[Senate Hearing 115-837]
[From the U.S. Government Publishing Office]





                                                        S. Hrg. 115-837
 
                   JOINT HEARING TO RECEIVE TESTIMONY
                   ON THE CYBER OPERATIONAL READINESS 
                   OF THE DEPARTMENT OF DEFENSE (OPEN SESSION)
           

=======================================================================

                                HEARING

                               before the

                            SUBCOMMITTEE ON
                             CYBERSECURITY

                                and the

                            SUBCOMMITTEE ON
                               PERSONNEL

                                 of the

                      COMMITTEE ON ARMED SERVICES
                          UNITED STATES SENATE

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                               __________

                           SEPTEMBER 26, 2018

                               __________

         Printed for the use of the Committee on Armed Services
         
         
         


                 Available via http://www.govinfo.gov/
                 
                 
                            ______                      


                U.S. GOVERNMENT PUBLISHING OFFICE 
 40-883 PDF              WASHINGTON : 2020                 
                 
                 


                      COMMITTEE ON ARMED SERVICES
                      

    JAMES M. INHOFE, Oklahoma,      JACK REED, Rhode Island
             Chairman               BILL NELSON, Florida
ROGER F. WICKER, Mississippi        CLAIRE McCASKILL, Missouri
DEB FISCHER, Nebraska               JEANNE SHAHEEN, New Hampshire
TOM COTTON, Arkansas                KIRSTEN E. GILLIBRAND, New York
MIKE ROUNDS, South Dakota           RICHARD BLUMENTHAL, Connecticut
JONI ERNST, Iowa                    JOE DONNELLY, Indiana
THOM TILLIS, North Carolina         MAZIE K. HIRONO, Hawaii
DAN SULLIVAN, Alaska                TIM KAINE, Virginia
DAVID PERDUE, Georgia               ANGUS S. KING, JR., Maine
TED CRUZ, Texas                     MARTIN HEINRICH, New Mexico
LINDSEY GRAHAM, South Carolina      ELIZABETH WARREN, Massachusetts
BEN SASSE, Nebraska                 GARY C. PETERS, Michigan
TIM SCOTT, South Carolina
JON KYL, Arizona                     
                                     
               Christian D. Brose, Staff Director
               Elizabeth L. King, Minority Staff Director
                                     
 


                     Subcommittee on Cybersecurity

    MIKE ROUNDS, South Dakota,      BILL NELSON, Florida
             Chairman               CLAIRE McCASKILL, Missouri
DEB FISCHER, Nebraska               KIRSTEN E. GILLIBRAND, New York
DAVID PERDUE, Georgia               RICHARD BLUMENTHAL, Connecticut
LINDSEY GRAHAM, South Carolina
BEN SASSE, Nebraska                  
                                     
                                     
                                     

                       Subcommittee on Personnel

   THOM TILLIS, North Carolina,    KIRSTEN E. GILLIBRAND, New York
             Chairman              CLAIRE McCASKILL, Missouri
JONI ERNST, Iowa                   ELIZABETH WARREN, Massachusetts
LINDSEY GRAHAM, South Carolina
BEN SASSE, Nebraska                  
                                     
                                     


  


                             C O N T E N T S


                           September 26, 2018

Joint Hearing to Receive Testimony on the Cyber Operational
  Readiness of the Department of Defense (Open Session).

Crall, Brigadier General Dennis A., USMC, Principal Deputy Cyber
  Advisor and Senior Military Advisor for Cyber Policy.
Miller, Essye B., Principal Deputy, Department of Defense Chief
  Information Officer.
Stewart, Lieutenant General Vincent R., USMC, Deputy Commander,
  United States Cyber Command.
Fogarty, Lieutenant General Stephen G., USA, Commander, U.S. Army
  Cyber Command.

Questions for the Record.



                   JOINT HEARING TO RECEIVE TESTIMONY



 ON THE CYBER OPERATIONAL READINESS OF THE DEPARTMENT OF DEFENSE (OPEN 
                                SESSION)

                              ----------                              


                     WEDNESDAY, SEPTEMBER 26, 2018

                  United States Senate,    
                      Subcommittee on Cybersecurity
                             and Subcommittee on Personnel,
                               Committee on Armed Services,
                                                    Washington, DC.
    The Subcommittees met, pursuant to notice, at 2:43 p.m. in 
Room SD-106, Dirksen Senate Office Building, Senator Mike 
Rounds (Chairman of the Subcommittee on Cybersecurity) and 
Senator Thom Tillis (Chairman of the Subcommittee on 
Personnel).
    Members present: Senators Rounds and Tillis, presiding, 
Wicker, Fischer, Nelson, Gillibrand, McCaskill, and Warren.

            OPENING STATEMENT OF SENATOR MIKE ROUNDS

    Senator Rounds. The Cybersecurity and Personnel 
Subcommittees meet this afternoon to receive testimony on the 
cyber operational readiness of the Department of Defense.
    Our witnesses are Brigadier General Dennis Crall, Principal 
Deputy Cyber Advisor and Senior Military Advisor for Cyber 
Policy; Ms. Essye Miller, Principal Deputy, Department of 
Defense Chief Information Officer; Lieutenant General Stephen 
Fogarty, Commander, U.S. Army Cyber Command; and Lieutenant 
General Vincent Stewart, Deputy Commander, United States Cyber 
Command.
    Welcome.
    This hearing will commence in open session in which 
Senators Tillis, Nelson, and Gillibrand will all make a few 
opening remarks. At the conclusion of Senator Gillibrand's 
comments, we will ask our witnesses to make their opening 
remarks. After that, we will all have our round of questions 
and answers. We will then transition to SVC-217, the Office of 
Senate Security, and recommence in closed session. Each of the 
witnesses may provide additional context and testimony that 
they were not able to provide in an open setting, and we will 
then close with another round of Q&A. I encourage members and 
staff to stay through the closed session, given the gravity of 
the topic at hand.
    The administration recently issued a new policy document, 
known as National Security Presidential Memorandum 13. The new 
policy entailed by NSPM-13 replaces that of PPD, or 
Presidential Policy Directive, 20, which virtually paralyzed 
the conduct of offensive operations by U.S. Cyber Command 
outside of armed conflict. I look forward to a Department of 
Defense briefing on the new policy in the near future. I am 
hopeful this new policy will enable the Department of Defense 
to act more nimbly and effectively to counter and deter our 
adversaries' ongoing cyberattacks on the United States, attacks 
conducted with virtual impunity.
    However, no such policy, however well crafted, will succeed 
unless U.S. Cyber Command develops and maintains the high level 
of cyber operational readiness required to implement it.
    With the elevation of Cyber Command to status as fully 
unified command and the Cyber Mission Force's achieving full 
operational capability in May, the Department's cyber forces 
appear to have moved beyond adolescence. It is now vital that 
the current capability and operational readiness of the Command 
fulfill the requirements entailed by these designations. I 
invited Senator Tillis and Senator Gillibrand, along with the 
remainder of the Personnel Subcommittee, because these 
shortfalls are not limited to traditional readiness measures of 
equipment and training. Indeed, a great deal of the 
Department's cyber readiness issues revolve around the shortage 
of skilled cyber-capable personnel. These shortfalls will only 
be aggravated if the Cyber Mission Force needs to be expanded 
in the future. I am concerned that the current recruitment, 
pay, retention, and career pathway structures in place are not 
equipped to manage this problem. I am, thus, eager to hear the 
service or tactical-level perspective from General Fogarty, the 
operational Cyber Command's perspective from General Stewart, 
the more strategic and governance perspective from General 
Crall in OSD [Office of the Secretary of Defense], and the CIO 
[Chief Information Officer] and civilian personnel perspective 
from Ms. Miller. I am also eager to explore the Department's 
plans to correct these shortfalls with the Senators of the 
Personnel Subcommittee today. I am grateful to have their 
expertise at this table.
    An ongoing concern of the subcommittee, which I am sure the 
Department shares, is that we preempt a hollow cyber force and 
that we have a cyber force that is adequately staffed and 
equipped and has the necessary tools, targeting capability, and 
development capability to respond to operational needs. In 
particular, Cyber Command needs the indigenous capability, 
without over-reliance on NSA [National Security Agency], to 
surveil adversary networks for zero-day vulnerabilities, 
produce malware to exploit these vulnerabilities, and implant 
this malware within a reasonable and realistic timeline. Such 
capabilities are necessary, not only for its own DODIN 
[Department of Defense Information Network] defense and 
national missions, but also for those conducted in support of 
the combatant commands. I am eager to hear about CYBERCOM's 
[Cyber Command] current capability and activity to assist 
EUCOM's [European Command], PACOM's [Pacific Command], and 
CENTCOM's [Central Command] operations.
    Each of our witnesses has an important role to play in 
this space. General Stewart, as Deputy Commander of the Cyber 
Command, is most directly responsible for the readiness of 
Cyber Mission Force. General Crall's role in defining DOD 
[Department of Defense] cyber policy shapes, and is shaped by, 
the capabilities offered by the Cyber Mission Force. General 
Fogarty, as Commander of the Army Cyber Command, is the 
executive agent for the persistent cyber training environment 
and must man, train, and equip the Army's cyber teams. Ms. 
Miller and the CIO's office generally retain responsibility for 
the cyber infrastructure, including that on which the Cyber 
Mission Force will fight and test their malware across the 
Department.
    I will close by thanking our witnesses for their service 
and for their willingness to appear today before the 
subcommittee.
    Senator Tillis.

                STATEMENT OF SENATOR THOM TILLIS

    Senator Tillis. Thank you, Mr. Chairman.
    I'm glad our two committees were able to put together this 
joint hearing. I think it represents an opportunity to examine 
an important topic, but also to share information that's 
instructive to our independent roles on committees. We should 
do more of them.
    Success in the cyber domain is uniquely reliant on highly 
qualified personnel. Where aircraft carriers, stealth 
technology, and smart weapons have given the United States a 
discernible advantage in traditional warfighting domains, the 
U.S. military doesn't have similar technological edges when it 
comes to cyberspace. Rather, we must rely on intelligence, 
creativity, and cunning of our people if we are to be 
successful in this rapidly changing environment. Since 
operating in cyberspace is so heavily dependent on access to 
talented people, we look forward to asking questions on the 
proper cyber workforce mix, the status of Cyber-Excepted 
Service, and the larger personnel management issues within the 
Cyber Mission Force.
    I thank all of the witnesses for your willingness to be here 
today, and I look forward to the following questions.
    Senator Rounds. Senator Nelson.

