[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
[H.A.S.C. No. 114-12]
HEARING
ON
NATIONAL DEFENSE AUTHORIZATION ACT
FOR FISCAL YEAR 2016
AND
OVERSIGHT OF PREVIOUSLY AUTHORIZED PROGRAMS
BEFORE THE
COMMITTEE ON ARMED SERVICES
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
FIRST SESSION
__________
SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES HEARING
ON
INFORMATION TECHNOLOGY
INVESTMENTS AND PROGRAMS:
SUPPORTING CURRENT OPERATIONS
AND PLANNING FOR THE FUTURE THREAT ENVIRONMENT
__________
HEARING HELD
FEBRUARY 25, 2015
U.S. GOVERNMENT PUBLISHING OFFICE
94-099 WASHINGTON : 2015
SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES
JOE WILSON, South Carolina, Chairman
JOHN KLINE, Minnesota                JAMES R. LANGEVIN, Rhode Island
BILL SHUSTER, Pennsylvania           JIM COOPER, Tennessee
DUNCAN HUNTER, California            JOHN GARAMENDI, California
RICHARD B. NUGENT, Florida           JOAQUIN CASTRO, Texas
RYAN K. ZINKE, Montana               MARC A. VEASEY, Texas
TRENT FRANKS, Arizona, Vice Chair    DONALD NORCROSS, New Jersey
DOUG LAMBORN, Colorado               BRAD ASHFORD, Nebraska
MO BROOKS, Alabama                   PETE AGUILAR, California
BRADLEY BYRNE, Alabama
ELISE M. STEFANIK, New York
Kevin Gates, Professional Staff Member
Lindsay Kavanaugh, Professional Staff Member
Julie Herbert, Clerk
C O N T E N T S
----------
STATEMENTS PRESENTED BY MEMBERS OF CONGRESS
Langevin, Hon. James R., a Representative from Rhode Island,
Ranking Member, Subcommittee on Emerging Threats and
Capabilities
Wilson, Hon. Joe, a Representative from South Carolina, Chairman,
Subcommittee on Emerging Threats and Capabilities
WITNESSES
Bender, Lt Gen William J., USAF, Chief, Information Dominance and
Chief Information Officer, United States Air Force
Ferrell, LTG Robert S., USA, Chief Information Officer/G-6,
United States Army
Halvorsen, Hon. Terry, Acting Department of Defense Chief
Information Officer
Nally, BGen Kevin J., USMC, Director, Command, Control,
Communications, and Computers (C4)/Chief Information Officer,
Headquarters United States Marine Corps
Zangardi, Dr. John, Acting Department of the Navy Chief
Information Officer, and Deputy Assistant Secretary of the Navy
for Command, Control, Communications, Computers, Intelligence,
Information Operations and Space
APPENDIX
Prepared Statements:
Bender, Lt Gen William J.
Ferrell, LTG Robert S.
Halvorsen, Hon. Terry
Nally, BGen Kevin J.
Zangardi, Dr. John
Documents Submitted for the Record:
Testimony for the record from Vice Admiral Ted Branch, Deputy
Chief of Naval Operations for Information Dominance
Witness Responses to Questions Asked During the Hearing:
[There were no Questions submitted during the hearing.]
Questions Submitted by Members Post Hearing:
Mr. Hunter
INFORMATION TECHNOLOGY INVESTMENTS AND PROGRAMS: SUPPORTING CURRENT
OPERATIONS AND PLANNING FOR THE FUTURE THREAT ENVIRONMENT
----------
House of Representatives,
Committee on Armed Services,
Subcommittee on Emerging Threats and Capabilities,
Washington, DC, Wednesday, February 25, 2015.
The subcommittee met, pursuant to call, at 4:11 p.m., in
room 2118, Rayburn House Office Building, Hon. Joe Wilson
(chairman of the subcommittee) presiding.
OPENING STATEMENT OF HON. JOE WILSON, A REPRESENTATIVE FROM
SOUTH CAROLINA, CHAIRMAN, SUBCOMMITTEE ON EMERGING THREATS AND
CAPABILITIES
Mr. Wilson. Ladies and gentlemen, I call this hearing of
the Emerging Threats and Capabilities Subcommittee to order. I
am pleased to welcome everyone here today for the hearing on
the fiscal year 2016 budget request for information technology
[IT] programs for the Department of Defense [DOD].
Information technology systems are critical enablers for
our military, enhancing the performance of individuals and
units by connecting people and weapon systems together in ways
that make them more effective than the sum of their parts. As
we look at the budget request, and as the witnesses describe
their relevant portions, I would like to ask each of you to
address the following questions.
What systems are we investing in? How do these systems
enhance the Department of Defense's ability to execute its
missions, carry out business operations, and generally improve
our ability to conduct warfighting operations? How do we
prevent duplication between the services and agencies to make
sure that the programs we pursue are deployed on time, on
budget, and with the performance capabilities we originally
planned?
Today we have invited a panel of dedicated public servants
to answer these questions. Our witnesses are, first, the
Honorable Terry Halvorsen, acting Chief Information Officer of
the Department of Defense; Lieutenant General Robert S.
Ferrell, Chief Information Officer/G-6 of the United States
Army; Lieutenant General William J. Bender, Chief of
Information Dominance and Chief Information Officer of the
United States Air Force; Dr. John Zangardi, the acting
Department of Navy Chief Information Officer, Deputy Assistant
Secretary of the Navy for Command, Control, Communications,
Computers, Intelligence, Information Operations and Space--
quite a title; Brigadier General Kevin J. Nally, Director of
Command, Control, Communications and Computers (C4), the Chief
Information Officer of the Marine Corps.
We also know that the Navy would like to submit additional
testimony for the record for Vice Admiral Ted Branch, the
Deputy Chief of Naval Operations for Information Dominance, who
was unable to join us today.
If there are no objections, we will include that in the
record.
[The statement of Admiral Branch can be found in the
Appendix on page 87.]
Mr. Wilson. I would like to turn now to my friend, Mr.
James Langevin of Rhode Island, the ranking member, for any
comments he would like to make.
STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE FROM
RHODE ISLAND, RANKING MEMBER, SUBCOMMITTEE ON EMERGING THREATS
AND CAPABILITIES
Mr. Langevin. Thank you, Mr. Chairman.
And I want to thank Mr. Halvorsen, General Ferrell, General
Bender, and Dr. Zangardi, and also General Nally. Thank you all
for appearing before the subcommittee today and all the work
that you do to help our warfighters and the Pentagon be
efficient and effective in the IT realm, and for all you do to
serve our Nation.
One thing that hasn't changed in the world of technology
since our hearing last year on this topic is the importance of
information systems to everything that we do as a nation. IT
consumes a massive portion of our defense investment, and cyber
continues to be a very high priority for the Department, as
well it should be.
However, with this huge investment comes an equal
responsibility to make sure that we are conducting proper
oversight of those activities. And to that end, I look forward
to hearing from the witnesses about the fiscal year 2016 budget
request as it relates to our investment in cyberspace, and in
securing and modernizing our information systems.
Specifically, Mr. Halvorsen, I would appreciate hearing how
the Joint Information Environment [JIE], described as the
framework for IT modernization, has evolved and has been
implemented. I would also like to hear from each of the
services about their understanding and implementation of JIE,
i.e., either unilaterally or in conjunction with their sister
services, and specific programs associated with this concept.
Conceptually, I support JIE, especially if it provides the
ability to better defend the network against outside and
insider threats. Yet there is still so much to understand about
JIE.
This includes obtaining a solid definition and placing
policy guidance associated with implementation, building
structures for oversight and management within the Department.
And perhaps most relevant today, since it is not an official
program of record, building an understanding of how we in
Congress can conduct our overseer responsibilities.
As part of this dialogue today, I also expect to hear how
the Department will utilize the cloud for both classified and
unclassified information, and leverage public, private, and
government-owned structures.
Cyber is an extensively, extremely personnel-dominated
mission space, and thus is a serious concern when the DOD is
confronted with difficulties in recruiting and retaining
qualified personnel. I hope the witnesses will take this
opportunity to articulate the recruiting and retention
challenges in depth, and provide recommendations on how the
subcommittee can provide new authorities or other assistance in
a National Defense Authorization Act [NDAA] to ensure that we
have the best and the brightest cyber IT workforce.
