b"<html>\n<title></title>\n<body><pre>[House Hearing, 116 Congress]\n[From the U.S. Government Publishing Office]\n\n\n                                  \n                          [H.A.S.C. No. 116-7]\n\n                                HEARING\n\n                                   ON\n\n                   NATIONAL DEFENSE AUTHORIZATION ACT\n\n                          FOR FISCAL YEAR 2020\n\n                                  AND\n\n              OVERSIGHT OF PREVIOUSLY AUTHORIZED PROGRAMS\n\n                               BEFORE THE\n\n                      COMMITTEE ON ARMED SERVICES\n\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED SIXTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n  SUBCOMMITTEE ON INTELLIGENCE AND EMERGING THREATS AND CAPABILITIES \n                                HEARING\n\n                                   ON\n\n                         DEPARTMENT OF DEFENSE\n\n                        INFORMATION TECHNOLOGY,\n\n                           CYBERSECURITY, AND\n\n                         INFORMATION ASSURANCE\n\n                               __________\n\n                              HEARING HELD\n                           FEBRUARY 26, 2019\n\n                                     \n[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]\n\n\n                               __________\n                               \n\n                    U.S. GOVERNMENT PUBLISHING OFFICE                    \n36-233                       WASHINGTON : 2019                     \n          \n--------------------------------------------------------------------------------------\n\n                                     \n  \n\n\n   SUBCOMMITTEE ON INTELLIGENCE AND EMERGING THREATS AND CAPABILITIES\n\n               JAMES R. LANGEVIN, Rhode Island, Chairman\n\nRICK LARSEN, Washington              ELISE M. 
STEFANIK, New York\nJIM COOPER, Tennessee                SAM GRAVES, Missouri\nTULSI GABBARD, Hawaii                RALPH LEE ABRAHAM, Louisiana\nANTHONY G. BROWN, Maryland           K. MICHAEL CONAWAY, Texas\nRO KHANNA, California                AUSTIN SCOTT, Georgia\nWILLIAM R. KEATING, Massachusetts    SCOTT DesJARLAIS, Tennessee\nANDY KIM, New Jersey                 MIKE GALLAGHER, Wisconsin\nCHRISSY HOULAHAN, Pennsylvania       MICHAEL WALTZ, Florida\nJASON CROW, Colorado, Vice Chair     DON BACON, Nebraska\nELISSA SLOTKIN, Michigan             JIM BANKS, Indiana\nLORI TRAHAN, Massachusetts\n                Josh Stiefel, Professional Staff Member\n                Peter Villano, Professional Staff Member\n                         Caroline Kehrli, Clerk\n                            \n                            \n                            \n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\n\n              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS\n\nLangevin, Hon. James R., a Representative from Rhode Island, \n  Chairman, Subcommittee on Intelligence and Emerging Threats and \n  Capabilities...................................................     1\nScott, Hon. Austin, a Representative from Georgia, Subcommittee \n  on Intelligence and Emerging Threats and Capabilities..........     3\n\n                               WITNESSES\n\nCrall, BGen Dennis, USMC, Senior Military Advisor for Cyber \n  Policy and Deputy Principal Cyber Advisor, Office of the \n  Secretary of Defense...........................................     6\nDeasy, Dana, Chief Information Officer, Office of the Secretary \n  of Defense.....................................................     4\nHershman, Lisa, Acting Chief Management Officer, Office of the \n  Secretary of Defense...........................................     
3\n\n                                APPENDIX\n\nPrepared Statements:\n\n    Crall, BGen Dennis...........................................    60\n    Deasy, Dana..................................................    49\n    Hershman, Lisa...............................................    37\n    Langevin, Hon. James R.......................................    33\n    Stefanik, Hon. Elise M., a Representative from New York, \n      Ranking Member, Subcommittee on Intelligence and Emerging \n      Threats and Capabilities...................................    35\n\nDocuments Submitted for the Record:\n\n    [There were no Documents submitted.]\n\nWitness Responses to Questions Asked During the Hearing:\n\n    Mr. Langevin.................................................    67\n\nQuestions Submitted by Members Post Hearing:\n\n    Mr. Brown....................................................    74\n    Mr. Conaway..................................................    71\n    Mr. Kim......................................................    74\n    Ms. Stefanik.................................................    71\n                   \n                   \n                   DEPARTMENT OF DEFENSE INFORMATION\n          TECHNOLOGY, CYBERSECURITY, AND INFORMATION ASSURANCE\n\n                              ----------                              \n\n                  House of Representatives,\n                       Committee on Armed Services,\n     Subcommittee on Intelligence and Emerging Threats and \n                                              Capabilities,\n                        Washington, DC, Tuesday, February 26, 2019.\n    The subcommittee met, pursuant to call, at 2:05 p.m., in \nroom 2212, Rayburn House Office Building, Hon. James R. \nLangevin (chairman of the subcommittee) presiding.\n\n OPENING STATEMENT OF HON. JAMES R. 
LANGEVIN, A REPRESENTATIVE \n FROM RHODE ISLAND, CHAIRMAN, SUBCOMMITTEE ON INTELLIGENCE AND \n               EMERGING THREATS AND CAPABILITIES\n\n    Mr. Langevin. The subcommittee will come to order.\n    I want to take this opportunity, first of all, to welcome \nour witnesses here today. And we welcome today's hearing on the \nDepartment of Defense information technology, cybersecurity, \nand information assurance. This is the subcommittee's first \nhearing on the Department's current IT [information technology] \nstatus, its modernization efforts, and its strategic direction \nfor the foreseeable future.\n    Our witnesses today are Ms. Lisa Hershman, the Acting Chief \nManagement Officer; Mr. Dana Deasy, the Department's Chief \nInformation Officer; and Brigadier General Dennis Crall, the \nDeputy Principal Cyber Advisor.\n    The Defense Department's IT infrastructure is as important \nto the mission as the weapons platforms that our service \nmembers employ. We cannot expect the services to maintain \ncombat superiority if the technology that we rely on is \ndeficient, outdated, insecure, or inoperable. IT should never \nbe considered a back-office function as it may have been in \nprevious eras.\n    The challenge of managing the Department's IT is \nhighlighted best by the sheer number of topics that we will be \nhearing about today, including cybersecurity, business systems, \nartificial intelligence, data management, JEDI [Joint \nEnterprise Defense Infrastructure], and the Cyber Excepted \nService.\n    IT reform and modernization require appropriate stewardship \nby the Department's leaders, many of whom are seated here \ntoday. 
Over the past several years, Congress has endeavored to \nensure that the Department is structured in a way that gives \nsenior leaders the authorities that they need to carry out \ntheir responsibilities.\n    For example, Congress created and elevated the position of \nCMO [Chief Management Officer] and gave that individual the \nresponsibility for business systems. Additionally, Congress \nprovided new standard-setting and budget authorities to the CIO \n[Chief Information Officer] that took effect at the beginning \nof the calendar year. All of this was done with an \nunderstanding that the PCA [Principal Cyber Advisor] also has a \ncritical role to play with respect to cybersecurity of such \nsystems.\n    Given how dynamic the IT space is, it is reasonable for \nthis subcommittee to continually take stock of how the \nDepartment is implementing statutory changes and whether the \noutcomes match congressional intent. For this reason, I am \neager to hear from the witnesses how the new roles, \nresponsibilities, and authorities are being implemented and \nwhether any of the changes made in recent years ought to be \nmodified further. This includes discussion of the resources \ndedicated to the office of the PCA and coordination mechanisms.\n    In addition to organizational changes, the Department is \ntaking positive steps to embrace new technologies. Initiatives \nsuch as the Joint Artificial Intelligence Center and the Joint \nEnterprise Defense Infrastructure cloud initiative seek to \ncapitalize on emergent technologies with significant potential \nbenefits for the Department. 
This subcommittee is invested in \nthe success of these efforts, if managed correctly, and with an \nunderstanding of how these dollar investments at the OSD \n[Office of the Secretary of Defense] level coincide with \nefforts by the services and agencies, such as the other 300-\nplus cloud computing initiatives.\n    Success of the Department in the IT space is predicated not \nonly on the software and hardware that we buy and maintain, but \nequally on the workforce that we employ. The Pentagon cannot \nsucceed in this new era if we are not recruiting and retaining \nthe very best possible workforce. So I am pleased that the \nworkforce is consistently raised as a priority issue and \nflagged as one of the premier lines of effort in the DOD \n[Department of Defense] Cyber Strategy.\n    The competition for talent, of course, in this space we \nknow is fierce, which is one of the reasons Congress created \nthe Cyber Excepted Service [CES], a personnel system built \nspecifically to attract top-tier talent with competitive \nsalaries. The DOD CIO was designated as the Department's lead \nin crafting this new personnel system. To date, CES has only \nbeen implemented at U.S. Cyber Command Joint Forces \nHeadquarters, DOD Information Networks, and DOD CIO \nCybersecurity. Today provides us an opportunity to ensure the \nappropriate resources are dedicated to swift implementation \nacross the entire Department.\n    Finally, I remain concerned about cybersecurity across the \nDepartment. While we have made significant progress in securing \nthe DODIN [Department of Defense Information Network], \nparticularly as U.S. Cyber Command matures, the theft of DOD \ndata from contractors and the security of weapon systems \nthemselves are both challenges that we absolutely have to \naddress. 
Congress has taken steps in recent years to evaluate \nthe risk posed by our DIB [defense industrial base] supply \nchain, but I am going to be interested to hear more about how \nthe CIO's office is leveraging its position and expertise to \ntake more steps to mitigate this risk.\n    So, with that, I look forward to hearing from our witnesses \ntoday about how they are posturing the Department for success. \nAnd before we go to our witnesses, I would like to now turn it \nover to the ranking member--or the acting ranking member, Mr. \nScott, for any opening statements that the ranking member may \nhave.\n    [The prepared statement of Mr. Langevin can be found in the \nAppendix on page 33.]\n\nSTATEMENT OF HON. AUSTIN SCOTT, A REPRESENTATIVE FROM GEORGIA, \n     SUBCOMMITTEE ON INTELLIGENCE AND EMERGING THREATS AND \n                          CAPABILITIES\n\n    Mr. Scott. Thank you, Chairman Langevin, and welcome to our \nwitnesses here today. Ranking Member Stefanik is delayed due to \na markup proceeding that is taking place on the Education and \nLabor Committee. I would simply ask that her entire statement \nbe entered into the record, and yield back to the chairman so \nwe can hear from our witnesses prior to votes. Thank you.\n    [The prepared statement of Ms. Stefanik can be found in the \nAppendix on page 35.]\n    Mr. Langevin. I would like to turn it over to our \nwitnesses. Ms. Hershman, we will start with you. Thank you.\n\n STATEMENT OF LISA HERSHMAN, ACTING CHIEF MANAGEMENT OFFICER, \n               OFFICE OF THE SECRETARY OF DEFENSE\n\n    Ms. Hershman. Thank you, Chairman Langevin, Ranking Member \nStefanik, and other members of this subcommittee, for the \nopportunity to testify today on the Department's information \ntechnology, cybersecurity, and information assurance. I am Lisa \nHershman, the acting Chief Management Officer. 
