[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]

[H.A.S.C. No. 114-12]

HEARING ON NATIONAL DEFENSE AUTHORIZATION ACT FOR FISCAL YEAR 2016 AND OVERSIGHT OF PREVIOUSLY AUTHORIZED PROGRAMS

BEFORE THE COMMITTEE ON ARMED SERVICES, HOUSE OF REPRESENTATIVES

ONE HUNDRED FOURTEENTH CONGRESS, FIRST SESSION

SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES HEARING ON INFORMATION TECHNOLOGY INVESTMENTS AND PROGRAMS: SUPPORTING CURRENT OPERATIONS AND PLANNING FOR THE FUTURE THREAT ENVIRONMENT

HEARING HELD FEBRUARY 25, 2015

U.S. GOVERNMENT PUBLISHING OFFICE
94-099 WASHINGTON : 2015

SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES

JOE WILSON, South Carolina, Chairman

JOHN KLINE, Minnesota                  JAMES R. LANGEVIN, Rhode Island
BILL SHUSTER, Pennsylvania             JIM COOPER, Tennessee
DUNCAN HUNTER, California              JOHN GARAMENDI, California
RICHARD B. NUGENT, Florida             JOAQUIN CASTRO, Texas
RYAN K. ZINKE, Montana                 MARC A. VEASEY, Texas
TRENT FRANKS, Arizona, Vice Chair      DONALD NORCROSS, New Jersey
DOUG LAMBORN, Colorado                 BRAD ASHFORD, Nebraska
MO BROOKS, Alabama                     PETE AGUILAR, California
BRADLEY BYRNE, Alabama
ELISE M. STEFANIK, New York

Kevin Gates, Professional Staff Member
Lindsay Kavanaugh, Professional Staff Member
Julie Herbert, Clerk

C O N T E N T S

STATEMENTS PRESENTED BY MEMBERS OF CONGRESS

Langevin, Hon. James R., a Representative from Rhode Island, Ranking Member, Subcommittee on Emerging Threats and Capabilities .... 2
Wilson, Hon. Joe, a Representative from South Carolina, Chairman, Subcommittee on Emerging Threats and Capabilities .... 1

WITNESSES

Bender, Lt Gen William J., USAF, Chief, Information Dominance and Chief Information Officer, United States Air Force .... 6
Ferrell, LTG Robert S., USA, Chief Information Officer/G-6, United States Army .... 5
Halvorsen, Hon. Terry, Acting Department of Defense Chief Information Officer .... 3
Nally, BGen Kevin J., USMC, Director, Command, Control, Communications, and Computers (C4)/Chief Information Officer, Headquarters United States Marine Corps .... 10
Zangardi, Dr. John, Acting Department of the Navy Chief Information Officer, and Deputy Assistant Secretary of the Navy for Command, Control, Communications, Computers, Intelligence, Information Operations and Space .... 8

APPENDIX

Prepared Statements:
    Bender, Lt Gen William J. .... 53
    Ferrell, LTG Robert S. .... 36
    Halvorsen, Hon. Terry .... 27
    Nally, BGen Kevin J. .... 76
    Zangardi, Dr. John .... 62

Documents Submitted for the Record:
    Testimony for the record from Vice Admiral Ted Branch, Deputy Chief of Naval Operations for Information Dominance .... 87

Witness Responses to Questions Asked During the Hearing:
    [There were no Questions submitted during the hearing.]

Questions Submitted by Members Post Hearing:
    Mr. Hunter .... 97

INFORMATION TECHNOLOGY INVESTMENTS AND PROGRAMS: SUPPORTING CURRENT OPERATIONS AND PLANNING FOR THE FUTURE THREAT ENVIRONMENT

House of Representatives, Committee on Armed Services, Subcommittee on Emerging Threats and Capabilities, Washington, DC, Wednesday, February 25, 2015.

The subcommittee met, pursuant to call, at 4:11 p.m., in room 2118, Rayburn House Office Building, Hon.
Joe Wilson (chairman of the subcommittee) presiding.

OPENING STATEMENT OF HON. JOE WILSON, A REPRESENTATIVE FROM SOUTH CAROLINA, CHAIRMAN, SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES

Mr. Wilson. Ladies and gentlemen, I call this hearing of the Emerging Threats and Capabilities Subcommittee to order. I am pleased to welcome everyone here today for the hearing on the fiscal year 2016 budget request for information technology [IT] programs for the Department of Defense [DOD].

Information technology systems are critical enablers for our military, enhancing the performance of individuals and units by connecting people and weapon systems together in ways that make them more effective than the sum of their parts.

As we look at the budget request, and as the witnesses describe their relevant portions, I would like to ask each of you to address the following questions. What systems are we investing in? How do these systems enhance the Department of Defense's ability to execute its missions, carry out business operations, and generally improve our ability to conduct warfighting operations? How do we prevent duplication between the services and agencies to make sure that the programs we pursue are deployed on time, on budget, and with the performance capabilities we originally planned?

Today we have invited a panel of dedicated public servants to answer these questions. Our witnesses are, first, the Honorable Terry Halvorsen, acting Chief Information Officer of the Department of Defense; Lieutenant General Robert S. Ferrell, Chief Information Officer/G-6 of the United States Army; Lieutenant General William J. Bender, Chief of Information Dominance and Chief Information Officer of the United States Air Force; Dr. John Zangardi, the acting Department of Navy Chief Information Officer, Deputy Assistant Secretary of the Navy for Command, Control, Communications, Computers, Intelligence, Information Operations and Space--quite a title; Brigadier General Kevin J.
Nally, Director of Command, Control, Communications and Computers (C4), the Chief Information Officer of the Marine Corps.

We also know that the Navy would like to submit additional testimony for the record for Vice Admiral Ted Branch, the Deputy Chief of Naval Operations for Information Dominance, who was unable to join us today. If there are no objections, we will include that in the record.

[The statement of Admiral Branch can be found in the Appendix on page 87.]

Mr. Wilson. I would like to turn now to my friend, Mr. James Langevin of Rhode Island, the ranking member, for any comments he would like to make.

STATEMENT OF HON. JAMES R. LANGEVIN, A REPRESENTATIVE FROM RHODE ISLAND, RANKING MEMBER, SUBCOMMITTEE ON EMERGING THREATS AND CAPABILITIES

Mr. Langevin. Thank you, Mr. Chairman. And I want to thank Mr. Halvorsen, General Ferrell, General Bender, and Dr. Zangardi, and also General Nally. Thank you all for appearing before the subcommittee today and all the work that you do to help our warfighters and the Pentagon be efficient and effective in the IT realm, and for all you do to serve our Nation.

It is one thing that hasn't changed the world of technology since our hearing last year on this topic is the importance of information systems to everything that we do as a nation. IT consumes a massive portion of our defense investment, and cyber continues to be a very high priority for the Department, as well it should be. However, with this huge investment comes an equal responsibility to make sure that we are conducting proper oversight of those activities.

And to that end, I look forward to hearing from the witnesses about the fiscal year 2016 budget request as it relates to our investment in cyberspace, and in securing and modernizing our information systems. Specifically, Mr. Halvorsen, I would appreciate hearing how the Joint Information Environment [JIE], described as the framework for IT modernization, has evolved and has been implemented.
I would also like to hear from each of the services about their understanding and implementation of JIE, i.e., either unilaterally or in conjunction with their sister services, and specific programs associated with this concept.

Conceptually, I support JIE, especially if it provides the ability to better defend the network against outside and insider threats. Yet there is still so much to understand about JIE. This includes obtaining a solid definition and placing policy guidance associated with implementation, building structures for oversight and management within the Department. And perhaps most relevant today, since it is not an official program of record, building an understanding of how we in Congress can conduct our overseer responsibilities.