Finally, under the leadership of Chairman Thornberry and
Ranking Member Smith, the HASC [House Armed Services Committee]
is taking up acquisition reform. Our goal is to take a
cumbersome process and make it more agile and flexible,
allowing for the finest capabilities to be delivered to our
warfighters on time and on budget.
An agile and flexible system is especially important for IT
and cyber where technologies and enemy capabilities rapidly
evolve and change, and multiple procurement cycles can exist
within a single budget cycle. I hope our witnesses will speak
to the authorities provided in last year's Defense
Authorization Act and elaborate on what more we can do.
With that, again, Mr. Chairman, I want to thank you for
organizing this hearing, and to our witnesses for being here
today. And I look forward to our discussion.
Mr. Wilson. Thank you, Mr. Langevin.
Before we begin I would like to remind the witnesses that
your written statements will be submitted for the record. So we
ask that you summarize your comments to 5 minutes or less. And
additionally that will apply to the members of the
subcommittee.
And as questions are asked we will be limited to 5 minutes
based on time of arrival and on either side. And we have a
person who is above reproach, Kevin Gates, who will be keeping
the time.
And so we will proceed at this time. And we will begin with
Mr. Halvorsen and proceed to the right.
STATEMENT OF HON. TERRY HALVORSEN, ACTING DEPARTMENT OF DEFENSE
CHIEF INFORMATION OFFICER
Mr. Halvorsen. Good afternoon, Mr. Chairman, Ranking
Member, and distinguished members of the subcommittee. I am
Terry Halvorsen, the acting Department of Defense Chief
Information Officer. As such, I am the senior adviser to the
Secretary of Defense for all IT matters.
I am responsible for managing the DOD's IT spend so we get
more out of each and every dollar, while making sure that the
warfighter has the tools to do the mission. My written
statement provides you specific numbers and details, but I
would like only to highlight some key issues.
One of my key priorities is implementation of the Joint
Regional Security Stacks [JRSS]. That is the foundation of the
Joint Information Environment. It replaces our current
individualized and localized security architecture and systems
with a set of servers, tools, and software that will provide
better C2 [command and control], more security, and do this at
a lower cost. JRSS is an operational and business imperative
for the Department.
I want to talk about how we are improving the alignment of
our business processes and IT systems and investments. I
partner with the Deputy Chief Management Officer, the revised
Defense Business Council. We have been directed by the
Secretary of Defense to conduct a complete review of all
business processes and IT systems in the fourth estate.
That is point one. We will then move into working with my
colleagues to do the same review of the military departments.
We are asking the question, what IT business should DOD be
directly in, and at what level should we be in it? And I think
that is a key question.
We may need your help in changing the business model,
particularly in certain areas. We need to look at how we can
expand private-public partnership, particularly in the area of
data distribution or data centers.
How can I take, in my case, maybe a DISA [Defense
Information Systems Agency] data center, realign it into a more
public-private partnership and get full value out of what can
be commercial rate improvements? I think we will need to work
some legislation to make that easier for all of us to get done.
We are continuing to approve the accounting procedures and
have more transparency in our dollars. For example, we have
added codes inside the Department that actually show how much
money is being spent on data centers and other key IT areas.
We have contract benchmarked within my own organization
that has saved $10 million this year, and within DISA $20
[million], and we have seen comparable amounts of savings just
by contract benchmarking against industry and other government
sectors. I have directed DISA to create an unclassified
commercial e-mail solution for the Department.
You have asked about cloud. We put out some new cloud
directive. And based on some recommendation from the Defense
Business Board, we have changed the way we engage industry and
publish our documentation.
We have just published a joint cloud security and
implementation guide. And when I mean joint, that was published
with the complete cooperation and involvement of industry from
the start. We have revised who can buy cloud, allowing the
services now to go direct to the provider, not have to go
through DISA, and put DISA in a role of being the security
standards.
We continue to involve critical areas in mobility with
smartphones, wireless and electronic flight bags. I brought two
today.
This is the first dual persona unclassified Blackberry. We
are now using this. This Android phone is capable of doing up
to secret-level security work on it, and it is basically a
modified commercial product. And the prices are coming down.
We need to do a comprehensive review of the DOD cyber
workforce. But again, I think this is an area where we may need
help. Somehow we have got to have better movement between
government and private industry in the career fields.
We ought to be able to wake up one day, be a private
employee and the next day come in and be a government employee
and keep that change. I think that expertise, particularly in
the area of security we would gain, is vitally important.
In conclusion, we are trying to drive cultural, business,
and technical improvements, innovation into DOD's IT to better
support our mission and business operations. That requires
teamwork.
I am happy to say I have good relations with General
Hawkins, the director of DISA; Frank Kendall, who is a strong
partner; Admiral Mike Rogers, who I have known for a long time
as NSA [National Security Agency] and USCYBERCOM [United States
Cyber Command]; Mr. Eric Rosenbach, principal security adviser;
and of course my partner in crime, Dave Tillotson, the acting
Deputy Chief Management Officer; my colleagues here to the
left.
We are expanding our relations with industry, and certainly
we enjoy a great relationship with Congress. So I thank you for
your interest and support, and I look forward to taking your
questions.
[The prepared statement of Mr. Halvorsen can be found in
the Appendix on page 27.]
Mr. Wilson. Thank you, Mr. Halvorsen.
General Ferrell.
STATEMENT OF LTG ROBERT S. FERRELL, USA, CHIEF INFORMATION
OFFICER/G-6, U.S. ARMY
General Ferrell. Thank you, Chairman Wilson, Ranking Member
Langevin, and the other distinguished members of the committee
for inviting me to testify today on the Army's network and
information technology progress and requirements.
The network and information technology are integral to
everything the Army does. Our soldiers and unit training, and
mission execution from combat to stability and support to
peacekeeping and building, and even the other daily business
operations all rely on the network and our information
technology systems.
The drive to make the Army leaner, more agile, and more
expeditionary means the network needs to be even more
essential. This in turn makes the network and information
technology a top modernization priority for the Army.
We must upgrade our network. In its current state the
network remains open to too many threats. However, our future
common architecture will enable a secure, joint global network
that will provide essential services to our leaders and
soldiers, Active, Guard, and Reserve.
Our current network does not have the capacity or
capability to do these things. We need sustained funding to
upgrade our network.
For the network to do everything that the Army needs, it
must have a specific set of characteristics: worldwide reach,
guaranteed availability, interoperability with our joint and
mission partners, and the ability to accommodate all demands we
place on it in a stringent security.
The Army is aggressively implementing capabilities
necessary to make this robust network a reality, while also
converging multiple disparate networks into a single network.
I recently put in place a comprehensive network campaign
plan for the Army. I would like to give you just a brief
snapshot of what we are doing to empower soldiers, commanders,
and decision makers.
The Army is expanding network capacity and creating an
architecture that will allow future growth. Multiple
initiatives are under way to strengthen the network security.
As a proponent of the Joint Information Environment, the Army
has partnered with the Air Force and the Defense Information
Systems Agency to implement the Joint Regional Security Stacks,
which will reduce the cyber attack surface.
Increasingly effective and efficient network monitoring,
management, and defense will address critical operational gaps
and mitigate evolving threats. Our initial Joint Regional
Security Stack site at Joint Base San Antonio is up and
operating.
The Army is also putting considerable effort into
development and retention of a highly skilled civilian and
military information technology workforce.
Joint cloud computing will have a broad impact on the Army
operations. It will enable reliable access to data,
application, and services, regardless of the location and the
device used. Cloud computing will also allow the Army to
introduce innovative capabilities more quickly, and to better
focus limited resources on meeting evolving missions' needs.
The initiatives I just mentioned are taking place at the
enterprise level, but they all feed directly into enabling the
tactical force. The tactical forces we rely on to carry out the
National Security Strategy.
Most notably, they provide the foundation for expeditionary
mission command, whose success depends on the efficient
transition from home station to the deployed theater. Providing
soldiers and decision makers a modernized network will require
sustained investments, particularly during the modernization
cycle that runs through fiscal year 2021.