Today, I would \nlike to outline my roles, responsibilities, and priorities, the \nDepartment's aggressive work to reform and modernize business \noperations, and the monumental changes in our management of \ndata throughout the enterprise.\n    As acting CMO, it is my responsibility to deliver optimized \nbusiness operations to assure the success of the National \nDefense Strategy. This is only made possible by the elevation \nof the CMO as the number three in the Department and the \nincreased authorities granted by the National Defense \nAuthorization Act [NDAA]. My goal as acting CMO aligns directly \nwith the intent of the NDAA, efficiency for lethality, which is \nexecuted by reforming the Department's business processes, \nsystems, and policies, to gain increased effectiveness, higher \nperformance, and reprioritized resources.\n    Integrity and consistency of every measure is a cornerstone \nof my approach. Working closely with the comptroller and \nmilitary departments, we define standards to reform in \nexecution--for reform--and have validated our efforts in the \nbudget. Because of this effort, the Department has realized a \ntotal of $4.7 billion in program savings in fiscal year 2017 \nand 2018. However, reforming the business operations of the \nDepartment must not only be focused on financial savings, but \nalso on creating a sustainable impact by establishing a culture \nof continuous improvement focused on results and \naccountability.\n    The Department's priorities of reform are based upon the \nfiscal year 2019 NDAA, the President's Management Agenda, the \nsenior leader Reform Management Group, and the first DOD-wide \nfinancial audit. 
While we execute reform in many areas, IT \ninfrastructure, business systems, and data management have some \nof the most significant opportunity for improvement.\n    Our current IT and business systems environment is \nextremely complex, with hundreds of business systems, thousands \nof data centers, hundreds of cloud efforts, and thousands of \napplications, in addition to 65 CIOs. It is extremely difficult \nfor us to deliver an effective, innovative, or secure IT \nenvironment. As the CIO for Defense Business Systems, working \nclosely with the PCA and the CIO, it is our collective \nresponsibility to reverse this environment.\n    We are executing business systems reform in three major \nareas: eliminating redundant systems, maximizing shared service \ndelivery, and streamlining business operations in areas like \nprocurement through category management. Through initiatives in \nthese areas, we have already made progress towards simplifying \nthe IT landscape, reducing operational costs, and enabling \nbusiness process integration.\n    As we execute reform, we remain ever mindful that the goal \nis delivery of secure, relevant, clean data to support business \ndecisions, while IT infrastructures and business systems act as \nvehicles by which the data travels.\n    I want to personally thank you for supporting the data \nneeds of the Department through the NDAA. This law provided CMO \nwith the framework to establish common enterprise data and data \nmanagement and analytics as a shared service. To ensure data \nmanagement had the full dedication it requires, I hired the \nDepartment's first chief data officer, Mr. Michael Conlin.\n    As outlined in my implementation plan for common enterprise \ndata, we will make decisions based on accurate, timely business \ndata as opposed to internal boundaries and past experiences. 
\nThis is a monumental shift in the way the Department conducts \nits business operations, and I am committed to ensuring the \npriority of data management in my role.\n    Thank you for the opportunity to outline my roles, \nresponsibilities, and priorities, and provide details of our \nwork in reforming the Department's IT, business systems, and \ndata management. I welcome your questions.\n    [The prepared statement of Ms. Hershman can be found in the \nAppendix on page 37.]\n    Mr. Langevin. Thank you, Ms. Hershman.\n    And now turn it over to Mr. Deasy.\n\n STATEMENT OF DANA DEASY, CHIEF INFORMATION OFFICER, OFFICE OF \n                    THE SECRETARY OF DEFENSE\n\n    Mr. Deasy. Good afternoon, Mr. Chairman, Ranking Member, \nand members of the subcommittee. Thank you for the opportunity \nto testify before the subcommittee today on the current efforts \nunderway pertaining to the Department's information technology \nand cybersecurity. I am Dana Deasy, the Department of Defense \nChief Information Officer. Today, I would like to highlight key \nareas of the Department's digital modernization, including \ncloud, AI [artificial intelligence], C3 [command, control and \ncommunications], and cyber, as well as a separate effort on IT \nreform.\n    Earlier this month, the Department submitted its cloud \nreport and strategy. As stated in that submission, DOD will \nremain a multicloud environment with both general purpose and \nfit-for-purpose clouds as part of our long-term strategy. As I \nhave discussed with some of you previously, JEDI is a \npathfinder, general purpose, enterprise-wide cloud. As part of \nour strategy, JEDI will enable DOD to learn how to implement an \nenterprise cloud solution, taking advantage of economies of \nscale and enhanced data-driven decision making.\n    The National Defense Strategy makes clear that the \ncharacter of warfare is changing. 
Competitors like Russia and \nChina are investing heavily in modernization in AI to refine \nthe future of warfare. DOD must do the same. The AI strategy \nemphasizes the need to increase speed and agility, which will \ndeliver AI-enabled capabilities, the importance of evolving our \npartnerships with industry and academia, and the Department's \ncommitment to lead military, ethics, and AI safety. The Joint \nArtificial Intelligence Center [JAIC] is the focal point for \ncarrying out the DOD AI strategy. JAIC will accelerate DOD's \ndelivery and adoption of AI to achieve our global mission.\n    The emergence of digital technologies has introduced new \nchallenges to the traditional C3 landscape. In order to take \nadvantage of the new digital capabilities and to protect our \nwarfighter from corresponding weaknesses, we must modify and \nmodernize our C3 systems. In order to facilitate economic \ngrowth while accounting for national security, DOD CIO, working \nwith OUSD(R&E) [Office of the Under Secretary of Defense, \nResearch and Engineering] and Federal partners, will play a key \nrole in the Department's effort in the implementation of 5G.\n    Turning to cyber, DOD released its 2018 Cyber Strategy this \npast September. The Cyber Strategy articulates how DOD \nimplements the National Defense Strategy in cyberspace. DOD's \nCIO, working closely with DISA [Defense Information Systems \nAgency] and PCA, implements the DOD Cyber Strategy, in close \ncoordination with the military departments and component CIOs. \nDOD CIO and PCA co-lead weekly meetings focused on cyber issues \nwith the Deputy Secretary of Defense, military departments, and \nOSD [Office of the Secretary of Defense] principals present.\n    The Department has created the Cyber Top Ten, which helps us \nto prioritize where and how we apply resources and innovation \nto execute our Cyber Strategy. 
The Cyber Top Ten focuses on \nremediation strategies for a complex cyber landscape, with \ncomponents ranging from information networks to our cyber \nworkforce and supply chain risk management, and beyond.\n    DOD CIO works closely with the Protecting Critical \nTechnology Task Force to identify technical solutions to \nenhance protection of the defense industrial base. For the \nfirst time, DOD CIO is reviewing and certifying all IT budgets, \nwhich includes cyber, across the Department.\n    DOD CIO now has the authority to set and enforce IT \nstandards across the Department. The Department's cyber \nworkforce is critical to our mission success. Authorities \nprovided by Congress, such as the Cyber Excepted Service, have \nallowed the Department to adjust existing personnel policies \nand to implement new policies that account for this dynamic \nneed in an increasingly important mission area. DOD CIO is \nworking closely with the CMO to modernize business systems and \nto eliminate legacy networks, infrastructure, and applications.\n    In closing, I want to emphasize the importance of our \npartnership with Congress in all areas, but with particular \nfocus on digital modernization and IT reform. I look forward to \ncontinuing to work with Congress in these critical areas. Thank \nyou for the opportunity to testify this afternoon, and I do \nlook forward to your questions.\n    [The prepared statement of Mr. Deasy can be found in the \nAppendix on page 49.]\n    Mr. Langevin. Thank you, Director.\n    And, General, the floor is now yours.\n\n STATEMENT OF BGEN DENNIS CRALL, USMC, SENIOR MILITARY ADVISOR \nFOR CYBER POLICY AND DEPUTY PRINCIPAL CYBER ADVISOR, OFFICE OF \n                    THE SECRETARY OF DEFENSE\n\n    General Crall. Thank you, Chairman, Ranking Chairman, and \nmembers. 
I appreciate the opportunity to come here and talk to \nyou a bit and answer your questions from an implementation or \noutcome side of this equation here in front of you.\n    So I am honored to lead the Office of the Principal Cyber \nAdvisor's cross-functional team. This was put in motion in NDAA \nlanguage back in 2014, section 932. And while that predates by \na few years language in the 2017 NDAA, section 911, which gets \nafter cross-functional teams writ large and encourages that in \nthe Department, I think it meets the vision, or at least I hope \nit does, that Congress was looking at in a cross-functional \nteam.\n    And I am going to say this with some measured enthusiasm, \nbecause while I am excited about what I would consider to be \nour launch point and where we are right now, there is a lot of \nreally heavy lifting ahead. And the measure of our \neffectiveness is really yet to be proven, but I am optimistic \nthat we are going to get to where we need to be. So it is a \nreally good start for the team and getting after the strategy \nthat was just mentioned.\n    So to the point, the cross-functional team is focused on \noutcomes. It doesn't do us a lot of good to have a Cyber \nStrategy or a Posture Review that shows gaps and not really \nhave a means to close those gaps and show outcomes and \nimprovement. That is what I am focused on 24/7, is the team \nlooking at getting the outcomes and implementing the strategy \nand learning from that as we go through our process.\n    We are also taking a hard look at our measures of \neffectiveness. I have made comments before that I used to think \nthat one of the hardest things to do in this line is to start \nnew work. I have learned that it is to stop work that is \ncurrently in progress. So to make good decisions where maybe \nthings have gone past their point of good investments, and the \nDepartment needs to be more flexible to turn to those things \nwhich really pay bigger dividends. 
We are looking at all of \nthose.\n    So, really, what is the recipe? Just very quickly, what \nmakes, I think, our efforts unique this go-around than maybe \nwhat you have seen in the past. There are only a few \ningredients, the first of which I would say is we have got \nreally good team members. We are allowed to pick them, and they \ncome from a good cross-section across the Department. And \nbecause we are looked at normally as not having a bias, because \nwe have so much diversity in background, that we are normally a \ntrusted entity that can defuse some of these problems and move \nthe Department forward.\n    We have got a solid strategy, as Mr. Deasy mentioned. \nStrategies are only good if the lines of effort within them are \nactionable, that you can do them. Not just, you know, \nproclamations or really good statements you can pin to a wall \nor aspire to, but things you can actually measure your progress \nagainst. We have got a good strategy.\n    We also have a very good Posture Review. The gaps that are \nincluded in there are very honest and allow us to put \nresources against those gaps and really provide substance to \nthe way that we are working and moving forward.\n    We also bring together all the stakeholders. We are at this \ntable for a reason. Work very closely with the DOD CIO, the \nCMO, with CAPE [Cost Assessment and Program Evaluation], the \nJoint Staff, services. These aren't just tangential things or \npassing in the hallways but integrated into our planning \nefforts and daily battle rhythms. So we work just not with each \nother but closely with each other, which I think is important.\n    We also have great leadership within DOD. 
We have got an \nActing Secretary of Defense who has been laser focused on this \nin his previous role and current role and who is performing the \nduties of the Assistant Secretary of Defense now that are \nreally focused on a battle rhythm where we are in front of them \nat least in a formal meeting every other week, going through \nwhat our scorecards, our outcomes, challenges and successes \nare. So we have very close interest within the Department.\n    And lastly, I would say, and certainly not least, is the \ninterest here in this body. Congress has done us well to \nestablish the cross-functional team and put us on a good glide \nslope to achieve results. So I thank you for the language that \nwe have in the NDAA, and also your staffers who are sitting in \nthe back. I assure you this: They know what I do as well as I \nknow what I do, because they have been in my office spaces, \nthey have read through our work, they have seen our product and \nhow we are moving forward, and they have been extremely helpful \nat keeping us on path.\n    So, with that, I thank you for the opportunity, and look \nforward to taking your questions.\n    [The prepared statement of General Crall can be found in \nthe Appendix on page 60.]\n    Mr. Langevin. Very good. Thank you, General.\n    And I thank our witnesses for your testimony. We will now \ngo to questions. We are expecting votes around 2:30, so we are \ngoing to get through as many as we can and then we will recess \nand then we will be coming back.\n    As is the case with the full committee, the chair and \nranking member are not on the clock, but it is up to us to keep \nourselves in check. After that, we will recognize members \naccording to seniority, according to who was here first at \ngavel.\n    So, with that, let me start on the Cyber Excepted Service. \nSo obviously, we touched on this topic. I am glad you all have \nmentioned it. 
