[Senate Hearing 116-265]
[From the U.S. Government Publishing Office]

S. Hrg. 116-265

DEPARTMENT OF DEFENSE ENTERPRISE-WIDE CYBERSECURITY POLICIES AND ARCHITECTURE

=======================================================================

HEARING
before the
SUBCOMMITTEE ON CYBERSECURITY
of the
COMMITTEE ON ARMED SERVICES
UNITED STATES SENATE
ONE HUNDRED SIXTEENTH CONGRESS
FIRST SESSION

JANUARY 29, 2019

Printed for the use of the Committee on Armed Services

Available via http://www.govinfo.gov

U.S. GOVERNMENT PUBLISHING OFFICE
41-330 PDF                 WASHINGTON : 2020

COMMITTEE ON ARMED SERVICES

JAMES M. INHOFE, Oklahoma, Chairman
ROGER F. WICKER, Mississippi
JACK REED, Rhode Island
DEB FISCHER, Nebraska
JEANNE SHAHEEN, New Hampshire
TOM COTTON, Arkansas
KIRSTEN E. GILLIBRAND, New York
MIKE ROUNDS, South Dakota
RICHARD BLUMENTHAL, Connecticut
JONI ERNST, Iowa
MAZIE K. HIRONO, Hawaii
THOM TILLIS, North Carolina
TIM KAINE, Virginia
DAN SULLIVAN, Alaska
ANGUS S. KING, Jr., Maine
DAVID PERDUE, Georgia
MARTIN HEINRICH, New Mexico
KEVIN CRAMER, North Dakota
ELIZABETH WARREN, Massachusetts
MARTHA McSALLY, Arizona
GARY C. PETERS, Michigan
RICK SCOTT, Florida
JOE MANCHIN, West Virginia
MARSHA BLACKBURN, Tennessee
TAMMY DUCKWORTH, Illinois
JOSH HAWLEY, Missouri
DOUG JONES, Alabama

John Bonsell, Staff Director
Elizabeth L. King, Minority Staff Director

Subcommittee on Cybersecurity

MIKE ROUNDS, South Dakota, Chairman
ROGER F. WICKER, Mississippi
JOE MANCHIN, West Virginia
DAVID PERDUE, Georgia
KIRSTEN E. GILLIBRAND, New York
RICK SCOTT, Florida
RICHARD BLUMENTHAL, Connecticut
MARSHA BLACKBURN, Tennessee
MARTIN HEINRICH, New Mexico

C O N T E N T S

January 29, 2019

Department of Defense Enterprise-Wide Cybersecurity Policies and Architecture.
Deasy, The Honorable Dana, Department of Defense Chief Information Officer.
Norton, Vice Admiral Nancy A., USN, Director, Defense Information Systems Agency, and Commander, Joint Force Headquarters--Department of Defense Information Network.
Crall, Brigadier General Dennis A., USMC, Principal Deputy Cyber Advisor and Senior Military Advisor for Cyber Policy.
Questions for the Record.

DEPARTMENT OF DEFENSE ENTERPRISE-WIDE CYBERSECURITY POLICIES AND ARCHITECTURE

----------

TUESDAY, JANUARY 29, 2019

U.S. Senate,
Subcommittee on Cybersecurity,
Committee on Armed Services,
Washington, DC.

The subcommittee met, pursuant to notice, at 2:29 p.m. in Room SR-222, Russell Senate Office Building, Senator Mike Rounds (presiding) chairman of the subcommittee.

Members present: Senators Rounds, Wicker, Scott, Blackburn, Manchin, Gillibrand, and Blumenthal.

OPENING STATEMENT OF SENATOR MIKE ROUNDS

Senator Rounds. The Cybersecurity Subcommittee meets this afternoon for our first hearing of the 116th Congress. Before we begin, I want to welcome our new Ranking Member, Senator Joe Manchin. I'd also like to welcome all of our former members back to the subcommittee and extend a special welcome to the new members joining us. On the Majority side, we are joined by Senator Wicker, Senator Scott, Senator Blackburn. On the Minority side, we are joined by Senator Heinrich.

Two years ago, this subcommittee was formed to address the most pressing national cybersecurity matters, with a focus on Department of Defense (DOD)-related legislation and oversight. I look forward to legislation that builds on the hard work we have done over the past 2 years, and continuing our important oversight of the plans, programs, and policies related to cyberforces and capabilities within the Department of Defense.

Today, we will receive testimony on the Department of Defense enterprise-wide cybersecurity policies and architecture from: Mr. Dana Deasy, the Department of Defense Chief Information Officer (CIO); Vice Admiral Nancy Norton, the Director of the Defense Information Systems Agency (DISA), and Commander of the Joint Force Headquarters-Department of Defense Information Network (JFHQ-DODIN); and Brigadier General Dennis Crall, the Deputy Principal Cyber Advisor (PCA) and Senior Military Advisor for Cyber Policy. We welcome you.