As part of this dialogue today, I also expect to hear how the Department will utilize the cloud for both classified and unclassified information, and leverage public, private, and government-owned structures.

Cyber is an extensively, extremely personnel-dominated mission space, and thus is a serious concern when the DOD is confronted with difficulties in recruiting and retaining qualified personnel. I hope the witnesses will take this opportunity to articulate the recruiting and retention challenges in depth, and provide recommendations on how the subcommittee can provide new authorities or other assistance in a National Defense Authorization Act [NDAA] to ensure that we have the best and the brightest cyber IT workforce.

Finally, under the leadership of Chairman Thornberry and Ranking Member Smith, the HASC [House Armed Services Committee] is taking up acquisition reform. Our goal is to take a cumbersome process and make it more agile and flexible, allowing for the finest capabilities to be delivered to our warfighters on time and on budget.
An agile and flexible system is especially important for IT and cyber where technologies and enemy capabilities rapidly evolve and change, and multiple procurement cycles can exist within a single budget cycle. I hope our witnesses will speak to the authorities provided in last year's Defense Authorization Act and elaborate on what more we can do.

With that, again, Mr. Chairman, I want to thank you for organizing this hearing, and to our witnesses for being here today. And I look forward to our discussion.

Mr. Wilson. Thank you, Mr. Langevin. Before we begin I would like to remind the witnesses that your written statements will be submitted for the record. So we ask that you summarize your comments to 5 minutes or less. And additionally that will apply to the members of the subcommittee. And as questions are asked we will be limited to 5 minutes based on time of arrival and on either side. And we have a person who is above reproach. Kevin Gates, who will be keeping the time. And so we will proceed at this time. And we will begin with Mr. Halvorsen and proceed to the right.

STATEMENT OF HON. TERRY HALVORSEN, ACTING DEPARTMENT OF DEFENSE CHIEF INFORMATION OFFICER

Mr. Halvorsen. Good afternoon, Mr. Chairman, Ranking Member, and distinguished members of the subcommittee. I am Terry Halvorsen, the acting Department of Defense Chief Information Officer. As such, I am the senior adviser to the Secretary of Defense for all IT matters. I am responsible for managing the DOD's IT spend so we get more out of each and every dollar, while making sure that the warfighter has the tools to do the mission.

My written statement provides you specific numbers and details, but I would like only to highlight some key issues. One of my key priorities is implementation of the Joint Regional Security Stacks [JRSS]. That is the foundation of the Joint Information Environment.
It replaces our current individualized and localized security architecture and systems with a set of servers, tools, and software that will provide better C2 [command and control], more security, and do this at a lower cost. JRSS is an operational and business imperative for the Department.

I want to talk about how we are improving the alignment of our business processes and IT systems and investments. I partner with the Deputy Chief Management Officer, the revised Defense Business Council. We have been directed by the Secretary of Defense to conduct a complete review of all business processes and IT systems in the fourth estate. That is point one. We will then move into working with my colleagues to do the same review of the military departments.

We are asking the question, what IT business should DOD be directly in, and at what level should we be in it? And I think that is a key question. We may need your help in changing the business model, particularly in certain areas. We need to look at how we can expand private-public partnership, particularly in the area of data distribution or data centers. How can I take, in my case, a maybe a DISA [Defense Information Systems Agency] data center, realign it into a more public-private partnership and get full value out of what can be commercial rate improvements? I think we will need to work some legislation to make that easier for all of us to get done.

We are continuing to approve the accounting procedures and have more transparency in our dollars. For example, we have added codes inside the Department that actually show how much money is being spent on data centers and other key IT areas. We have contract benchmarked within my own organization that has saved $10 million this year, and within DISA $20 [million], and we have seen comparable amounts of savings just by contract benchmarking against industry and other government sectors.
I have directed DISA to create an unclassified commercial e-mail solution for the Department.

You have asked about cloud. We put out some new cloud directive. And based on some recommendation from the Defense Business Board, we have changed the way we engage industry and publish our documentation. We have just published a joint cloud security and implementation guide. And when I mean joint, that was published with the complete cooperation and involvement of industry from the start. We have revised who can buy cloud, allowing the services now to go direct to the provider, not have to go through DISA, and put DISA in a role of being the security standards.

We continue to involve critical areas in mobility with smartphones, wireless and electronic flight bags. I brought two today. This is the first dual persona unclassified Blackberry. We are now using this. This Android phone is capable of doing up to secret-level security work on it, and it is basically a modified commercial product. And the prices are coming down.

We need to do a comprehensive review of the DOD cyber workforce. But again, I think this an area where we may need help. Somehow we have got to have better movement between government and private industry in the career fields. We ought to be able to wake up one day, be a private employee and the next day come in and be a government employee and keep that change. I think that expertise, particularly in the area of security we would gain, is vitally important.

In conclusion, we are trying to drive cultural, business, and technical improvements, innovation into DOD's IT to better support our mission and business operations. That requires teamwork. I am happy to say I have good relations with General Hawkins, the director of DISA; Frank Kendall, who is a strong partner; Admiral Mike Rogers, who I have known for a long time as NSA [National Security Agency] and USCYBERCOM [United States Cyber Command]; Mr.
Eric Rosenbach, principal security adviser; and of course my partner in crime, Dave Tillotson, the acting Deputy Chief Management Officer; my colleagues here to the left. We are expanding our relations with industry, and certainly we enjoy a great relationship with Congress. So I thank you for your interest and support, and I look forward to taking your questions.

[The prepared statement of Mr. Halvorsen can be found in the Appendix on page 27.]

Mr. Wilson. Thank you, Mr. Halvorsen. General Ferrell.

STATEMENT OF LTG ROBERT S. FERRELL, USA, CHIEF INFORMATION OFFICER/G-6, U.S. ARMY

General Ferrell. Thank you, Chairman Wilson, Ranking Member Langevin, and the other distinguished members of the committee for inviting me to testify today on the Army's network and information technology progress and requirements.

The network and information technology are integral to everything the Army does. Our soldiers and unit training, and mission execution from combat to stability and support to peacekeeping and building, and even the other daily business operations all rely on the network and our information technology systems. To drive to make the Army more leaner, more agile, and more expeditionary means the network needs to be even more essential. This in turn makes the network and information technology a top modernization priorities for the Army.

We must upgrade our network. In its current state the network remains open to too many threats. However, our future common architecture will enable a secure, joint global network that will provide essential services to our leaders and soldiers, Active, Guard, and Reserve. Our current network does not have the capacity or capability to do these things. We need sustained funding to upgrade our network.
For the network to do everything that the Army needs, it must have a specific set of characteristics: worldwide reach, guaranteed availability, interoperability with our joint and mission partners, and the ability to accommodate all demands we place on it in a stringent security. The Army is aggressively implementing capabilities necessary to make this robust network a reality, while also converging multiple disparate networks into a single network.

I recently put in place a comprehensive network campaign plan for the Army. I would like to give you just a brief snapshot of what we are doing to empower soldiers, commanders, and decision makers. The Army is expanding network capacity and creating an architecture that will allow future growth. Multiple initiatives are under way to strengthen the network security.

As a proponent of the Joint Information Environment, the Army has partnered with the Air Force and the Defense Information Systems Agency to implement the Joint Regional Security Stacks, which will reduce the cyber attack surface. Increasingly effective and efficient network monitoring, management, and defense will address critical operational gaps and mitigate evolving threats. Our initial Joint Regional Security Stack site at Joint Base San Antonio is up and operating.

The Army is also putting considerable effort into development and retention of a highly skilled civilian and military information technology workforce.

Joint cloud computing will have a broad impact on the Army operations. It will enable reliable access to data, application, and services, regardless of the location and the device used. Cloud computing will also allow the Army to introduce innovative capabilities more quickly, and to better focus limited resources on meeting evolving missions' needs.

