilians.
    On the military side, our rates for accession and retention 
are being met. We utilize selective retention bonuses and we 
provide increased training opportunities at the 12- to 14-year 
mark, which is a mark at which most people will not leave after 
they get the training.
    Mr. Wilson. Thank you very much.
    And the next question for me, General Nally, each of you 
have talked about the personnel challenges related to finding, 
hiring, and training information technology professionals, both 
military and civilian. I would like to hear your thoughts on a 
couple of points. One is leveraging commercial certifications 
or commercial training.
    General Nally. Thank you, sir. We don't have a problem 
recruiting and retaining if we are talking to the military 
first for entry-level Marines. Whether they are enlisted or 
officers, the training is conducted out at Twentynine Palms, 
California, at our Marine Corps communications and electronic 
schools.
    The cyber network operators, they actually at the 
entry-level first formal school, upon graduation they actually 
receive commercial certifications in four various commercial 
companies equal to what they would offer for certifications. 
For example, Microsoft, they depart the school and they have 
commercial Microsoft certifications.
    As they progress in their careers if they decide to stay in 
they receive additional certifications, i.e., through Cisco, 
VMware, NetApp are a few of the companies. And all that 
training is conducted in Twentynine Palms. So we have a formal 
working relationship with those companies where they actually 
receive those company certifications.
    For civilians I have a budget to train and educate the 
civilian IT cyber workforce so we ensure that they receive the 
training, education, and certifications that they require for 
the appropriate billets that they hold.
    Mr. Wilson. Well, I would like to congratulate you because 
I would have thought our retention would be very difficult in 
the 9.7 to 5.1, doctor. That is incredible because you are 
dealing with such talented people. Thank you all for your 
extraordinary efforts to maintain your personnel.
    Mr. Langevin.
    Mr. Langevin. Thank you, Mr. Chairman. Again I want to 
thank our witnesses for your testimony today.
    Mr. Halvorsen, in 2011 the commander of U.S. Cyber Command 
briefed the Joint Chiefs of Staff on the inability to see the 
entire DOD networks, and the risks associated with the 
limitation. In addition to providing more efficient and 
effective networks, the Joint Information Enterprise, JIE, 
initiative is intended to enable U.S. Cyber Command the 
visibility of the network required to defend it.
    In your opinion, is the initiative moving towards that end 
state? Why or why not? And what official guidance has been 
provided to the services to ensure that end state?
    Mr. Halvorsen. Sir, thank you.
    Yes, we are making good progress on that. The JRSS, as we 
implemented the first set of software, already exposes more of 
the network than we had exposed before from CYBERCOM and from 
the new stood-up DODIN [Department of Defense Information 
Networks] headquarters which is at DISA, which is now 
responsible for overseeing that under the operational control 
of Admiral Rogers.
    The services have all been provided guidance, both 
operational guidance from Mike Rogers, policy guidance from my 
office, that says we will implement the JRSS. We have laid out 
the timelines. They are all committed, all team members. You 
have heard them all testify to that.
    We have figured out the funding on how to do this. The next 
version of the software, which is version 2.0, will complete 
that picture so that all of the services can see the same 
picture as CYBERCOM. That is funded.
    One of the ways we were able to do that is by looking at 
some of the business processes in DISA, taking that money and 
applying it inside of DISA to fund the software. That is step 
one. And I want to point out that JRSS is the first step.
    The next step--and you have heard all of the services talk 
about how they collapse their enterprise networks. Each of the 
services entered at a different spot with regard to enterprise 
networks. They are all working to collapse that.
    As we collapse the networks, that will also give us a 
better picture. It is a little physics. It is less for us to 
look at. So in addition to putting up the JRSS, we are working 
with all the services to collapse the total number of networks 
that frankly Mike has to look at and to make sure that are 
secure.
    Mr. Langevin. And, Mr. Halvorsen, the Joint Chiefs of 
Staff, Cyber Command, the acquisition community, the services, 
and many other entities have a stake in JIE. What office, and 
who, is in charge of this mission?
    Mr. Halvorsen. I own JIE and making sure that that is 
complete to everybody's satisfaction. Mike Rogers owns it from 
an operational standpoint. The single point to make sure that 
it gets done from funding operations is my office.
    Mr. Langevin. Okay.
    And you described the Joint Regional Security Stack, JRSS, 
as the foundation of JIE. General Ferrell, you mentioned moving 
forward with JRSS with the Air Force and DISA, and Dr. Zangardi 
and General Nally, when will the Navy and Marine Corps move out 
with JRSS?
    And Mr. Halvorsen, what is your view of the different 
services' timelines? What is each service's programmed 
investment through the next 5 years in JRSS? And is it 
equitable and a strategy allowing for the best bang for the 
buck?
    Mr. Halvorsen. Sir, if you permit me I will first answer 
that. All of the services are completely committed to this and 