                STATEMENT OF SENATOR BILL NELSON

    Senator Nelson. In the interest of time, the questions I'll 
be asking are: "Are the forces the right size? Are they 
getting the right training? Are they a good match for their 
mission? Do they have the tools and infrastructure they need? 
Are we recruiting the right people? How are we retaining them 
and managing their careers?"
    Thanks.
    Senator Rounds. Senator Gillibrand.
    Senator Gillibrand. Thank you. I look forward to your 
statements.
    Senator Rounds. At this time, I would ask--Ms. Miller, 
would you like to begin, or did you have a planned sequence that 
you would like to deliver these remarks today?
    Ms. Miller. Mr. Chairman, if you don't mind, we do have a 
planned sequence.
    Senator Rounds. Okay.
    Ms. Miller. We'll start with General Crall.
    Senator Rounds. Very good.
    General Crall, begin.
    Thank you.

STATEMENT OF BRIGADIER GENERAL DENNIS A. CRALL, USMC, PRINCIPAL 
  DEPUTY CYBER ADVISOR AND SENIOR MILITARY ADVISOR FOR CYBER 
                             POLICY

    Brigadier General Crall. I think the sequence should start 
with the junior person, so I'll certainly oblige, sir.
    First, I'd like to thank the committee members for a couple 
of things. One, for my invite to talk about a matter that's 
clearly important to the Department and the Nation, but also 
your continued interest and investment in improving these 
things that we're about to discuss today. So, I certainly thank 
you for that.
    In your openings, it's very clear that we all understand 
the challenges we have. We keep talking about competitive 
spaces in cyberspace, particularly in how we're going to see 
information contested in our current and future wars that we 
fight. But, we also have an interesting dynamic, as you've 
pointed out. We have competition in the recruitment, retention, 
the training aspect, and development of the cyber workforce. We 
understand that, in our competition, if you look at it that 
way--these are really partnerships, but, when it comes down to 
resources, each of these communities handles these differently, 
and they all have their own unique allures. For private 
industry, we know that it's difficult to match some of the 
compensation packages. It's also difficult to match the speed 
with which they hire and onboard and start individuals and 
clear them for some very sensitive projects. On the military or 
the civilian side for the Department of Defense, we have our 
own allures, as well: service to the Nation, the ability to 
perform very unique mission sets you can't do anywhere else, 
and also the exposure to a wide array of technology that really 
pulls individuals in. So, we need to understand that, and 
understand it well.
    So, what I'd like to do is cover a couple items very 
briefly in my opening, and that is to really set the stage for 
how we--enhancements that we're looking at on how we recruit, 
how we keep the folks that we recruit, and how we develop or 
train them. On the closed session, I'd like to use some of that 
time to talk about the governance structure, as it is 
classified, tied to our recently published Cybersecurity 
Strategy, and going into some of those details requires that 
setting.
    So, to really get to the meat of what I will present today 
is in the Cyber-Excepted Service. These are authorities and 
funding that Congress gave the Department back in fiscal year 
2016, and the rollout of that started in 2017. A couple of 
these incentives are already in place. I'll cover a couple of 
them, with a few that are being onboarded here really starting 
in the next 30 days, the first of which is this idea of moving 
between competitive service and noncompetitive service. The 
idea of how we take title 5 and title 10, blend them together, 
and move individuals and attract them to the Cyber-Excepted 
Service without penalty or loss of grade or seniority. 
Certainly an attractant. The other is the idea of building 
qualifications and advancements based on competencies, where 
you can be rewarded, compensated, and advanced because of the 
unique training that you have. Finally, increased pay scale. We 
know that the general service or competitive pay scales stop at 
the pay band of 10, where the Cyber-Excepted Service, we've 
expanded that to include pay bands 11 and 12, which offers a 
little more flexibility for that professional worker who would 
have no other place to go or no other incentive to offer. Those 
are in place today, albeit in a modest fashion. I'll explain 
the numbers in a minute. But, they are in play.
    What we're proposing are a few other items that will, 
again, start, here, hopefully in the next few months. One of 
them is the idea of a targeted market compensation. We know 
that it's difficult to recruit competent quality that we're 
looking for in every part of the country. In some cases, it's 
due to high-demand, low-density assets. There's just really a 
strict competition. In other places, they just don't exist, writ 
large, where we need them. So, that targeted compensation 
package will allow us to apply that particular solution to that 
target set.
    We also are looking at the idea of retention bonuses. 
Current pay caps prevented us from applying these, meaning they 
were available, but they couldn't be used in other 
combinations. You've given us the authority to move out, where 
it makes sense, to apply them, again, to our most gifted 
workforce.
    Finally, the piece the Department has to solve is its long 
security clearance process. We certainly don't want to 
compromise the end result. We want to ensure that we understand 
who we're employing. But, we certainly recognize that we've got 
to cut down the timeframe. You've asked us to do that. We're--
certainly have ways and means in front of us to do just that.
    From the total-force side that we're looking at, we're 
looking at the development and training aspects of this, 
enterprise and joint training standards. We're just finishing a 
coding initiative so that we can understand what a Military 
Occupational Specialty means in language to a civilian hire 
that we have. Right now, we--every service uses different 
descriptions. It's difficult to understand how to move an 
individual from one spot to another. When you're trading spaces 
and looking at benefits of training, manpower reallocation, and 
rightsizing the force, you have to start with a common lexicon. 
That coding effort is largely complete. Goes a long way to 
making sure that we can develop.
    Also, finally, I would say, putting on a career path. What 
right looks like in a workforce management to ensure that we 
don't pyramid out; where we have a lot of competent people that 
are stuck in certain places, but we have either the rotation 
that they need to go to to continue those skillsets or the 
advancement opportunities there in front of them. More work to 
do on that front. Definitely not there yet, but certainly 
putting brainpower to that.
    On the military side, I'd let the generals on the panel 
discuss the efficiency of some of the things that they're 
working on, but direct commissioning, we've been given the 
authority to increase both our rates and the levels in which we 
do that, very similar to the way that we onboard doctors, 
lawyers, and chaplains, bringing in those specialists at higher 
grades initially. Also, the constructive credit, how we can 
take people who are coming from the workforce and actually give 
them the credit due for the job skills they've had previously, 
whether that be in the service or in private industry. So, 
those two are available for our military side, as well.
    Looking at how we phase these, phase 1 was a very modest 
rollout. We had roughly 363, I believe, slots that we created 
in Cyber-Excepted Service, and we targeted U.S. Cyber Command 
with that initiative to begin with. Almost 70 percent of those 
billets were filled in relatively short order, which means I 
think we've got part of the cocktail correct, that the recipe 
may be right. That's only with half the enhancement packages 
onboard. But, given the size of our workforce, that's a very 
small number. Starting this year, we've--we're going to expand 
that to about 8300 slots, and we're going to target a few 
others--DISA [Defense Information Systems Agency] and the 
service cyber components--again, rolling out the full package 
to see if we can get that mix right.
    Some areas that I would tell the committee that I believe 
we need to improve, and in full transparency, we need to 
understand our market better. I think we use too much anecdotal 
evidence and experience to describe what attracts people and 
why people leave. While I would say that most of it sounds 
right, and we do have a few studies that look at it, from, you 
know, doing a couple of recruiting tours, market analysis is 
key, and we've got to make sure we're dialed in and we're not 
focusing on a goal that's maybe a year or two old.
    We may need to take a look at how we recruit. I think our 
message is slow to get out. Not everyone knows what our message 
is. On the military side, I would say the campaign is a little 
easier, far stronger, and we find that our audiences are more 
informed. Very few understand what we offer in the Federal 
Government side that would be an attractant, as well. We've got 
to do better there.
    I attended a ribbon-cutting ceremony with Senator Nelson a 
few years back at the Cyber Center in Tampa, sir. In both your 
public remarks and remarks to me privately, you stressed the 
importance of internships and making sure that we stay 
connected to academia, that we can build the kind of force we 
need if they come out of the schoolhouse equipped and right-set 
for us to put them to work. Neat environment in Tampa, with 
U.S. Central Command and Special Ops Command right there. I'll 
tell you, I think our efforts are still too modest. I don't 
think we've come close to leveraging that requirement and that 
opportunity. Our intelligence community does that well. They 
groom very early. They have recruiters at the universities. 
They teach classes, they stay very connected to that workforce, 
and we could learn something from that. So, we have the means. 
They're in front of us. We've got to execute better to get 
after that. We're a bit slow.
    Lastly, I would say we need to ensure that we have a solid 
baseline and assessment mechanism so, when we come back here 
and talk to you about what's working and what's not working and 
how we've spent money, we can do so with the right kind of 
accountability. We've got to be careful with all these 
incentives--and you've charged us to be careful with those--to 
ensure we just don't simply throw money at a problem without 
making sure that these are targeted, and they're targeted very 
specifically, and the outcomes are examined so we can keep that 
machine refined and moving in the right direction.
    So, hopefully, with an opener, I'll leave it at that, and 
either take questions or pass it on for opening.
    Thank you.
    [The prepared statement of General Crall follows:]

    [Deleted.]

    Senator Rounds. Thank you.
    Who would you like to have move next?
    Ms. Miller. Well, Mr. Chairman, had I known General Crall 
would cover the world----
    [Laughter.]
    Senator Rounds. Okay.
    Well, that's okay, because what we're going to do is, we'll 
take all of your full remarks for the record, but then I'd ask 
that each of you limit your opening remarks to about 5 minutes, 
and we'll kind of move from there.


 STATEMENT OF ESSYE B. MILLER, PRINCIPAL DEPUTY, DEPARTMENT OF 
               DEFENSE CHIEF INFORMATION OFFICER

    Ms. Miller. So----
    Senator Rounds. Ms. Miller, would you like to go next?
    Ms. Miller. So, given that General Crall----
    Senator Rounds. Very good.
    Ms. Miller.--has done a great job of laying out where we 
are with policy and governance and how we are looking at the 
environment, writ large--and I'd like to just add that the 
Department does face workforce challenges that we need to 
address--most of the job losses that we've seen here over the 
last year or so total about 4,000 civilian cyber-related 
personnel losses. We're going to have to, to his point, work 
the recruiting piece of this such that we are postured and we 
know what that industry should look like, what the objectives 
and the outcomes of those hiring positions should be, and how 
we manage the force, in terms of career paths. But, keep in 
mind, too, this is--encompasses more than your traditional IT 
[information technology] intel role. It also includes some of our 
health occupations, criminal investigation, and other 
occupational series that we need to keep in mind such that we 
take a holistic approach to how we execute the mission with our 
cyber forces and drive effect and outcome.
    So, with that, sir, I look forward to your questions. I 
really appreciate the opportunity to have this discussion with 
you today.
    [The prepared statement of Ms. Miller follows:]