The initiatives I just mentioned are taking place at the enterprise level, but they all feed directly into enabling the tactical force.
The tactical forces we rely on to carry out the National Security Strategy. Most notably, they provide the foundation for expeditionary mission command, whose success depends on the efficient transition from home station to the deployed theater. Providing soldiers and decision makers a modernized network will require sustained investments, particularly during the modernization cycle that runs through fiscal year 2021.

Additionally, the committee has asked about the impact of sequestration. Sequestration will slow network modernization. In fiscal year 2016 the Army will have to reduce spending on the network services and information assurance by almost $400 million. This cut would impact every aspect of daily Army operations to include training and network security, which could degrade readiness and/or mission execution.

I thank this committee for the opportunity to appear today. The Army and I are grateful for your interest in the network and the information technology needs. I look forward to your questions.

[The prepared statement of General Ferrell can be found in the Appendix on page 36.]

Mr. Wilson. General, thank you very much. And I particularly appreciate your efforts for network modernization. As an Army veteran myself who was trained on SINCGARS [Single Channel Ground and Airborne Radio System], you have come a long way. General Bender.

STATEMENT OF LT GEN WILLIAM J. BENDER, USAF, CHIEF, INFORMATION DOMINANCE AND CHIEF INFORMATION OFFICER, U.S. AIR FORCE

General Bender. Good afternoon, Mr. Chairman, Ranking Member, and distinguished members of the subcommittee. I am Lieutenant General Bill Bender, the United States Air Force Chief Information Officer.
In the first 5 months in this position, I have decided to act upon my responsibilities by focusing upon four major lines of effort: enhancing the service's cybersecurity efforts; advancing the Joint Information Environment; developing the IT and cyber workforce by transforming career field development; and finally, operationalizing chief information officer authorities in a way that adds greater value to headquarters Air Force. My lines of effort are relevant to the myriad of ongoing IT and cyber-related initiatives within the Air Force, and play a critical role in assuring the United States Air Force can accomplish its mission successfully.

First it is important to note cyberspace is an operational domain. It affords us a wider range of operational opportunities, and conversely it exposes us to vulnerabilities and threats that place the Air Force's five core missions, air and space superiority, ISR [intelligence, surveillance, and reconnaissance], rapid global mobility, global strike, and command and control, at risk.

Cybersecurity is at the forefront of my priorities for IT within the Air Force. We must understand and confront the reality that the vulnerabilities we face in cyberspace jeopardize our wartime capabilities, including our aircraft, space, and other weapons systems. Therefore I have convened under the direction of the Air Force chief of staff a cyber task force with the straightforward objectives of diagnosing the full extent of the cyber threat, developing an enterprise level risk management strategy, informing a better understanding of our priorities for investments.

The momentum toward cybersecurity drives one of my other lines of effort, ensuring the Air Force is a full partner in achieving the Joint Information Environment with the DOD and the other services. We fully understand the imperative to move forward this environment with respect to both operational capability and efficiencies to be gained.
My third line of effort addresses the need to completely transform our IT and cyberspace workforce. It is imperative that we recruit, train, and retain those with the necessary skills to meet IT and cyberspace challenges of the 21st century.

With respect to IT and cyber budgets, the Air Force is partnering with DOD and Air Force acquisition leaders to streamline our acquisition processes. Our Information Technology Governance Executive Board aligns our IT investments and acquisition efforts to the Air Force corporate process. Additionally remain actively engaged with Air Force Space Command, which is the Air Force's lead major command, with responsibility for the IT and cyber portfolios. Together we are doing what we can to strengthen the investment reviews and requirements management processes.

My office manages the IT Capital Planning and Investment Control process, and leads coordinated and regimented reviews of major investments that are mandated as Exhibit 300s. These reviews will provide greater accuracy on a daily basis, significantly aid the Air Force IT budget and Federal Information Technology Dashboard reporting process, and enable a process to validate IT requirements and follow our investments.

The lines of effort I have outlined today, if executed well, will deliver the appropriate policies, personnel, capabilities, and resources needed to assure Air Force missions against a determined adversary. I thank you for the opportunity to address the subcommittee, and I also thank you for your interest in these critically important issues. And I look forward to your questions.

[The prepared statement of General Bender can be found in the Appendix on page 53.]

Mr. Wilson. Thank you very much, General. Dr. Zangardi.

STATEMENT OF DR. JOHN ZANGARDI, ACTING DEPARTMENT OF THE NAVY CHIEF INFORMATION OFFICER, AND DEPUTY ASSISTANT SECRETARY OF THE NAVY FOR COMMAND, CONTROL, COMMUNICATIONS, COMPUTERS, INTELLIGENCE, INFORMATION OPERATIONS AND SPACE

Dr. Zangardi.
Good afternoon, Chairman Wilson and Ranking Member Langevin and distinguished members. Thank you for the privilege to speak before you today on the Department of Navy's information technology budget. I will keep my comments brief.

There has been an astounding increase in IT capability over the last few decades. It has important implications for the Department of Navy. However, unlike traditional weapons systems acquisitions, the Department is not driving the pace of innovation. It is industry. The question is how do we leverage what industry is doing now?

Last week I visited forward-deployed naval forces in both Japan and Guam. I met with marines and sailors. I will briefly share with you different perspectives I gained from those interactions.

I met a young aerographer's mate at the Naval Oceanographic Antisubmarine Warfare Command in Yokosuka, Japan. She was in the top three of her A-school class. Most impressively, she advanced from an E1 to E5 in less than 2 years. She is reliant on the Navy's overseas network to access tactical applications such as the Naval Integrated Tactical Environmental System, or NITES program. Without access to the network and tactical applications such as NITES, she cannot fully support the warfighter mission with meteorological and mission-planning data, despite all her training.

I also met with senior-level leadership in the Western Pacific. Providing mobile, secure command and control, or C2, over forces is an important concern of the fleet, strike group, and unit commanders. Our overseas expeditionary and afloat networks must be able to respond to this demand signal and deliver capability.

The expectations from the Navy and Marine Corps warfighter are high. The reason we need to harness the industry trends of lower cost and more readily available capability is because information technology provides the means to enable better decision making.
For example, if the Department never improves the network or the tactical applications used by the aerographer's mate, she will not be able to provide the fleet the knowledge products they need to perform their mission or execute it.

Information technology has become the thread that weaves together platforms, tactics, and personnel to execute our strategy. This drives home just how important it is to move forward with transitioning ONE-NET [Outside the Continental United States Navy Enterprise Network] to NMCI [Navy-Marine Corps Intranet], and continuing with installation of Consolidated Afloat Networks and Enterprise Services [CANES] program. Both are absolutely critical in our support of our forward-deployed forces.

Department of Navy programs such as Marine Corps Enterprise Network, Navy Multiband Terminal, Automated Digital Network System, and Mobile User Objective System need your continued support to provide connectivity to the warfighter and afloat and expeditionary warfighter.

In an era of constrained budgets, we need to learn and leverage lessons from industry. It is incumbent on us to reduce redundancy, drive out costs, and deliver innovation. How we buy more smartly and put technology in the hands of the warfighter?

NGEN [Next Generation Enterprise Network]. Our ashore network contract, NGEN, is a true success story that is providing capability now. The NGEN contract delivered $1.2 billion in real savings across the FYDP [Future Years Defense Plan] as a result of competitive market forces. I believe that we bought smartly. The NGEN contract provides for an enterprise network for both Navy and Marines. NGEN is also how we will deliver JIE and JRSS. We are engaged in the development of JIE and implementation of JRSS.

Data center consolidation and application rationalization are another effort. They are not easy tasks. Industry will tell you that while these are challenging, they are critical components to drive out costs and drive in security.
We are making progress. The desired end state is a single integrated global ashore infrastructure service delivering, leveraging Navy data centers, application hosting, and commercial cloud services. The objective is to drive out cost while still providing the warfighter the information they need when they need it.