Additionally, the committee has asked about the impact of
sequestration. Sequestration will slow network modernization.
In fiscal year 2016 the Army will have to reduce spending on
the network services and information assurance by almost $400
million. This cut would impact every aspect of daily Army
operations to include training and network security, which
could degrade readiness and/or mission execution.
I thank this committee for the opportunity to appear today.
The Army and I are grateful for your interest in the network
and the information technology needs. I look forward to your
questions.
[The prepared statement of General Ferrell can be found in
the Appendix on page 36.]
Mr. Wilson. General, thank you very much. And I
particularly appreciate your efforts for network modernization.
As an Army veteran myself who was trained on SINCGARS [Single
Channel Ground and Airborne Radio System], you have come a long
way.
General Bender.
STATEMENT OF LT GEN WILLIAM J. BENDER, USAF, CHIEF, INFORMATION
DOMINANCE AND CHIEF INFORMATION OFFICER, U.S. AIR FORCE
General Bender. Good afternoon, Mr. Chairman, Ranking
Member, and distinguished members of the subcommittee. I am
Lieutenant General Bill Bender, the United States Air Force
Chief Information Officer.
In the first 5 months in this position, I have decided to
act upon my responsibilities by focusing upon four major lines
of effort: enhancing the service's cybersecurity efforts;
advancing the Joint Information Environment; developing the IT
and cyber workforce by transforming career field development;
and finally, operationalizing chief information officer
authorities in a way that adds greater value to headquarters
Air Force.
My lines of effort are relevant to the myriad of ongoing IT
and cyber-related initiatives within the Air Force, and play a
critical role in assuring the United States Air Force can
accomplish its mission successfully.
First it is important to note cyberspace is an operational
domain. It affords us a wider range of operational
opportunities, and conversely it exposes us to vulnerabilities
and threats that place the Air Force's five core missions, air
and space superiority, ISR [intelligence, surveillance, and
reconnaissance], rapid global mobility, global strike, and
command and control, at risk.
Cybersecurity is at the forefront of my priorities for IT
within the Air Force. We must understand and confront the
reality that the vulnerabilities we face in cyberspace
jeopardize our wartime capabilities, including our aircraft,
space, and other weapons systems.
Therefore I have convened under the direction of the Air
Force chief of staff a cyber task force with the
straightforward objectives of diagnosing the full extent of the
cyber threat, developing an enterprise level risk management
strategy, informing a better understanding of our priorities
for investments.
The momentum toward cybersecurity drives one of my other
lines of effort, ensuring the Air Force is a full partner in
achieving the Joint Information Environment with the DOD and
the other services. We fully understand the imperative to move
forward this environment with respect to both operational
capability and efficiencies to be gained.
My third line of effort addresses the need to completely
transform our IT and cyberspace workforce. It is imperative
that we recruit, train, and retain those with the necessary
skills to meet IT and cyberspace challenges of the 21st
century.
With respect to IT and cyber budgets, the Air Force is
partnering with DOD and Air Force acquisition leaders to
streamline our acquisition processes. Our Information
Technology Governance Executive Board aligns our IT investments
and acquisition efforts to the Air Force corporate process.
Additionally, we remain actively engaged with Air Force Space
Command, which is the Air Force's lead major command, with
responsibility for the IT and cyber portfolios. Together we are
doing what we can to strengthen the investment reviews and
requirements management processes.
My office manages the IT Capital Planning and Investment
Control process, and leads coordinated and regimented reviews
of major investments that are mandated as Exhibit 300s. These
reviews will provide greater accuracy on a daily basis,
significantly aid the Air Force IT budget and Federal
Information Technology Dashboard reporting process, and enable
a process to validate IT requirements and follow our
investments.
The lines of effort I have outlined today, if executed
well, will deliver the appropriate policies, personnel,
capabilities, and resources needed to assure Air Force missions
against a determined adversary. I thank you for the opportunity
to address the subcommittee, and I also thank you for your
interest in these critically important issues. And I look
forward to your questions.
[The prepared statement of General Bender can be found in
the Appendix on page 53.]
Mr. Wilson. Thank you very much, General.
Dr. Zangardi.
STATEMENT OF DR. JOHN ZANGARDI, ACTING DEPARTMENT OF THE NAVY
CHIEF INFORMATION OFFICER, AND DEPUTY ASSISTANT SECRETARY OF
THE NAVY FOR COMMAND, CONTROL, COMMUNICATIONS, COMPUTERS,
INTELLIGENCE, INFORMATION OPERATIONS AND SPACE
Dr. Zangardi. Good afternoon, Chairman Wilson and Ranking
Member Langevin and distinguished members. Thank you for the
privilege to speak before you today on the Department of Navy's
information technology budget. I will keep my comments brief.
There has been an astounding increase in IT capability over
the last few decades. It has important implications for the
Department of Navy.
However, unlike traditional weapons systems acquisitions,
the Department is not driving the pace of innovation. It is
industry. The question is how do we leverage what industry is
doing now?
Last week I visited forward-deployed naval forces in both
Japan and Guam. I met with marines and sailors. I will briefly
share with you different perspectives I gained from those
interactions.
I met a young aerographer's mate at the Naval Oceanographic
Antisubmarine Warfare Command in Yokosuka, Japan. She was in
the top three of her A-school class. Most impressively, she
advanced from an E1 to E5 in less than 2 years.
She is reliant on the Navy's overseas network to access
tactical applications such as the Naval Integrated Tactical
Environmental System, or NITES program. Without access to the
network and tactical applications such as NITES, she cannot
fully support the warfighter mission with meteorological and
mission-planning data, despite all her training.
I also met with senior-level leadership in the Western
Pacific. Providing mobile, secure command and control, or C2,
over forces is an important concern of the fleet, strike group,
and unit commanders. Our overseas expeditionary and afloat
networks must be able to respond to this demand signal and
deliver capability.
The expectations from the Navy and Marine Corps warfighter
are high. The reason we need to harness the industry trends of
lower cost and more readily available capability is because
information technology provides the means to enable better
decision making.
For example, if the Department never improves the network
or the tactical applications used by the aerographer's mate,
she will not be able to provide the fleet the knowledge
products they need to perform their mission or execute it.
Information technology has become the thread that weaves
together platforms, tactics, and personnel to execute our
strategy. This drives home just how important it is to move
forward with transitioning ONE-NET [Outside the Continental
United States Navy Enterprise Network] to NMCI [Navy-Marine
Corps Intranet], and continuing with installation of
Consolidated Afloat Networks and Enterprise Services [CANES]
program. Both are absolutely critical in our support of our
forward-deployed forces.
Department of Navy programs such as Marine Corps Enterprise
Network, Navy Multiband Terminal, Automated Digital Network
System, and Mobile User Objective System need your continued
support to provide connectivity to the warfighter and afloat
and expeditionary warfighter.
In an era of constrained budgets, we need to learn and
leverage lessons from industry. It is incumbent on us to reduce
redundancy, drive out costs, and deliver innovation.
How do we buy more smartly and put technology in the hands of
the warfighter? NGEN [Next Generation Enterprise Network]. Our
ashore network contract, NGEN, is a true success story that is
providing capability now. The NGEN contract delivered $1.2
billion in real savings across the FYDP [Future Years Defense
Plan] as a result of competitive market forces.
I believe that we bought smartly. The NGEN contract
provides for an enterprise network for both Navy and Marines.
NGEN is also how we will deliver JIE and JRSS. We are engaged
in the development of JIE and implementation of JRSS.
Data center consolidation and application rationalization
are another effort. They are not easy tasks. Industry will tell
you that while these are challenging, they are critical
components to drive out costs and drive in security.
We are making progress. The desired end state is a single
integrated global ashore infrastructure service delivering,
leveraging Navy data centers, application hosting, and
commercial cloud services. The objective is to drive out cost
while still providing the warfighter the information they need
when they need it.
Providing increased mobility options to the warfighter is
paramount. Putting new industry standard devices that deliver
consistent security by separating business data from employee
personal information is just starting up, and should be
complete by year's end for about 30,000 devices across the
Navy.