have funded.
    And when we look at what the current condition is, the 
Department of Navy, and for truth in advertising my previous 
job was the Department of Navy's Chief Information Officer, 
collapsed its systems first around NGEN and previous NMCI. They 
are in some cases better positioned because of that to do and 
see their network better.
    The Air Force and Army are moving very rapidly in that 
direction. The reason they are moving first behind JRSS is that 
will give them the same level of capability that the Marine 
Corps and Navy enjoy now. When the Navy and the Marine Corps, 
we go to JRSS 2.0, that gives everybody increased capability 
and everybody will move on that.
    The Army and the Air Force will be completed in 2017 
migration. The Navy and Marine Corps complete in 2018. That is 
an aggressive schedule to get all of the networks and the 
complexity done, but I think it is the right schedule and one 
that I do not think we can let slip. That is the goal.
    You mentioned the ``Tank'' [Joint Chiefs of Staff 
conference room]. I briefed the ``Tank'' two weeks ago. All of 
the service chiefs are 100 percent behind that and committed to 
making sure that we do not slip that date.
    Mr. Langevin. Anybody else got a comment?
    Dr. Zangardi. Yes, sir. I concur with Mr. Halvorsen's 
statement since he had my job previously.
    NGEN, the NGEN contract is our path forward to JIE. It--
specifically, the technical refresh or modernization dollars 
within the program will be channeled to JIE activities or 
acquisitions as the standards are defined.
    We are engaged now in engineering, planning, and budgeting 
on the JIE team. We have engineers involved. We have our SPAWAR 
folks playing in there. We plan to be part of the definition of 
JIE and JRSS.
    As Mr. Halvorsen said, we will be complete in 2018. We 
align with that schedule. We are also working closely with 
PACOM [Pacific Command] J6 on what JIE increment 2.0 is. So we 
are very involved in the whole effort of JIE and JRSS, and have 
the mechanisms in place in NGEN to move forward.
    General Bender. Sir, if I could clarify for the Air Force. 
We are actually at an end-of-life condition. We are on a single 
security architecture since 2011 with 16 gateways. And this is 
the next evolution. So JIE, JRSS, is the right way for the Air 
Force to go.
    General Ferrell. And sir, I would like to give you a good 
news story on the progress of the JRSS, specifically at Joint 
Base San Antonio where there is a partnership between the Army 
and the Air Force and Defense Information System Agency.
    When we started this journey about a year ago of again 
taking the JRSS capability, as well as expanding the capacity 
at Joint Base San Antonio, put it in place and worked through 
the technical challenges of how do we collapse the network.
    I am very pleased to tell you to date that we have expanded 
the capacity there at Joint Base San Antonio. We have installed 
the JRSS devices. And we have also passed traffic, both Air 
Force and Army traffic, over the same network between Joint 
Base San Antonio as well as Montgomery, Alabama.
    So again, that is the first step toward progress, physical 
progress with this effort. We have taken lessons learned from 
that initial site and we are going to incorporate that on all 
the follow-on sites, both CONUS [continental United States] and 
OCONUS [outside the continental United States].
    Mr. Langevin. Thank you.
    Mr. Wilson. Thank you, Mr. Langevin.
    We now proceed to Congressman Rich Nugent, of Florida.
    Mr. Nugent. Thank you, Mr. Chairman. And I appreciate this 
panel being here today.
    You know one of the things that I always get nervous about 
when I was over an agency that had computers and every time you 
have a gateway, a way in, how that opens up. But it is even 
more troubling as to when you look back at the Snowden incident 
2 years ago.
    How are we protecting ourselves against an insider attack 
that could obviously cripple us if that information got out to 
our adversaries? And I will let anyone take a stab at that one.
    Mr. Halvorsen. Doing a couple things. I mean we have 
implemented all the directives. And you can see in all of our 
written testimony, we have complied with all the directives. 
And we will be implementing a deep insider threat.
    But a couple things that I think illustrate what we have 
done is the biggest insider threat is from systems 
administrators, the guys that have complete access. We have 
strengthened the security requirements on those.
    We will be in conjunction with Mike Rogers shortly, putting 
out some more detail on that. It requires them to be 
token-enabled on our way to making that completely CAC [Common Access 
Card]-enabled so you will have a visible identity of every 
system administrator.
    We have put in place under Mike's direction, and we could 
go deeper in a different venue, the ability to see what system 
administrators are doing and some ability to monitor, I won't 
say abnormal behavior, but different behavior. When you are in 
a computer business it is hard.
    So if they route traffic differently or if they are seeing 
some--if we are seeing them move things around differently, 
that ability is expanding within the Department in addition to 
all of the things that were directed in the NDAA, which we are 
on schedule to comply with.
    General Ferrell. Congressman, in addition to what my 
colleague to my right has shared, we are also implementing an 
extensive educational program to educate our users on 
identifying the types of malisons that will occur on the 
network and how to mitigate that.