Providing increased mobility options to the warfighter is paramount. Putting new industry standard devices that deliver consistent security by separating business data from employee personal information is just starting up, and should be complete by year's end for about 30,000 devices across the Navy.

The Department is focused on innovation. We increasingly realize that information is an asset. The Department's information systems provide an opportunity, and can enable innovation areas of business intelligence and the cloud. We need to rethink how we value and share information. We have to ensure that our processes move at the speed necessary in the information age.

Lastly, Vice Admiral Branch couldn't attend, but wishes to have his statement added to the record. And I would appreciate your consideration there, sir.

The Department of Navy is very proud of our efforts in IT. I am standing by for your questions.

[The prepared statement of Dr. Zangardi can be found in the Appendix on page 62.]

Mr. Wilson. Thank you very much, doctor. And now we proceed to General Nally.

STATEMENT OF BGEN KEVIN J. NALLY, USMC, DIRECTOR, COMMAND, CONTROL, COMMUNICATIONS, AND COMPUTERS (C4)/CHIEF INFORMATION OFFICER, HEADQUARTERS U.S. MARINE CORPS

General Nally. Chairman Wilson, Ranking Member Langevin, distinguished members of the committee. First and foremost I would like to start off my oral statement by stating my number one priority is now and has been for the past 5 years, people, which includes marines and our civilians supporting marines, and are providing support to our forward-deployed forces, which includes marines and sailors. It is my number one priority.
Today, as always, your Marine Corps is committed to remaining the Nation's force in readiness, a force truly capable of responding to a crisis anywhere around the globe at a moment's notice. As we gather here today, 32,000 marines are forward-deployed around the world, promoting peace, protecting our Nation's interests, and securing our defense. We have marines currently conducting security cooperation activities in 29 countries across the globe and continue to make a difference. All these marines remain trained, well-equipped, and at the highest state of readiness.

Information technology is a key enabler to the Marine Corps being able to fight and win our Nation's battles. As we align our information technology with our Commandants' Planning Guidance and Expeditionary Force 21, we take the approach from the furthest deployed marine and move back to the Pentagon. This approach, fighting hole to flagpole, allows us to best understand our command and control, and information demands, and to build our networks and programs to support the Marine Corps broad range of missions.

As we look to the future, Expeditionary Force 21 is our corps capstone concept that will increase our enduring presence around the globe. We employ tailored, regionally oriented forces that can rapidly respond to emergencies and crises. Having the capability to rapidly deploy command and control packages provides a fully joint capable force that can operate as part of a more integrated naval force to better fight and win complex conflicts throughout the littorals.

A key tenet to support Expeditionary Force 21 is the Marine Corps moving towards a single network, the Marine Corps Enterprise Network. The Marine Corps Enterprise Network unification plan provides the Marine Corps path to the Joint Information Environment, or JIE. We are unifying multiple networks to ensure effective use of our resources, and more importantly to allow reliable access to information for all our forces.
Information assurance remains a key component of our Marine Corps Enterprise Network. We have established the Marine Corps Cyber Range to enable the development and testing of information systems, support cyberspace training, and conduct operational planning and realistic exercise support. Finally, our workforce, the marines and civilian marines who operate and defend the network 24 hours a day, 365 days a year, are our most critical asset. This workforce enables the Commandant's Planning Guidance and Expeditionary 21, and most importantly, supports those deployed marines in accomplishing their mission. I want to thank the chairman and the committee for the opportunity to appear here today to discuss Marine Corps information technology matters. Thank you for the opportunity to appear before you today. I look forward to answering your questions.

[The prepared statement of General Nally can be found in the Appendix on page 76.]

Mr. Wilson. Thank you, General Nally. And as you cited, 32,000 Marines in 29 countries around the world. Actually, Congresswoman Stefanik and myself last week saw firsthand at embassies throughout the Middle East and Central Asia the extraordinary young marines providing security. And it would make any and every American very proud. So thank you very much for your service.

General Nally. Thank you.

Mr. Wilson. As we proceed, and we will be on the 5 minutes for each of us, including myself. And so first of all, with General Ferrell, because the civilian part of the workforce is so integral when it comes to information technology and cyber, what are we doing to better manage that part of the workforce? In your testimony you have made some recommendations. Can you please elaborate on some of the things that you would recommend as we should be doing? Do any of the others on the panel have any other and additional recommendations? General Ferrell.

General Ferrell. Congressman, thank you for that question.
The Army is doing an awful lot to increase the capacity, both on our cyber workforce and as well as in our IT workforce. We have over 11,000 civilian IT workforce that we currently have on the books. And we are implementing a holistic strategy to transform information technology and the cyber workforce, from recruiting to training to training critical parts of the information technology. From a recruiting side of the house, we have an extensive outreach program that is aligned with STEM [science, technology, engineering, and mathematics] into the high school from K-12, as well as putting on demonstrations to encourage-- technical demonstration to encourage the high school students to pursue a career in the STEM world. We also have the opportunity where we have an internship program where we take high school students as well as college students, about 50 annually a year, and then include them as part of the Presidential Management Fellows. We have about currently three that are on hand working with the Army. So again, we have the STEM program, outreach with the K-12. And we also have an internship program that we work with the high school students as well as the college students. On the retaining side of the house, we are also exploring additional incentive pay to promote retention and remain competitive with the industry partner. And the last piece that--on the training side of the house, the technical programs that we have in place is both from the military side that we offer to advance more technology in the cyber world as well as intel world. And we will offer some civilian opportunities as well. These are some of the programs that we have within the Army.

Mr. Wilson. Thank you very much. Does anyone else have any to add? Dr. Zangardi.

Dr. Zangardi. Yes, sir. Thank you. Very briefly, on the civilian side from 2012 to 2014 we have seen our attrition rate of civilians drop from 9.7 to 5.1. That may be due to the economy.
But I also think it reflects the unique work that we do at locations and SPAWAR [Space and Naval Warfare] Systems Command out in California. It is a unique opportunity to work on some cutting-edge technology, or also to serve your country. I agree with the general that things like STEM and outreach to schools and other industries to bring in uniquely qualified personnel are very helpful to our ability to keep and retain highly qualified civilians. On the military side, our rates for accession and retention are being met. We utilize selective retention bonuses and we provide increased training opportunities at the 12- to 14-year mark, which is a mark at which most people will not leave after they get the training.

Mr. Wilson. Thank you very much. And the next question for me, General Nally, each of you have talked about the personnel challenges related to finding, hiring, and training information technology professionals, both military and civilian. I would like to hear your thoughts on a couple of points. One is leveraging commercial certifications or commercial training.

General Nally. Thank you, sir. We don't have a problem recruiting and retaining if we are talking to the military first for entry-level Marines. Whether they are enlisted or officers, the training is conducted out at Twentynine Palms, California, at our Marine Corps communications and electronic schools. The cyber network operators, they actually at the entry-level first formal school, upon graduation they actually receive commercial certifications in four various commercial companies equal to what they would offer for certifications. For example, Microsoft, they depart the school and they have commercial Microsoft certifications. As they progress in their careers if they decide to stay in they receive additional certifications, i.e., through Cisco, VMware, NetApp are a few of the companies. And all that training is conducted in Twentynine Palms.
So we have a formal working relationship with those companies where they actually receive those company certifications. For civilians I have a budget to train and educate the civilian IT cyber workforce so we ensure that they receive the training, education, and certifications that they require for the appropriate billets that they hold.

Mr. Wilson. Well, I would like to congratulate you because I would have thought our retention would be very difficult in the 9.7 to 5.1, doctor. That is incredible because you are dealing with such talented people. Thank you all for your extraordinary efforts to maintain your personnel. Mr. Langevin.