The Department is focused on innovation. We increasingly
realize that information is an asset. The Department's
information systems provide an opportunity, and can enable
innovation areas of business intelligence and the cloud. We
need to rethink how we value and share information. We have to
ensure that our processes move at the speed necessary in the
information age.
Lastly, Vice Admiral Branch couldn't attend, but wishes to
have his statement added to the record. And I would appreciate
your consideration there, sir.
The Department of Navy is very proud of our efforts in IT.
I am standing by for your questions.
[The prepared statement of Dr. Zangardi can be found in the
Appendix on page 62.]
Mr. Wilson. Thank you very much, doctor.
And now we proceed to General Nally.
STATEMENT OF BGEN KEVIN J. NALLY, USMC, DIRECTOR, COMMAND,
CONTROL, COMMUNICATIONS, AND COMPUTERS (C4)/CHIEF INFORMATION
OFFICER, HEADQUARTERS U.S. MARINE CORPS
General Nally. Chairman Wilson, Ranking Member Langevin,
distinguished members of the committee.
First and foremost I would like to start off my oral
statement by stating my number one priority is now and has been
for the past 5 years, people, which includes marines and our
civilians supporting marines, and are providing support to our
forward-deployed forces, which includes marines and sailors. It
is my number one priority.
Today, as always, your Marine Corps is committed to
remaining the Nation's force in readiness, a force truly
capable of responding to a crisis anywhere around the globe at
a moment's notice. As we gather here today, 32,000 marines are
forward-deployed around the world, promoting peace, protecting
our Nation's interests, and securing our defense.
We have marines currently conducting security cooperation
activities in 29 countries across the globe and continue to
make a difference. All these marines remain trained,
well-equipped, and at the highest state of readiness.
Information technology is a key enabler to the Marine Corps
being able to fight and win our Nation's battles. As we align
our information technology with our Commandant's Planning
Guidance and Expeditionary Force 21, we take the approach from
the furthest deployed marine and move back to the Pentagon.
This approach, fighting hole to flagpole, allows us to best
understand our command and control, and information demands,
and to build our networks and programs to support the Marine
Corps broad range of missions.
As we look to the future, Expeditionary Force 21 is our
corps capstone concept that will increase our enduring presence
around the globe. We employ tailored, regionally oriented
forces that can rapidly respond to emergencies and crises.
Having the capability to rapidly deploy command and control
packages provides a fully joint capable force that can operate
as part of a more integrated naval force to better fight and
win complex conflicts throughout the littorals.
A key tenet to support Expeditionary Force 21 is the Marine
Corps moving towards a single network, the Marine Corps
Enterprise Network. The Marine Corps Enterprise Network
unification plan provides the Marine Corps path to the Joint
Information Environment, or JIE.
We are unifying multiple networks to ensure effective use
of our resources, and more importantly to allow reliable access
to information for all our forces. Information assurance
remains a key component of our Marine Corps Enterprise Network.
We have established the Marine Corps Cyber Range to enable the
development and testing of information systems, support
cyberspace training, and conduct operational planning and
realistic exercise support.
Finally, our workforce, the marines and civilian marines
who operate and defend the network 24 hours a day, 365 days a
year, are our most critical asset. This workforce enables the
Commandant's Planning Guidance and Expeditionary 21, and most
importantly, supports those deployed marines in accomplishing
their mission.
I want to thank the chairman and the committee for the
opportunity to appear here today to discuss Marine Corps
information technology matters. Thank you for the opportunity
to appear before you today. I look forward to answering your
questions.
[The prepared statement of General Nally can be found in
the Appendix on page 76.]
Mr. Wilson. Thank you, General Nally. And as you cited,
32,000 Marines in 29 countries around the world.
Actually, Congresswoman Stefanik and myself last week saw
firsthand at embassies throughout the Middle East and Central
Asia the extraordinary young marines providing security. And it
would make any and every American very proud. So thank you very
much for your service.
General Nally. Thank you.
Mr. Wilson. As we proceed, and we will be on the 5 minutes
for each of us, including myself.
And so first of all, with General Ferrell, because the
civilian part of the workforce is so integral when it comes to
information technology and cyber, what are we doing to better
manage that part of the workforce?
In your testimony you have made some recommendations. Can
you please elaborate on some of the things that you would
recommend as we should be doing? Do any of the others on the
panel have any other and additional recommendations?
General Ferrell.
General Ferrell. Congressman, thank you for that question.
The Army is doing an awful lot to increase the capacity, both
on our cyber workforce and as well as in our IT workforce.
We have over 11,000 civilian IT workforce that we currently
have on the books. And we are implementing a holistic strategy
to transform information technology and the cyber workforce,
from recruiting to training to training critical parts of the
information technology.
From a recruiting side of the house, we have an extensive
outreach program that is aligned with STEM [science,
technology, engineering, and mathematics] into the high school
from K-12, as well as putting on demonstrations to encourage--
technical demonstration to encourage the high school students
to pursue a career in the STEM world.
We also have the opportunity where we have an internship
program where we take high school students as well as college
students, about 50 annually a year, and then include them as
part of the Presidential Management Fellows. We have about
currently three that are on hand working with the Army.
So again, we have the STEM program, outreach with the K-12.
And we also have an internship program that we work with the
high school students as well as the college students.
On the retaining side of the house, we are also exploring
additional incentive pay to promote retention and remain
competitive with the industry partner.
And the last piece that--on the training side of the house,
the technical programs that we have in place is both from the
military side that we offer to advance more technology in the
cyber world as well as intel world. And we will offer some
civilian opportunities as well. These are some of the programs
that we have within the Army.
Mr. Wilson. Thank you very much.
Does anyone else have any to add? Dr. Zangardi.
Dr. Zangardi. Yes, sir. Thank you.
Very briefly, on the civilian side from 2012 to 2014 we
have seen our attrition rate of civilians drop from 9.7 to 5.1.
That may be due to the economy. But I also think it reflects
the unique work that we do at locations and SPAWAR [Space and
Naval Warfare] Systems Command out in California.
It is a unique opportunity to work on some cutting-edge
technology, or also to serve your country. I agree with the
general that things like STEM and outreach to schools and other
industries to bring in uniquely qualified personnel are very
helpful to our ability to keep and retain highly qualified
civilians.
On the military side, our rates for accession and retention
are being met. We utilize selective retention bonuses and we
provide increased training opportunities at the 12- to 14-year
mark, which is a mark at which most people will not leave after
they get the training.
Mr. Wilson. Thank you very much.
And the next question for me, General Nally, each of you
have talked about the personnel challenges related to finding,
hiring, and training information technology professionals, both
military and civilian. I would like to hear your thoughts on a
couple of points. One is leveraging commercial certifications
or commercial training.
General Nally. Thank you, sir. We don't have a problem
recruiting and retaining if we are talking to the military
first for entry-level Marines. Whether they are enlisted or
officers, the training is conducted out at Twentynine Palms,
California, at our Marine Corps communications and electronic
schools.
The cyber network operators, they actually at the
entry-level first formal school, upon graduation they actually
receive commercial certifications in four various commercial
companies equal to what they would offer for certifications.
For example, Microsoft, they depart the school and they have
commercial Microsoft certifications.
As they progress in their careers if they decide to stay in
they receive additional certifications, i.e., through Cisco,
VMware, NetApp are a few of the companies. And all that
training is conducted in Twentynine Palms. So we have a formal
working relationship with those companies where they actually
receive those company certifications.
For civilians I have a budget to train and educate the
civilian IT cyber workforce so we ensure that they receive the
training, education, and certifications that they require for
the appropriate billets that they hold.
Mr. Wilson. Well, I would like to congratulate you because
I would have thought our retention would be very difficult in
the 9.7 to 5.1, doctor. That is incredible because you are
dealing with such talented people. Thank you all for your
extraordinary efforts to maintain your personnel.
Mr. Langevin.
Mr. Langevin. Thank you, Mr. Chairman. Again I want to
thank our witnesses for your testimony today.