    So again, we are really reaching out to--as well as putting 
the protection from the software on the computers, as well as 
monitoring the activities of the administrators, we are also 
doing the educational aspect as well.
    Mr. Nugent. I know there was a GAO [Government 
Accountability Office] report out a while back, particularly as 
it relates to DISA, but as it relates to JIE that it is so 
broad that there is no one program administrator. Were they 
correct in that assumption? Or was----
    Mr. Halvorsen. I think there was certainly some truth that 
we were a little fractured in what we had defined JIE. So with 
the help of my colleagues over the last year what we did was 
take a look at what is JIE.
    JIE is a concept. We are not going to ever implement JIE. 
What we will implement is the steps that get us to a Joint 
Information Environment.
    So what I can now tell you, and I think you have heard 
today, the first step of that is to get to the Joint Regional 
Security Stacks, phase one. Phase two is for us to then--how do 
we implement and take that into our mission and coalition 
partners. So they are the first two key, very physical, very 
visible, measurable.
    You can put metrics on them, steps that we have to do with 
JIE. And I think we had not clarified that really, simply, 
until the last year. And that is--that may be what was the 
single biggest driver is that we really did clarify. Those are 
the key points that have to happen in that sequence.
    Mr. Nugent. All right. It makes sense because obviously if 
you have one agency or one group that is in charge of all of 
the IT for all the services there are some real gaps that would 
occur. Things the Air Force would be important to would not be 
as important to the Army or vice versa.
    So I think that your concept is great. And I think that you 
have--through the services you have some great folks that are 
very talented that can move this forward.
    You know IT is always something changing. I can remember my 
past life it always seemed like you know we just upgraded our 
servers and then it wasn't 2 years later saying hey, boss, the 
stuff is no good. We got to get new stuff.
    And I am sure you face that same type of environment. But 
how do you guard against that, I mean constant change over what 
you need, equipment? And I don't know if you can.
    Mr. Halvorsen. I think you have to do two things. I mean 
one of the things that this group has done is decide about some 
ways that we will all look at certain investments.
    So we now have within this group a standardized business 
case analysis process. And when I say business case, our 
business is war.
    So it also looks at the operational pieces, too. It is not 
just on the business systems. That is one way that we can all 
look and make sure that we are looking at things and measuring 
the same way.
    It is okay for things to be different, particularly in the 
physical properties, different equipment, as long as it will 
perform to the same standards. It measures up to the same 
money, accountability, and all the other measures. We are doing 
better at that.
    We are also looking at what is our current inventory of not 
just things but software and applications. One of the things 
that we are looking at now is how do our applications line up? 
I will give you an example.
    When we look at logistics, about 80 percent of our 
logistics applications share a large majority of data elements 
that are the same. And I think that is the other change.
    You really have to go to the data level. If those data 
elements are the same, maybe the first thing that we can do is 
start shrinking the number of systems, let the applications 
that the services need, because they do need to be distinct in 
some areas.
    You pointed out right the Air Force, the Army, the Marine 
Corps they have different requirements on some of this. We can 
combine the data elements and wrap that. That is not a great 
term.
    Wrap that around the different parts of the applications 
that each of the services need, share common data, protect it 
in one location. And it both reduces costs and improves your 
operational capability. We are looking hard at how we expand 
that effort.
    Mr. Nugent. I appreciate that.
    And, Chairman, thank you for indulging me----
    Mr. Wilson. Hear, hear.
    Mr. Nugent. Thank you.
    Mr. Wilson. Thank you very much, Sheriff Nugent.
    We now proceed to Congressman Jim Cooper, of Tennessee.
    Mr. Cooper. Thank you.
    I am worried we are already in a cyber war, we are just not 
admitting it. I don't remember from history a time in history 
of warfare when more eggs have been put in one basket, 
basically.
    Virtually every chip in the world being made in one country 
that is not here. And the software is so unimaginably complex 
it is almost impossible for human beings to figure it out. So I 
am worried that the acronym ``CLOUD'' really stands for the 
``Chinese Love Our Uploaded Data.''
    I worry that none of the witnesses that I have ever heard 
calls for a change in the UCMJ, the Uniform Code of Military 
Justice, so that computer security becomes a value to be 
preserved because computer hygiene is staggeringly important. 
And perhaps there has been testimony to that effect. I haven't 
heard it.
    I am worried that our troops would be incapable of working 
if the Net went down and things go dark. I don't know anybody 
knows the degree of Internet of Things when facilities could be 
shut down, as relatively unprotected.
    And I don't know. Maybe you have been red-teaming all this. 
But to me the vulnerability is amazing when virtually every 