                 Prepared Statement by Essye B. Miller
                              introduction
    Good afternoon Mr. Chairman, Ranking Member, and distinguished 
Members of both Subcommittees. Thank you for this opportunity to 
testify before the Subcommittees today on the cyber operational 
readiness of the Department of Defense. I am Essye B. Miller, 
Department of Defense (DOD) Principal Deputy Chief Information Officer 
(PDCIO). I am the principal deputy advisor to the Secretary of Defense 
for information management, Information Technology (IT), cybersecurity, 
communications, positioning, navigation, and timing (PNT), spectrum 
management, and senior leadership and nuclear command, control, and 
communications (NC3) matters. These latter responsibilities are clearly 
unique to the DOD, and my imperative, on behalf of the DOD CIO in 
managing this broad and diverse set of functions, is to ensure that the 
Department has the information and communications technology 
capabilities needed to support the broad set of Department missions. 
This includes supporting our deployed forces, cyber mission forces, as 
well as those providing mission and business support functions. I would 
like to provide you with an overview of the current state of the 
Department's cyber workforce policies and programs, as well as provide 
you with an update on the Department's implementation of the Cyber 
Excepted Service (CES) Personnel System.
             department of defense cyber workforce overview
    The DOD cyber workforce is currently comprised of four workforce 
categories. The Office of the DOD CIO is responsible for the policy 
oversight of two categories, Cyber (IT) and Cybersecurity. The 
Principal Cyber Advisor (PCA) leads the Cyber Effects category, while 
the Under Secretary of Defense for Intelligence (USD(I)) is responsible 
for the Intelligence (Cyber) category. Together, the DOD CIO, PCA, and 
the Under Secretary of Defense for Personnel and Readiness (USD(P&R)) 
tri-chair a Cyber Workforce Management Board that works with 
USCYBERCOM, the Military Departments, Joint Staff, OUSD(I), and other 
select DOD Components to provide oversight over the management of the 
DOD civilian and military cyber workforce. Additionally, the Office of 
the DOD CIO also acts as the Functional Community Manager for 18 
civilian occupational series, composed of approximately 52,000 
individuals, working with USD (P&R) and the DOD Components to sustain 
the health and capabilities of each occupation.
    Over the past several months, DOD Components have been coding 
civilian cyber positions, per the Federal Cybersecurity Workforce 
Assessment Act. In addition to the typical or traditional cyber 
occupations, DOD also has some individuals performing cyber 
responsibilities in acquisition and engineering, financial management, 
health care occupations, as well as criminal investigation and physical 
security.
    The Department does face some cyber workforce challenges. DOD has 
seen over 4,000 civilian cyber-related personnel losses across our 
enterprise each year that we seek to replace due to normal job 
turnover. Most of these job losses fall within the IT Management and 
Computer Science occupations, but we also have cyber professionals 
within key engineering occupations such as Electronics Engineering and 
Computer Engineering. We need individuals across a wide variety of 
cyber work roles, including: software developers and secure software 
assessors, system administrators and network operations specialists, 
data analysts, systems security analysts, and system test and 
evaluators. Specific to the Cyber Mission Forces, their personnel needs 
center on planning, coding, forensics, malware, data science, 
linguists, and cybersecurity professionals.
    Congress has been a strong partner in this area. Specifically, 
through a number of key pieces of legislation, Congress has enabled: 
the startup of a new personnel management system for cyber, the Cyber 
Excepted Service; Direct Hire Authority and Advanced-In-Hire Authority 
for Cyber Workforce positions; other compensation flexibilities; new 
term appointment authority; and funding for the DOD Cyber Scholarship 
Program. Each has aided the Department in establishing and maintaining 
the readiness of our cyber warriors.
    We also work closely with other federal stakeholders, through the 
Federal CIO Council and the National Initiative for Cybersecurity 
Education (NICE). We share the same concerns on the challenges to find 
highly qualified job candidates and retain cyber professionals in a 
hyper competitive job market. Enhanced management practices, such as 
the implementation of the National Cybersecurity Workforce Framework, 
will provide greater capabilities to identify personnel requirements 
and target effective solutions.
             cyber excepted service (ces) personnel system
    The Cyber Excepted Service is an enterprise-wide approach for 
managing civilian cyber professionals across the Department. By 
fostering a culture based upon mission requirements and employee 
capabilities, Cyber Excepted Service will enhance the effectiveness of 
the Department's cyber defensive and offensive mission. This personnel 
system will provide DOD with the needed agility and flexibility for the 
recruitment, retention and development of high quality cyber 
professionals. Specifically, the CES will help DOD to streamline its 
hiring procedures to quickly fill vacant mission-critical cyber 
positions across the Enterprise. CES lets DOD Hiring Managers recruit 
candidates from any source and offer more competitive market-based 
compensation packages.
    The Office of the DOD CIO has successfully designed, developed, and 
implemented the new personnel system for U.S. Cyber Command, Joint 
Force Headquarters DOD Information Networks, and the Deputy CIO for 
Cybersecurity. To date, 403 positions have been converted to the CES. 
We are currently partnering with the DOD Components to begin 
implementing CES for 8,305 positions across the Defense Information 
Systems Agency and the Service Cyber Components.
                               conclusion
    DOD recognizes the importance of growing and maintaining the cyber 
workforce. The recent authorities provided by Congress have allowed the 
Department to adjust existing personnel policies and to implement new 
policies that account for this dynamic need in an increasingly 
important mission area. The Department appreciates the support of both 
Subcommittees on this important matter. Thank you for the opportunity 
to testify today and I look forward to your questions.

    Senator Rounds. Thank you.
    General Stewart.

   STATEMENT OF LIEUTENANT GENERAL VINCENT R. STEWART, USMC, 
         DEPUTY COMMANDER, UNITED STATES CYBER COMMAND

    Lieutenant General Stewart. Yeah. Mr. Chairman, Ranking 
Members, members of the committee, first of all, thanks for the 
opportunity to do this. I think the support that we've gotten--
that we've received from the committee that's driven us to 
think about the policy, think about the strategy, think about 
the readiness of the force, has pushed us in the right 
direction. So, I thank you for the opportunity to be here.
    But, more than that, I thank you for the opportunity to be 
able to speak about the men and women who make up this cyber 
force, extraordinary men and women who today are on mission 
against a threat that's operating--that's pervasive in this 
space. I look forward to the opportunity to talk about that, 
and I certainly look forward to the opportunity to discuss that 
in closed session.
    Among the things that we've learned over the last year or 
so is that success in cyberspace requires--in fact, it 
demands--persistent engagement, it demands persistent presence, 
and it demands a persistent innovative spirit. Failure to do 
that means that we will never compete against near-peer 
competitors in this space. So, we're thinking our way now 
through how we move from growing this force to how we 
persistently engage, persistently have presence and we innovate 
in this space.
    We have shifted from building out those teams to how we 
build a force that is operationally relevant and is able to 
deliver outcomes, as necessary, from the Chairman--from the 
national authorities, all the way through the Chairman.
    We've shifted a little bit from building capacity--we think 
about just personnel and their training readiness--to the 
capabilities. Those capabilities requirements speak to our 
necessity for the right tools or the munitions that we need in 
order to be successful in this space, the access that we need, 
the authorities we need, the infrastructure we need, and the 
intelligence necessary to support operation of a relevant 
force.
    So, we're now melding--in order to get a better sense of 
readiness, we're melding both capability and capacity against 
the problem sets that we've been assigned. So, as we look 
forward, we realize that the future requires us to be 
continually engaged in order to compete in cyberspace. We're 
building a combatant command that will be postured for success. 
We couldn't have built that without--or accomplished what we 
have for this Nation without your dedicated support that we 
receive from the committee. The language you included in the 
Fiscal Year 2019 NDAA [National Defense Authorization Act] was 
especially helpful, and we thank you for your continued 
advocacy and support, and we look forward to your questions.
    [The prepared statement of General Stewart follows:]

      Prepared Statement by Lieutenant General Vincent R. Stewart
        u.s. cyber command (uscybercom) statement for the record
    USCYBERCOM's mission is to direct, synchronize, and coordinate 
cyberspace planning and operations to defend and advance national 
security interests in collaboration with domestic and international 
partners. Success in cyberspace requires persistent engagement, 
persistent presence, and persistent innovation. To support the Nation's 
priorities as a combatant command, USCYBERCOM's focus has shifted from 
building a cyber force to focusing on readiness, partnerships and 
building the ethos of a new Command.
    USCYBERCOM is diligently working to build a more robust fighting 
force for the future. We are embracing innovative ways to develop and 
strengthen our workforce. If we are to maintain our strategic advantage 
in cyberspace, we must invest heavily in the talent of our people and 
the resources they need.
    USCYBERCOM is acutely aware of the challenges that result from 
being in persistent contact with the adversary in cyberspace. Our 
adversaries continue to adapt and evolve . . . so must we.
                         operational readiness
    One component of our evolution is our approach to measuring 
readiness. As a command, we have evolved from a model focused on 
building a force to a model that ensures the sustained readiness of the 
force we've built. Early in our development as a combatant command, we 
measured readiness based on number of people and the status of their 
training. Now that we have matured, previously used readiness metrics 
are not sufficient to provide a holistic readiness picture. The 
sustained readiness approach we are developing merges capability 
metrics with capacity metrics to provide a more complete readiness 
picture. In other words, our new approach assesses readiness in terms 
of both ``capacity'' (people and training), as well as ``capability'' 
(tools, access, authorities, infrastructure, and intelligence).
                               workforce
    As a trailblazer for DOD's Cyber Excepted Service (CES) personnel 
system, USCYBERCOM is using new, fast and flexible hiring authorities 
to tackle civilian vacancies and recruit talent necessary to build our 
Combatant Command. Outside the confines of the traditional DOD hiring 
process, USCYBERCOM is pushing past the norms of laborious, slow hiring 
by actively recruiting talent through job fairs and hiring events where 
our teams screen resumes and conduct on-site interviews leading to the 
best candidates receiving intent-to-hire job offers.
    For our military workforce, like the other Combatant Commands, 
USCYBERCOM relies on the Services to recruit and retain the talent we 
need to deliver joint force objectives for the Nation. We applaud the 
diligent efforts of the Services to organize, train and equip cyber 
operations forces, including fully leveraging recruitment and retention 
incentives and creating talent management programs that grow a robust 
cyber workforce.
                               conclusion
    Whether civilian or military, the men and women of USCYBERCOM are 
committed to being part of something bigger than themselves. Our men 
and women want to make a difference for this Nation, and they do--
every day.
    USCYBERCOM is a learning organization continuing to innovate and 
adapt as we posture our force for success in the cyberspace domain. 
With the sustained support of Congress, USCYBERCOM will build upon our 
momentum and continue to defend and advance our Nation's national 
security interests in cyberspace.

    Senator Rounds. Thank you, General.
    General Fogarty.