Congress created the Cyber Excepted Service for \nthe Department of Defense to be able to hire a skilled and \ntalented cyber workforce. I understand, though, that less than \nfive individuals from your office are dedicated to \nimplementation of this authority, which is significantly \ndelaying utilization of new hiring authorities across the \nDepartment. So as I noted in my opening statement, the \nworkforce is the pinnacle of IT reform, modernization, and \nassurance.\n    So, Mr. Deasy, I am going to go to you first. Can you \nplease describe the resources your office has dedicated to \nimplementation of CES and why not more dedicated--why we have \nmore dedicated implementation authority that might be needed?\n    Mr. Deasy. So first off, so as General Crall pointed out, \nthis is a very important tool set you gave us. I will tell you \nthat as I dug into this, this isn't a case of the volume of \npeople we need inside of my respective organization or working \non General Crall's cross-functional team. This is about \ncompetencies that need to exist in them. This is a new way of \ndoing business.\n    And, more importantly, the P&R [Personnel and Readiness] \norganization and the respective mil [military] services need to \ntrain up, I think, at a faster rate the people that they need \nto bring on board to actually accelerate Cyber Excepted \nService. If you look at where we are today, as you pointed out \nin your opening remarks, U.S. Cyber Command, DISA, DOD CIO \noffice is well on its way. Where we need to up the game and up \nthe speed is inside the respective mil services.\n    Now, General Crall here is living this on the front line \neach and every day, in terms of how we are tackling this, so I \nrespectfully would see if he would want to add any comments to \nthis.\n    General Crall. 
Thank you, sir.\n    I would add, sir, really to the point of your question, in \nour implementation experience thus far, we have identified \ninside the building, and I have a request that we are putting \ntogether now that will be making its rounds to Mr. Deasy here \nshortly, that asks for some more resourcing inside the building \nto get after unfolding this a bit faster. So that is one area, \njust to be blunt. We could do a little bit better inside the \nbuilding to get after it, and I am articulating what those \nspecific needs are. So that is forthcoming.\n    The second piece that we are looking at is for all the talk \nin implementation, one area that the Department is focused on \nthat, again, we have got to pick up the pace a bit is in how we \ndo security clearances. The onboarding process can be very \nfrustrating. So while we might have four of the five elements \nof the recipe right in bringing people on, if we can't bring \nthem on quickly because they are held up in the security \nclearance process, it is a potential that they lose some \ninterest and we don't garner the result we are looking for. So \nthere is an effort underway right now to get after both of \nthose critical areas.\n    Mr. Langevin. I am concerned about the slowdown with the \nsecurity clearance process as well. And I know we are looking \nat alternatives, including using technology as perhaps a pilot \nproject to see how the two would compare, using algorithms and \ndata analytics to speed that process along more quickly. But I \nshare your concern about the clearance process.\n    And I will be interested, General, to hear more about the \nresources that are requested to more fully implement the work \nthat you are doing.\n    Ms. Hershman, has your office been able to utilize CES, and \nwhat is your perspective?\n    Ms. Hershman. We have not to this point, so we don't have \nthat perspective yet.\n    Mr. Langevin. Why is that?\n    Ms. Hershman. 
We are just actually about 6 weeks into \nmanaging the business systems piece.\n    Mr. Langevin. Okay. Well, we are going to want to follow up \nwith you on that and to see the degree you will be able to \nutilize CES.\n    To all of our witnesses, I mentioned in my opening \nstatement, Congress has enacted major statutory changes \nregarding the position of CIO, CMO, and PCA over the years. How \nare such changes being implemented, and what challenges or \noverlap have been identified?\n    Ms. Hershman. So Dana and I have from the very beginning \nworked very closely, primarily from the reform standpoint, but \nwe have been able to come to an agreement on how the roles and \nresponsibilities are bifurcated. In general, we as CMO manage \nall the business systems and the data pieces of the Department. \nThe CIO manages the network.\n    If we use a little bit of a visual to describe this, if you \npicture walking into this room, you have lights, you have the \nmicrophones, you have the monitors that are working. CMO would \nown everything that you would see, the lights down to the plug, \nand then the CIO would manage from the outlet to all the wiring \nthat is behind. We also have the data, non-weapon system data, \nbut all the business data that feeds in and shares both of the \norganizations.\n    So Dana and I have worked closely together. He has been \npart of my Reform Management Group. We also meet regularly in \none-on-ones to make sure that the roles, responsibilities, and \nso forth are clear. And to date, we are handling any \nexceptions. Not everything is always black and white. One of \nthe, I shouldn't say issues, but topics that came up at an \nearly point was, I think it was Microsoft Office, and we were \nwondering is that considered more of an application or is that \nmore of a business tool.\n    So Dana and I work closely with our teams to manage by \nexception. We sit on each other's cross-functional teams. 
I am \nalso a member of the CIO Cyber cross-functional team. They are \nmembers of our Defense Business Council, which reviews software \napplications and so forth and certifies them in terms of dollar \nand value. We also--I am trying to think on some of the other \nteams. My chief data officer meets regularly with his team. So \nwe have formed a good partnership and, to date, haven't had any \nreal issues.\n    One last thing that I will add that we have done with \nregard to reform, and it is something new that we have done \nwith the fiscal year 2019 new year, is that it used to be that \nCMO was seen as the only one who owned reform. And this year, \nbecause many of my colleagues are responsible for \nimplementation, we work closely with colleagues and partners \nlike Dana where we share in the metrics and the outcomes of our \nreform efforts.\n    So, Dana, I would invite you to add.\n    Mr. Deasy. So specifically what I will talk about is the \nnew authorities that kicked in as of January 1st this year, two \ntypes of authorities. One was I am now in a position to \nactually review the entire Department of Defense IT budget, \nwhich is at $40-plus billion. So we came up with a process this \nyear to actually go through and look at the highest priorities, \nwhich you will hear us talk about today, and to identify where \nthere are gaps or where there is full alignment around the \nexecution towards that digital modernization strategy. I \nactually issued to the Secretary back at the end of January the \nfirst ever certified budget for the Department of Defense.\n    Second, the other part of that speaks to standards and \nframeworks. And we now have the authority to identify standards \nand frameworks. So far, I will actually say that I think that \nwill probably be used by exception. 
If I have the right working \nrelationships and we have the right alignment, my ability to \nhave to use that right to actually overrule will hopefully not \nbe the norm but will be the exception. To date, I have not had \nto actually execute that authority, as we have strong alignment \non the digital modernization program activity. But at a point \nwhere we do need to do that, I will be sure to use that \nauthority.\n    Mr. Langevin. So the CMO mentioned governing by exception. \nHow are we institutionalizing the CMO and CIO roles, \nrespectively?\n    Mr. Deasy. I will start by saying that what we did was, as \nMs. Hershman pointed out, there are growing pains any time you \ntake activity and you split it across organizations. There is \nfriction that occurs. So we thought the right way to do this was \nto have our respective organizations sit down and literally map \nout what are all of the areas where you can step on and have \ncross activity.\n    We had a working team that went through that, and then at \nthe end, she and I respectively signed a memo that describes \nthe activity set that is going to be done by my office and the \nactivity set that will be done by her office.\n    Mr. Langevin. Is that something that you can share with us? \nWould that be appropriate?\n    Ms. Hershman. Yes. Actually, we have that going through \nfinal signature and review now.\n    Mr. Langevin. Okay. The thing is, we are really interested \nin to make sure that this all works well together, and that we \nwant to get our heads around whether this is, you know, not \njust personality-driven, but it is process-driven, that we have \nthis more institutionalized, if you will. So that the next \n
So that the next \npeople that will be occupying your roles, again, it is not \npersonality-driven, but it is actually institutionalized going \nforward, and we take best practice or we take the best out of \nthe work that you are doing and make sure that there is \ncontinuity.\n    So I am going to have additional questions, and it looks \nlike we are going to votes right now, but I will turn to the \nranking member for questions, and hopefully we can get through \nher questions and then we will recess after that.\n    Ms. Stefanik. Thank you, Chairman Langevin.\n    I wanted to build upon your question, and also expand on \nyour opening testimony, Ms. Hershman. You very clearly outlined \nthe disparate, fractured, and duplicative nature of our current \nIT and business systems environment. We have more than 1,800 \nbusiness systems across the portfolio, thousands of data \ncenters, hundreds of cloud efforts, some 65 CIOs, and a total \nbudget of almost $42 billion per fiscal year.\n    With all of these complications in terms of the \nDepartment's overall strategy to reform this area, what does \nthis need to look like 5 years from now? And equally as \nimportant, how do you intend to get there?\n    Ms. Hershman. What it is to look like 5 years from now is \nactually very difficult to project, only because of the \nchanging nature of both technology and how we do business. What \nwe all can agree on is that this needs to be less complicated \nso it is easier to manage, not only from a--you know, from \nusing the systems within the organization, but also to ensure \nthat data that flows through these multiple systems is also \nproperly protected.\n    So one of the things that we have done is certainly align \nthese initiatives with how it supports our National Defense \nStrategy. We also, from a reform perspective, are looking at \nwhat will create the biggest impact, create the greatest value, \nand what is the timing? 
In fact, some of these initiatives, we \nare taking a very different approach, in that we are not \nnecessarily waiting all the way to the end of the project to \nproduce results. We are actually taking iterative, prototype, \nminimum viable product type approaches to start deliver and \ntest as we continue to go through the program or the project.\n    So we also have used--I was a--the CMO was a cosponsor for \nthe comptroller's audit. We are using audit findings to also \nhelp inform reform. So those are just some examples of how we \nare collectively looking at what is most important, where are \nour biggest risks, what are our biggest vulnerabilities, and \nhow can we mitigate or solve those problems, and are ordering \nor reordering our initiatives accordingly.\n    Ms. Stefanik. Let me ask you about the efficiencies and \ncost savings that you talked about. Do you expect the cost of a \nmodernized and efficient IT and cyber budget to remain at \napproximately $42 billion per year?\n    Ms. Hershman. It is difficult to answer that question on \nthe expectations for the budget, only because we are working \nwith what we know now, and there are always new opportunities \nor new issues that could pop up. So I can't really speak to the \nbudget and cost.\n    Ms. Stefanik. Okay. And my final follow-up. Mr. Deasy, do \nyou have anything to add? I would like to get your perspective \non what this needs to look like 5 years from now. How do we get \nthere? And the budget question, in terms of do we anticipate \nthis costing $42 billion per year?\n    Mr. Deasy. Yeah. I would say that if we look at the \nemergent technologies, such as cloud, AI, modernization of C3, \nand what we are going to have to do to secure the Department of \nDefense, I think the question really is one of are we getting \nthe most out of every dollar, not if $42 billion is right. 