major U.S. company has already been taken down to some extent. 
Entire countries like Estonia were almost put out of commission 
years ago by hackers.
    I just worry there is more vulnerability here than perhaps 
this hearing has indicated so far.
    Mr. Halvorsen. Sir, I don't think we could tell you that we 
are perfectly secure. I think that would be a bit ridiculous 
statement to make. What I can tell you is that we are doing the 
things you talked about.
    And you talked about accountability. And I will get you a 
copy of the recent memo. But we did working together have the 
Deputy Secretary of Defense for the sign out a recent memo that 
improved accountability in how we hold individuals, both 
civilian and military, more accountable for their cyber 
actions. That is working.
    We have had recent discussions about how do we raise the 
bar on cyber hygiene. As we have had our discussion with the 
cloud, I will tell you that the most contentious issue with 
industry--we are not dodging the hard question of how they will 
meet our requirements, and then frankly how will they respond 
when they have a penetration and lose our data?
    What is the accountability that they are going to have. It 
is one of the things right now that is slowing the higher level 
cloud movement because we have not worked that out.
    Industry has not yet said that they will abide by some of 
those rules. We are certainly open to them showing us different 
technology to do that. But they still have to show us that they 
are doing it. So we are having that dialogue.
    We are looking at what it means to be cloud. So maybe I 
should expand just a minute on that. We are not going to just 
use commercial cloud. We will use every hybrid there.
    DISA has the milCloud. And to their credit, they have 
dropped the rates so it is more competitive with commercial. 
But what it does do is it provides that extra level of security 
for the really valuable data that we just can't afford to lose.
    The commercial world is working to move up to those 
standards. And as they do, we will put more into the cloud, but 
not until they meet those requirements. We are not lessening 
our security requirements. In some cases we are standardizing 
them. In other cases we are raising them.
    And the conversation with industry, which they did not like 
but were happy to be engaged in, the way we are publishing the 
cloud documents, what we have had to tell them is the standards 
I put out today in this environment, in the IT world, they will 
change. And they might change in 6 months, depending on what 
the threat does. And we have told them they have to be reactive 
to that.
    We are not going to put anything out there that does not 
meet the standards and that we have not looked at. And we are 
increasing the amount of red-teaming that we are doing across 
the board.
    Mr. Cooper. So we don't need to change the UCMJ?
    Mr. Halvorsen. I don't think we need to change the UCMJ 
today. I will tell you I think we need to enforce some of that. 
And it is not just the UCMJ because that would only govern our 
military as you know, but also the civilians.
    We have got to enforce the policies. And I think that is 
mostly about educating the commanders on how they do that. The 
policy is there.
    Cyber presents some problems even from the forensics side 
of how do you know who put it in. One of the reasons that we 
are doing more PKI [public key infrastructure]-enabling and 
getting down to the single identity is that when you put it in 
we will know.
    Once we have that I think you will see. And we are getting 
that more and more across the board. We have it on some 
systems. You will see us be able to actually hold an individual 
accountable for making a bad action on the network.
    Mr. Cooper. Thank you, Mr. Chairman.
    General Nally. I think--sir, if--just a minute. This might 
make you feel a little bit better, but three quick things. One, 
the Marine Corps is going toward using a private cloud.
    Number two is in terms of what you mentioned about the 
UCMJ. We have actually published a document states we call it a 
negligent discharge. If a marine or civilian takes classified 
information and does something inappropriate with it, whether 
puts it on a NIPRNET [Non-Secure Internet Protocol Router 
Network] or we had a spillage, et cetera.
    We do hold them accountable, the commanders do. So we let 
the commander, whoever the commander is, know that this 
individual had a negligent discharge. They hold them 
accountable.
    And three is we actually are training for a SATCOM 
[satellite communications] degraded intermittent latent 
environment, stressing VHF [very high frequency], UHF [ultra 
high frequency], HF [high frequency], terrestrial types of 
equipment, commander's intent and mission type orders. So we 
are pushing that down to the lowest levels.
    Dr. Zangardi. Sir, may I respond?
    A couple areas. First, modernization is capability and 
security. Our NGEN program has built in modernization so we 
bring in technology on a 4- to 5-year refresh basis.
    Our afloat network CANES has a 2-year software upgrade and 
a 4-year hardware upgrade built in. So as you do modernization 
you bring in the latest technology, bring in the latest 
security.
    Operation Rolling Tide, ORT, dollars are in the budget. 
That is bringing out tools, techniques, procedures to our folks 
out in the fleet that will improve security on our afloat and 
ashore units.
    We stood up in the Navy something called TFCA, Task Force 
Cyber Awakening. And I will read exactly what it does. It 
delivers fundamental change to the Navy's organization, 
resourcing, acquisition, and readiness. And align and 