   STATEMENT OF LIEUTENANT GENERAL STEPHEN G. FOGARTY, USA, 
               COMMANDER, U.S. ARMY CYBER COMMAND

    Lieutenant General Fogarty. Chairman Rounds, Chairman 
Tillis, Ranking Members, and members of the subcommittee, I 
want to thank you for the support, from both committees, which 
is vitally important to Army Cyber Command's continued progress 
and the critical missions of our dedicated and talented 
soldiers, Army civilians, contractors, and Reserve and Army 
National Guardsmen carry out every day on behalf of the Army 
and the Nation.
    The Army's philosophy for training is to train as you 
fight. For the Army's teams within the DOD Cyber Mission Force, 
training to a joint standard is predicated on a culture of 
adaptive learning for operations and form, training at every 
level. A ``train as you fight'' philosophy in cyberspace also 
depends on employing realistic, dynamic, and complex range 
environments against simulated peer and near-peer adaptive 
adversaries. Cyber Mission Force training must be tough, 
realistic, relevant, and holistic, just like it is for the rest 
of our forces. With the achievement of full operational 
capabilities for the Army's CMF [Cyber Mission Force] last 
year, the Army and joint forces are shifting focus to measuring 
and sustaining CMF readiness. While achieving full operational 
capabilities of these teams was an important milestone, it is 
certainly not an end state and doesn't tell the complex story 
of the Army and joint force's overall readiness to fight and 
win.
    Readiness is a combination of the CMF's ability to conduct 
cyberspace operations, reflects a team's ability to plan, 
develop access, report, and maneuver in cyberspace, hold 
targets at risk, and deliver capabilities based on assigned 
missions. This is the standard we use for operations, and it 
must be the standard we use for training. This includes a focus 
on nonstandard access methodologies, title 10 operator 
training, and integration with mission partners to improve 
mission readiness. Again, training as we fight.
    Army Cyber Command's mission success rests on our people. 
We must recruit, retain, and reward the most talented people. 
As such, we put tremendous focus on talent management. Thanks 
to your support, Army talent management initiatives continue to 
show increased results in civilian hiring and military 
recruiting. But, we do have a challenge with retaining the core 
skills that we need. We have a superb recruitment pool that we 
draw from. I think the training is outstanding. They get on the 
mission. But, our challenge, as the other witnesses have 
already mentioned, is the compensation to keep that trained 
force. You know, the average interactive online operator, it 
takes about 2 and a half years of training to be able to 
conduct operations. In a 6-year enlistment, you get about 3, 
maybe 3 1/2 years of useful work out of that individual. So, 
it's absolutely critical that we roll out, really, the 
incentives we need to maintain that force.
    Now, readiness of the total force requires that our 
investment in cyber ensure that Active and Reserve and Guard 
forces are trained and equipped to one standard. We also 
continue to make progress toward fully integrating the Army's 
Reserve and National Guard into the Cyber Mission Force. We're 
already benefiting from the critical skills the Reserve 
component brings to bear and look forward to their full 
integration.
    The Reserve component is approved to build and maintain 21 
Cyber Protection Teams, 11 in the Army National Guard and 10 in 
the U.S. Army Reserve. One Army National Guard and two Army 
Reserve CPTs [Cyber Protection Teams] have already achieved 
initial operational capabilities. The Army National Guard is 
scheduled to have all 11 CPTs at full operational capability by 
fiscal year 2022. In the Army Reserves, 10 CPTs will be fully 
operational-capable by fiscal year 2024, trained and equipped 
to the same standards as the Active component. I'll discuss PCT 
[Persistent Cyber Training] at detail to answer your questions.
    One of the things I did want to highlight is, my command is 
getting ready to move from Fort Belvoir down to Fort Gordon, 
Georgia. We'll do that in about 18 months. That is a 
significant investment, almost $1.3 billion, that the Army has 
placed in Army Cyber Command and the Army Cyber Center of 
Excellence, which is our premier schoolhouse. We train Active, 
we train civilians, and then we train Army National Guard and 
Reserve forces. For the Army, this is important, because we'll 
have the operational headquarters, the operational platform, 
and the schoolhouse all on the same location. We think that's 
going to give us the ability to take operators that are in 
Active missions to be able to move over and instruct, realtime, 
in the classroom. It also gives a stability for our workforce. 
You can have an entire career at Fort Gordon, Georgia, if you 
decide that you wanted to have your family there.
    The soldiers, civilians, and contractors from Army Cyber 
Command are persistently engaged against a wide range of 
adversaries and competitors in the cyber domain. We remain 
committed to preserving U.S. superiority in cyberspace and 
defending the Nation. Furthermore, we are committed to working 
with our interagency partners, international allies and 
partners, the defense industrial base, and defense critical 
infrastructure partners to secure that critical infrastructure. 
It's worth stating that operations in the cyber domain require 
problem-solving in ways never employed before by the U.S. Army. 
But, creativity, aggressive problem-solving, and rapid mastery 
of new fighting methods are not just possible for the Army, 
they are, in fact, qualities that lie at the core of our 
service. I'm confident that, with your continued support, we 
will continue to make progress and continue to achieve mission 
success.
    I thank you for the opportunity to testify today and look 
forward to answering your questions.
    [The prepared statement of General Fogarty follows:]