It \nmay be in the future that the Department of Defense budget, \nfrom an IT standpoint, actually needs to go up for what it \nneeds to do for the business. To me, the real question is, are \nwe getting the most out of every dollar? So that I would say is \nkind of part one to your question.\n    Two, what does the world look like in the future? I \nenvision it a world where every new application will be cloud \nfirst. When we are going to look at consolidation of business \nsystems, we will take the opportunity as we migrate on the \ncloud to do standardization and consolidation of business \nsystems. We will use that opportunity to start using data \nmanagement in a much more joined-up common way. And we will use \nthings like AI robotics to actually help us deliver a much more \nefficient--back to my first question of how do you deliver a \nmuch more efficient budget.\n    Ms. Stefanik. Thank you. I yield back.\n    Mr. Langevin. Okay. So votes have been called. We will \nrecess until about 5 minutes or so after votes.\n    So, with that, the subcommittee stands in recess.\n    [Recess.]\n    Mr. Langevin. The committee will come to order.\n    Again, I want to thank our witnesses for testifying here \ntoday. Sorry for the delay getting restarted, but we are going \nto go now.\n    The gentlelady from Pennsylvania, Ms. Houlahan, is \nrecognized for 5 minutes.\n    Ms. Houlahan. Thank you, Mr. Chairman.\n    Thank you so much to all of you for coming. I have a few \nquestions for you. The first one is to Ms. Hershman. I was \nwondering a little bit about the capabilities of our domestic \nmanufacturing. Twenty percent of our memory chips are only made \nin this country and the rest come from international sources. 
\nAnd I was wondering if you had any concerns that we need an \norganic source, a domestic source of these kinds of manufacture \nof these kinds of chips, to make sure that we are secure with \nthe work that you do and also for business in general.\n    Ms. Hershman. I would say, in general, we share your \nconcerns. However, my role does not deal with that directly, so \nI will defer to Mr. Deasy or Mr. Crall.\n    Ms. Houlahan. Thank you.\n    Mr. Deasy. So do I believe that we need a domestic supply \nchain for key chip? Absolutely. All you have to do is look at \nthings like 5G. And the need to have an industrial base in the \nU.S. where we can get secure technologies such as what you are \nreferring to is something I think we need to focus more on, \nyes.\n    General Crall. Ma'am, I wouldn't add any more to that.\n    Ms. Houlahan. So the following question is, what sort of \nlegislative help can we as a Congress provide to you so that we \ncan enable that to happen?\n    Mr. Deasy. I would tell you, I am not sure I am the right \nexpert, being the CIO, to tell you what the policy requirements \nand how best that we legislate that. I would be happy to get \nthe people engaged inside the Pentagon that would be best able \nto address that particular question.\n    Ms. Houlahan. Thank you. My next question has to do with \nsmall businesses. In addition to being a veteran, I am also an \nentrepreneur. And we know that small businesses play a really \ncritical part in our defense industrial complex, and they are \nobviously mostly supply chain-related in most cases. 
And they \nare largely fairly inadequately prepared to deal with issues of \ncybersecurity as they are growing or starting up.\n    And so my question is, how is the Department working with \nentities like small businesses and up and down the supply chain \nto make sure that cybersecurity practices and IT systems are \nprotected from the threats that we know exist and that larger \ncompanies are capable of handling?\n    Mr. Deasy. So I share this concern. When we start talking \nabout small businesses at what I will call tier two, tier three \ndown in the supply chain, they don't have the wherewithal, the \nfinancial wherewithal, nor the knowledge domain expertise \nwherewithal at the sophistication levels of tier one.\n    A couple things that we are looking at in this space is, \none is how do we use the NIST [National Institute of Standards \nand Technology] Framework and how do we take that framework to \nhelp educate the tier two and tier three in a way that is more \neffective for them to use. Two is, I am a firm believer in that \nwe need to develop an independent standard, kind of like what \nwe have for CMMI [Capability Maturity Model Integration] for \ndevelopment or ISO [International Organization for \nStandardization] 9000 for quality. I think this needs to be \ndeveloped. I think if we could get this developed in this \ncountry, this would actually help better educate and focus \nsmall business on the talent they would then need to hire.\n    I think the last thing is we are looking at how do we use \ntechnology that we are starting to put in place maybe at cloud \ntechnology that would allow us, instead of passing data to them \nand then them having to secure it, how could we keep the data \non our own premises and they could connect into it. So that is \nanother thing that we are evaluating.\n    Ms. Houlahan. Excellent. 
Thank you very much.\n    And the last question I have is that my understanding from \nour briefings here and then also at the NSA [National Security \nAgency] is one of the biggest vulnerabilities for all of us \nemployees, regardless of where we work, is spear-phishing \nattacks. And I am wondering what you have done to make sure \nthat you are holding people accountable, if you are holding \npeople accountable, for these kind of mistakes; and are there \nany practices that we can adopt from the accountability for \nindividuals--are there best practices that we can adopt from \naccountability from individuals that you have found effective?\n    Mr. Deasy. Yeah, I will be happy to take that. So coming \nfrom private industry, one of the stats that we know exists out \nthere is if you look at all the vulnerabilities that get \ncreated, both inside government as well as private industry, it \nis human error still tends to be the number one cause of the \nvulnerabilities. And at the top of that list is spear phishing \nor just general phishing.\n    To that end, I think best practices that I have seen in \nprivate industry have been around training programs where you \nactually create test-phishing campaigns. You use those. You \nactually then phish a set of employee base that you want to \nstart with. And it is real time, because what comes back to \nthem is the fact that they have just been phished. They get \neducated in real time on what they are seeing in that email \nthat would have shown them the attributes of what a phishing \nlooks like. And then you follow through with a round two, and \nyou reach a point where if someone continues to fail, then you \ntake other actions, which would include increased training.\n    Ms. Houlahan. Wonderful. Thank you.\n    I yield back. Thank you.\n    Mr. Langevin. I thank the gentlelady.\n    Mr. Scott is now recognized for 5 minutes.\n    Mr. Scott. Thank you, Mr. 
Chairman.\n    And I appreciate the Department's total force perspective \nand using all facets of civilian and military forces to get \nahead of our adversaries. We have granted new hiring \nauthorities for Cyber Excepted Services, direct hire authority, \nand pay adjustments in salaries.\n    How far are we along with the implementation of this? And \nare there other barriers that are holding you back from \nrecruiting and training the right people? If so, how do we \nintend to overcome these barriers? How are you working with \nuniversities, ROTC [Reserve Officers' Training Corps] programs \nto create a conduit of new talent for this career field? And \nwhat additional resources do you need from Congress in the way \nof either language in the National Defense Authorization Act or \nother forms of legislation to assist you in this field?\n    General Crall. Sir, I would be glad to take that question. \nAnd I appreciate the scope that you just framed that, because \nthose are really kind of a mixed bag for us on areas that I \nwould say--and I will cover them--that I think we are doing \nbetter in some and not so well in others.\n    So I would like to take a look at really our target \naudience. The Department--and I have testified on this before, \nthat the Department has to do a better job, and we are looking \nat ways to ensure we understand the market properly. In many \ncases, we think we know where we should be recruiting, and we \nmay not be recruiting to the level that we should.\n    So understanding the type of applicant that we are \nsearching for and the needs of those applicants, we need to \nbolster our understanding a little bit better. So we are \nlooking at a way to kind of package that.\n    I think your comments are spot on on internships, for \nexample. We do too few of them. Academia has proven their \nwillingness to work with us, and as a department, we have just \ngot to really take advantage of those where it makes sense. 
We \nhave several of these near our bases that would be attractants \nto these things, and we are still underutilized.\n    I think on the ROTC front, we are doing a little bit \nbetter. And I realize that may not be a detailed or satisfying \nenough answer, but we are addressing that. And I talk to the \nservices about how they run their programs, and it is clearly \nan area of interest in the college environment.\n    But the last piece I would say is our biggest challenge, \nand we have covered this a little bit earlier today and I would \njust reemphasize it. Rolling this out at a level that is \nsufficient I think is a fair criticism where the Department has \nto do better. So the phase one of the Cyber Excepted Service \nwas modest by design of under about 500 billets that we put \nout, to make sure that we knew what we were doing. Were we \ntrained properly? Could we track those individuals properly?\n    And you are right, Congress has given us a lot of \nenhancements, from pay to direct hire, et cetera. This next \nphase, which we are in right now, is going to bring that \nexponentially higher in number. And the resources in the \nbuilding are lacking for us to both internally and then at the \nservice level to make sure we can handle that workload, and we \nare addressing it.\n    Mr. Scott. And when you say resources, do you mean money? \nDo you mean physical resources?\n    General Crall. People, sir.\n    Mr. Scott. People.\n    General Crall. Which could be viewed as money.\n    Mr. Scott. Sure. Yes.\n    General Crall. But looking at people, to dedicate the right \nnumber and the mix to get after this at scale. And that scale \nhas to change for us to meet pace.\n    Mr. Scott. Okay. Anybody else like to comment on that?\n    Mr. Deasy. 
So having spent most of my career in private \nindustry, I would say that one of the problems is a whole-of-\ngovernment issue we have to address, and that is most cyber \npeople never come across government in their career. They just \ndon't touch it. They don't intersect with government. What does \nthat mean? That means when they are thinking about progressing \ntheir career and taking that next step, they don't stop to have \na conversation with themselves saying, well, what about an \nopportunity of doing a career inside of government?\n    And I think that is one of the things that we in the DOD \nneed to step up and address, but I think others are going to \nneed to address as well is, how do we create exposure that even \nlets the average person in private industry even know what the \nopportunities could look like for them in government? Because \nonce we do bring these people in and we expose them to the \nmission, they get pretty excited about it, but it is how do we \ncreate a better avenue of awareness I think is part of what we \nhave to address.\n    Mr. Scott. I have only got about 30 seconds left, but you \nbrought something up on the periphery of it has been on my \nmind. This issue where several employees of a company that we \ncontract with did not want to push forward with the contract \nbecause it was a DOD contract.\n    I am very concerned about how few companies there are out \nthere that are actually good in these fields that we are \ntalking about. And when you have a small group of select \nemployees, their ability to create problems with that contract \nand their perception of DOD I think is very wrong. I mean, it \nwas the Department of Defense that went to Africa when we had \nthe outbreaks of potentially contagious diseases. 
I mean, we \nare in the business of helping people.\n    And I do hope that--I know you are paying attention to it \nand interested in further conversations about the private \nsector and the challenges there with select groups who do not \nwant to work with us. But thank you for your time.\n    Mr. Langevin. Thank you, Mr. Scott.\n    Before I go to Mrs. Trahan, General, if I could just follow \nup with you on Mr. Scott's question. You answered and you \ntalked about resources you need, and you said people. Can you \nhelp the committee understand the amount of people we are \ntalking about in numbers? Is it 10? Is it 50? Is it 100? \nBallpark it for us. Not to hold you to that, but we are trying \nto get our arms around this as well, and your perspective would \nbe helpful.\n    General Crall. Yes, sir. So my evidence behind my number I \nam just going to admit is a bit sketchy. But to do service to \nyour question, the Department had looked at having between five \nor six people full time to do the initial planning and rollout, \nwhich, again, was kind of modest.\n    So my ballpark estimation would be at least that number of \n5 or 6 and likely something closer to the order of 10 \ninternally if we are dealing with thousands that need to be, \nyou know, brought in and the training that is required, because \nthey have to travel to some of these places to make sure that \ntraining takes place and it is understood well. So that would \nbe my ballpark estimate, sir.\n    Mr. Langevin. That doesn't seem like a significant increase \nover what--so that seems to be eminently doable. You are \ntalking about an additional number of people that are needed?\n    General Crall. It does seem that way, yes, sir.\n    Mr. Langevin. So which office needs to provide those \nresources?\n    General Crall. Sir, I think that would come across several \noffices potentially to do that. 