Mr. Langevin. Thank you, Mr. Chairman. Again I want to thank our witnesses for your testimony today. Mr. Halvorsen, in 2011 the commander of U.S. Cyber Command briefed the Joint Chiefs of Staff on the inability to see the entire DOD networks, and the risks associated with the limitation. In addition to providing more efficient and effective networks, the Joint Information Enterprise, JIE, initiative is intended to enable U.S. Cyber Command the visibility of the network required to defend it. In your opinion, is the initiative moving towards that end state? Why or why not? And what official guidance has been provided to the services to ensure that end state?

Mr. Halvorsen. Sir, thank you. Yes, we are making good progress on that. The JRSS, as we implemented the first set of software, already exposes more of the network than we had exposed before from CYBERCOM and from the new stood-up DODIN [Department of Defense Information Networks] headquarters which is at DISA, which is now responsible for overseeing that under the operational control of Admiral Rogers. The services have all been provided guidance, both operational guidance from Mike Rogers, policy guidance from my office, that says we will implement the JRSS. We have laid out the timelines. They are all committed, all team members. You have heard them all testify to that.
We have figured out the funding on how to do this. The next version of the software, which is version 2.0, will complete that picture so that all of the services can see the same picture as CYBERCOM. That is funded. One of the ways we were able to do that is by looking at some of the business processes in DISA, taking that money and applying it inside of DISA to fund the software. That is step one. And I want to point out that JRSS is the first step. The next step--and you have heard all of the services talk about how they collapse their enterprise networks. Each of the service entered at a different spot with regard to enterprise networks. They are all working to collapse that. As we collapse the networks, that will also give us a better picture. It is a little physics. It is less for us to look at. So in addition to putting up the JRSS, we are working with all the services to collapse the total number of networks that frankly Mike has to look at and to make sure that are secure.

Mr. Langevin. And, Mr. Halvorsen, the Joint Chiefs of Staff, Cyber Command, the acquisition community, the services, and many other entities have a stake in JIE. What office, and who, is in charge of this mission?

Mr. Halvorsen. I own JIE and making sure that that is complete to everybody's satisfaction. Mike Rogers owns it from an operational standpoint. The single point to make sure that it gets done from funding operations is my office.

Mr. Langevin. Okay. And you described the Joint Regional Security Stack, JRSS, as the foundation of JIE. General Ferrell, you mentioned moving forward with JRSS with the Air Force and DISA, and Dr. Zangardi and General Nally, when will the Navy and Marine Corps move out with JRSS? And Mr. Halvorsen, what is your view of the different services' timelines? What is each service's programmed investment through the next 5 years in JRSS? And is it equitable and a strategy allowing for the best bang for the buck?

Mr. Halvorsen.
Sir, if you permit me I will first answer that. All of the services are completely committed to this and have funded. And when we look at what the current condition is, the Department of Navy, and for truth in advertising my previous job was the Department of Navy's Chief Information Officer, collapsed its systems first around NGEN and previous NMCI. They are in some cases better positioned because of that to do and see their network better. The Air Force and Army are moving very rapidly in that direction. The reason they are moving first behind JRSS is that will give them the same level of capability that the Marine Corps and Navy enjoy now. When the Navy and the Marine Corps, we go to JRSS 2.0, that gives everybody increased capability and everybody will move on that. The Army and the Air Force will be completed in 2017 migration. The Navy and Marine Corps complete in 2018. That is an aggressive schedule to get all of the networks and the complexity done, but I think it is the right schedule and one that I do not think we can let slip. That is the goal. You mentioned the "Tank" [Joint Chiefs of Staff conference room]. I briefed the "Tank" two weeks ago. All of the service chiefs are 100 percent behind that and committed to making sure that we do not slip that date.

Mr. Langevin. Anybody else got a comment?

Dr. Zangardi. Yes, sir. I concur with Mr. Halvorsen's statement since he had my job previously. NGEN, the NGEN contract is our path forward to JIE. It-- specifically, the technical refresh or modernization dollars within the program will be channeled to JIE activities or acquisitions as the standards are defined. We are engaged now in engineering, planning, and budgeting on the JIE team. We have engineers involved. We have our SPAWAR folks playing in there. We plan to be part of the definition of JIE and JRSS. As Mr. Halvorsen said, we will be complete in 2018. We align with that schedule.
We are also working closely with PACOM [Pacific Command] J6 on what JIE increment 2.0 is. So we are very involved in the whole effort of JIE and JRSS, and have the mechanisms in place in NGEN to move forward.

General Bender. Sir, if I could clarify for the Air Force. We are actually at an end-of-life condition. We are on a single security architecture since 2011 with 16 gateways. And this is the next evolution. So JIE, JRSS, is the right way for the Air Force to go.

General Ferrell. And sir, I would like to give you a good news story on the progress of the JRSS, specifically at Joint Base San Antonio where there is a partnership between the Army and the Air Force and Defense Information System Agency. When we started this journey about a year ago of again taking the JRSS capability, as well as expanding the capacity at Joint Base San Antonio, put it in place and worked through the technical challenges of how do we collapse the network. I am very pleased to tell you to date that we have expanded the capacity there at Joint Base San Antonio. We have installed the JRSS devices. And we have also passed traffic, both Air Force and Army traffic, over the same network between Joint Base San Antonio as well as Montgomery, Alabama. So again, that is the first step toward progress, physical progress with this effort. We have taken lessons learned from that initial site and we are going to incorporate that on all the follow-on sites, both CONUS [continental United States] and OCONUS [outside the continental United States].

Mr. Langevin. Thank you.

Mr. Wilson. Thank you, Mr. Langevin. We now proceed to Congressman Rich Nugent, of Florida.

Mr. Nugent. Thank you, Mr. Chairman. And I appreciate this panel being here today. You know one of the things that I always get nervous about when I was over an agency that had computers and every time you have a gateway, a way in, how that opens up. But it is even more troubling as to when you look back at the Snowden incident 2 years ago.
How are we protecting ourselves against an insider attack that could obviously cripple us if that information got out to our adversaries? And I will let anyone take a stab at that one.

Mr. Halvorsen. Doing a couple things. I mean we have implemented all the directives. And you can see in all of our written testimony, we have complied with all the directives. And we will be implementing a deep insider threat. But a couple things that I think illustrate what we have done is the biggest insider threat is from systems administrators, the guys that have complete access. We have strengthened the security requirements on those. We will be in conjunction with Mike Rogers shortly, putting out some more detail on that. It requires them to be token-enabled on our way to making that completely CAC [Common Access Card]-enabled so you will have a visible identity of every system administrator. We have put in place under Mike's direction, and we could go deeper in a different venue, the ability to see what system administrators are doing and some ability to monitor, I won't say abnormal behavior, but different behavior. When you are in a computer business it is hard. So if they route traffic differently or if they are seeing some--if we are seeing them move things around differently, that ability is expanding within the Department in addition to all of the things that were directed in the NDAA, which we are on schedule to comply with.

General Ferrell. Congressman, in addition to what my colleague to my right has shared, we are also implementing an extensive educational program to educate our users on identifying the types of malisons that will occur on the network and how to mitigate that. So again, we are really reaching out to--as well as putting the protection from the software on the computers, as well as monitoring the activities of the administrators, we are also doing the educational aspect as well.

Mr. Nugent.
I know there was a GAO [Government Accountability Office] report out a while back, particularly as it relates to DISA, but as it relates to JIE that it is so broad that there is no one program administrator. Were they correct in that assumption? Or was----

Mr. Halvorsen. I think there was certainly some truth that we were a little fractured in what we had defined JIE. So with the help of my colleagues over the last year what we did was take a look at what is JIE. JIE is a concept. We are not going to ever implement JIE. What we will implement is the steps that get us to a Joint Information Environment. So what I can now tell you, and I think you have heard today, the first step of that is to get to the Joint Regional Security Stacks, phase one. Phase two is for us to then--how do we implement and take that into our mission and coalition partners. So they are the first two key, very physical, very visible, measurable. You can put metrics on them, steps that we have to do with JIE. And I think we had not clarified that really, simply, until the last year. And that is--that may be what was the single biggest driver is that we really did clarify. Those are the key points that have to happen in that sequence.