      Prepared Statement by Lieutenant General Stephen G. Fogarty
    Chairman Rounds, Chairman Tillis; Ranking Members Nelson and 
Gillibrand; and Members of the Subcommittees on Cybersecurity and 
Personnel, thank you for your continued support of the dedicated 
soldiers and Army civilians of U.S. Army Cyber Command (ARCYBER) and 
the entire Army Cyber Enterprise. It's an honor to represent the Army's 
Cyber Team, alongside my colleagues from the Department of Defense and 
U.S. Cyber Command, to discuss the critical issues associated with 
sustaining a ready Cyber Mission Force (CMF). My testimony addresses 
the following topics as requested by the Subcommittees: retaining and 
maintaining the Army's cyber talent; individual and unit level training 
of the Army's CMF; integration of the Army's Reserve Component into the 
CMF; and the development of the National Cyber Range Complex and 
Persistent Training Environment.
           retaining and maintaining the army's cyber talent
    Army Cyber Command's mission success rests with recruiting, 
retaining, and rewarding talented people, and as such we put tremendous 
focus on talent management. Thanks to congressional support, Army 
talent management initiatives continue to show increased results in 
civilian hiring and military recruiting. The Army is on pace to man, 
train, and equip Total Army cyber forces to meet current and future 
threats. Readiness of the total force requires that our investments in 
cyber ensure that Active and Reserve forces are trained and equipped to 
one joint standard. We have established innovative and tech-centric 
recruiting cells; are exercising our direct hiring authority for cyber 
professionals supported by Fiscal Year 2017 National Defense 
Authorization Act; and using internships, scholarship programs, and 
talent management initiatives focused on attracting, employing, 
developing and retaining technical people, including our Cyber Officer 
Direct Commissioning Pilot supported by Fiscal Year 2017 National 
Defense Authorization Act. The first two 1st Lieutenants under the 
Direct Commissioning Program are now training and we are assessing the 
next accessions from hundreds of applicants. With the expanded 
constructive service credit (up to O6 (Colonel) level) included in the 
Fiscal Year 2019 National Defense Authorization Act, we intend to 
attract candidates from a wider pool of applicants in the coming 
months.
    To help the Army resolve some of our toughest talent management and 
technical challenges, we have partnered with the Pentagon's Defense 
Digital Service (DDS) to bring technically-gifted soldiers together 
with interns and top private sector civilian talent to rapidly develop 
immediate-need cyber capabilities. We have also partnered with DDS on a 
Civilian Hiring as a Service Pilot to streamline the hiring process for 
technical talent and better leverage hiring authorities and incentives. 
We are working with DDS and the State of Georgia to expand this program 
to Fort Gordon and the region surrounding Augusta, Georgia, the Army's 
center of gravity for cyber operations and training. This innovative 
partnership is solving problems and serving as a powerful retention and 
recruitment tool. Additionally, in partnership with DDS, ARCYBER and 
the Cyber Center of Excellence launched a training pilot in January 
2018 to compress and streamline joint cyber training courses.
   individual and unit level training of the army cyber mission force
    The Army's philosophy for training is to ``Train as you fight!'' 
For the Army's teams within the DOD's Cyber Mission Force (CMF), 
training to a joint standard is predicated on a culture of adaptive 
learning, where operations inform training at every level. A ``train as 
you fight'' philosophy in cyberspace also depends on employing 
realistic, dynamic, and complex cyber range environments against 
simulated peer and near-peer adaptive adversaries. Cyber Mission Force 
training is tough, realistic, relevant, and holistic.
    With the achievement of Full Operational Capability of the Army 
CMF, the Army and Joint Force are shifting focus to measuring and 
sustaining CMF readiness. Readiness of the CMF's ability to conduct 
cyberspace operations reflects a team's ability to plan; develop 
access; report and maneuver in cyberspace; hold targets at risk; and 
deliver capabilities based on assigned missions; this is the standard 
we use for training. This includes a focus on non-standard access 
methodologies, title 10 operator training, and integration with mission 
partners to improve mission readiness.
    The readiness of our defensive teams is tested daily, during 
remediation of routine incidents; proactive defensive cyberspace 
operations; and during contingency operations. Training programs must 
constantly sharpen our edge to adapt faster than our adversaries. 
Mission rehearsals, simulating complex conditions, are necessary to 
ensure sufficient procedures are in place, while real-world operations 
grow our understanding of our adversaries' capabilities and add a 
decisive edge to our collective training.
    The Army's Cyber Protection Brigade has taken the lead in Cyber 
Protection Team (CPT) training by developing a concise training manual, 
known as ``Cyber Gunnery Tables,'' that defines the tasks individuals, 
crews, and mission elements must master. These tables provide 
foundational training for individuals and teams and serve as training 
and readiness validation events, certifying that a crew has the 
required knowledge, skills, and abilities to participate in collective 
exercises as part of a mission element. They also provide a metrics-
based assessment to determine individual and crew readiness.
    The Army's Cyber Electro-Magnetic Activities Support to Corps and 
Below (CSCB) initiative provides another venue to improve team 
readiness levels. Teams are integrated into the Combat Training Center 
rotations, War Fighter Exercises, and senior leader developmental 
exercises and events that train and challenge supported units and keep 
teams proficient on individual and collective skills. Army Cyber 
Command has built real-time reach-back links between Corps and Below 
level forces at the National Training Center and cyber operators at 
Fort Meade, Maryland and Fort Gordon, Georgia, that further enhance 
training capabilities for the Army's Brigade Combat Teams as well as 
our cyber forces. Based on lessons learned from the CSCB initiative, 
the Army will start building a Cyber Warfare Support Battalion (CWSB) 
in fiscal year 2019, dedicated to integrating tactical operations with 
strategic cyber capabilities, and supporting Electronic Warfare and 
cyber planning and integration.
    Training is critical for operators and teams, but the CMF also 
needs infrastructure, tool development, and mission alignment of these 
ready teams. In 2017 the Army completed the second of two joint mission 
operations centers for offensive cyberspace operations, located at 
Forts Meade and Gordon. The Army has also established tool development 
workspaces at three locations and aligned talented personnel to 
innovate the creation of these in-house tools. To support this effort, 
the Army is developing a sustainable career map for tool developer 
Officers and Warrant Officers.
    The Army is also leading the way with broadly-scaled multi-domain 
exercises for the Active, Reserve, and National Guard components. These 
exercises take place at existing CTCs and purpose-built environments 
like Muscatatuck, Indiana's ``Cybertropolis'' facility. In September, 
2018 the Army exercise ``Cyber Blitz'' based out of Joint Base McGuire-
Dix-Lakehurst, New Jersey will allow Total Army forces to synchronize 
new technologies and define how the information warfare capabilities 
can be employed in the Multi-Domain fight. Specifically, the Army is 
looking at how Cyber Operations, Information Operations and Electronic 
Warfare can be synchronized with maneuver warfare and precision fires 
to bring effects to bear against adversaries.
the army's investment in fort gordon, ga as a power projection platform
    Thanks to congressional support and over $1 billion in cumulative 
construction and modernization projects, Fort Gordon, Georgia will be 
the Army's focal point for cyberspace operations and training for 
responsive and enhanced support to the Army and the Joint forces. The 
ARCYBER headquarters will relocate to Fort Gordon beginning in 2020. 
The new purpose-built, modern headquarters will support more than 1,300 
new cyber soldiers and civilian employees at Fort Gordon, is projected 
to be ready for occupation in summer 2020 and fully operational by 
2022. The co-location of Army cyber operational and institutional 
forces will enable collaboration, flow of instructors, and speed up 
requirements development and acquisition.
    Additionally, the transformative modernization project of the Army 
Cyber Center of Excellence (Cyber CoE) at Fort Gordon will break ground 
in fiscal year 2019. This will increase training capacity and provide 
modern training and workspaces to gain efficiencies across the 
installation. The Cyber CoE continues to make significant progress 
growing the cyber, electronic warfare and signal workforce. The Cyber 
CoE is the Army's principal organization for future cyberspace, EW and 
signal innovation, providing capability through concepts, design and 
experimentation, across Doctrine, Organization, Training, Materiel, 
Leadership and Education, Personnel, Facilities, and Policy. In 
addition to training, the Cyber CoE provides force modernization, 
capabilities and career management for Signal, Cyber and Electronic 
Warfare forces.
    The Cyber CoE trained over 13,000 students in fiscal year 2018. 
This includes students from the Cyber School, Signal School and the 
Non-commissioned Officer Academy. The Cyber School trains officers, 
warrant officers, and enlisted soldiers from all three force components 
(Active, Guard, and Reserve), provides training across the joint 
forces, and offers two industry certifications tied to training.
    The Signal School provides trained soldiers to the operational 
force to conduct Department of Defense Information Network (DODIN) 
operations and cybersecurity, training 17 military occupational 
specialties and providing 42 industry certifications tied to training. 
Signal soldiers install, operate, and maintain the Army's portion of 
the DODIN. The Signal School provides a common foundation in networking 
fundamentals in support of DODIN Operations to all new Signal soldiers.
        integration of the army's reserve component into the cmf
    The Reserve Component (RC) is approved to build and maintain 21 
CPTs; 11 in the Army National Guard (ARNG) and 10 in the U.S. Army 
Reserve (USAR). One ARNG and two USAR CPTs have already achieved 
Initial Operational Capability, the ARNG is scheduled to have all 11 
CPTs at Full Operational Capability (FOC) by fiscal year 2022, and the 
USAR's 10 CPTs will be FOC by fiscal year 2024; trained and equipped to the same 
standards as the Active Component.
    Beyond the build of these teams, soldiers from the Army's Reserve 
and National Guard are trained, ready, and on-mission today, performing 
critical and unique support and effects-delivery roles for Army and 
Joint cyber missions. The 91st Cyber Brigade was initiated in 
September, 2017, as the Army National Guard's first cyber brigade. In 
August, 2017, the all-National Guard Task Force Echo was launched to 
engineer, install, operate, and maintain critical networks for U.S. 
Cyber Command.
    Our RC cyber soldiers bring critical skills that are a force 
multiplier. Continued support from Congress for programs to attract 
soldiers, such as Direct Commissions, Special Duty and Assignment Pay, 
and Cyber Affiliation Bonuses will assist in recruiting and retaining 
RC cyber talent.
    the national cyber range complex and persistent cyber training 
                              environment
    Currently, DOD operates four Cyber Training and Test Ranges: the 
DOD Cyber Security Range; the Joint Information Operations Range; the 
National Cyber Range Complex; and the C5 Assessments Division range. 
The Persistent Cyber Training Environment (PCTE) is a material solution 
that provides the total cyber force a training platform to conduct 
joint training (including exercises and mission rehearsals), 
experimentation, certification, as well as the assessment and 
development of cyber capabilities and tactics, techniques, and 
procedures for missions that cross boundaries and networks. PCTE will 
use resources from all four of the DOD ranges, as well as resources 
from other existing cyber training facilities.
    Headquarters, Department of the Army is the DOD's Executive Agent 
for Cyber Training Ranges, a responsibility led by the Army's Deputy 
Chief of Staff, G-3/5/7. Army Cyber Command is in support as a primary 
advisor to the G-3/5/7, with the Army's Program Executive Office for 
Simulation, Training, and Instrumentation (PEO-STRI) serving as the 
lead for acquisition, prototyping, and deployment of PCTE. The entire 
PCTE effort is governed by a board that includes Army Cyber Command, 
the DOD's Principal Cyber Advisor, and the Undersecretaries of Defense 
for Personnel & Readiness and Acquisition, Technology, & Logistics, as 
well as U.S. Cyber Command's J7, through which the Joint Cyber Service 
Components take part in shaping the PCTE to meet current joint 
operational needs.
    The PCTE v1.0 prototype was delivered 31 July 2018, just one year 
after the Army received initial funding for the project, and is 
currently undergoing limited user assessment, with feedback informing 
the next prototype, PCTE v2.0. Follow-on capability drops are projected 
to occur every six months (v2.0 in January 2019; v3.0 in July 2019; 
etc.). To meet the requirements for individual and lower-level 
collective training, the Army is also using a commercially available 
cyber range product. To meet higher collective training tasks, the Army 
is evaluating another commercial platform used by the U.S. Navy, which 
provides a broader collective training environment. All Services are 
currently using, or considering, both platforms to meet training 
requirements. These tools will be a bridging effort until the PCTE is 
fully operational.
                               conclusion
    Thank you again for inviting me to appear before you today 
representing the Army Cyber Enterprise. Your support has been 
enormously important to the maturation of Army Cyber Command, the Army 
Cyber Enterprise, and the critical mission our dedicated and talented 
soldiers and Army civilians conduct for the Army and the Nation. The 
Army Cyber Enterprise has made tremendous progress during the last 
eight years--building a cyber branch, schoolhouse, cyber 
infrastructure, and a Total Army cyber force. Although much remains to 
be done, I am confident that with your sustained support we will 
continue to make progress and achieve mission success. The tasks before 
us are great, however the talent and drive of our people is greater.

    Senator Rounds. Thank you, General.
    This group in front of us as a team has a huge 
responsibility. Cyberspace, this new domain, requires 
personnel. The reason that we're doing a program like this with 
both subcommittees, Personnel and Cyber, together is because we 
recognize the seriousness of the situation at hand.
    General Fogarty, the Army faces significant manning gaps in 
the roles of tool developers and interactive on-network 
operators, or, I think, as we call them, IONs. While the Army 
needs about 150 operators, for example, it has about half of 
its requirements. Part of the problem is that the Army has only 
about 14 spots in the RIOT training, which is Remote 
Interactive Operational Training, which is provided by the NSA. 
About half of these personnel will fail the training, meaning 
that the Army might only see seven graduate to the Cyber 
Mission Force as capable operators for any given RIOT course. 
This could leave the Army below the replacement level, given 
promotions and retirements, and yields a major capability gap. 
The Air Force has noted to us that the NSA has facilitated--
they're obtaining more spots in training, as required, and 
that, because they send their operators to training later, they 
are less likely to fail, leaving them without the shortfalls 
that afflict the Army.
    My specific question is, What is the impact of the 
resulting gaps--in particular, in infrastructure, IONs, and 
tool developers--on your operations?
    Lieutenant General Fogarty. So, Senator, we have identified 
three critical missions for--or critical work roles for the 
offensive force. So, the IONs, the exploitation analysts, and 
the tool developers. Each one is really--for the Army, is in a 
different point. So, you've aptly described our challenge with 
IONs. There are two things that we're doing about this. First 
of all, as we conduct more and more operations off of title 10 
infrastructure--and the Army is really--we were the service 
that had title 10 infrastructure first, we've got the most 
robust capability--what we recognize is, not every ION has to 
be RIOT qualified. We have a title 10 operators course that 
allows our IONs to actually operate off the title 10 
infrastructure. That gives us the opportunity to observe them 
as they start to act, conduct reps. Then we can identify better 
those star athletes that we need to send to RIOT. What we're 
hoping is, we can identify someone who has better aptitude, a 
better likelihood of actually graduating, and that would 
essentially double our numbers if we can get that straight, 
per----
    Senator Rounds. Excuse me. You don't----
    Lieutenant General Fogarty.--per year.
    Senator Rounds.--you don't quite have it straight yet, so 
what is that doing to your operational timelines today?
    Lieutenant General Fogarty. So, what happens, sir, is, with 
the current limit of 15 per year--and I would say, for the Air 
Force, we actually gave up slots, both for EAs [exploitation 
analysts] and IONs, so they could actually get fully 
operational-capable and meet their timelines. So, we took a 
little bit of hit there. But, I think the big thing is, we 
weren't selecting people that were making it all the way 
through the course. So, by getting them in the title 10 
operators course, we get them actually on mission much sooner 
than we do if we send them through RIOT training. That allows 
us to determine the best athletes that would then allow us to 
get them into RIOT, have a much better chance of graduating. 
So, we think that will increase graduation.
    We've also talked to General Nakasone. We think, 
ultimately, we're going to have to expand the throughput of the 
RIOT course. So, we think that's going to be necessary to meet 
our ultimate requirements.
    But, we think success, for us, is a number of RIOT-trained 
operators, and then a larger number, actually, of title 10 
operators. Because, again, as you said very eloquently, we've 
got to get off of the NSA platform, become more independent. 
The title 10 infrastructure with title 10 IONs actually allows 
us to achieve that goal.
    Senator Rounds. One thing that I'm going to ask, for the 
record, of both you, General Fogarty, and also for you, General 
Crall, is a timeline for actually meeting the guidelines 
necessary to make that happen.
    [The information referred to follows:]