strengthen authority, accountability, and rigor in Navy 
cybersecurity.
    We have full, broad support across the Navy organization. 
My boss, the Assistant Secretary for Research, Development and 
Acquisition, is the lead for the EXCOM [Executive Committee], 
along with the Vice Chief of Naval Operations. The three-star 
SYSCOMs [System Commands] are involved, all the resource 
sponsors. It has the highest level of interest.
    With regards to the cloud, I align with the DOD CIO on 
that. Before we move any data out to the public cloud, we are 
going to go through the data and screen it very carefully to 
make sure that we are not putting things, data, in commercial 
cloud scenarios that we should not be putting it. We are going 
to proceed with due caution.
    And to add on to General Nally, working, deploying in a 
degraded environment is key to Navy in the Western Pacific. We 
need to have the procedures in place to do that. And we are 
working those.
    Mr. Cooper. Thank you, sir.
    Mr. Wilson. Thank you, Congressman Cooper.
    We will now proceed to Congresswoman Elise Stefanik of New 
York.
    Ms. Stefanik. Thank you, Mr. Chairman. And thank you to all 
of our witnesses for your testimony today.
    General Ferrell touched on this briefly, but I wanted to 
ask each of you to weigh in. In your view, what are the risks 
and vulnerabilities to our network campaign plans, network 
modernization efforts, should DOD be forced to execute funding 
levels at BCA funding levels?
    Mr. Halvorsen. In the short term we will lose 2 to 3 years. 
And that really sums it up. We will fall 2 to 3 years behind. 
You have heard the specific numbers. There are specific numbers 
in testimony. Sequestration will delay the modernization 2 to 3 
years.
    And that comes with all of the things you have heard today. 
If we don't do that we will be more vulnerable. We will maybe, 
using your definition, sir, of ``CLOUD'' if we don't get some 
modernization. We won't support the warfighters. They will be 
at risk.
    Ms. Stefanik. And could you add on also what that means for 
the current threat assessment, how the threats have increased 
over the past 5 to 10 years?
    Mr. Halvorsen. I can tell you that they have increased in 
this form over the last 3 to 5 years. They are certainly more 
capable. And that includes everything from your country state 
threats to terrorist groups that would be in the news today.
    Any slowdown in our modernization will make it easier for 
even less complicated or less sophisticated groups to interfere 
with our business. It will expand the number of threats we will 
have to face if we don't carry through with some of the 
modernization and some of the security changes we are making. 
And they will be delayed by sequestration.
    Ms. Stefanik. Would anyone else like to add?
    General Bender. I will add just very briefly that I am 
relatively new in the position. But 5 months of discovery 
leaves me with a very strong impression that we are not going 
to harden or protect our networks to a completely safe, secure 
environment. It is nearly impossible because of the evolving 
nature of the threat.
    That said we need to have, and as the other services have 
already mentioned, the ability to fight through a determined 
adversary and find our way through it. And so risk management 
becomes really what is key and essential to our approach going 
forward.
    Dr. Zangardi. As I mentioned in a previous question, 
modernization is fundamental to providing us security and the 
capability we need. Sequestration will hamper, slow by several 
years our ability to modernize our IT capability.
    General Nally. Our biggest concern is people. So if we have 
to reduce funding and then the people that actually defend and 
protect the network, and we have to let those people go. That 
is our concern.
    And again, that gets back to my first priority. It is the 
people. If I don't have the right people to operate and defend 
the network, the network is worthless.
    Ms. Stefanik. Thank you. I have one question on a separate 
topic. And this is for just my background and for everyone else 
on the committee.
    Can you give an assessment of where other countries are in 
terms of their investment in network modernization efforts? Are 
we behind? Are we losing our edge? I know that is a very broad 
question, but it is an important one.
    Mr. Halvorsen. I don't think we are losing the total edge. 
Do I think that particularly if we get sequestration, which 
would not impact, say some larger countries in the world that 
we were all concerned with? They will gain.
    I mean that is a fact. I think right now we are in a good 
position in terms of the edge. But in IT that edge can 
disappear so very quickly.
    And very candidly, this is public knowledge that the 
Chinese, the Russians, other groups are making investments in 
all of these areas. If we are not able to continue our plan we 
will lose some of that edge and they will gain capability.
    Ms. Stefanik. Thank you very much, unless anyone has 
anything else to add. Thank you. I yield back.
    Mr. Wilson. And thank you very much for your terrific 
questions. We appreciate that, and Mr. Langevin.
    At this time I would like to again thank each of our 
witnesses for being here today.
    I want to thank the subcommittee members for their 
participation. And then, of course, Kevin Gates has just been 
extraordinary sitting here quietly maintaining time.
    And for each of you, thank you for your service. It is so 
important for our country.
    We are now adjourned.
    [Whereupon, at 5:12 p.m., the subcommittee was adjourned.]