Mr. Halvorsen, in 2011 the commander of U.S. Cyber Command
briefed the Joint Chiefs of Staff on the inability to see the
entire DOD networks, and the risks associated with the
limitation. In addition to providing more efficient and
effective networks, the Joint Information Enterprise, JIE,
initiative is intended to enable U.S. Cyber Command the
visibility of the network required to defend it.
In your opinion, is the initiative moving towards that end
state? Why or why not? And what official guidance has been
provided to the services to ensure that end state?
Mr. Halvorsen. Sir, thank you.
Yes, we are making good progress on that. The JRSS, as we
implemented the first set of software, already exposes more of
the network than we had exposed before from CYBERCOM and from
the new stood-up DODIN [Department of Defense Information
Networks] headquarters which is at DISA, which is now
responsible for overseeing that under the operational control
of Admiral Rogers.
The services have all been provided guidance, both
operational guidance from Mike Rogers, policy guidance from my
office, that says we will implement the JRSS. We have laid out
the timelines. They are all committed, all team members. You
have heard them all testify to that.
We have figured out the funding on how to do this. The next
version of the software, which is version 2.0, will complete
that picture so that all of the services can see the same
picture as CYBERCOM. That is funded.
One of the ways we were able to do that is by looking at
some of the business processes in DISA, taking that money and
applying it inside of DISA to fund the software. That is step
one. And I want to point out that JRSS is the first step.
The next step--and you have heard all of the services talk
about how they collapse their enterprise networks. Each of the
services entered at a different spot with regard to enterprise
networks. They are all working to collapse that.
As we collapse the networks, that will also give us a
better picture. It is a little physics. It is less for us to
look at. So in addition to putting up the JRSS, we are working
with all the services to collapse the total number of networks
that frankly Mike has to look at and to make sure that are
secure.
Mr. Langevin. And, Mr. Halvorsen, the Joint Chiefs of
Staff, Cyber Command, the acquisition community, the services,
and many other entities have a stake in JIE. What office, and
who, is in charge of this mission?
Mr. Halvorsen. I own JIE and making sure that that is
complete to everybody's satisfaction. Mike Rogers owns it from
an operational standpoint. The single point to make sure that
it gets done from funding operations is my office.
Mr. Langevin. Okay.
And you described the Joint Regional Security Stack, JRSS,
as the foundation of JIE. General Ferrell, you mentioned moving
forward with JRSS with the Air Force and DISA, and Dr. Zangardi
and General Nally, when will the Navy and Marine Corps move out
with JRSS?
And Mr. Halvorsen, what is your view of the different
services' timelines? What is each service's programmed
investment through the next 5 years in JRSS? And is it
equitable and a strategy allowing for the best bang for the
buck?
Mr. Halvorsen. Sir, if you permit me I will first answer
that. All of the services are completely committed to this and
have funded.
And when we look at what the current condition is, the
Department of Navy, and for truth in advertising my previous
job was the Department of Navy's Chief Information Officer,
collapsed its systems first around NGEN and previous NMCI. They
are in some cases better positioned because of that to do and
see their network better.
The Air Force and Army are moving very rapidly in that
direction. The reason they are moving first behind JRSS is that
will give them the same level of capability that the Marine
Corps and Navy enjoy now. When the Navy and the Marine Corps,
we go to JRSS 2.0, that gives everybody increased capability
and everybody will move on that.
The Army and the Air Force will be completed in 2017
migration. The Navy and Marine Corps complete in 2018. That is
an aggressive schedule to get all of the networks and the
complexity done, but I think it is the right schedule and one
that I do not think we can let slip. That is the goal.
You mentioned the "Tank" [Joint Chiefs of Staff
conference room]. I briefed the "Tank" two weeks ago. All of
the service chiefs are 100 percent behind that and committed to
making sure that we do not slip that date.
Mr. Langevin. Anybody else got a comment?
Dr. Zangardi. Yes, sir. I concur with Mr. Halvorsen's
statement since he had my job previously.
NGEN, the NGEN contract is our path forward to JIE. It--
specifically, the technical refresh or modernization dollars
within the program will be channeled to JIE activities or
acquisitions as the standards are defined.
We are engaged now in engineering, planning, and budgeting
on the JIE team. We have engineers involved. We have our SPAWAR
folks playing in there. We plan to be part of the definition of
JIE and JRSS.
As Mr. Halvorsen said, we will be complete in 2018. We
align with that schedule. We are also working closely with
PACOM [Pacific Command] J6 on what JIE increment 2.0 is. So we
are very involved in the whole effort of JIE and JRSS, and have
the mechanisms in place in NGEN to move forward.
General Bender. Sir, if I could clarify for the Air Force.
We are actually at an end-of-life condition. We are on a single
security architecture since 2011 with 16 gateways. And this is
the next evolution. So JIE, JRSS, is the right way for the Air
Force to go.
General Ferrell. And sir, I would like to give you a good
news story on the progress of the JRSS, specifically at Joint
Base San Antonio where there is a partnership between the Army
and the Air Force and Defense Information System Agency.
When we started this journey about a year ago of again
taking the JRSS capability, as well as expanding the capacity
at Joint Base San Antonio, put it in place and worked through
the technical challenges of how do we collapse the network.
I am very pleased to tell you to date that we have expanded
the capacity there at Joint Base San Antonio. We have installed
the JRSS devices. And we have also passed traffic, both Air
Force and Army traffic, over the same network between Joint
Base San Antonio as well as Montgomery, Alabama.
So again, that is the first step toward progress, physical
progress with this effort. We have taken lessons learned from
that initial site and we are going to incorporate that on all
the follow-on sites, both CONUS [continental United States] and
OCONUS [outside the continental United States].
Mr. Langevin. Thank you.
Mr. Wilson. Thank you, Mr. Langevin.
We now proceed to Congressman Rich Nugent, of Florida.
Mr. Nugent. Thank you, Mr. Chairman. And I appreciate this
panel being here today.
You know one of the things that I always get nervous about
when I was over an agency that had computers and every time you
have a gateway, a way in, how that opens up. But it is even
more troubling as to when you look back at the Snowden incident
2 years ago.
How are we protecting ourselves against an insider attack
that could obviously cripple us if that information got out to
our adversaries? And I will let anyone take a stab at that one.
Mr. Halvorsen. Doing a couple things. I mean we have
implemented all the directives. And you can see in all of our
written testimony, we have complied with all the directives.
And we will be implementing a deep insider threat.
But a couple things that I think illustrate what we have
done is the biggest insider threat is from systems
administrators, the guys that have complete access. We have
strengthened the security requirements on those.
We will be in conjunction with Mike Rogers shortly, putting
out some more detail on that. It requires them to be
token-enabled on our way to making that completely CAC [Common Access
Card]-enabled so you will have a visible identity of every
system administrator.
We have put in place under Mike's direction, and we could
go deeper in a different venue, the ability to see what system
administrators are doing and some ability to monitor, I won't
say abnormal behavior, but different behavior. When you are in
a computer business it is hard.
So if they route traffic differently or if they are seeing
some--if we are seeing them move things around differently,
that ability is expanding within the Department in addition to
all of the things that were directed in the NDAA, which we are
on schedule to comply with.
General Ferrell. Congressman, in addition to what my
colleague to my right has shared, we are also implementing an
extensive educational program to educate our users on
identifying the types of malisons that will occur on the
network and how to mitigate that.
So again, we are really reaching out to--as well as putting
the protection from the software on the computers, as well as
monitoring the activities of the administrators, we are also
doing the educational aspect as well.
Mr. Nugent. I know there was a GAO [Government
Accountability Office] report out a while back, particularly as
it relates to DISA, but as it relates to JIE that it is so
broad that there is no one program administrator. Were they
correct in that assumption? Or was----
Mr. Halvorsen. I think there was certainly some truth that
we were a little fractured in what we had defined JIE. So with
the help of my colleagues over the last year what we did was
take a look at what is JIE.
JIE is a concept. We are not going to ever implement JIE.
What we will implement is the steps that get us to a Joint
Information Environment.
So what I can now tell you, and I think you have heard
today, the first step of that is to get to the Joint Regional
Security Stacks, phase one. Phase two is for us to then--how do
we implement and take that into our mission and coalition
partners. So they are the first two key, very physical, very
visible, measurable.