    Lieutenant General Fogarty. Since the standup of the Cyber 
Mission Force (CMF) in 2012, the work roles presenting the 
greatest training and retention challenges for the Army are 
Interactive on-Network Operator (ION) and Tool Developer (TD). 
Both are high demand, low density work roles requiring 
personnel with advanced technical aptitude, training and 
certification. Since 2012, changing mission requirements, 
organic platform developments, and programmatic changes 
necessitated a revised model for Army's training of IONs. The 
Army developed our own interactive cyber operator course 
external to NSA's training pipeline with a curriculum informed 
by and more directly supporting the evolving USCYBERCOM 
mission. Since the Army's development of this course in 2017, 
as of January 2019, 73 Army students have graduated, and over 
21 individuals have been Joint Qualification Reviewed (JQR)-
certified and are on-mission supporting USCYBERCOM operations. 
The remainder are fulfilling JQR requirements. The Army plan 
going forward is to hand-pick the high performing graduates of 
this course and select them for the RIOT course. We project 
this will increase graduation rates, and help close the ION 
gap. Tool Developers (TD), much like IONs, fill a critical role 
in the execution of cyberspace missions by building software 
and hardware capabilities to enable a variety of operations. To 
better serve the TD mission, the Army built a developer 
environment that enables the rapid production and delivery of 
cyberspace capabilities to our operational force. Our 
experience indicates officers and civilians are the best 
equipped to fill the TD work role, often arriving with computer 
science, electrical engineering, or computer engineering 
degrees. As a result, the Army developed the Tool Developer 
Qualification Course (TDQC) in partnership with the University 
of Maryland Baltimore County (UMBC) Training Center. The 11-
month course provides students with the basic fundamentals of 
computer science and programming. The average class size is 14, 
with a graduation rate of approximately 75 percent. The high 
pass rate is directly attributed to the strong emphasis placed 
on identifying and assessing the best candidates for the 
course. Since 2016, the Army has successfully graduated 64 
soldiers. The Army executes assessment tests and selection 
panels to identify the best qualified TD and ION candidates. 
The most experienced in the force administer the assessments 
and oversee the selection panels, ensuring the prospective 
candidates understand the rigors and challenges ahead of them. 
Once a candidate is selected (e.g., IONs for RIOT), a mentor is 
assigned to them to ensure help is available should the need 
arise. However, the aptitudes and talent required for ION and 
TD roles come from the same population. As we improve 
recruiting and training, we must also improve retention of our 
Cyber force. The attrition rate of trained IONs and TDs equals 
or exceeds the production rate of new personnel. Part of the 
challenge with this highly technical force is compensating 
trained and experienced IONs and TDs at an appropriate level. 
Currently HQDA has authorized the maximum Selective Retention 
Bonus it can provide ($72,000 for a 6-year re-enlistment) for 
enlisted soldiers serving as IONs, TDs, and Exploitation 
Analysts (EA). HQDA has also implemented a Written Bonus 
Agreement that will have a maximum of $100,000 for an 
additional four years of service for our most experienced 
senior Non-Commissioned Officers, and has approved Assignment 
Incentive Pay ranging from $200-$500 a month and Special Duty 
Assignment Pay ranging from $150-$300 per month for personnel 
trained and serving in these key work roles. ARCYBER leadership 
continues to work with HQDA to maximize the benefits that can 
be provided to these soldiers by law, in order to reduce the 
compensation gap that can be offered by the private sector, or 
even other governmental agencies.

    Senator Rounds. General Crall, I'm out of time, but the 
same questions that I've asked of General Fogarty I will be 
asking of you for the record, as well.
    [The information referred to follows:]

    Brigadier General Crall. [Deleted.]