We have a lot of information to cover, so I will be brief. At the conclusion of Ranking Member Manchin's comments, our witnesses will make their opening remarks. I would appreciate the witnesses limiting their remarks to about 5 minutes, with the option of providing a longer statement for the record. After they finish their remarks, we will have a round of questions and answers.

One of the Department's main cyberspace objectives articulated in the 2018 Department of Defense Cyber Strategy is securing DOD information and systems against malicious cyber activity. Unfortunately, in recent years, we have seen relentless and sophisticated cyberattacks on the DOD enterprise, other government agencies, and the private sector, while the capabilities of our adversaries continue to increase. Simply continuing to defend our networks as we have in the past is not adequate to counter the growing threats that we face.

At a hearing with private-sector witnesses last fall, we heard about the advances that industry has made in developing new tools and techniques for defending large enterprise networks. While there are many unique challenges because of the complexity and scope of the Department of Defense Information Network, also known as the DODIN, it is important that, where possible, we leverage the best practices from industry to defend our networks. In addition, it is equally imperative that the acquisition process of DOD is not precluding it from organically developing and producing state-of-the-art cybersecurity capabilities.

In this context, we look forward today to learning more about JFHQ-DODIN and, in particular, how the organization can achieve a complete, real-time picture of the entire DOD network.

The Department's cybersecurity tools are not the only factor important to robust defense of the DODIN. It is also critical that the Department formulate and implement appropriate cybersecurity policies and stand up a robust cybersecurity workforce. Specifically, we are looking forward to learning how the Department is implementing their 2018 Cyber Strategy in these areas of cybersecurity.

Across the cybersecurity spectrum, it is vital that we are consistent in our approach as we further centralize, standardize, and integrate the complexities of DOD's cyber enterprise. We cannot afford to waste time or resources with the duplication of effort across the services, combatant commands, and support agencies. In that context, the witnesses here today are charged with these important tasks toward further streamlining and modernizing the Department's cyber defensive posture. We look forward to hearing how you are accomplishing this challenging task.

Today's discussion builds on many of the themes that were discussed in our cybersecurity hearings with the private sector this past fall. While most of our subcommittee hearings are closed because they include classified information, I chose to hold an open hearing today so that private industry would have further insight into the Department's plans and future cybersecurity needs. I encourage DOD and private industry to continue a robust dialogue so that you can help each other to achieve overlapping goals and prepare for our upcoming cybersecurity hearings this year. Any questions that would require a classified answer can be submitted for the record, for which we would appreciate the Department's timely responses.

Let me close by thanking our witnesses for appearing today, and for their service to our Nation.

Senator Manchin.
STATEMENT OF SENATOR JOE MANCHIN

Senator Manchin. Thank you, Mr. Chairman. As you said, this is my first hearing as the Ranking Member of Cyber Subcommittee and how it doves in well with my Ranking on Energy, which we have oversight of cyber also, so it's really going to be helpful.

I'm delighted to be joining you, Senator Rounds. We've worked together as Governors together, and now we're back together again as partners to improve the cybersecurity of the Department of Defense and, indeed, I hope, the Nation.

I join you in welcoming our distinguished witnesses today: Chief Information Officer Dana Deasy--is it--is--am I correct on that? Okay. Defense Information System Agency Director, Admiral Norton; and General Crall, who has the challenging task of overseeing, on behalf of the Secretary of Defense, the implementation of the Department's new Cyber Strategy.

The committee has long looked for a way to empower DOD with the ability to adopt an effective strategy and plan of action to deter cyberattacks and defend against them. Thankfully, based on initial reviews of the new Cyber Strategy and the results of the new Cyber Posture Review, there is optimism that DOD has turned a corner, that we now have a credible strategy and a commitment to implement it.

The specifics of the new wide-ranging strategy are quite complicated, but I believe common sense can make this all understandable to our constituents back home. Here are some examples:

I'm told we have not one network in DOD, but, in fact, thousands. Each military service, defense agency, and every component within them have built their own networks, with chaotic results. They can't work together effectively, and they are hard to defend. There is now a plan to break down these fractured networks and implement a common security architecture.

We cannot allow computers and other devices to be connected to the network without verifying who installed them and whether they're correctly configured and protected.

We have to be able to manage who accesses the network and what they can see and do, according to the role they are assigned.

We have to monitor the activity that people and the computers they control are conducting on our network to guard against insider threats, like Snowden.

We have to improve the security of the networks of the companies that build weapons and provide services to DOD. We cannot allow China to keep stealing our technology and program plans to cyberattacks on the industrial base.