Mr. Nugent. All right. It makes sense because obviously if you have one agency or one group that is in charge of all of the IT for all the services there are some real gaps that would occur. Things the Air Force would be important to would not be as important to the Army or vice versa. So I think that your concept is great. And I think that you have--through the services you have some great folks that are very talented that can move this forward. You know IT is always something changing. I can remember my past life it always seemed like you know we just upgraded our servers and then it wasn't 2 years later saying hey, boss, the stuff is no good. We got to get new stuff. And I am sure you face that same type of environment.
But how do you guard against that, I mean constant change over what you need, equipment? And I don't know if you can.

Mr. Halvorsen. I think you have to do two things. I mean one of the things that this group has done is decide about some ways that we will all look at certain investments. So we now have within this group a standardized business case analysis process. And when I say business case, our business is war. So it also looks at the operational pieces, too. It is not just on the business systems. That is one way that we can all look and make sure that we are looking at things and measuring the same way. It is okay for things to be different, particularly in the physical properties, different equipment, as long as it will perform to the same standards. It measures up to the same money, accountability, and all the other measures. We are doing better at that. We are also looking at what is our current inventory of not just things but software and applications. One of the things that we are looking at now is how do our applications line up? I will give you an example. When we look at logistics, about 80 percent of our logistics applications share a large majority of data elements that are the same. And I think that is the other change. You really have to go to the data level. If those data elements are the same, maybe the first thing that we can do is start shrinking the number of systems, let the applications that the services need, because they do need to be distinct in some areas. You pointed out right the Air Force, the Army, the Marine Corps they have different requirements on some of this. We can combine the data elements and wrap that. That is not a great term. Wrap that around the different parts of the applications that each of the services need, share common data, protect it in one location. And it both reduces costs and improves your operational capability. We are looking hard at how we expand that effort.

Mr. Nugent. I appreciate that.
And, Chairman, thank you for indulging me----

Mr. Wilson. Here, here.

Mr. Nugent. Thank you.

Mr. Wilson. Thank you very much, Sheriff Nugent. We now proceed to Congressman Jim Cooper, of Tennessee.

Mr. Cooper. Thank you. I am worried we are already in a cyber war, we are just not admitting it. I don't remember from history a time in history of warfare when more eggs have been put in one basket, basically. Virtually every chip in the world being made in one country that is not here. And the software is so unimaginably complex it is almost impossible for human beings to figure it out. So I am worried that the acronym "CLOUD" really stands for the "Chinese Love Our Uploaded Data." I worry that none of the witnesses that I have ever heard calls for a change in the UCMJ, the Uniform Code of Military Justice, so that computer security becomes a value to be preserved because computer hygiene is staggeringly important. And perhaps there has been testimony to that effect. I haven't heard it. I am worried that our troops would be incapable of working if the Net went down and things go dark. I don't know anybody knows the degree of Internet of Things when facilities could be shut down, as relatively unprotected. And I don't know. Maybe you have been red-teaming all this. But to me the vulnerability is amazing when virtually every major U.S. company has already been taken down to some extent. Entire countries like Estonia were almost put out of commission years ago by hackers. I just worry there is more vulnerability here than perhaps this hearing has indicated so far.

Mr. Halvorsen. Sir, I don't think we could tell you that we are perfectly secure. I think that would be a bit ridiculous statement to make. What I can tell you is that we are doing the things you talked about. And you talked about accountability. And I will get you a copy of the recent memo.
But we did working together have the Deputy Secretary of Defense for the sign out a recent memo that improved accountability in how we hold individuals, both civilian and military, more accountable for their cyber actions. That is working. We have had recent discussions about how do we raise the bar on cyber hygiene. As we have had our discussion with the cloud, I will tell you that the most contentious issue with industry--we are not dodging the hard question of how they will meet our requirements, and then frankly how will they respond when they have a penetration and lose our data? What is the accountability that they are going to have. It is one of the things right now that is slowing the higher level cloud movement because we have not worked that out. Industry has not yet said that they will abide by some of those rules. We are certainly open to them showing us different technology to do that. But they still have to show us that they are doing it. So we are having that dialogue. We are looking at what it means to be cloud. So maybe I should expand just a minute on that. We are not going to just use commercial cloud. We will use every hybrid there. DISA has the milCloud. And to their credit, they have dropped the rates so it is more competitive with commercial. But what it does do is it provides that extra level of security for the really valuable data that we just can't afford to lose. The commercial world is working to move up to those standards. And as they do, we will put more into the cloud, but not until they meet those requirements. We are not lessening our security requirements. In some cases we are standardizing them. In other cases we are raising them. And the conversation with industry, which they did not like but were happy to be engaged in, the way we are publishing the cloud documents, what we have had to tell them is the standards I put out today in this environment, in the IT world, they will change. 
And they might change in 6 months, depending on what the threat does. And we have told them they have to be reactive to that. We are not going to put anything out there that does not meet the standards and that we have not looked at. And we are increasing the amount of red-teaming that we are doing across the board.

Mr. Cooper. So we don't need to change the UCMJ?

Mr. Halvorsen. I don't think we need to change the UCMJ today. I will tell you I think we need to enforce some of that. And it is not just the UCMJ because that would only govern our military as you know, but also the civilians. We have got to enforce the policies. And I think that is mostly about educating the commanders on how they do that. The policy is there. Cyber presents some problems even from the forensics side of how do you know who put it in. One of the reasons that we are doing more PKI [public key infrastructure]-enabling and getting down to the single identity is that when you put it in we will know. Once we have that I think you will see. And we are getting that more and more across the board. We have it on some systems. You will see us be able to actually hold an individual accountable for making a bad action on the network.

Mr. Cooper. Thank you, Mr. Chairman.

General Nally. I think--sir, if--just a minute. This might make you feel a little bit better, but three quick things. One, the Marine Corps is going toward using a private cloud. Number two is in terms of what you mentioned about the UCMJ. We have actually published a document states we call it a negligent discharge. If a marine or civilian takes classified information and does something inappropriate with it, whether puts it on a NIPRNET [Non-Secure Internet Protocol Router Network] or we had a spillage, et cetera. We do hold them accountable, the commanders do. So we let the commander, whoever the commander is, know that this individual had a negligent discharge. They hold them accountable.
And three is we actually are training for a SATCOM [satellite communications] degraded intermittent latent environment, stressing VHF [very high frequency], UHF [ultra high frequency], HF [high frequency], terrestrial types of equipment, commander's intent and mission type orders. So we are pushing that down to the lowest levels.

Dr. Zangardi. Sir, may I respond? A couple areas. First, modernization is capability and security. Our NGEN program has built in modernization so we bring in technology on a 4- to 5-year refresh basis. Our afloat network CANES has a 2-year software upgrade and a 4-year hardware upgrade built in. So as you do modernization you bring in the latest technology, bring in the latest security. Operation Rolling Tide, ORT, dollars are in the budget. That is bringing out tools, techniques, procedures to our folks out in the fleet that will improve security on our afloat and ashore units. We stood up in the Navy something called TFCA, Task Force Cyber Awakening. And I will read exactly what it does. It delivers fundamental change to the Navy's organization, resourcing, acquisition, and readiness. And align and strengthen authority, accountability, and rigor in Navy cybersecurity. We have full, broad support across the Navy organization. My boss, the Assistant Secretary for Research, Development and Acquisition, is the lead for the EXCOM [Executive Committee], along with the Vice Chief of Naval Operations. The three-star SYSCOMs [System Commands] are involved, all the resource sponsors. It has the highest level of interest. With regards to the cloud, I align with the DOD CIO on that. Before we move any data out to the public cloud, we are going to go through the data and screen it very carefully to make sure that we are not putting things, data, in commercial cloud scenarios that we should not be putting it. We are going to proceed with due caution.
And to add on to General Nally, working, deploying in a degraded environment is key to Navy in the Western Pacific. We need to have the procedures in place to do that. And we are working those.