You can put metrics on them, steps that we have to do with
JIE. And I think we had not clarified that really, simply,
until the last year. And that is--that may be what was the
single biggest driver is that we really did clarify. Those are
the key points that have to happen in that sequence.
Mr. Nugent. All right. It makes sense because obviously if
you have one agency or one group that is in charge of all of
the IT for all the services there are some real gaps that would
occur. Things the Air Force would be important to would not be
as important to the Army or vice versa.
So I think that your concept is great. And I think that you
have--through the services you have some great folks that are
very talented that can move this forward.
You know IT is always something changing. I can remember my
past life it always seemed like you know we just upgraded our
servers and then it wasn't 2 years later saying hey, boss, the
stuff is no good. We got to get new stuff.
And I am sure you face that same type of environment. But
how do you guard against that, I mean constant change over what
you need, equipment? And I don't know if you can.
Mr. Halvorsen. I think you have to do two things. I mean
one of the things that this group has done is decide about some
ways that we will all look at certain investments.
So we now have within this group a standardized business
case analysis process. And when I say business case, our
business is war.
So it also looks at the operational pieces, too. It is not
just on the business systems. That is one way that we can all
look and make sure that we are looking at things and measuring
the same way.
It is okay for things to be different, particularly in the
physical properties, different equipment, as long as it will
perform to the same standards. It measures up to the same
money, accountability, and all the other measures. We are doing
better at that.
We are also looking at what is our current inventory of not
just things but software and applications. One of the things
that we are looking at now is how do our applications line up?
I will give you an example.
When we look at logistics, about 80 percent of our
logistics applications share a large majority of data elements
that are the same. And I think that is the other change.
You really have to go to the data level. If those data
elements are the same, maybe the first thing that we can do is
start shrinking the number of systems, let the applications
that the services need, because they do need to be distinct in
some areas.
You pointed out right the Air Force, the Army, the Marine
Corps they have different requirements on some of this. We can
combine the data elements and wrap that. That is not a great
term.
Wrap that around the different parts of the applications
that each of the services need, share common data, protect it
in one location. And it both reduces costs and improves your
operational capability. We are looking hard at how we expand
that effort.
Mr. Nugent. I appreciate that.
And, Chairman, thank you for indulging me----
Mr. Wilson. Hear, hear.
Mr. Nugent. Thank you.
Mr. Wilson. Thank you very much, Sheriff Nugent.
We now proceed to Congressman Jim Cooper, of Tennessee.
Mr. Cooper. Thank you.
I am worried we are already in a cyber war, we are just not
admitting it. I don't remember from history a time in history
of warfare when more eggs have been put in one basket,
basically.
Virtually every chip in the world being made in one country
that is not here. And the software is so unimaginably complex
it is almost impossible for human beings to figure it out. So I
am worried that the acronym "CLOUD" really stands for the
"Chinese Love Our Uploaded Data."
I worry that none of the witnesses that I have ever heard
calls for a change in the UCMJ, the Uniform Code of Military
Justice, so that computer security becomes a value to be
preserved because computer hygiene is staggeringly important.
And perhaps there has been testimony to that effect. I haven't
heard it.
I am worried that our troops would be incapable of working
if the Net went down and things go dark. I don't know anybody
knows the degree of Internet of Things when facilities could be
shut down, as relatively unprotected.
And I don't know. Maybe you have been red-teaming all this.
But to me the vulnerability is amazing when virtually every
major U.S. company has already been taken down to some extent.
Entire countries like Estonia were almost put out of commission
years ago by hackers.
I just worry there is more vulnerability here than perhaps
this hearing has indicated so far.
Mr. Halvorsen. Sir, I don't think we could tell you that we
are perfectly secure. I think that would be a bit ridiculous
statement to make. What I can tell you is that we are doing the
things you talked about.
And you talked about accountability. And I will get you a
copy of the recent memo. But we did working together have the
Deputy Secretary of Defense for the sign out a recent memo that
improved accountability in how we hold individuals, both
civilian and military, more accountable for their cyber
actions. That is working.
We have had recent discussions about how do we raise the
bar on cyber hygiene. As we have had our discussion with the
cloud, I will tell you that the most contentious issue with
industry--we are not dodging the hard question of how they will
meet our requirements, and then frankly how will they respond
when they have a penetration and lose our data?
What is the accountability that they are going to have. It
is one of the things right now that is slowing the higher level
cloud movement because we have not worked that out.
Industry has not yet said that they will abide by some of
those rules. We are certainly open to them showing us different
technology to do that. But they still have to show us that they
are doing it. So we are having that dialogue.
We are looking at what it means to be cloud. So maybe I
should expand just a minute on that. We are not going to just
use commercial cloud. We will use every hybrid there.
DISA has the milCloud. And to their credit, they have
dropped the rates so it is more competitive with commercial.
But what it does do is it provides that extra level of security
for the really valuable data that we just can't afford to lose.
The commercial world is working to move up to those
standards. And as they do, we will put more into the cloud, but
not until they meet those requirements. We are not lessening
our security requirements. In some cases we are standardizing
them. In other cases we are raising them.
And the conversation with industry, which they did not like
but were happy to be engaged in, the way we are publishing the
cloud documents, what we have had to tell them is the standards
I put out today in this environment, in the IT world, they will
change. And they might change in 6 months, depending on what
the threat does. And we have told them they have to be reactive
to that.
We are not going to put anything out there that does not
meet the standards and that we have not looked at. And we are
increasing the amount of red-teaming that we are doing across
the board.
Mr. Cooper. So we don't need to change the UCMJ?
Mr. Halvorsen. I don't think we need to change the UCMJ
today. I will tell you I think we need to enforce some of that.
And it is not just the UCMJ because that would only govern our
military as you know, but also the civilians.
We have got to enforce the policies. And I think that is
mostly about educating the commanders on how they do that. The
policy is there.
Cyber presents some problems even from the forensics side
of how do you know who put it in. One of the reasons that we
are doing more PKI [public key infrastructure]-enabling and
getting down to the single identity is that when you put it in
we will know.
Once we have that I think you will see. And we are getting
that more and more across the board. We have it on some
systems. You will see us be able to actually hold an individual
accountable for making a bad action on the network.
Mr. Cooper. Thank you, Mr. Chairman.
General Nally. I think--sir, if--just a minute. This might
make you feel a little bit better, but three quick things. One,
the Marine Corps is going toward using a private cloud.
Number two is in terms of what you mentioned about the
UCMJ. We have actually published a document states we call it a
negligent discharge. If a marine or civilian takes classified
information and does something inappropriate with it, whether
puts it on a NIPRNET [Non-Secure Internet Protocol Router
Network] or we had a spillage, et cetera.
We do hold them accountable, the commanders do. So we let
the commander, whoever the commander is, know that this
individual had a negligent discharge. They hold them
accountable.
And three is we actually are training for a SATCOM
[satellite communications] degraded intermittent latent
environment, stressing VHF [very high frequency], UHF [ultra
high frequency], HF [high frequency], terrestrial types of
equipment, commander's intent and mission type orders. So we
are pushing that down to the lowest levels.
Dr. Zangardi. Sir, may I respond?
A couple areas. First, modernization is capability and
security. Our NGEN program has built in modernization so we
bring in technology on a 4- to 5-year refresh basis.
Our afloat network CANES has a 2-year software upgrade and
a 4-year hardware upgrade built in. So as you do modernization
you bring in the latest technology, bring in the latest
security.
Operation Rolling Tide, ORT, dollars are in the budget.
That is bringing out tools, techniques, procedures to our folks
out in the fleet that will improve security on our afloat and
ashore units.
We stood up in the Navy something called TFCA, Task Force
Cyber Awakening. And I will read exactly what it does. It
delivers fundamental change to the Navy's organization,
resourcing, acquisition, and readiness. And align and
strengthen authority, accountability, and rigor in Navy
cybersecurity.
We have full, broad support across the Navy organization.
My boss, the Assistant Secretary for Research, Development and
Acquisition, is the lead for the EXCOM [Executive Committee],
along with the Vice Chief of Naval Operations. The three-star
SYSCOMs [System Commands] are involved, all the resource
sponsors. It has the highest level of interest.