    Senator Rounds. Thank you.
    With that, Senator Tillis.
    Senator Tillis. Thank you, Mr. Chair.
    Again, thank you all for being here.
    General Crall, thank you for, I think, covering good 
landscape in your opening comments.
    Ms. Miller, my first question is for you. I believe you 
chair the Cyber Workforce Management Board. Is that correct?
    Ms. Miller. Yes, sir, along with----
    Senator Tillis. And P&R [Personnel and Readiness] co-
chairs, right?
    Ms. Miller.--P&R, exactly.
    Senator Tillis. Tell me a little bit about how that 
relationship works, and how the roles are playing out right 
now.
    Ms. Miller. Well, actually, sir, we're very well aligned. 
The board was charted to manage the health and welfare maturity 
of the force, both civilian and military, so we have an 
opportunity to oversee and assess the use of the force, how we 
are doing on the recruiting and attracting, as General Crall 
talked about. Predominantly, efforts have been focused on Phase 
1 and how we code the positions, identifying the work roles and 
understanding where our shortfalls are and where we need to 
focus our efforts. But, I think it's pretty safe to say, the 
relationship between the three organizations are very closely 
aligned. We meet on a regular basis, and our staffs are joined 
at working the issues, be it with the coding or with the 
hiring-and-retention piece.
    Senator Tillis. This question is probably for all of you. I 
spent virtually all of my professional career in technology, 
first in research and development, then architecture 
definition, deployment, and then project execution. Sometimes I 
worked at Pricewaterhouse, so sometimes we would acquire 
another firm, or at IBM we would acquire another firm, and it 
would be standing alone, but it really didn't make sense to 
have it stand alone for long. In most of your mission sets, I 
can see a very rational basis for--the mission of the Marines 
has its own kind of training, tools, tactics, it's separate 
from the Army, the Navy, the Air Force. But, in this domain, 
I'm struggling--except at the atomic level, maybe equipment 
that you need to a service line--I'm struggling to understand 
why we're not looking at a more innovative way to leverage--you 
know, we had matrixed organizations, where we have the silos of 
the service lines now, or we had market domains or technology 
domains--but the common platform that we're talking about, can 
you explain to me the rationale for having--and the risk of 
having duplicative systems and environments and potentially 
sub-optimizing some of the cross-learning? I'm not saying that 
any one service should own it, but I'm wondering whether or not 
we should be looking at a very different structure than the 
current trajectory.
    Lieutenant General Stewart. Let me take the first shot at 
this one. In fact, what we've designed and what we've put 
forward, Senator, is what we call the Joint Cyber Warfighting 
Architecture. It is an integrated architecture. It includes 
building common firing platforms, common set of tools, common 
infrastructure, common cockpit for command and control. Now, 
none of the services will do that by themselves, but we will 
designate a specific service to build one element of that Joint 
Cyber Warfighting Architecture.
    Senator Tillis. So, a center-of-excellence sort of 
capability.
    Lieutenant General Stewart. So, for the training component, 
the Army will take that persistent common training environment. 
So, they will bring that into a common architecture, where U.S. 
Cyber Command will set the standards, set the information 
exchange protocols, and then each of the elements within our 
subordinate elements within Cyber Command will build those 
pieces and those components to a common standard. So, we get 
the idea that we don't want each of the services build their 
own unique tools, build their own training environment, build 
it on--and so, now we've put that all together, and we 
structured that into what we call the Joint Cyber Warfighting 
Architecture.
    Senator Tillis. And the government----
    Lieutenant General Stewart. So, we're moving in that----
    Senator Tillis. Okay.
    Lieutenant General Stewart.--direction.
    Senator Tillis. Because I'm going to be limited on time--I 
have to step out briefly to go to a VA [Veterans Affairs] 
Committee--I think that the--with respect to something that 
General Fogarty and I talked about, and as Chair of the 
Personnel Subcommittee, we have provided some authorizations 
that, hopefully, are helping you be a little bit more 
competitive recruiting and retaining resources. But, you can 
expect that we'll have a hearing in Personnel to talk about 
what more we can do.
    General Crall, you made a very important point. If we're 
giving you these authorities to use to be more competitive, but 
we're also going to be expecting seeing how they've been used 
and what the results are. We'll discuss those in the--we'll 
discuss those in the hearing or in meetings that we'll have in 
my office.
    For many of you, I've got a lot of questions, and I know--
I'm looking forward to getting back so we can go to the closed 
session, but I'll probably have a number of questions that are 
structural in nature that'll be instructive to some of the work 
we'll be doing on the Personnel Subcommittee.
    Thank you, Mr. Chair.
    Senator Rounds. Thank you.
    Senator Nelson.
    Senator Nelson. General Stewart, how are we going to 
objectively measure the readiness of Cyber Mission Force to 
execute their mission?
    Lieutenant General Stewart. So, we know we have a standard 
now that the Chairman measures: personnel readiness, number of 
folks that the services are providing, the level of their 
training. So, we have a standard approach for measuring that. 
Now, what we have to do is--in U.S. Cyber Command, is clearly 
define the mission essential task and the joint mission 
essential task that says, ``When a team is presented to us, 
here are the things that we need them to do against a 
particular target set.'' That is more than just the personnel. 
That's easy objective measurement. The services are either 
providing them at a certain level or they're not, they're 
either trained to a certain level or not. Quite frankly, the 
services are doing a remarkable job in presenting personnel.
    Senator Nelson. Will the combatant commanders understand 
this so-called meaningful set of metrics that you're talking 
about, a standard?
    Lieutenant General Stewart. There is no doubt in my mind 
that we've identified intelligence requirements that are 
essential for delivering capabilities, we've identified access 
requirements that are important, we've identified tools and 
munitions that are important, we've identified architecture 
that's important to get to the target. Those are things that I 
think any combatant commanders would understand, ``In order for 
me to have an operational effect, here are the things that I 
must have in order to deliver those outcomes.'' So, we think 
that's pretty well-defined, and we'll continue to refine that 
over time.
    Senator Nelson. So, how are you going to make sure that the 
services are giving you what you need in their training and 
standards?
    Lieutenant General Stewart. We've now mandated or laid out 
the requirements for 1,000-2,000 level. That's the basic entry-
level training. The services are building capability and 
capacity. We were just down in Georgia, had an opportunity to 
see the things that the Army was doing. All of the services 
understand the requirements. Quite frankly, Senator, I think 
they're delivering a fairly capable--and I say that, ``fairly 
capable,'' because we now have to take them, when they come to 
Cyber Command, and take them from the journeymen and the 
apprentice level to the mastery level. I think the services are 
doing a remarkable job, and we have to--to go back to the 
question on IONs, for instance, we have to now define whether 
or not we have the right number of IONs on the teams. We 
started with a number, based on our best guess of how we would 
operate in the space. The reality is, we may not need as many 
IONs, and that will change the training requirements and allow 
us to do some things that are more creative to get our 
workforce from journeyman, from apprentice, to a mastery level. 
I--we're working to refine those as we speak.
    Senator Nelson. General Fogarty, the Secretary assigned to 
you the job of building a cyber range and training system. Why 
aren't all of these separate ranges being consolidated and 
moving to a cloud?
    Lieutenant General Fogarty. Senator, currently, there are 
so many ranges--there are so many ranges. I'm the executive 
agent for the training ranges. There are a whole series of 
test-and-evaluation ranges that TRMC [Test Resource Management 
Center] is the executive agent for.
    Services have built ranges. So, what we're trying to do at 
this point is start to move these ranges, connect them. The 
objective actually is to move them into the cloud. So, that's 
the direction we believe we need to be at.
    But, it's--I think it's similar to many challenges. Over a 
long period of time, you had organizations that built their own 
capability because they had an immediate need for it. We're at 
the point now where we're--we've inventoried those. We know 
what the advantages and disadvantages of the different ranges 
are, how to better connect them. There are certain ranges that, 
frankly, we'll probably have very limited interest in. It 
doesn't mean there's not a requirement, but it's not for the 
Cyber Mission Force. There's others that are very robust. We 
don't want to duplicate that. We actually want to connect to 
those ranges.
    Senator Nelson. Can I assume that what you're saying is 
that you're going to move to the cloud so that you don't have 
to constantly upgrade the in-house computing infrastructure?
    Lieutenant General Fogarty. Senator, that's actually a 
succinct way of saying that, but we're----
    Senator Nelson. Okay.
    Lieutenant General Fogarty.--we're not there yet----
    Senator Nelson. Let me----
    Lieutenant General Fogarty.--for sure.
    Senator Nelson. Let me ask General Crall. Cyber Command, 
created in 2009, but it wasn't until 2013 that we actually 
started to build the mission force. So, a number of years, we 
had a command with no forces. It took another couple of years 
for the Department to start the acquisition process for command 
and control, network, infrastructure, weapons, and so forth. 
Why the delays?
    Brigadier General Crall. Sir, that's probably a question 
that I'll have to go back and do some forensics to give you an 
adequate answer. I can give you a few answers that I think 
apply generally, and certainly not making excuses. But, 
understanding what rightsizing looks like, I've learned the 
challenges of moving anything quickly in the Department. 
Matching resources, at the time they're available, with the 
need and the planning that we're trying to execute has also 
been a challenge. You could ask the same question on our 
infrastructure, writ large. We've been modernizing our IT 
infrastructure for 10 years, at least, in a holistic fashion. 
Change has been difficult, but I think we're looking at the 
problem set in a new way. And, in the closed session, we're 
going to lay out a placemat for you to consider the ``eaches'' 
of how we're trying to do this in a way that makes some sense. 
But, I'll tell you, sir, one of the areas that we're making 
improvements on, General Stewart has already covered. We've 
allowed too much of unique building. Lack of standards, 
allowing each person to do what's right in their own eyes in 
the process, and not holding individuals or services 
accountable for a common standard, I believe, have all been 
contributors, and significant contributors, to delays.
    Senator Nelson. Thanks.
    Senator Rounds. Senator Gillibrand.
    Senator Gillibrand. General Stewart, I appreciate that your 
authority is focused on addressing foreign cyberactivities and 
you're constrained in working on domestic matters. However, I'm 
very concerned that foreign adversaries have abused the 
borderless nature of the Internet to stage cyberattacks on our 
domestic critical infrastructure, such as our election system. 
How do you coordinate with domestic Federal agencies, as well 
as local and State agencies, where much of our election 
security is entrusted?
    Lieutenant General Stewart. Well, we're generally not, 
Senator, directly interfacing with the State and local levels. 
We are, in fact, working closely with the Department of 
Homeland Security. We've had a series of engagements to ensure 
that they understand the threats as we see the threats, that 
we've asked them to pass those indicators of compromises down 
to the States so they can also see the threats. So, we're 
working this, to borrow a phrase, by, with, and through DHS 
[Department of Homeland Security] to get the insights that we 
have, both from Cyber Command and from our NSA partners, turn 
those into real indicators, and pushing those out to the State 
and local level. Beyond that, we have limited authority to go 
to the State and local levels.
    So, if I were going to use this platform to send a message, 
I suspect the message would be: As we move indicators of 
compromise from DHS down to the State levels, how do we make 
sure the States are loading those indicators of compromise onto 
the appropriate sensors and then passing them back up through 
DHS so that we can be proactive in going after the adversary in 
gray and red space?
    Senator Gillibrand. It also sounds, though, that your 
limited authority is limiting for you. I'm concerned that, you 
know, you have a mission to protect this country and our 
critical infrastructure. That's part of Department of Defense 
mission. But, you've not been given all the authorities you 
need, in fact, to prevent or stop or respond to cyberattacks to 
critical infrastructure if it has to do with the electoral 
system. I think that's a mistake. So, one thing that I hope you 
will do is seek the authorities that you think you need from 
this committee, because, regardless of what the administration 
believes, I believe that better coordination, more holistic 
coordination, through the National Guard perhaps, so that the 
States can have on-the-ground expertise that is feeding 
information and data and intelligence back up to the 
Department, so that you have a fully integrated defense system 
for this country. Because if they were bombing a powerplant or 
they were bombing, or even cyberattacking, a powerplant, you 
might have a response, or a responsibility, but, because 
somehow it's an election infrastructure, you have to stay 
hands-off. So, I hope that you will seek authorities, as you 
believe from your expertise you think you should have them.
    Lieutenant General Stewart. In the closed session, we 
should probably talk about the changes in authorities over the 
last 6 months.
    Senator Gillibrand. Correct.
    Lieutenant General Stewart. If you had approached me 6 
months ago about the limits of our authorities, I would tell 
you that it would cause me great frustration.
    Senator Gillibrand. Yes.
    Lieutenant General Stewart. We're in a much better place 
today, Senator.
    Senator Gillibrand. I understand. But, I think there's even 
more authority that you should seek, especially in giving more 
support to the National Guard to continue to be eyes and ears 
on the ground. We will--I will pursue this more in closed 
session, because I think it's so vital.
    General Crall, the military's ability to pay for high-
quality educational degrees through ROTC [Reserve Officer 
Training Corps] programs or direct accession programs for 
skilled doctors and lawyers have undoubtedly played a key role 
in recruiting talented individuals into our uniformed ranks. In 
addition to paying cyber operators for the skills through 
specialized compensation, I also believe we should leverage our 
ability to pay for the educational--education of servicemembers 
and civilians interested in joining the cyber workforce. Do you 
believe that a cyber ROTC scholarship or advanced degree-
holders would help us to attract skilled military cyber 
officers?
    Brigadier General Crall. Ma'am, I do. I believe that's a 
wise course of action. In fact, in the opening, we talked about 
expanding all the opportunities. But, what I would also add to 
that is, it's important for us to ensure that, when we track 
this, we learn what's working and what doesn't work. I've found 
that sometimes these things are a bit counterintuitive. We have 
to apply our resources properly, as you would expect us to, and 
we want to make sure, as the markets change, we follow those 
trends very carefully and we apply our valued resources to the 
right population groups and pockets.
    But, I will say this. Every university--this is anecdotal, 
this is me walking around and talking to people in these 
environments--it is the most talked-about subject matter. 
Whether we're at the service academies or out in the local 
communities, we've got a large force of young civilians who are 
very interested and eager to work in the cyber workforce.
    Senator Gillibrand. Thank you.
    Thank you, Mr. Chairman.
    Senator Rounds. Thank you.
    Senator Warren.
    Senator Warren. Thank you, Mr. Chairman.
    Thank you, to our witnesses, for being here today.
    Talent management is a critical component of the ability to 
maintain cyber readiness. That means that we need to recruit 
and retain for a set of skills that might not necessarily be 
considered traditional military skills. I was glad to see that 
talent management is included as a key component of the 
Department's updated cyber strategy, which was released last 
week. But, the strategy doesn't offer much detail on the 
specifics of how exactly the Department plans to recruit and 
retain men and women with the necessary skills.
    So, can I start with you, General Crall? Can you be more 
specific for us on the Department's long-term plans for cyber 
talent management?
    Brigadier General Crall. Yes, ma'am, I can. I'll also share 
with you some shortcomings in that, because I think your 
instincts of maybe--on some of the leads of understanding that 
market, we may not be as refined as we need to be. I share--if 
those are your concerns, I share some of those.
    But, yes, when it comes to developing, you know, the 
recruitment aspect, the military side has a very unique 
recruiting campaign and designated workforce that gets after 
that, professional recruiters who work very aggressively at 
ensuring that message is out. In part of my opening, I 
described a kind of a vacuum for the Federal Government side. 
The civilian side, we really don't have, even the initial 
tenets of our Cyber-Excepted Service, well known. So, we need 
to get our message out, for one.
    One of the ways that we could get that message out is to 
ensure that we have very robust presences in areas where these 
people are being trained--in academia, you know, our 
universities, internships, exchanges with private sector--all 
of those areas where we can get natural exposure to some of 
those benefits that only we can provide. And, while it's still, 
I would say, maybe anecdotal to express it this way, the people 
that we've spoken to have explained very carefully their desire 
to serve the Nation, do unique mission sets they can't do in 
the private sector, and work with emerging technology. Those 
are things that we can offer that--very unique to our 
government. So, yes, we need to do more in that.
    On the civilian side for Excepted Service, I had mentioned 
we've covered a few to close some of the pay gaps. Congress has 
given us the authority to address some of those, to include 
regional pay gaps, compensation, higher step increases. But, 
those are normally only known by those who are really at our 
doorstep already. We need to do a better job of getting the 
word out on what we can offer, and to pursue those individuals 
at a very early start.
    Senator Warren. Well, I'm very glad to hear this, General 
Crall, and glad to hear your enthusiasm for this. You know, our 
readiness is only as good as our people. If we don't recruit 
and retain the best and offer the kind of career incentives for 
people to stay in public service, then we can't mount an 
effective cybersecurity defense or response. So, thank you for 
that.
    I have one other issue I want to raise. I am a big 
supporter of the Defense Innovation Unit, which has an office 
in Cambridge, for piloting new approaches to technology, 
including cyber and software engineering. I want to ask about 
one of those experiments. In 2016, the software system at the 
Al Udeid Air Operations Center in Qatar was so outdated--are 
you ready for this? In 2016, airmen were using a flight board 
to manage aerial refueling. Now, in response, DIU [Defense 
Innovation Unit] worked with the Air Force to sponsor a small 
program, called the Kessel Run, to teach Active Duty Air Force 
personnel how to code. In the span of 4 months, at a cost of 
just about $2 million, they designed a software application 
that automated the refueling. And because the airmen now have 
the coding skills, they can continuously update that software 
to meet the mission.
    So, maybe I could ask you, Ms. Miller. Do you think having 
in-house coding ability like this can also help improve our 
cyber operational readiness?
    Ms. Miller. Yes, ma'am, I do. That's actually one of the 
skillsets. If you look at the list of specific skills that we 
know we need to mature, that is one at the top of the list.
    Senator Warren. So, we're trying to build this in-house. I 
think that makes a lot of sense. I'm glad to hear it. But, 
getting the Kessel Run Development Lab up and running was not 
easy. I understand there was some real resistance within 
segments of the Department. So, the question I want to ask is, 
How can we normalize and scale these types of programs up and 
make technical skills, like coding or cyber defense, a core 
competency for Active Duty personnel and defense civilians?
    General Crall, it looks like you want to answer.
    Brigadier General Crall. Yes, ma'am. This is an exciting 
question, because you're----
    Senator Warren. Good.
    Brigadier General Crall.--you're spot-on. We have young 
folks, who are--have zero experience in doing this formally, 
who are writing programs for us today. Going back to my answer 
earlier, the proper venue and outlet for this is to ensure that 
we have the right developers toolkits and the right coding 
infrastructure, the lateral limits, left and right, so that 
they know what standards to write these to. We spent a lot of 
time and frustration in the Department of trying to make these 
disparate software applications communicate with each other. In 
the closed session, I can cover some of the solutions we have. 
But, they are screaming for ways to contribute, and we are 
taking that onboard, and it's showing great promise. But, there 
is a lot of work ahead, ma'am.
    Senator Warren. Good. So, I--again, I'm glad to hear your 
enthusiasm, but I sure want us to concentrate on how we can 
scale this up and normalize it within the Department.
    Thank you.
    Thank you, Mr. Chair.
    Senator Rounds. Thank you, Senator.
    Okay, this will conclude the open portion of the session. 
My intention is to recess until 4 o'clock, and that will be in 
SVC-217.
    At this point, we will recess.
    [The open portion of the hearing concluded at 3:42 p.m. The 
Subcommittees recessed until 4:00 p.m. to meet for the closed 
portion of this hearing.]