And I am not an expert, but I \nthink the requirement for that that I am piecing together, I am \ntrying to answer that question now to submit to Mr. Deasy. So \nto be fair, he hasn't received my request, but I think that \nwill rest with him eventually, and we will have to look within \nthe Department as to where the resources come to get those \nhirees.\n    Mr. Langevin. Okay. I appreciate it. Your candor is very \nhelpful and it helps us to understand the scope of the \nchallenge and what we need to do to get this right.\n    With that, let me recognize Mrs. Trahan from Massachusetts \nfor 5 minutes.\n    Mrs. Trahan. Thank you, Mr. Chairman. Thank you.\n    You mentioned the opportunity in government and how some \nfolks in the private sector don't even entertain that \npossibility. Given the recent shutdown, what is the value \nproposition? What is the--how are we going to attract and \nretain the best and the brightest from everything from MIT \n[Massachusetts Institute of Technology] to competitive \ncommunity colleges to help us tackle this problem?\n    Mr. Deasy. So it is clearly the mission. And let me bring \nit to life through an example. We run a yearly competition \nwhere universities compete on a cyber challenge, and then we \nbring the winning university in for a day into the Department \nof Defense. And in that, they get a chance to meet with my \noffice. They get a chance to meet with several of the \nprincipals, the COCOMs [unified combatant commands], the \nmilitary side. 
And by the end of this day, every single one of \nthem says the same thing: I had no idea just how amazing it \ncould be to do this sort of work if I had not had the \nopportunity to come in and spend a day and just get exposed and \ntalk to people and hear firsthand from the people out in the \nfield why cyber matters.\n    So I cannot stress the importance enough for a lot of young \npeople if they never get exposure, they never talk to someone \nin uniform, they are just not going to put in the forefront of \ntheir mind coming and working for the DOD.\n    Mrs. Trahan. That is helpful. And are these employees that \nwe are attracting, do they have that label essential/\nnonessential associated with them? How would they be affected \nby a potential shutdown, for example?\n    Mr. Deasy. I am not sure I could--I would have to look into \nthe specific nature of how they are classified and come back \nand answer that.\n    Mrs. Trahan. That is great. I am interested in knowing what \nthe consequences are when we shut down the government, how that \nis actually going to affect our cybersecurity strategy.\n    But I will shift gears. The success of our--I believe I \njust read something where you were quoted, Mr. Deasy, that the \nsuccess of our AI initiatives relies on robust relationships \nwith industry, with our allies, certainly with academia, to \nmeet the needs of speed and agility specifically. What role do \nour allies play in that?\n    Mr. Deasy. So interesting enough, I just had a conversation \nwith our Five Eyes CIOs just yesterday on this very topic. I \nwould say, right now, we are clearly in the leadership role. \nAnd I think the biggest role that we are going to play is help \nto educate them and help them to understand what it took for us \nas a Department of Defense to establish a Joint Artificial \n[Intelligence] Center capability, as they are all looking to \nestablish a like capability. 
So I think our role will be one of \nleadership and how we went about doing this.\n    Mrs. Trahan. Great. Thank you.\n    I yield back.\n    Mr. Langevin. Thank you, Mrs. Trahan.\n    I recognize Mr. Waltz now for 5 minutes.\n    Mr. Waltz. Thank you, Mr. Chairman.\n    I just wanted to thank you all for coming, by the way. And, \nGeneral, I wanted to pick up, or, Mr. Deasy, on your comment \nabout human capital and the challenges that you are having with \nhuman capital. What role do you see the Guard and Reserve \nplaying in there?\n    It seems to me if there is any entity that flows back and \nforth between civilian and uniformed or even government \nservice, it would be the Guard and the Reserve that can kind \nof, one, stay current on the civilian side as technology paces \nso quickly, but then flow back in as they come in and off of \norders. Where do they fit in the broader strategy?\n    General Crall. Sir, you know, the question is timely. We \njust had a chance to take the team down to Augusta, Georgia, \nand talk to a lot of the units that are down there that are \npracticing this. And the Guard and Reserve is really a staple \nof the conversation, not an add-on. So a lot of the Guard and \nReserve units are extremely active, very competent, cutting-\nedge technology trained, and a very integral part of what we \ndo.\n    So I can't comment onto the adequacy, you know, if we are \ndoing enough or not enough, but I know that many of those Guard \nunits have quite a bit of operational time under their belt as \nwell. So very proficient, very impressive. And we use them \nregularly, not just in their activated time periods, but in \ntheir civilian period as well.\n    And I would admit, I don't believe that is limited just to \ncyber. I think that is pretty common. 
In my, you know, noncyber \nexperience in the Marine Corps, we have been augmented in \nalmost every MOS [military occupational specialty] that I can \nthink of by Guard units and Reserve units who have performed \nbrilliantly.\n    Mr. Waltz. Fair enough. But I would think that it would be \nquite unique to cyber, right, or at least the technology field, \nright? So you could have where that civilian skill set then is \nso--I can't think of anywhere else that on the civilian side is \noutpacing the military from a technological standpoint.\n    General Crall. Well, maybe, sir, because here is an area \nwhere it depends on what kind of mission we are talking about. \nSo if we are talking about defensive missions and those \nindividuals have experience doing kind of our protection type \nof work possibly. On the offensive side, I would argue that I \nthink within the military, that capability, it is really the \nonly legal place you could do some of that work. And that \nallure is there. So it would depend on the skill set.\n    Mr. Waltz. Fair enough. Switching gears to JEDI, and \napologies if you have already answered some questions along \nthese lines, but just talk to me about how critical JEDI is. \nHow critical is the success of JEDI and other DOD enterprise \ncloud initiatives in supporting future AI?\n    And along those lines, then what are the--I am assuming you \nare going to say it is critical and you are going to tell me \nhow critical. But then what are the drivers or delays to \nimplementations, and what are we losing as implementation is \ndelayed?\n    Mr. Deasy. So not specific to JEDI, but just what are the \ncritical benefits. So what is the problem set we are trying to \nsolve for inside the Department of Defense? 
Number one is if \nyou look at what it takes today to stand up compute capability \nfrom the time that a service or a COCOM sees a need to the time \nthat you bring the assets inside the Department, test them, \nstand them up, make them operational, that is a multi-month \nperiod.\n    Benefit number one of cloud is the ability to purpose and \nstand up compute capability in literally hours. So you solve \nfor how do you solve for episodic needs where you need to stand \nup compute capability. That is very important, as you can \nimagine, to the Department.\n    Two is when we build capability today inside the \nDepartment, we always have to think about peak need. So you buy \nenough necessary hardware for that peak capacity. The second \nbeauty of cloud is called elasticity. You ramp up and scale \nmore compute as you need it; and as you don't need it, you can \nscale it down, and it happens in real time.\n    The third one is resiliency. The idea with the cloud is \nthat if you write your application from day one to be cloud \nnative, you get built-in resiliency. As it finds itself in an \nunhealthy condition or as it finds itself needing to use other \nresources, it has the intelligence to do that. In a world where \nwe can't have a not fail mission set, the resiliency, as you \ncan imagine, becomes mission-critical.\n    Mr. Waltz. What are we losing as this moves forward? I \nmean, I understand the process is moving forward, and----\n    Mr. Deasy. Yeah.\n    Mr. Waltz [continuing]. You are not going to get into \nprotests and, you know, all of the industry issues.\n    Mr. Deasy. No.\n    Mr. Waltz. But what are we losing as this----\n    Mr. Deasy. The biggest thing we are losing right now is--\nthe Department of Defense needs to bring data and integration \ntogether. It has been a constant conversation; it is not a new \nconversation. 
Our enterprise cloud, for the first time, allows \nus to establish a common platform where we can bring data \ntogether in a common way.\n    What will happen is, the longer we delay standing up a JEDI \ncapability, you are going to--the military services are going \nto need to go solve for mission sets, and they are going to \ncontinue to stand up in their own individual environments. And \nI don't see that as being beneficial over the long term to the \nDepartment.\n    Mr. Waltz. Thank you, Mr. Chairman. I have exceeded my \ntime.\n    Mr. Langevin. Okay. Thank you, Mr. Waltz.\n    We are going to go to a second round of questions now.\n    So, following up on the JEDI issue, obviously this is a big \ndeal for the Department, something Congress is following very \nclosely. I have been frustrated that we haven't moved it along \nmore quickly.\n    But, Mr. Deasy, just last week, news reports emerged about \na potential conflict of interest related to the JEDI program. \nIt would be an understatement to say that I was frustrated that \nthe subcommittee and our staff had to learn about the \ndevelopment, from what we understand, through a presser rather \nthan from Department staff.\n    You know, given the significant congressional attention to \nthe effort of ensuring that the transition of cloud is \nsuccessful, we really do expect and anticipate better \ncommunication from the Department moving forward on this issue. \nAnd I wanted to ask for your commitment to improving \ncommunication with Congress to prevent a surprise issue like \nthis happening again.\n    Mr. Deasy. Absolutely.\n    I will take it that I did not get back to you in as timely \nof a way as we should have. We were walking a very fine line \nbetween an ongoing conversation with the Department of Justice \naround what we could say and we couldn't say. 
We got the \nclarity on a certain day this last week, and as soon as I got \nthat clarity, I called.\n    We did put a holding statement out to the press, but I \nwanted to be able to share with further clarity beyond the \nholding statement with you. And that is what I was waiting to \nget from the Department of Justice.\n    Mr. Langevin. Okay. Well, good communication and----\n    Mr. Deasy. Absolutely important.\n    Mr. Langevin [continuing]. Timeliness is essential. And I \nwould appreciate your commitment to doing that.\n    So, on this topic, again, the Department recently \nidentified more than 300 cloud initiatives across the \nDepartment. So how does JEDI relate to those initiatives?\n    Mr. Deasy. We believe that inside those 300 initiatives are \nwhat I will call general purpose cloud computing, meaning that \nmany of those initiatives do not need what I will call a unique \ncloud stack but they can be best served through something \nreferred to as JEDI. And then we have some that sit inside \nthere that are truly going to need what we call fit-for-purpose \nor unique cloud capability.\n    Until we can get a direct line of sight as to how soon we \nwill be able to stand up a general purpose cloud capability, \nobviously, the cloud initiatives need to continue. As soon as \nwe know within line of sight of what I will say is probably \nwithin 60 days of when we think we will actually be able to go \nlive, then we will be able to go back to some of the early \nportions of those cloud initiatives, where they are still in \nthe early days, and redirect them. That is our intent.\n    So the fine line we are walking right now is not to impede \nthe need for mission success where people are standing up on \nthe cloud, but as soon as we can provide clarity to the DOD on \nwhen the enterprise cloud will be available, to then redirect \nthose activities onto JEDI.\n    Mr. Langevin. 
So your best guess in, you know, the world of \ncloud, what percentage do you think are unique, specific to \neach of the departments, and what are more common, what \npercentage is going to be more common in cloud?\n    Mr. Deasy. Yeah, the way I like to have this conversation \nis, it depends if we are talking legacy or what I like to refer \nto as brownfield or if you are talking greenfield, new \napplications that need to be written.\n    I am a strong believer that the vast majority, probably 85, \n90 percent, of all things in the future that we were to build \ncould go onto either a fit-for-purpose or a general purpose \ncloud.\n    So then that begs the question, what about the world of all \nthe applications you have today? Many of those applications, \njust the sheer cost and the magnitude of lifting them and \nreporting them onto the cloud would be cost-prohibitive, would \nbe time-prohibitive, and would probably not serve the \nDepartment well.\n    So what you really have to do is you have to then go \nthrough your legacy estate based on the cloud we are eventually \ngoing to stand up--and that is actually a key statement--based \non what it is we are going to stand up, and then be able to \nstart targeting what would the services look to do what is \ncalled a report, where they are going to rewrite the \napplication, or a lift and shift, where they are going to take \nthe application and bring it over as is and put it onto the \ncloud.\n    So there are various ways we can move over. But the big \nthing hanging out there right now is, until we know what that \narchitecture in that cloud is going to look like, it is very \ndifficult to start estimation exercises.\n    Mr. Langevin. Okay.\n    And, Ms. Hershman, from your perspective on business \nsystems, what capabilities will JEDI bring to reform? And how \ndoes the chief data officer you recently hired intend to \nutilize JEDI, and how is he working with the CIO on data \nmanagement?\n    Ms. 