With regards to the cloud, I align with the DOD CIO on
that. Before we move any data out to the public cloud, we are
going to go through the data and screen it very carefully to
make sure that we are not putting things, data, in commercial
cloud scenarios that we should not be putting it. We are going
to proceed with due caution.
And to add on to General Nally, working, deploying in a
degraded environment is key to Navy in the Western Pacific. We
need to have the procedures in place to do that. And we are
working those.
Mr. Cooper. Thank you, sir.
Mr. Wilson. Thank you, Congressman Cooper.
We will now proceed to Congresswoman Elise Stefanik of New
York.
Ms. Stefanik. Thank you, Mr. Chairman. And thank you to all
of our witnesses for your testimony today.
General Ferrell touched on this briefly, but I wanted to
ask each of you to weigh in. In your view, what are the risks
and vulnerabilities to our network campaign plans, network
modernization efforts, should DOD be forced to execute funding
levels at BCA funding levels?
Mr. Halvorsen. In the short term we will lose 2 to 3 years.
And that really sums it up. We will fall 2 to 3 years behind.
You have heard the specific numbers. There are specific numbers
in testimony. Sequestration will delay the modernization 2 to 3
years.
And that comes with all of the things you have heard today.
If we don't do that we will be more vulnerable. We will maybe,
using your definition, sir, of "CLOUD" if we don't get some
modernization. We won't support the warfighters. They will be
at risk.
Ms. Stefanik. And could you add on also what that means for
the current threat assessment, how the threats have increased
over the past 5 to 10 years?
Mr. Halvorsen. I can tell you that they have increased in
this form over the last 3 to 5 years. They are certainly more
capable. And that includes everything from your country state
threats to terrorist groups that would be in the news today.
Any slowdown in our modernization will make it easier for
even less complicated or less sophisticated groups to interfere
with our business. It will expand the number of threats we will
have to face if we don't carry through with some of the
modernization and some of the security changes we are making.
And they will be delayed by sequestration.
Ms. Stefanik. Would anyone else like to add?
General Bender. I will add just very briefly that I am
relatively new in the position. But 5 months of discovery
leaves me with a very strong impression that we are not going
to harden or protect our networks to a completely safe, secure
environment. It is nearly impossible because of the evolving
nature of the threat.
That said we need to have, and as the other services have
already mentioned, the ability to fight through a determined
adversary and find our way through it. And so risk management
becomes really what is key and essential to our approach going
forward.
Dr. Zangardi. As I mentioned in a previous question,
modernization is fundamental to providing us security and the
capability we need. Sequestration will hamper, slow by several
years our ability to modernize our IT capability.
General Nally. Our biggest concern is people. So if we have
to reduce funding and then the people that actually defend and
protect the network, and we have to let those people go. That
is our concern.
And again, that gets back to my first priority. It is the
people. If I don't have the right people to operate and defend
the network, the network is worthless.
Ms. Stefanik. Thank you. I have one question on a separate
topic. And this is for just my background and for everyone else
on the committee.
Can you give an assessment of where other countries are in
terms of their investment in network modernization efforts? Are
we behind? Are we losing our edge? I know that is a very broad
question, but it is an important one.
Mr. Halvorsen. I don't think we are losing the total edge.
Do I think that particularly if we get sequestration, which
would not impact, say some larger countries in the world that
we were all concerned with? They will gain.
I mean that is a fact. I think right now we are in a good
position in terms of the edge. But in IT that edge can
disappear so very quickly.
And very candidly, this is public knowledge that the
Chinese, the Russians, other groups are making investments in
all of these areas. If we are not able to continue our plan we
will lose some of that edge and they will gain capability.
Ms. Stefanik. Thank you very much, unless anyone has
anything else to add. Thank you. I yield back.
Mr. Wilson. And thank you very much for your terrific
questions. We appreciate that, and Mr. Langevin.
At this time I would like to again thank each of our
witnesses for being here today.
I want to thank the subcommittee members for their
participation. And then, of course, Kevin Gates has just been
extraordinary sitting here quietly maintaining time.
And for each of you, thank you for your service. It is so
important for our country.
We are now adjourned.
[Whereupon, at 5:12 p.m., the subcommittee was adjourned.]
=======================================================================
A P P E N D I X
February 25, 2015
=======================================================================
PREPARED STATEMENTS SUBMITTED FOR THE RECORD
February 25, 2015
=======================================================================
=======================================================================
DOCUMENTS SUBMITTED FOR THE RECORD
February 25, 2015
=======================================================================
QUESTIONS SUBMITTED BY MEMBERS POST HEARING
February 25, 2015
=======================================================================
QUESTIONS SUBMITTED BY MR. HUNTER
Mr. Hunter. Has the Department considered revising the Cloud
Computing Services deviation to allow for more flexibility for mission
owners and cloud service providers in obtaining a Provisional
Authorization (PA) for a dedicated or private cloud service while going
through a contracting motion? As an example, a vendor may be awarded a
contract, but PA is a contingent milestone of the contract award.
Mr. Halvorsen. The DFARS Class Deviation on Contracting for Cloud
Services currently requires that a commercial cloud service provider be
granted a DOD Provisional Authorization (PA) prior to contract award.
The Department is considering modifications to the policies and
procedures currently specified in the Class Deviation, including
whether a PA should continue to be a prerequisite for contract award,
as part of its deliberations regarding DFARS Case 2013-D018. That DFARS
case is planned to supersede the Class Deviation, and the Department
will be seeking public comment on the new DFARS coverage through the
public rulemaking process.
Mr. Hunter. The DOD software inventory plan executed under section
937 of the FY National Defense Authorization Act included numerous
exemptions, did not require an automated solution to compile the
inventory, and it did not include an audit trail. These and other
requirements are outlined in section 935 of the FY14 National Defense
Authorization Act which your office is currently developing a plan to
be submitted to Congress by the prescribed timeline of September 30,
2015. Please detail for the committee how your office is developing
this plan, the input received from the services, and how your office is
reaching out to industry to understand what automated capabilities
exist and how this inventory can be performed to the satisfaction of
both parties?
Mr. Halvorsen. The FY14 NDAA Section 935 planning effort is
ongoing. Efforts to date have been directed towards developing a
business case analysis (BCA) of alternative courses of action for an
enterprise software inventory reporting process. The BCA outlines
several alternatives with varying degrees of centralized software
license management and reporting operations to determine the most
appropriate approach for DOD. As part of the BCA, the DOD Chief
Information Officer (CIO) is analyzing two ongoing internal information
technology (IT) management reporting efforts to determine the extent to
which they could be leveraged to support the Section 935 software
license reporting requirements. The DOD plan will build on these
internal efforts to formulate a holistic approach for software license
reporting. Once the appropriate software license reporting framework is
selected, DOD CIO will develop a plan for a software license reporting
process. The plan will be completed by the end of FY15.
The DOD CIO issued a memorandum in June 2014 directing the CIOs of
the Military Departments and DISA (the Components) to designate action
officers to support DOD planning efforts for the Section 935
requirements. Through joint bi-weekly meetings hosted by DOD CIO, the
Components' action officers have been collaborating in the planning
efforts and reviewing work products. The Components have been an
integral part in identifying the overall strengths, weaknesses,
opportunities, and threats for each of the alternatives being
considered in the BCA.
The joint team has reached out to industry by: 1) hosting
commercial IT asset management (ITAM) and software license management
vendors to present overviews and demonstrations of their product and
service offerings; 2) meeting with corporate software license
management teams to share lessons learned from their software asset
management (SAM) implementations; and, 3) meeting with ITAM industry
analysts to discuss DOD requirements and potential SAM implementation
options. The DOD joint team has used industry benchmark data and
lessons learned in support of its BCA alternatives. The DOD CIO and
Component CIO representatives also meet with ITAM and other software
providers through ongoing DOD Enterprise Software Initiative (DOD ESI)
IT strategic sourcing operations. The DOD joint team has shared lessons
learned about Component-level implementations of ITAM processes and
tools using commercial software products. The Components have also
independently reached out to industry to assess alternatives for
Component-level ITAM and SAM efforts.