    [Questions for the record with answers supplied follow:]

            Questions Submitted by Senator M. Michael Rounds
                               redundancy
    1. Senator Rounds. Lieutenant General Stewart, to serve in the 
interim as the Unified Platform is developed, does Cyber Command have 
or plan to develop an integrated database or organizing structure of 
all tools and tool development efforts in the Services and its own 
capabilities development group?
    Lieutenant General Stewart. [Deleted.]

    2. Senator Rounds. Lieutenant General Stewart, what redundancies 
has Cyber Command seen in the Services and what efforts are underway to 
mitigate them?
    Lieutenant General Stewart. [Deleted.]
          missing authorities and outstanding resource issues
    3. Senator Rounds. Brigadier General Crall and Lieutenant General 
Stewart, please provide a list of missing authorities, outstanding 
resource issues and misallocations, and interagency issues that are 
hampering the readiness of the Cyber Mission Force, to include 
difficulties in using accesses and tools that originate with the 
intelligence community.
    Brigadier General Crall. My fellow witness, Lieutenant General 
Stewart, is best positioned to provide a response regarding the 
authorities related to the Cyber Mission Force.
    Lieutenant General Stewart. [Deleted.]
                                 tools
    4. Senator Rounds. Lieutenant General Stewart, how much do each of 
the Services and how much does CYBERCOM spend on tool development each 
year? How does this compare with the NSA?
    Lieutenant General Stewart. [Deleted.]

    5. Senator Rounds. Lieutenant General Stewart, what efforts--
manning, technological, and policy--are underway to accelerate 
CYBERCOM's tool development (including accessing and surveilling of 
adversary networks)? How can Congress help?
    Lieutenant General Stewart. [Deleted.]
                          information warfare
    6. Senator Rounds. Brigadier General Crall, what efforts are 
underway to integrate cyber operations with information operations, 
electronic warfare and military deception especially at CYBERCOM? How 
can Congress help in this regard?
    Brigadier General Crall. [Deleted.]

    7. Senator Rounds. Brigadier General Crall, how are the PCA and 
CYBERCOM working with ASD(SO/LIC) and SOCOM to integrate information 
warfare into cyber operations? What efforts are still required?
    Brigadier General Crall. [Deleted.]
                                metrics
    8. Senator Rounds. Lieutenant General Stewart, it is our 
understanding that the readiness metrics CYBERCOM uses are built off of 
those used for conventional forces, assessing manning, training, and 
``equipment'' as percentages instead of measuring the capability and 
capacity of a given team. How do these metrics compare to those used by 
SOCOM, and is work underway to determine what the best metrics to 
measure force capability are going forward?
    Lieutenant General Stewart. [Deleted.]

    9. Senator Rounds. Lieutenant General Stewart, please provide a 
complete spreadsheet of the manning status of each required position--
including tool developer, exploitation analyst, and on-network 
operator--for each team in the Cyber Mission Force.
    Lieutenant General Stewart. [Deleted.]
                               timelines
    10. Senator Rounds. Lieutenant General Stewart and Brigadier 
General Crall, with the Department's cyber posture review and recent 
policy changes, what is the expected future operational timeline from 
identification of a target to insertion of malware?
    Lieutenant General Stewart. [Deleted.]
    Brigadier General Crall. I support the responses from my fellow 
witnesses, Lieutenant General Stewart and Lieutenant General Fogarty, 
on this specific question regarding the expected future operational 
timeline from identification of a target to insertion of malware.
                           combatant commands
    11. Senator Rounds. Lieutenant General Stewart, how many of EUCOM's 
priority Russian targets has Cyber Command compromised? For how many of 
these has Cyber Command developed or identified an extant tool? For how 
many of these has Cyber Command delivered the tool?
    Lieutenant General Stewart. [Deleted.]

    12. Senator Rounds. Lieutenant General Stewart: How many of PACOM's 
priority Chinese targets has Cyber Command compromised? For how many of 
these has Cyber Command developed or identified an extant tool? For how 
many of these has Cyber Command delivered the tool?
    Lieutenant General Stewart. [Deleted.]
                               __________
           Questions Submitted by Senator Kirsten Gillibrand
                 civilian personnel and cyber force mix
    13. Senator Gillibrand. Brigadier General Crall, Cyber Command 
appears in many respects to have been conceived along the lines of a 
traditional military operational unit, meaning most immediately that 
``operators'' are primarily military personnel. This has led to much 
discussion about relaxing military standards to enlist or commission 
nontraditional recruits for military service. Meanwhile, civilian 
employees are not subject to these standards, cost less to the 
Government in terms of pay, benefits, and training, and generally can 
stay in one place longer as part of a successful career. Moreover, 
civilian positions can be filled by individuals who are otherwise not 
interested or qualified to serve in uniform, leaving those military 
recruits available for other military duty. For those who are qualified 
to serve, civilians can also serve in the Guard and Reserve as a 
complement to their civilian duties. What is your view of the proper 
use of civilian personnel in building the cyber force?
    Brigadier General Crall. [Deleted.]

    14. Senator Gillibrand. Brigadier General Crall, what is your view 
of the optimum force mix of military and civilian personnel?
    Brigadier General Crall. [Deleted.]

    15. Senator Gillibrand. Brigadier General Crall, what is the proper 
force mix between Active Duty and Reserve personnel (who may also be 
full time civilian employees within the command)?
    Brigadier General Crall. My fellow witness, Lieutenant General 
Fogarty, is best positioned to provide a response regarding the proper 
mix between Active Duty and Reserve personnel.

    16. Senator Gillibrand. Lieutenant General Stewart, among the 
operational billets in Cyber Command, what percentage are filled by 
civilian personnel?
    Lieutenant General Stewart. [Deleted.]

    17. Senator Gillibrand. Lieutenant General Stewart and Lieutenant 
General Fogarty, are any restrictions on the hiring of civilian 
personnel hampering your ability to hire more civilians? If so, please 
explain.
    Lieutenant General Stewart. [Deleted.]
    Lieutenant General Fogarty. There are restrictions hampering the 
Army's ability to hire more civilians within the cyber workforce. First 
is the time requirement to acquire a Top Secret (TS), Sensitive 
Compartmentalized Information (SCI), Counterintelligence (CI) Polygraph 
(Poly) security clearance. Cyber professionals are required to obtain 
and maintain a TS, SCI, Poly which could potentially take over one year 
to obtain. There may also be an additional security vetting requirement 
if the place of employment is located with the National Security Agency 
(NSA) teams/workspace which may take an additional six months for 
adjudication. The security requirements add significantly to the 
timeliness of hiring and on-boarding a civilian employee, which may 
dissuade applicants from applying and following through for these types 
of positions. However, we are addressing this setback by authorizing 
civilian new hires to train and work on unclassified mission sets until 
such time as the security clearance vetting process is complete. Second 
is the salary rate of cyber professionals working in the private sector 
compared to that of DA civilians. Private industry can offer 
significantly higher salaries, stock/share options, bonuses and 
financial incentives, loan incentives, various types of paid leave 
packets, daily meals, campus transportation, medical, dental, and child 
care on work-site as well as an environment that's conducive and 
attractive to cyber professionals. While dollar for dollar, the 
salaries are incomparable, the Army can offer a wide range of 
compensation and incentives that include recruitment, retention, and 
relocation incentives, student loan incentives, accelerated salary 
incentives, additional leave incentives, paid federal holidays, paid 
sick leave, Thrift Savings Plan match incentives, Permanent Change of 
Station (relocation) benefits and entitlements, coupled with the 
standard DA civilian compensation packet to include a defined benefit 
plan (pension) not normally offered in the private sector, plus the 
stability of the Government workforce. Currently, however, when DA 
Civilian compensation packages are compared to that of private 
industry, the Army's inability to offer a comparable industry salary 
may limit future recruiting and retention efforts of cyber operators.

    18. Senator Gillibrand. Lieutenant General Stewart, Lieutenant 
General Fogarty, and Brigadier General Crall, do you believe that 
existing personnel authorities for military and civilian personnel are 
adequate to build the cyber force to meet identified requirements?
    Lieutenant General Stewart. [Deleted.]
    Lieutenant General Fogarty. A holistic DOD strategy to building a 
cohesive cyber workforce that includes the current authorities and an 
industry level compensation program, for both military and civilians, 
would reduce the retention and recruitment challenges and help 
stabilize the current highly skilled cyber workforce while building the 
future identified requirements. The 37 U.S. Code Sec. 353 limits skill 
incentive pay to $1,000 per month, and proficiency bonuses to $12,000 
per year for qualified cyber soldiers. While adequate for most military 
career fields, these monetary incentives may not be competitive or 
commensurate with that of other government agencies and private 
industry in order to retain our highly skilled talent. Amending the law 
to enable payments up to $5,000 per month for skill incentive pay, and 
$60,000 per year for proficiency bonuses, provides additional 
incentives to close the compensation disparity between private and 
military/government sectors. Furthermore, this would enable the 
services to establish a Cyber Proficiency Pay/Bonus scale similar to 
that of the Medical and Legal Corps. Furthermore, increased incentive 
may aid in the retention of the Army's highly skilled, cyber 
professionals, who are routinely recruited by other government agencies 
and private industry based upon their extensive training, knowledge, 
skills and abilities, within key work roles. For DA civilians, the 
current Direct Hiring Authorities (DHA) are adequate. However, the 
variations between multiple DHAs may hamper the Army's ability to build 
a cyber civilian workforce. Specifically, a streamlined and flexible 
hiring process would be beneficial to Army Cyber.
    Brigadier General Crall. I support the responses from my fellow 
witnesses, Lieutenant General Stewart and Lieutenant General Fogarty, 
on this specific question regarding personnel authorities for military 
and civilian personnel.