Hershman. So, yes, sir, that it does have a big impact \non what we are doing in CMOs. Mr. Deasy explained that it has \nan interrelationship with data.\n    So Mr. Conlin, our chief data officer, does work with Mr. \nDeasy and his team. We were very fortunate in that Mr. Conlin \ncomes from industry and also has a cyber background, which \nmakes him a very unique find.\n    What I also am struggling with, similar to my colleagues \nhere, is those hiring authorities. While previously, before the \nbusiness systems role, we had not looked purely at IT but just \nfrom a data management standpoint, we too have difficulty with \nthe hiring.\n    There isn't--there are two--actually, there are two pieces \nto that. Number one is there isn't a single data scientist \nposition description anywhere in government. So that is one \nthing that we need to refine and improve. We have also come \nunder some challenges with hiring data scientists. All of \nindustry is also looking for the same talent type.\n    So, while previously you asked me about the CES, we were \nlooking more to align with hiring authority and the \ncompensation freedom that an organization like DARPA [Defense \nAdvanced Research Projects Agency] is able to have, which is \nwhy we are now looking at the CES to see if that applies to us.\n    So both from a reform standpoint and also to be able to \nsupport JEDI and what we need to contribute from a data \nstandpoint, those resources are becoming very critical.\n    And just to anticipate what you had asked General Crall \nearlier as well, when we are talking numbers, we are also \nlooking for just single digits.\n    Mr. Langevin. Okay. Good to know. That is helpful for us to \nunderstand. Thank you for that.\n    The last question that I will have, and then I want to turn \nto the ranking member. General Crall, from your perspective, \nhow would JEDI improve or impact cybersecurity efforts? 
And \nwill cyber protection teams [CPTs] have the appropriate \naccesses to a commercial cloud if there is a security issue?\n    General Crall. Yes, sir. I think, one, I am probably not \nbest suited to talk about the CPT's accesses. I think U.S. \nCyber Command would be in a better position to do that. And I \ncan certainly take that back, sir, to give you a--to have them \nrespond with a direct answer to the question.\n    [The information referred to can be found in the Appendix \non page 67.]\n    Mr. Langevin. Okay. So how do you, in your work, interact \nwith the cyber protection teams?\n    General Crall. So I would say maybe the first part of your \nquestion talked about my work and how JEDI might impact that \nwould be maybe a more appropriate question for me to answer, \nsir. And I will start with that and then come back to the \nsecond piece, if you are amenable to that.\n    Mr. Langevin. Sure. Yes.\n    General Crall. What I think would be a real help to us, \nwhen we start looking at how applications behave and what it \nmeans to get an authority to operate on the distant end, how do \nyou move something through the system from design so that, \nsecure and hosted, it really streamlines the ability and \nimplementation in our strategy to get to our end state much \nfaster.\n    We spend a lot of time at the service level doing some \nactivities that are less than desirable, somewhat antiquated, \nand expensive to try and make up for what a cloud environment \ncould provide us. So from a security implementer, for pieces of \nthat cybersecurity strategy, that is a game changer for us.\n    Mr. Langevin. Very good. Thank you. And then the other part \nof it?\n    General Crall. Yes, sir. I think I would like to come back \nto you, again, on the CPT.\n    And my work specifically with CPTs, I am part of a team in \na composite that looks at readiness. 
So when we start looking \nat readiness levels across the Department, that really has been \nmy focus on both CMTs [combat mission teams] and CPTs, as Cyber \nCommand continues to drive at setting those standards. We take \na look at translating those standards into the way that we can \nevaluate those teams against those readiness metrics.\n    So I play a small role in that process within the \nDepartment to ensure those standards are clear, published, and \nwe are driving to them.\n    Mr. Langevin. Fair enough. Thank you.\n    I now yield to the ranking member for as much time as she \nmay consume.\n    Ms. Stefanik. Thank you.\n    General Crall, can you expand upon DOD's top 10 cyber \npriorities from the Cyber Strategy? I know we have an unclass \n[unclassified] slide here that I don't think we have gone over \ntoday.\n    And then if you could answer, which of the priorities do \nyou anticipate will be the most difficult?\n    [The slide referred to is for official use only and \nretained in the committee files.]\n    General Crall. Yes, ma'am.\n    So the cartoon graphic that you have in front of you really \nkind of lays out the areas that do have our focus. And maybe \nthe takeaway from this is, I understand it is imperfect, right? \nIt is two-dimensional. It is meant to be read linearly, maybe \nleft to right, when, in fact, some of these things appear in \nmany parts of our network. But it is just a simple way to frame \nwhat we are talking about.\n    If you look at the gold box of network and information-\nsharing, that is where some of the immediate efforts we have, \neven here in fiscal year 2019. 
And those callout boxes in gray \nand blue describe in the areas of endpoint management, \nidentity, our enterprise development operations, and our cyber \nworkforce where they have the attention of the Department.\n    So the way that we are looking at this--and maybe the \ntakeaway is, if you pressurize one set of this or if you try \nand handle security or effectiveness or functionality in one \nend, then you depressurize something else, and that is where \nyour risk is going to come. So it is important that we look at \nthis holistically.\n    And I will say, the CIO is certainly geared to describe \nthat relationship as he is driving this as an enterprise to \nmake sure that we are paying attention to every one of these \nparts.\n    To answer your second question about what do you think is \nthe most difficult, I would answer ``yes'' to that question. \nThere is nothing easy on this slide at all. And maybe to take a \nlook at maybe increasing levels of difficulty, I will say that \nscale and scope of some of these are really daunting tasks. So \nI wouldn't want to pick any out in particular.\n    But I know the members are very familiar with 1647 and \n1650, weapons systems and critical infrastructure. That is a \npretty big lift in the Department.\n    Having to modernize our encryption, that is a very heavy \nlift that is extremely complicated that not only goes to the \ncentral repository of how that encryption is designed and \ndisseminated but all the way to the tactical devices that we \nuse on the battlefield. So it is a wide, very complex problem.\n    Position, navigation, and timing, again, would be another \nchallenge.\n    Those things that appear to the right-hand side, that \ntactical edge, probably affect the force in volumes and ways \nthat we are still getting our arms around.\n    I don't know if that is a satisfying answer, ma'am. But \nthat is what I----\n    Ms. Stefanik. 
It is helpful to outline a little bit the \nthinking behind this slide. I think the other members of the \ncommittee, we will share that with them.\n    My next question is for Mr. Deasy.\n    Can you provide this committee with specific updates and \nspecific initiatives from the Joint AI Center--in particular, \nthe national mission initiatives and also added component \nmission initiatives?\n    Mr. Deasy. So, as you know, we received towards the end of \nlast year our initial funding to stand up JAIC. We now have our \ninitial billets in from the services side as well as the \ncivilian side.\n    We have identified two national mission initiatives right \nnow. One of them is in the predictive maintenance space, and \none is in the humanitarian space. So let me take you through \neach of those.\n    What we were looking for when we talk about a national \nmission initiative is something that touches all services, a \ncommon problem they are looking to solve for, and, most \nimportantly when it comes to AI, access to data that is \nmeaningfully available. Because if you think about AI, AI needs \ndata. You are ingesting that data, and then you are running it \nthrough a machine-learning algorithm, and then you are coming \nout with, hopefully, an operational output.\n    Predictive maintenance was, if you think of the amount of \nmoney we spend inside the Department of Defense just on \nmaintenance, we broke out maintenance and we said: Aircraft, \nsignificant amount.\n    We said, what is an asset that we are using that all \nservices use that have common problems with maintenance? We \nlooked at the Black Hawk, the UH-60 [medium utility \nhelicopter]. And what we found was, if you look at engine wear \nin conditions where there is a great deal of sand out in desert \nconditions, that turns to glass. 
And so what if we could do a \npredictive analytics to go in, teach a machine to look at all \nthat sensor data coming off of those vehicles, and be able to \nstart to predict in advance of when the glass condition is \noccurring so you could actually repair it in advance?\n    So that is the one we are working on right now. That is the \nfirst NMI [national mission initiative] on the predictive \nmaintenance side.\n    The second one, the humanitarian side, was we wanted to \nlook at one that had a whole-of-government where we could take \na leadership in. And we said there was two significant \nconditions that are occurring. One was if you look at the \nhurricanes we had this past year, and one was if you look at \nthe wildfires that occurred out in California. So let's take \neach of those.\n    On the wildfire one, what is the problem you are trying to \nsolve there? You are trying to solve for the fire line, where \nit exists. And what if you could take imagery instead of the \nhuman asset having to go out, visually look at the fire line, \nbut actually use artificial intelligence to look at the fire \nline, determine where it is moving, and be able to overlay that \nonto a handheld device that a firefighter is using?\n    Hurricanes. The other example there is hurricanes cover a \nlarge, vast area. So can we use imagery over a large, vast area \nto determine where the flooding is occurring, how high the \nflood waters are, and whether there is human risk space or \nother types of assets in a risk space? So, once again, we are \ngoing to use the imagery data to be able to look at risk space.\n    Why are those both important to us? Because the algorithms \nthat we will develop to intelligently learn fire lines are the \nalgorithms we will develop to intelligently learn a better way \nof looking at flood, is we will be able to apply that to other \nmission sets inside the Department of Defense.\n    That is the value of JAIC. 
The value of JAIC is to take \nthose algorithms that are developed for purpose A and then be \nable to reapply them elsewhere inside the Department of \nDefense. So we think we will be able to reapply those \nalgorithms elsewhere.\n    Ms. Stefanik. So just to follow up on the reapplication of \nthose two national mission initiatives, you know, one of my \ngreatest concerns when we think about emerging threats is \nChina's investment in AI capabilities and China's investment in \ndata, that this is a strategic priority.\n    My question is, do you believe that those two identified \nnational mission initiatives will ensure that we not just keep \npace with how China is investing in AI but we will be able to \ncatapult how we are approaching AI not just from DOD but from a \nwhole-of-government approach?\n    Because my concern is that, while those are two very \nimportant issues--predictive maintenance and humanitarian \nassistance--that scope is quite limited when you look at the \nscope of China's investment utilizing AI for part of its \ndefense strategy.\n    Mr. Deasy. So, of course, those in themselves aren't going \nto solve for what you are bringing up. We are going to need a \nseries of national mission initiatives.\n    As I pointed out, we just literally started this up in late \nDecember, and here we are now in February. I think the fact \nthat we have been able to stand up an initial set of billets \nwith two NMIs in approximately 60 days says volumes to just how \nsmart and quickly we are working this.\n    But to your very point, we are going to need a number of \nnational mission initiatives in different areas.\n    I think part of the thing that you are probably getting at \nis also vis-a-vis where China is; you know, do we have the \nability to outpace them. I think Dr. Portis said it best in a \ntestimony that I did with her recently. 