Mr. Cooper. Thank you, sir.

Mr. Wilson. Thank you, Congressman Cooper. We will now proceed to Congresswoman Elise Stefanik of New York.

Ms. Stefanik. Thank you, Mr. Chairman. And thank you to all of our witnesses for your testimony today. General Ferrell touched on this briefly, but I wanted to ask each of you to weigh in. In your view, what are the risks and vulnerabilities to our network campaign plans, network modernization efforts, should DOD be forced to execute funding levels at BCA funding levels?

Mr. Halvorsen. In the short term we will lose 2 to 3 years. And that really sums it up. We will fall 2 to 3 years behind. You have heard the specific numbers. There are specific numbers in testimony. Sequestration will delay the modernization 2 to 3 years. And that comes with all of the things you have heard today. If we don't do that we will be more vulnerable. We will maybe, using your definition, sir, of "CLOUD" if we don't get some modernization. We won't support the warfighters. They will be at risk.

Ms. Stefanik. And could you add on also what that means for the current threat assessment, how the threats have increased over the past 5 to 10 years?

Mr. Halvorsen. I can tell you that they have increased in this form over the last 3 to 5 years. They are certainly more capable. And that includes everything from your country state threats to terrorist groups that would be in the news today. Any slowdown in our modernization will make it easier for even less complicated or less sophisticated groups to interfere with our business. It will expand the number of threats we will have to face if we don't carry through with some of the modernization and some of the security changes we are making. And they will be delayed by sequestration.

Ms. Stefanik.
Would anyone else like to add?

General Bender. I will add just very briefly that I am relatively new in the position. But 5 months of discovery leaves me with a very strong impression that we are not going to harden or protect our networks to a completely safe, secure environment. It is nearly impossible because of the evolving nature of the threat. That said we need to have, and as the other services have already mentioned, the ability to fight through a determined adversary and find our way through it. And so risk management becomes really what is key and essential to our approach going forward.

Dr. Zangardi. As I mentioned in a previous question, modernization is fundamental to providing us security and the capability we need. Sequestration will hamper, slow by several years our ability to modernize our IT capability.

General Nally. Our biggest concern is people. So if we have to reduce funding and then the people that actually defend and protect the network, and we have to let those people go. That is our concern. And again, that gets back to my first priority. It is the people. If I don't have the right people to operate and defend the network, the network is worthless.

Ms. Stefanik. Thank you. I have one question on a separate topic. And this is for just my background and for everyone else on the committee. Can you give an assessment of where other countries are in terms of their investment in network modernization efforts? Are we behind? Are we losing our edge? I know that is a very broad question, but it is an important one.

Mr. Halvorsen. I don't think we are losing the total edge. Do I think that particularly if we get sequestration, which would not impact, say some larger countries in the world that we were all concerned with? They will gain. I mean that is a fact. I think right now we are in a good position in terms of the edge. But in IT that edge can disappear so very quickly.
And very candidly, this is public knowledge that the Chinese, the Russians, other groups are making investments in all of these areas. If we are not able to continue our plan we will lose some of that edge and they will gain capability.

Ms. Stefanik. Thank you very much, unless anyone has anything else to add. Thank you. I yield back.

Mr. Wilson. And thank you very much for your terrific questions. We appreciate that, and Mr. Langevin. At this time I would like to again thank each of our witnesses for being here today. I want to thank the subcommittee members for their participation. And then, of course, Kevin Gates has just been extraordinary sitting here quietly maintaining time. And for each of you, thank you for your service. It is so important for our country. We are now adjourned.

[Whereupon, at 5:12 p.m., the subcommittee was adjourned.]

APPENDIX

February 25, 2015

PREPARED STATEMENTS SUBMITTED FOR THE RECORD

DOCUMENTS SUBMITTED FOR THE RECORD

QUESTIONS SUBMITTED BY MEMBERS POST HEARING

QUESTIONS SUBMITTED BY MR. HUNTER

Mr. Hunter. Has the Department considered revising the Cloud Computing Services deviation to allow for more flexibility for mission owners and cloud service providers in obtaining a Provisional Authorization (PA) for a dedicated or private cloud service while going through a contracting motion?
As an example, a vendor may be awarded a contract, but PA is a contingent milestone of the contract award.

Mr. Halvorsen. The DFARS Class Deviation on Contracting for Cloud Services currently requires that a commercial cloud service provider be granted a DOD Provisional Authorization (PA) prior to contract award. The Department is considering modifications to the policies and procedures currently specified in the Class Deviation, including whether a PA should continue to be a prerequisite for contract award, as part of its deliberations regarding DFARS Case 2013-D018. That DFARS case is planned to supersede the Class Deviation, and the Department will be seeking public comment on the new DFARS coverage through the public rulemaking process.

Mr. Hunter. The DOD software inventory plan executed under section 937 of the FY National Defense Authorization Act included numerous exemptions, did not require an automated solution to compile the inventory, and it did not include an audit trail. These and other requirements are outlined in section 935 of the FY14 National Defense Authorization Act which your office is currently developing a plan to be submitted to Congress by the prescribed timeline of September 30, 2015. Please detail for the committee how your office is developing this plan, the input received from the services, and how your office is reaching out to industry to understand what automated capabilities exist and how this inventory can be performed to the satisfaction of both parties?

Mr. Halvorsen. The FY14 NDAA Section 935 planning effort is ongoing. Efforts to date have been directed towards developing a business case analysis (BCA) of alternative courses of action for an enterprise software inventory reporting process. The BCA outlines several alternatives with varying degrees of centralized software license management and reporting operations to determine the most appropriate approach for DOD.
As part of the BCA, the DOD Chief Information Officer (CIO) is analyzing two ongoing internal information technology (IT) management reporting efforts to determine the extent to which they could be leveraged to support the Section 935 software license reporting requirements. The DOD plan will build on these internal efforts to formulate a holistic approach for software license reporting. Once the appropriate software license reporting framework is selected, DOD CIO will develop a plan for a software license reporting process. The plan will be completed by the end of FY15.

The DOD CIO issued a memorandum in June 2014 directing the CIOs of the Military Departments and DISA (the Components) to designate action officers to support DOD planning efforts for the Section 935 requirements. Through joint bi-weekly meetings hosted by DOD CIO, the Components' action officers have been collaborating in the planning efforts and reviewing work products. The Components have been an integral part in identifying the overall strengths, weaknesses, opportunities, and threats for each of the alternatives being considered in the BCA. The joint team has reached out to industry by: 1) hosting commercial IT asset management (ITAM) and software license management vendors to present overviews and demonstrations of their product and service offerings; 2) meeting with corporate software license management teams to share lessons learned from their software asset management (SAM) implementations; and, 3) meeting with ITAM industry analysts to discuss DOD requirements and potential SAM implementation options. The DOD joint team has used industry benchmark data and lessons learned in support of its BCA alternatives. The DOD CIO and Component CIO representatives also meet with ITAM and other software providers through ongoing DOD Enterprise Software Initiative (DOD ESI) IT strategic sourcing operations.
The DOD joint team has shared lessons learned about Component-level implementations of ITAM processes and tools using commercial software products. The Components have also independently reached out to industry to assess alternatives for Component-level ITAM and SAM efforts.