=======================================================================




                            A P P E N D I X

                           February 25, 2015

=======================================================================

 
              PREPARED STATEMENTS SUBMITTED FOR THE RECORD

                           February 25, 2015

=======================================================================

=======================================================================


                   DOCUMENTS SUBMITTED FOR THE RECORD

                           February 25, 2015

=======================================================================


              QUESTIONS SUBMITTED BY MEMBERS POST HEARING

                           February 25, 2015

=======================================================================

      

                   QUESTIONS SUBMITTED BY MR. HUNTER

    Mr. Hunter. Has the Department considered revising the Cloud 
Computing Services deviation to allow for more flexibility for mission 
owners and cloud service providers in obtaining a Provisional 
Authorization (PA) for a dedicated or private cloud service while going 
through a contracting motion? As an example, a vendor may be awarded a 
contract, but PA is a contingent milestone of the contract award.
    Mr. Halvorsen. The DFARS Class Deviation on Contracting for Cloud 
Services currently requires that a commercial cloud service provider be 
granted a DOD Provisional Authorization (PA) prior to contract award. 
The Department is considering modifications to the policies and 
procedures currently specified in the Class Deviation, including 
whether a PA should continue to be a prerequisite for contract award, 
as part of its deliberations regarding DFARS Case 2013-D018. That DFARS 
case is planned to supersede the Class Deviation, and the Department 
will be seeking public comment on the new DFARS coverage through the 
public rulemaking process.
    Mr. Hunter. The DOD software inventory plan executed under section 
937 of the FY National Defense Authorization Act included numerous 
exemptions, did not require an automated solution to compile the 
inventory, and it did not include an audit trail. These and other 
requirements are outlined in section 935 of the FY14 National Defense 
Authorization Act which your office is currently developing a plan to 
be submitted to Congress by the prescribed timeline of September 30, 
2015. Please detail for the committee how your office is developing 
this plan, the input received from the services, and how your office is 
reaching out to industry to understand what automated capabilities 
exist and how this inventory can be performed to the satisfaction of 
both parties?
    Mr. Halvorsen. The FY14 NDAA Section 935 planning effort is 
ongoing. Efforts to date have been directed towards developing a 
business case analysis (BCA) of alternative courses of action for an 
enterprise software inventory reporting process. The BCA outlines 
several alternatives with varying degrees of centralized software 
license management and reporting operations to determine the most 
appropriate approach for DOD. As part of the BCA, the DOD Chief 
Information Officer (CIO) is analyzing two ongoing internal information 
technology (IT) management reporting efforts to determine the extent to 
which they could be leveraged to support the Section 935 software 
license reporting requirements. The DOD plan will build on these 
internal efforts to formulate a holistic approach for software license 
reporting. Once the appropriate software license reporting framework is 
selected, DOD CIO will develop a plan for a software license reporting 
process. The plan will be completed by the end of FY15.
    The DOD CIO issued a memorandum in June 2014 directing the CIOs of 
the Military Departments and DISA (the Components) to designate action 
officers to support DOD planning efforts for the Section 935 
requirements. Through joint bi-weekly meetings hosted by DOD CIO, the 
Components' action officers have been collaborating in the planning 
efforts and reviewing work products. The Components have been an 
integral part in identifying the overall strengths, weaknesses, 
opportunities, and threats for each of the alternatives being 
considered in the BCA.
    The joint team has reached out to industry by: 1) hosting 
commercial IT asset management (ITAM) and software license management 
vendors to present overviews and demonstrations of their product and 
service offerings; 2) meeting with corporate software license 
management teams to share lessons learned from their software asset 
management (SAM) implementations; and, 3) meeting with ITAM industry 
analysts to discuss DOD requirements and potential SAM implementation 
options. The DOD joint team has used industry benchmark data and 
lessons learned in support of its BCA alternatives. The DOD CIO and 
Component CIO representatives also meet with ITAM and other software 
providers through ongoing DOD Enterprise Software Initiative (DOD ESI) 
IT strategic sourcing operations. The DOD joint team has shared lessons 
learned about Component-level implementations of ITAM processes and 