Mr. Hunter. Please detail the Army's efforts to date on software
inventory as prescribed by both section 935 of the FY13 National
Defense Authorization Act and section 937 of the FY14 National Defense
Authorization Act?
General Ferrell. The FY13 National Defense Authorization Act
(NDAA), Section 937, required the Department of Defense (DOD) Chief
Information Officer (CIO), in consultation with the CIOs of the
Military Departments (MILDEP), to issue a plan for the inventory of
selected software licenses, and to assess the need for the licenses.
Under the auspices of the DOD CIO, all Services, Defense agencies and
DOD Field Activities were directed to conduct an inventory of selected
software licenses, including a comparison of software licenses
purchased to licenses installed, and to submit a projection of the
licenses needed over the following two years. The intent was to provide
baseline information to enable economies of scale and cost savings in
future procurement, use and optimization of the selected software
licenses. Under the direction of the HQDA CIO/G-6, the Army assembled
an integrated product team (IPT), with representation from all Army
organizations and the Joint Commands for which Army is the executive
agent, to conduct a selected software license inventory (SSLI). Meeting
on a weekly basis, first with key stakeholders to develop the plan, and
then with all appropriate organizations, the IPT provided oversight for
conducting the SSLI audit. The audit used automated scanning and
discovery tools where available, and a data call for networks or
enclaves where automated tools were not readily available. CIO/G-6
aggregated and rationalized the inventory reports and completed the
analysis of selected software licenses purchased in comparison to
software licenses installed. The SSLI effort included a projection of
future need for these licenses over the following two-year period. The
initial report was submitted to the DOD CIO on July 18, 2014; after
providing some additional information and clarifications, the final
report was submitted on August 28, 2014. The Army owned 250 of the 937
titles included in the selected software list. We estimate that the
SSLI audit across the Army involved approximately 400 personnel and
10,000 hours over an eight-month period. FY14 NDAA Section 935 directed
DOD to update the plan for the inventory of selected software licenses,
to include: inventorying all software licenses utilized within DOD for
which a military department spends more than $5 million annually on any
individual title; a comparison of licenses purchased to licenses in
use; and plans for implementing an automated solution capable of
reporting software license compliance with a verified audit trail and
verification by an independent third party. It also mandated the plan
provide details of the process and business systems necessary to
regularly perform reviews, and a procedure for validating and reporting
the registration and deregistration of new software. The updated plan
is due no later than September 30, 2015. In support of the FY14 NDAA,
CIO/G-6 established a pilot project to test commercial software asset
management (SAM) tools that will, ultimately, provide the Army the
capability to manage software licenses across the enterprise. The SAM
pilot is intended to test feasibility and scalability across Army
networks, as well as commercial best practices and business processes
for managing software utilization, entitlements and license compliance.
Additionally, the Army CIO/G-6 continues to support the DOD CIO's
Software License Management Tiger Team effort. This team is updating
the plan developed per FY13 NDAA Section 937 and is on track to meet
the 30 September deadline. The DOD effort has included a working group
to determine potential solutions to satisfy DOD reporting requirements
and a follow-on effort to determine the most practical and cost-effective
solution for the DOD enterprise.
Mr. Hunter. Please detail the Army's efforts to date on software
inventory as prescribed by both section 935 of the FY13 National
Defense Authorization Act and section 937 of the FY14 National Defense
Authorization Act?
General Bender. In 2013 the Air Force initiated network scans to
determine the amount of DOD/CIO-selected software installed on Air
Force-managed sections of the NIPR and SIPR networks. The Air Force is
also presently performing research and analysis of existing data
repository tools as an interim solution to consolidate, manage, and
report current software inventory. Another interim solution is the
leveraging of existing scanning tools such as Microsoft's Host-based
Security System (HBSS) and Systems Center Configuration Manager (SCCM)
to collect and analyze installed software applications until a
permanent automated software license management solution is determined.
In early and proactive efforts to identify a license management
solution, the Air Force released a Request for Information (RFI) to
industry requesting the identification of software solutions capable of
addressing the Air Force's Information Technology Asset Management
(ITAM) requirements. Solutions from 46 small and large businesses
included the use of commercially available software with implementation
options including leveraging current government personnel and
processes, primarily contractor support, and some level of hybrid
approach. These options are presently under consideration; however,
discussions with DOD/CIO and other military departments (MILDEP) have
identified that there is not a singular solution to resolve the
software license management task at hand. Regarding the DOD/CIO and
other MILDEPs, the Air Force has actively participated in discussions
and working groups in efforts to identify present software license
management processes and tools as well as a joint solution. The Air
Force has also been an active participant in the interagency agreement
supporting the DOD Joint Enterprise License Agreement (JELA) effort and
will continue to leverage the JELA process to determine software needs
for the next two years.
The Air Force will continue to aggressively identify, collect, and
report software licenses in accordance with license agreements and
congressional directives. Efforts and preparations are ongoing to meet
both Section 937 of the National Defense Authorization Act (NDAA) for
2013 and Section 935 of the NDAA for 2014 as well as that of Section
1003 of the NDAA for 2010, Financial Improvement and Audit Readiness
(FIAR). The Air Force is working toward a viable solution to not only
meet the intent of the two NDAAs but to also establish an equitable
solution for the future management of its entire ITAM program.
Mr. Hunter. Dr. Zangardi, please detail the Navy's efforts to date
on software inventory as prescribed by both section 935 of the FY13
National Defense Authorization Act and section 937 of the FY14 National
Defense Authorization Act.
Dr. Zangardi. The Department of the Navy (DON) is actively engaged
in the Department of Defense Chief Information Officer (DOD CIO)
Integrated Product Team (IPT) for Information Technology Asset
Management (ITAM) created to address reporting requirements prescribed
by Section 937 of the FY13 National Defense Authorization Act (NDAA)
and revised by Section 935 of the FY14 NDAA. The DON used available IT
portfolio management tools and authoritative data sources to prepare
the DON software license inventory and needs assessment submitted to
the DOD CIO and will continue its support of the DOD CIO Joint IPT as
it works to comply with the requirements of the Acts.
Mr. Hunter. Please detail the USMC's efforts to date on software
inventory as prescribed by both section 935 of the FY13 National
Defense Authorization Act and section 937 of the FY14 National Defense
Authorization Act?
General Nally. The Marine Corps, in coordination with the
Department of Defense (DOD), completed an inventory of all software
that met the established criteria per Section 937 of National Defense
Authorization Act (NDAA) 2013. The Marine Corps inventory has been
submitted in accordance with the July 18, 2013 DOD Chief Information
Officer memorandum, Subject: Department of Defense-wide Selected
Software Licenses Inventory Plan.
Marine Corps representatives are ongoing participants in the
software license planning meetings established by the DOD Chief
Information Officer in the May 30, 2014 memorandum, Subject:
Establishing a Joint Software License Reporting Team for the Fiscal
Year 2014 National Defense Authorization Act. The Marine Corps provides
input for requirements and supports development of the DOD plan.
The Marine Corps is developing an Information Technology Asset
Management Module (ITAMM) and License Management Module (LMM) within
its BMC Remedy environment to replace the legacy Virtual Procurement
Management System (VPMS) customer software ordering tool. With the
sunsetting of VPMS in FY16, ITAMM and LMM will enable the Marine Corps to
identify what software is purchased and in conjunction with approved
network software discovery tools, track what software is in use on the
Marine Corps Enterprise Network (MCEN) in order to identify
discrepancies for remediation.
All requests to procure software products are processed through the
Marine Corps Information Technology Procurement Review and Approval
System (ITPRAS) and require registration in the DON Application and
Database Management repository prior to final approval by Marine Corps
Director C4/Deputy DON Chief Information Officer (CIO) (Marine Corps).
Software is captured in the appropriate functional area portfolio and
Functional Area Managers retain responsibility to regularly perform
reviews of and validate and report on their portfolios to the Director
C4/DDCIO-MC. The Marine Corps continues to work with the DOD and DON
CIO Integrated Product Team (IPT) for Information Technology Asset
Management (ITAM) created to address reporting requirements prescribed
by Section 937 of the FY13 NDAA and revised by Section 935 of the FY14
NDAA.