China may be at a level \nof investment where we compare to ourselves as quite \nsignificantly higher, but if you look at the vast talent, the \nU.S. still holds the majority of the talent when it comes to \nAI. And what we have to do is we have to learn how to quickly \nleverage and bring that talent in.\n    Which is why I am so passionate about the need that JAIC \nhas to connect to the academia world and to the private-sector \nworld. Because our success is going to require those \npartnerships to go well beyond two NMIs.\n    Ms. Stefanik. And another question regarding the JAIC. In \nprevious testimony, we have heard about the hundreds of AI \ninitiatives with the DOD. How, specifically, are those \nindividual AI missions or initiatives being integrated into the \noverall strategy from the JAIC?\n    Mr. Deasy. Right now, there is not a significant amount \ngoing on inside of JAIC to integrate those individual projects. \nWhere that integration will take place--and it goes back to Mr. \nWaltz's question earlier--is going to be how do we stand up an \nenterprise cloud capability where all of those individual \nprojects can benefit.\n    Cloud itself does not do a whole lot; it is what you put on \ntop of it that matters. And what we need to put onto that cloud \nis data. And data is what is going to drive the success of a \nlot of our AI initiatives across the Department of Defense.\n    I have been asked many times what will slow us down, and \nwhat will always slow us down is our access to data, our \nability to quickly integrate that data, and then to turn that \ndata into something that we can then apply machine learning.\n    Ms. Stefanik. Yeah. No, I understand, Mr. Deasy, the \nimportance of cloud and the importance of data in terms of the \nfuel when it comes to AI. 
But my question--and I am going to \ncontinue asking these tough questions of the Department--is, \nwhen we are creating a Joint AI Center and we are failing to \nintegrate the hundreds of other AI initiatives within the \nDepartment, that is of concern here, because it means that we \nare not looking at this from a whole-of-department approach.\n    Again, I understand the connection to moving to the cloud, \nto access to data, but we need to continue pushing the \nDepartment when it comes to how we are addressing AI, because I \nam fearful we are falling behind our adversaries in terms of \nhow they are addressing this.\n    I want to ask a budget question as it relates to AI. We \nknow that AI is a very shiny object. And if we label everything \nas AI, it is going to exponentially increase cost.\n    So how are you dealing with this initiative and identifying \ntrue AI capabilities that the Department will need, in terms of \nyour fiscal year 2020 budget request?\n    Mr. Deasy. So we are working closely with the various \ncomponents and the services on defining the categorization for \nAI.\n    I want to point out that we are not ignoring 300. We are \nlearning how to quickly get a flywheel going of how to bring in \nand integrate these initiatives. And I cannot stress that our \nflywheel is about 60-some days old now and we are integrating \nat a rapid rate.\n    What we want to be able to do is to take all of those \ninitiatives and define which of them are actually, truly NMIs \nand how can we better integrate those in the JAIC.\n    And then the real question is, where they are not national \nmission initiatives and they are actually individual \ncomponents, we have set up a requirement that if they are of a \ncertain dollar value they need to go through JAIC, they need to \nbe validated by JAIC to ensure that they are being set up the \nright, successful way. 
So JAIC will intersect with CMIs that \nexist out in the services when they hit a certain dollar \nthreshold.\n    Ms. Stefanik. Okay. Thank you.\n    I yield back.\n    Mr. Langevin. I thank the ranking member.\n    So just a last couple of questions, if I could.\n    Going back to the discussion on cloud, Mr. Deasy, I just \nwanted to say, so a fit-for-purpose cloud obviously can only be \npursued with an exception from the CIO's office. Do you have an \nestimate of how many exceptions you are going to issue?\n    Mr. Deasy. Earlier, there was a question asked about the \nongoing 300-plus cloud initiatives, and I pointed out that one \nof the things we need to do is to go through and take a \ndetermination of how many of those are more general purpose \nversus what will be truly fit-for-purpose. That is something we \nstill have to do.\n    Right now, obviously, our focus is to make sure we know \nwhat the architecture is going to look like for our general \npurpose, which will help inform us on things that will stay \nfit-for-purpose or move over. So it would be really \ninappropriate for me--I would be surely guessing as to a \ncertain percentage or a number of those 300 that will be \nmigrated onto general versus fit-for-purpose until we \nunderstand the overall architecture.\n    Mr. Langevin. Okay.\n    And the last question I had for you, Mr. Deasy and for the \npanel: After CES phase two is unveiled and implemented, will \nthere be a petition process for DOD components to participate \nin CES, such as the case of Ms. Hershman and the data \nscientist?\n    Mr. Deasy. I think I understand the nature of your question \nas taking Cyber Excepted Service and how do we expand it to \nbeyond. So I will tell you right now, we are already using \nthose authorities on how we are approaching AI. 
We are going to \nneed to use those authorities, clearly, when it comes to things \nlike data scientists.\n    So one of my asks back to Congress is to continue to help \nus on how we take the great work we have done with CES and \nthink about other technologies that we are going to be \nconfronted with and we are going to want to leverage inside the \nDepartment and be able to use the goodness of CES beyond its \noriginal cyber intended purposes.\n    Mr. Langevin. Okay. But there will be a petition process \nwithin----\n    Mr. Deasy. Yeah.\n    Mr. Langevin. Okay. Very good.\n    That is all I had at this point. Anything from the ranking \nmember?\n    Okay.\n    So, in closing, let me just say, if I could, Mr. Deasy--and \nI appreciate the work that you and all of you are doing on \nthese important topics.\n    If I could just mention, I think that the approval request \nfor resources, if they can move quickly to implement the Cyber \nExcepted Services, those requests, they are approved quickly--\nit doesn't seem like a large number of people we are talking \nabout--that would be helpful to move things along more \neffectively. But I leave that to you to work out, and we will \nbe following up with this closely.\n    I really do thank all of you for your testimony and for the \nwork you are doing. 
I look forward to following up further at \neither hearings or briefings.\n    But, with that, if there are no further questions, the \ncommittee stands adjourned.\n    [Whereupon, at 4:21 p.m., the subcommittee was adjourned.]\n\n     \n=======================================================================\n\n\n                            A P P E N D I X\n\n                           February 26, 2019\n      \n=======================================================================\n\n\n              PREPARED STATEMENTS SUBMITTED FOR THE RECORD\n\n                           February 26, 2019\n\n=======================================================================\n\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n      \n=======================================================================\n\n\n              WITNESS RESPONSES TO QUESTIONS ASKED DURING\n\n                              THE HEARING\n\n                           February 26, 2019\n\n=======================================================================\n\n      \n\n             RESPONSE TO QUESTION SUBMITTED BY MR. LANGEVIN\n\n    General Crall. A modern digital infrastructure is critical to \ndefending against cyber-attacks as well as enabling machine learning \nand artificial intelligence. The DOD cloud initiative is part of a \nlarger effort to modernize information technology across the DOD \nenterprise. Consolidating currently disparate efforts at the enterprise \nlevel will enable the Department of Defense to provide greater security \nand ensure greater reliability of the department's digital \ninfrastructure. The DOD Cloud Initiative includes multiple cloud \nefforts, including JEDI Cloud. JEDI will allow DOD to take advantage of \neconomies of scale, ensure superiority through data aggregation and \nanalysis, and lay the foundational technology for artificial \nintelligence and machine learning.   
[See page 21.]\n\n    \n=======================================================================\n\n\n              QUESTIONS SUBMITTED BY MEMBERS POST HEARING\n\n                           February 26, 2019\n\n=======================================================================\n\n      \n\n                  QUESTIONS SUBMITTED BY MS. STEFANIK\n\n    Ms. Stefanik. In your testimony, you claimed $4.702 billion in \nprogrammed savings in FY17 and FY18. Can I get a list of these savings \nand where you found them?\n    Ms. Hershman. The Department has saved $4.702B through reform \nefforts in FYs 2017 and 2018 combined, and is on track to save more \nthan $6B in FY 2019. This achievement is a collective effort by key \nstakeholders in the Department. The CMO, Military Departments, and the \nUSD(C) identified, validated, and presented savings formally in the FY \n2020 budget that were reinvested in priorities identified in the NDS. \nThe Department was successful in meeting or exceeding many of its \npriority initiatives, including those related to achieving \nefficiencies, effectiveness and cost savings, audit readiness, and \nimproving the quality of the Department's business operations. The list \nbelow includes some areas in which the Department has found \nsavings:\n    *  Management Headquarters Reductions\n    *  Services Requirements Review Board and Contractor Courts\n    *  IT Circuit Optimization\n    *  Enterprise Licensing Agreements\n    *  Data Center infrastructure\n    *  Military Health IT Optimization\n    *  Defense Travel Modernization\n    *  Defense Agencies and DOD Field Activities Civilian \nPersonnel Reductions\n    *  Defense Media Activity Business Process and Systems \nReview\n    Ms. Stefanik. What is your savings goal for the next five years?\n    Ms. Hershman. Over the next five years the Department is projecting \na $44.9B savings in ongoing reform initiatives. 
These reform savings \nwill be garnered from business process improvements, business systems \nimprovements, policy reforms, weapons systems acquisition reform, \ndivestments, and better alignment of resources to the National Defense \nStrategy. Additionally, studies are underway to further streamline or \nconsolidate 4th Estate functions, with the intent on a more efficient \nstructure.\n    Ms. Stefanik. How are you re-investing the $4.702 billion?\n    Ms. Hershman. DOD is actively institutionalizing reform and is \ncommitted to reinvesting the savings in the Military Departments in \nsupport of readiness and lethality priorities. The FY 2020 budget \nrequest builds on our success with the FY 2018 and FY 2019 budgets to \nrepair damaged readiness and marks a key shift in preparing to deter or \ndefeat great power adversaries well into the future.\n                                 ______\n                                 \n                   QUESTIONS SUBMITTED BY MR. CONAWAY\n    Mr. Conaway. Are any of the witnesses concerned about the \ninvestments China is making in Chinese companies to pursue Artificial \nIntelligence and Machines Learning capabilities? If so, how important \nis it for the United States to have a robust technology industrial \nbase?\n    Ms. Hershman. CMO will defer to DOD CIO's response to this \nquestion.\n    Mr. Conaway. How does a winner take all cloud competition help \nbolster that robust industrial base?\n    Ms. Hershman. CMO will defer to DOD CIO's response to this \nquestion.\n    Mr. Conaway. What are the cyber risks of placing too much of our \nnational security sensitive data within the infrastructure of one cloud \nprovider?\n    Ms. Hershman. CMO will defer to DOD CIO's response to this \nquestion.\n    Mr. Conaway. 
Are you aware of any assessments underway at DOD or \nDNI to assess the implications of a vulnerability in a cloud provider's \ninfrastructure and how that vulnerability could impact data held across \nthe national security enterprise?\n    Ms. Hershman. CMO will defer to DOD CIO's response to this \nquestion.\n    Mr. Conaway. What are security benefits of cloud diversity?\n    Ms. Hershman. CMO will defer to DOD CIO's response to this \nquestion.\n    Mr. Conaway. Are any of the witnesses concerned about the \ninvestments China is making in Chinese companies to pursue Artificial \nIntelligence and Machines Learning capabilities? If so, how important \nis it for the United States to have a robust technology industrial \nbase?\n    Mr. Deasy. There are three reasons to be concerned about the \ninvestments China is making in AI and Machine Learning.\n    First, the significant scale and strategic focus demonstrated by \nChinese Artificial Intelligence (AI) investments and their stated goal \nto dominate the global AI technology landscape. As stated in the recent \nExecutive Order 13859 of February 11, 2019 ``Continued American \nleadership in AI is of paramount importance to maintaining the economic \nand national security of the United States and to shaping the global \nevolution of AI in a manner consistent with our Nation's values, \npolicies, and priorities.''\n    Second, the Department of Defense is concerned about the powerful \ntools available to the Chinese government to coerce commercial Chinese \ncompanies to support Chinese military AI development.\n    Finally, the Department is concerned that Chinese military leaders \nhave explicitly stated that their investments in AI are aimed at \nclosing the gap in military power between China and the United States. \nChina seeks to use AI as a tool to ``leapfrog'' the United States' \ncurrent global leadership position in military technology. 