Mr. Hunter. Please detail the Army's efforts to date on software inventory as prescribed by both section 935 of the FY13 National Defense Authorization Act and section 937 of the FY14 National Defense Authorization Act?

General Ferrell. The FY13 National Defense Authorization Act (NDAA), Section 937, required the Department of Defense (DOD) Chief Information Officer (CIO), in consultation with the CIOs of the Military Departments (MILDEP), to issue a plan for the inventory of selected software licenses, and to assess the need for the licenses. Under the auspices of the DOD CIO, all Services, Defense agencies and DOD Field Activities were directed to conduct an inventory of selected software licenses, including a comparison of software licenses purchased to licenses installed, and to submit a projection of the licenses needed over the following two years. The intent was to provide baseline information to enable economies of scale and cost savings in future procurement, use and optimization of the selected software licenses. Under the direction of the HQDA CIO/G-6, the Army assembled an integrated product team (IPT), with representation from all Army organizations and the Joint Commands for which Army is the executive agent, to conduct a selected software license inventory (SSLI). Meeting on a weekly basis, first with key stakeholders to develop the plan, and then with all appropriate organizations, the IPT provided oversight for conducting the SSLI audit. The audit used automated scanning and discovery tools where available, and a data call for networks or enclaves where automated tools were not readily available.
CIO/G-6 aggregated and rationalized the inventory reports and completed the analysis of selected software licenses purchased in comparison to software licenses installed. The SSLI effort included a projection of future need for these licenses over the following two-year period. The initial report was submitted to the DOD CIO on July 18, 2014; after providing some additional information and clarifications, the final report was submitted on August 28, 2014. The Army owned 250 of the 937 titles included in the selected software list. We estimate that the SSLI audit across the Army involved approximately 400 personnel and 10,000 hours over an eight-month period. FY14 NDAA Section 935 directed DOD to update the plan for the inventory of selected software licenses, to include: inventorying all software licenses utilized within DOD for which a military department spends more than $5 million annually on any individual title; a comparison of licenses purchased to licenses in use; and plans for implementing an automated solution capable of reporting software license compliance with a verified audit trail and verification by an independent third party. It also mandated the plan provide details of the process and business systems necessary to regularly perform reviews, and a procedure for validating and reporting the registration and deregistration of new software. The updated plan is due no later than September 30, 2015. In support of the FY14 NDAA, CIO/G-6 established a pilot project to test commercial software asset management (SAM) tools that will, ultimately, provide the Army the capability to manage software licenses across the enterprise. The SAM pilot is intended to test feasibility and scalability across Army networks, as well as commercial best practices and business processes for managing software utilization, entitlements and license compliance. Additionally, the Army CIO/G-6 continues to support the DOD CIO's Software License Management Tiger Team effort. 
This team is updating the plan developed per FY13 NDAA Section 937 and is on track to meet the 30 September deadline. The DOD effort has included a working group to determine potential solutions to satisfy DOD reporting requirements and a follow-on effort to determine the most practical and cost-effective solution for the DOD enterprise.

Mr. Hunter. Please detail the Army's efforts to date on software inventory as prescribed by both section 935 of the FY13 National Defense Authorization Act and section 937 of the FY14 National Defense Authorization Act?

General Bender. In 2013 the Air Force initiated network scans to determine the amount of DOD/CIO-selected software installed on Air Force-managed sections of the NIPR and SIPR networks. The Air Force is also presently performing research and analysis of existing data repository tools as an interim solution to consolidate, manage, and report current software inventory. Another interim solution is the leveraging of existing scanning tools such as Microsoft's Host-based Security System (HBSS) and Systems Center Configuration Manager (SCCM) to collect and analyze installed software applications until a permanent automated software license management solution is determined. In early and proactive efforts to identify a license management solution, the Air Force released a Request for Information (RFI) to industry requesting the identification of software solutions capable of addressing the Air Force's Information Technology Asset Management (ITAM) requirements. Solutions from 46 small and large businesses included the use of commercially available software with implementation options including leveraging current government personnel and processes, primarily contractor support, and some level of hybrid approach.
These options are presently under consideration; however, discussions with DOD/CIO and other military departments (MILDEP) have identified that there is not a singular solution to resolve the software license management task at hand. Regarding the DOD/CIO and other MILDEPs, the Air Force has actively participated in discussions and working groups in efforts to identify present software license management processes and tools as well as a joint solution. The Air Force has also been an active participant in the interagency agreement supporting the DOD Joint Enterprise License Agreement (JELA) effort and will continue to leverage the JELA process to determine software needs for the next two years. The Air Force will continue to aggressively identify, collect, and report software licenses in accordance with license agreements and congressional directives. Efforts and preparations are ongoing to meet both Section 937 of the National Defense Authorization Act (NDAA) for 2013 and Section 935 of the NDAA for 2014 as well as that of Section 1003 of the NDAA for 2010, Financial Improvement and Audit Readiness (FIAR). The Air Force is working toward a viable solution to not only meet the intent of the two NDAAs but to also establish an equitable solution for the future management of its entire ITAM program.

Mr. Hunter. Dr. Zangardi, please detail the Navy's efforts to date on software inventory as prescribed by both section 935 of the FY13 National Defense Authorization Act and section 937 of the FY14 National Defense Authorization Act.

Dr. Zangardi. The Department of the Navy (DON) is actively engaged in the Department of Defense Chief Information Officer (DOD CIO) Integrated Product Team (IPT) for Information Technology Asset Management (ITAM) created to address reporting requirements prescribed by Section 937 of the FY13 National Defense Authorization Act (NDAA) and revised by Section 935 of the FY14 NDAA.
The DON used available IT portfolio management tools and authoritative data sources to prepare the DON software license inventory and needs assessment submitted to the DOD CIO and will continue its support of the DOD CIO Joint IPT as it works to comply with the requirements of the Acts.

Mr. Hunter. Please detail the USMC's efforts to date on software inventory as prescribed by both section 935 of the FY13 National Defense Authorization Act and section 937 of the FY14 National Defense Authorization Act?

General Nally. The Marine Corps, in coordination with the Department of Defense (DOD), completed an inventory of all software that met the established criteria per Section 937 of National Defense Authorization Act (NDAA) 2013. The Marine Corps inventory has been submitted in accordance with the July 18, 2013 DOD Chief Information Officer memorandum, Subject: Department of Defense-wide Selected Software Licenses Inventory Plan. Marine Corps representatives are ongoing participants in the software license planning meetings established by the DOD Chief Information Officer in the May 30, 2014 memorandum, Subject: Establishing a Joint Software License Reporting Team for the Fiscal Year 2014 National Defense Authorization Act. The Marine Corps provides input for requirements and supports development of the DOD plan. The Marine Corps is developing an Information Technology Asset Management Module (ITAMM) and License Management Module (LMM) within its BMC Remedy environment to replace the legacy Virtual Procurement Management System (VPMS) customer software ordering tool. With the sunsetting of VPMS in FY16, ITAMM and LMM will enable the Marine Corps to identify what software is purchased and in conjunction with approved network software discovery tools, track what software is in use on the Marine Corps Enterprise Network (MCEN) in order to identify discrepancies for remediation.
All requests to procure software products are processed through the Marine Corps Information Technology Procurement Review and Approval System (ITPRAS) and require registration in the DON Application and Database Management repository prior to final approval by Marine Corps Director C4/Deputy DON Chief Information Officer (CIO) (Marine Corps). Software is captured in the appropriate functional area portfolio and Functional Area Managers retain responsibility to regularly perform reviews of and validate and report on their portfolios to the Director C4/DDCIO-MC. The Marine Corps continues to work with the DOD and DON CIO Integrated Product Team (IPT) for Information Technology Asset Management (ITAM) created to address reporting requirements prescribed by Section 937 of the FY13 NDAA and revised by Section 935 of the FY14 NDAA.