tools using commercial software products. The Components have also 
independently reached out to industry to assess alternatives for 
Component-level ITAM and SAM efforts.
    Mr. Hunter. Please detail the Army's efforts to date on software 
inventory as prescribed by both section 935 of the FY13 National 
Defense Authorization Act and section 937 of the FY14 National Defense 
Authorization Act?
    General Ferrell. The FY13 National Defense Authorization Act 
(NDAA), Section 937, required the Department of Defense (DOD) Chief 
Information Officer (CIO), in consultation with the CIOs of the 
Military Departments (MILDEP), to issue a plan for the inventory of 
selected software licenses, and to assess the need for the licenses. 
Under the auspices of the DOD CIO, all Services, Defense agencies and 
DOD Field Activities were directed to conduct an inventory of selected 
software licenses, including a comparison of software licenses 
purchased to licenses installed, and to submit a projection of the 
licenses needed over the following two years. The intent was to provide 
baseline information to enable economies of scale and cost savings in 
future procurement, use and optimization of the selected software 
licenses. Under the direction of the HQDA CIO/G-6, the Army assembled 
an integrated product team (IPT), with representation from all Army 
organizations and the Joint Commands for which Army is the executive 
agent, to conduct a selected software license inventory (SSLI). Meeting 
on a weekly basis, first with key stakeholders to develop the plan, and 
then with all appropriate organizations, the IPT provided oversight for 
conducting the SSLI audit. The audit used automated scanning and 
discovery tools where available, and a data call for networks or 
enclaves where automated tools were not readily available. CIO/G-6 
aggregated and rationalized the inventory reports and completed the 
analysis of selected software licenses purchased in comparison to 
software licenses installed. The SSLI effort included a projection of 
future need for these licenses over the following two-year period. The 
initial report was submitted to the DOD CIO on July 18, 2014; after 
providing some additional information and clarifications, the final 
report was submitted on August 28, 2014. The Army owned 250 of the 937 
titles included in the selected software list. We estimate that the 
SSLI audit across the Army involved approximately 400 personnel and 
10,000 hours over an eight-month period. FY14 NDAA Section 935 directed 
DOD to update the plan for the inventory of selected software licenses, 
to include: inventorying all software licenses utilized within DOD for 
which a military department spends more than $5 million annually on any 
individual title; a comparison of licenses purchased to licenses in 
use; and plans for implementing an automated solution capable of 
reporting software license compliance with a verified audit trail and 
verification by an independent third party. It also mandated the plan 
provide details of the process and business systems necessary to 
regularly perform reviews, and a procedure for validating and reporting 
the registration and deregistration of new software. The updated plan 
is due no later than September 30, 2015. In support of the FY14 NDAA, 
CIO/G-6 established a pilot project to test commercial software asset 
management (SAM) tools that will, ultimately, provide the Army the 
capability to manage software licenses across the enterprise. The SAM 
pilot is intended to test feasibility and scalability across Army 
networks, as well as commercial best practices and business processes 
for managing software utilization, entitlements and license compliance. 
Additionally, the Army CIO/G-6 continues to support the DOD CIO's 
Software License Management Tiger Team effort. This team is updating 
the plan developed per FY13 NDAA Section 937 and is on track to meet 
the 30 September deadline. The DOD effort has included a working group 
to determine potential solutions to satisfy DOD reporting requirements 
and a follow-on effort to determine the most practical and cost-
effective solution for the DOD enterprise.
    Mr. Hunter. Please detail the Army's efforts to date on software 
inventory as prescribed by both section 935 of the FY13 National 
Defense Authorization Act and section 937 of the FY14 National Defense 
Authorization Act?
    General Bender. In 2013 the Air Force initiated network scans to 
determine the amount of DOD/CIO-selected software installed on Air 
Force-managed sections of the NIPR and SIPR networks. The Air Force is 
also presently performing research and analysis of existing data 
repository tools as an interim solution to consolidate, manage, and 
report current software inventory. Another interim solution is the 
leveraging of existing scanning tools such as Microsoft's Host-based 
Security System (HBSS) and Systems Center Configuration Manager (SCCM) 
to collect and analyze installed software applications until a 
permanent automated software license management solution is determined. 
In early and proactive efforts to identify a license management 
solution, the Air Force released a Request for Information (RFI) to 