Given the \nprogress in AI demonstrated by China over the past few years, that is \nnot something the U.S. should take lightly.\n    The strength of the U.S. technology industrial base and the \ncommercial AI ecosystem is a critical source of U.S. competitive \nadvantage. Just as commercial spending on computers and other \ninformation technology has historically far outpaced DOD spending, so \ntoo does commercial investment in AI. DOD should seek to effectively \npartner with American companies and draw upon the innovativeness of \nAmerican AI experts. This partnership must, however, remain consistent \nwith American values.\n    Mr. Conaway. How does a winner take all cloud competition help \nbolster that robust industrial base?\n    Mr. Deasy. The Department will implement a commercial General-\nPurpose enterprise-wide cloud solution, Joint Enterprise Defense \nInfrastructure (JEDI), for the majority of systems and applications. \nHowever, the DOD's Cloud Strategy defines the need for additional fit \nfor purpose clouds to meet specific needs and gaps. DOD expects that \ncloud technology and offerings will continue to become more \ninteroperable and seamlessly integrated, enabling lower transaction \ncosts and better inter-cloud security features across multiple \nproviders. DOD is best served by a robust, competitive, and innovative \ntechnology industrial base.\n    Further, maximizing competition is critical to a robust and \ncomprehensive enterprise-wide environment for all cloud-related \ncontracting actions and not limited to any one particular contract. \nCloud-related contracting actions go beyond just contracts for hosting \nenvironments (whether the environment is JEDI, milCloud 2.0, DEOS, or \nother fit for purpose needs). 
More critically, the engineering and \nmigration support necessary to develop and deploy systems and \napplications are often suited to companies with more agile and nimble \ncapabilities, which often may be appropriate for smaller specialized \nbusiness entities.\n    Mr. Conaway. What are the cyber risks of placing too much of our \nnational security sensitive data within the infrastructure of one cloud \nprovider?\n    Mr. Deasy. Applications and data within a single cloud environment \nare able to maximize the native security features of cloud technology, \nwhich includes robust and automated failover and redundancy features. \nThe risks are managed according to the sensitivity of the data by \nadding controls at the specified security level. It is also important \nto note that a single cloud environment does not mean that all data and \napplications are hosted in a single physical environment where \neverything is vulnerable to a single attack. Rather, the provider will \nhave varying levels of logical and physical isolation available, based \non the sensitivity of the data, which will work in concert with the \nDepartment's existing cyber security tool sets. Leveraging a single \nversus multiple cloud provider environment reduces the number of \npotential vulnerabilities, since with each provider comes additional \nconnection points and accreditations, resulting in the possible \nincrease in both vulnerabilities and time and cost.\n    Mr. Conaway. Are you aware of any assessments underway at DOD or \nDNI to assess the implications of a vulnerability in a cloud provider's \ninfrastructure and how that vulnerability could impact data held across \nthe national security enterprise?\n    Mr. Deasy. The Department continues to perform an ongoing \ncomprehensive risk assessment of cloud security risks. The risks are \nmanaged according to the sensitivity of the data by adding controls at \nthe specified security level. 
This assessment is not limited to a \nparticular current or future program, but rather is a holistic \nassessment across the Department's cloud portfolio. The Department's \nassessment is ongoing, continuously analyzing and understanding how to \ncharacterize risks and effectively mitigate them. The Department has \nalso been looking closely at the work being done by groups outside of \nthe government.\n    Mr. Conaway. What are security benefits of cloud diversity?\n    Mr. Deasy. The benefits of cloud diversity include more variety of \nchoices in services, to include cyber security services, partnerships \nand unique solutions along with the increased availability of hosting \nlocations, which provides physical diversity. Cloud diversity is \nbeneficial, which is why DOD's Cloud Strategy is to remain a multiple \ncloud environment.\n    However, technical complexity increases, based on the number of \ncloud providers and available offerings. The risk associated with \ndeploying wide-reaching cloud diversity entails understanding how to \ndeploy and secure workloads properly in any cloud environment while \nalso understanding and utilizing all of the services available to help \nsecure workloads across multiple cloud environments, when necessary.\n    Mr. Conaway. Are any of the witnesses concerned about the \ninvestments China is making in Chinese companies to pursue Artificial \nIntelligence and Machine Learning capabilities? If so, how important \nis it for the United States to have a robust technology industrial \nbase?\n    General Crall. China's 2017 national AI strategic plan calls for \nChinese technology to be on par with that of the United States by 2020 \nand for China to become the world leader in AI by 2030. In 2019, \nChina's aggressive pursuit of and investment in AI has significantly \nclosed the technology gap with the United States. 
China now ranks first \nin the quantity and citations of AI research papers, holds more AI \npatents than the US and Japan, and exports armed autonomous platforms \nand surveillance AI. However, China's January 2018 ``White Paper on \nArtificial Intelligence Standardization'' points out that China's \nAI ecosystem lags in several key areas: top talent, technical \nstandards, software platforms, and semiconductors. These are strengths \nin our technology industrial base that the United States must \ncapitalize on to maintain a leading edge in AI development.\n    Mr. Conaway. How does a winner take all cloud competition help \nbolster that robust industrial base?\n    General Crall. I agree with DOD(CIO) as the Department will \nimplement a commercial General-Purpose enterprise-wide cloud solution, \nJoint Enterprise Defense Infrastructure (JEDI), for the majority of \nsystems and applications. However, the DOD's Cloud Strategy defines the \nneed for additional fit for purpose clouds to meet specific needs and \ngaps. DOD expects that cloud technology and offerings will continue to \nbecome more interoperable and seamlessly integrated, enabling lower \ntransaction costs and better inter-cloud security features across \nmultiple providers. DOD is best served by a robust, competitive, and \ninnovative technology industrial base.\n    Further, maximizing competition is critical to a robust and \ncomprehensive enterprise-wide environment for all cloud-related \ncontracting actions and not limited to any one particular contract. \nCloud-related contracting actions go beyond just contracts for hosting \nenvironments (whether the environment is JEDI, milCloud 2.0, DEOS, or \nother fit for purpose needs). 
More critically, the engineering and \nmigration support necessary to develop and deploy systems and \napplications are often suited to companies with more agile and nimble \ncapabilities, which often may be appropriate for smaller specialized \nbusiness entities.\n    Mr. Conaway. What are the cyber risks of placing too much of our \nnational security sensitive data within the infrastructure of one cloud \nprovider?\n    General Crall. I agree with DOD(CIO) as applications and data \nwithin a single cloud environment are able to maximize the native \nsecurity features of cloud technology, which includes robust and \nautomated failover and redundancy features. The risks are managed \naccording to the sensitivity of the data by adding controls at the \nspecified security level. It is also important to note that a single \ncloud environment does not mean that all data and applications are \nhosted in a single physical environment where everything is vulnerable \nto a single attack. Rather, the provider will have varying levels of \nlogical and physical isolation available, based on the sensitivity of the \ndata, which will work in concert with the Department's existing cyber \nsecurity tool sets. Leveraging a single versus multiple cloud provider \nenvironment reduces the number of potential vulnerabilities, since with \neach provider comes additional connection points and accreditations, \nresulting in the possible increase in both vulnerabilities and time and \ncost.\n    Mr. Conaway. Are you aware of any assessments underway at DOD or \nDNI to assess the implications of a vulnerability in a cloud provider's \ninfrastructure and how that vulnerability could impact data held across \nthe national security enterprise?\n    General Crall. As the DOD(CIO) has emphasized, the Department \ncontinues to perform an ongoing comprehensive risk assessment of cloud \nsecurity risks. 
The risks are managed according to the sensitivity of \nthe data by adding controls at the specified security level. This \nassessment is not limited to a particular current or future program, \nbut rather is a holistic assessment across the Department's cloud \nportfolio. The Department's assessment is ongoing, continuously \nanalyzing and understanding how to characterize risks and effectively \nmitigate them. The Department has also been looking closely at the work \nbeing done by groups outside of the government.\n    Mr. Conaway. What are security benefits of cloud diversity?\n    General Crall. As stated by the DOD(CIO), the benefits of cloud \ndiversity include more variety of choices in services, to include cyber \nsecurity services, partnerships and unique solutions along with the \nincreased availability of hosting locations, which provides physical \ndiversity. Cloud diversity is beneficial, which is why DOD's Cloud \nStrategy is to remain a multiple cloud environment.\n    However, technical complexity increases, based on the number of \ncloud providers and available offerings. The risk associated with \ndeploying wide-reaching cloud diversity entails understanding how to \ndeploy and secure workloads properly in any cloud environment while \nalso understanding and utilizing all of the services available to help \nsecure workloads across multiple cloud environments, when necessary.\n                                 ______\n                                 \n                    QUESTIONS SUBMITTED BY MR. BROWN\n    Mr. Brown. In June 2017 the administration issued EO 13800 to \n``Strengthen the Cybersecurity of Federal Networks and Critical \nInfrastructure.'' Yet, after the first defense-wide audit was completed \nin November 2018, Deputy Secretary of Defense Patrick Shanahan stated \n``We failed the audit. 
But we never expected to pass it.'' The \nsubsequent report stated that the IT systems have ``systemic shortfalls \nin implementing cybersecurity measures to guard the data protection \nenvironment'' and ``issues exist in policy compliance with \ncybersecurity measures, oversight, and accountability.'' How are these \ntwo efforts--the EO and the audit--informing each other? What explains \nthe significant noncompliance with cybersecurity standards almost two \nyears after the EO was issued?\n    Mr. Deasy. The DOD follow-on activities to EO 13800 and DOD actions \nto remediate FM Audit Notice of Findings and Recommendations (NFR) have \nimportant intersections. Following analysis of the FM Audit NFRs, DOD \ndeveloped a prioritization approach that seeks to prioritize addressing \nthose findings with a nexus to both cybersecurity and material \nweakness. These analyses and prioritization efforts pointed to the need \nfor enterprise capabilities in support of Identity, Credential and \nAccess Management (ICAM). Following DOD efforts to respond to EO 13800, \nDOD developed its top 10 Cyber Priorities. Among areas identified as \nthe ``first four,'' were strategic initiatives associated with ICAM. \nThese efforts are in alignment with ongoing Cyber Hygiene Scorecard \nefforts, which identified and tracked needed improvements associated \nwith credential management, privileged users, and access control.\n                                 ______\n                                 \n                     QUESTIONS SUBMITTED BY MR. KIM\n    Mr. Kim. As you are well aware, the overwhelming majority of \ninternet traffic travels via undersea cables. Importantly, there are \nthree major cable landing points in my home State of New Jersey. These \ncables and accompanying infrastructure are vital to economic and \nnational security. 
What efforts are currently underway either internal \nto government or in partnership with the private sector to keep \ntelecommunications infrastructure secure and accessible to the Defense \nDepartment?\n    Mr. Deasy. The DOD partners with the Department of Homeland \nSecurity, Intelligence Community, other government agencies, and \nIndustry on a routine basis to ensure the security and resiliency of \nundersea cables, landing sites and associated infrastructure. \nSpecifically, the DOD CIO partners with Joint Staff, United States \nStrategic Command, Defense Information Systems Agency, and Defense \nThreat Reduction Agency to secure cable landing points by funding and \nremediating physical and cyber vulnerabilities found.\n\n                                  [all]\n</pre></body></html>\n"