industry requesting the identification of software solutions capable of 
addressing the Air Force's Information Technology Asset Management 
(ITAM) requirements. Solutions from 46 small and large businesses 
included the use of commercially available software with implementation 
options including leveraging current government personnel and 
processes, primarily contractor support, and some level of hybrid 
approach. These options are presently under consideration; however, 
discussions with DOD/CIO and other military departments (MILDEP) have 
identified that there is not a singular solution to resolve the 
software license management task at hand. Regarding the DOD/CIO and 
other MILDEPs, the Air Force has actively participated in discussions 
and working groups in efforts to identify present software license 
management processes and tools as well as a joint solution. The Air 
Force has also been an active participant in the interagency agreement 
supporting the DOD Joint Enterprise License Agreement (JELA) effort and 
will continue to leverage the JELA process to determine software needs 
for the next two years.
    The Air Force will continue to aggressively identify, collect, and 
report software licenses in accordance with license agreements and 
congressional directives. Efforts and preparations are ongoing to meet 
both Section 937 of the National Defense Authorization Act (NDAA) for 
2013 and Section 935 of the NDAA for 2014 as well as that of Section 
1003 of the NDAA for 2010, Financial Improvement and Audit Readiness 
(FIAR). The Air Force is working toward a viable solution to not only 
meet the intent of the two NDAAs but to also establish an equitable 
solution for the future management of its entire ITAM program.
    Mr. Hunter. Dr. Zangardi, please detail the Navy's efforts to date 
on software inventory as prescribed by both section 935 of the FY13 
National Defense Authorization Act and section 937 of the FY14 National 
Defense Authorization Act.
    Dr. Zangardi. The Department of the Navy (DON) is actively engaged 
in the Department of Defense Chief Information Officer (DOD CIO) 
Integrated Product Team (IPT) for Information Technology Asset 
Management (ITAM) created to address reporting requirements prescribed 
by Section 937 of the FY13 National Defense Authorization Act (NDAA) 
and revised by Section 935 of the FY14 NDAA. The DON used available IT 
portfolio management tools and authoritative data sources to prepare 
the DON software license inventory and needs assessment submitted to 
the DOD CIO and will continue its support of the DOD CIO Joint IPT as 
it works to comply with the requirements of the Acts.
    Mr. Hunter. Please detail the USMC's efforts to date on software 
inventory as prescribed by both section 935 of the FY13 National 
Defense Authorization Act and section 937 of the FY14 National Defense 
Authorization Act?
    General Nally. The Marine Corps, in coordination with the 
Department of Defense (DOD), completed an inventory of all software 
that met the established criteria per Section 937 of National Defense 
Authorization Act (NDAA) 2013. The Marine Corps inventory has been 
submitted in accordance with the July 18, 2013 DOD Chief Information 
Officer memorandum, Subject: Department of Defense-wide Selected 
Software Licenses Inventory Plan.
    Marine Corps representatives are ongoing participants in the 
software license planning meetings established by the DOD Chief 
Information Officer in the May 30, 2014 memorandum, Subject: 
Establishing a Joint Software License Reporting Team for the Fiscal 
Year 2014 National Defense Authorization Act. The Marine Corps provides 
input for requirements and supports development of the DOD plan.
    The Marine Corps is developing an Information Technology Asset 
Management Module (ITAMM) and License Management Module (LMM) within 
its BMC Remedy environment to replace the legacy Virtual Procurement 
Management System (VPMS) customer software ordering tool. With the sun-
setting of VPMS in FY16, ITAMM and LMM will enable the Marine Corps to 
identify what software is purchased and, in conjunction with approved 
network software discovery tools, track what software is in use on the 
Marine Corps Enterprise Network (MCEN) in order to identify 
discrepancies for remediation.
    All requests to procure software products are processed through the 
Marine Corps Information Technology Procurement Review and Approval 
System (ITPRAS) and require registration in the DON Application and 
Database Management repository prior to final approval by Marine Corps 
Director C4/Deputy DON Chief Information Officer (CIO) (Marine Corps). 
Software is captured in the appropriate functional area portfolio and 
Functional Area Managers retain responsibility to regularly perform 
reviews of and validate and report on their portfolios to the Director 
C4/DDCIO-MC. The Marine Corps continues to work with the DOD and DON 
CIO Integrated Product Team (IPT) for Information Technology Asset 
Management (ITAM) created to address reporting requirements prescribed 
by Section 937 of the FY13 NDAA and revised by Section 935 of the FY14 
NDAA.

                                  [all]