We have to recruit, train, and retain real experts in cyber warfare, despite fierce competition with the private sector and the hiring obstacles that the government faces.

We have to figure out how to apply new artificial intelligence (AI) and machine learning technologies to detect cyber intrusions, as well as to help our cyber forces operate better and faster.

These are the types of issues that the committee and DOD have talked about fixing for a long time, but now, finally, the Department may be prepared to take real action. We hope so.

So, I want to thank you, Mr. Chairman. And we look forward to y'all's testimony.

Senator Rounds. Thank you. And I would note, also, that former Governor Scott is here with us, as well.

Senator Manchin. Yeah.

Senator Rounds. So, now you face questioning from three different Governors from----

Senator Manchin. Things will happen now.

Senator Rounds. --as well. So, going to start things popping. And thanks, Joe. We look forward to working----

Senator Manchin. Yes sir.

Senator Rounds. --with you on this project, as well. We'll do the questioning in 5-minute cycles, and we'll just take our time and work our way through. We'll try to limit our questions to get specifics, and then we'll ask each of our members if we would try to limit them to 5 minutes, and we'll move back and forth.
So, as I said earlier, you are all welcome to provide a complete transcript or a statement for the record, but we would appreciate it if you would also keep your opening statements to 5 minutes, as well.

Mr. Deasy, I'll turn to you first, if you'd like to begin, and then I'll let you decide how you would like to proceed from there.

STATEMENT OF THE HONORABLE DANA DEASY, DEPARTMENT OF DEFENSE CHIEF INFORMATION OFFICER

Mr. Deasy. Okay. Thank you. Good afternoon, Mr. Chairman, Ranking Member, distinguished members of the subcommittee. Thank you for this opportunity to testify before the subcommittee today on the Department's cyber architectures and policies.

I'm Dana Deasy, the Department of Defense Chief Information Officer. With me today are Vice Admiral Nancy Norton, Director of DISA and Commander, JFHQ-DODIN; and Brigadier General Dennis Crall, Senior Military Advisor for cyber policy and Deputy Principal Cyber Advisor to the Secretary of Defense.

Since my arrival at the Department last May, I have made cybersecurity one of my top priorities. In September of 2018, the Department released a top-level DOD Cyber Strategy. This Strategy represents the Department's vision for addressing cyber threats and implementing the cyber priorities of the National Security Strategy (NSS) and National Defense Strategy (NDS). The Department also released its Cyber Posture Review to Congress, which provided a comprehensive review of the cyber posture for the DOD and identified gaps in our strategy, policy, and cyber capabilities.

Also last year, the Secretary and the Deputy Secretary asked me to undertake a study to determine what the Department's cyber priorities should be. This led to the creation of the top ten cyber priorities.

Cyber roles and responsibilities are shared across the Department. Only by working together, as you will hear from the three of us today, are we able to close the gaps and secure our systems.

For the first time under the authorities granted by section 909 of Fiscal Year 2018 National Defense Authorization Act (NDAA), the DOD is reviewing, commenting on, and certifying all of the Information Technology (IT) budgets, which includes cyber, across the Department. Additionally, the DOD CIO now has the authority to set and enforce IT standards across the Department.

Together, DOD CIO, DISA, and PCA work regularly to implement the DOD Cyber Strategies, in close coordination with the Military Departments and other DOD components. DOD CIO and PCA co-lead a weekly meeting focused on cyber issues with the Deputy Secretary of Defense, at which all Military Departments and Office of the Secretary of Defense (OSD) principals are in attendance.

A key element of the Department's approach to standardizing cybersecurity across the Department is setting the standards in the cybersecurity reference architecture, which is the tool to providing cyber guidance for the family of architectures that align to the DOD overall enterprise architecture.

As we aggressively leverage automation, new endpoint security technologies, and standard architectures to achieve military advantage through information, having strong assurances of who is accessing the data and how they are accessing the data is critical. We have been actively deploying a DOD identity credential and access management strategy that recognizes the changing environment and addresses the increasing dependence on digital identities to share information rapidly and more securely.

Turning to cyber workforce. As my Deputy, Ms. Essye Miller, testified before you last September, DOD recognizes the importance of growing and maintaining the cyber workforce. It's an imperative that DOD attract the next generation to view the Department as an employer with unique and challenging opportunities within the cybersecurity career field. Recent authorities provided by Congress have allowed the Department to adjust existing policies and to implement new policies that account for this dynamic need in an increasingly important mission area. One of these key authorities has been the establishment of a Cyber Excepted Service.

In closing, the close working relationship among DOD CIO, DISA, and PCA is critical to our ability to address cybersecurity vulnerabilities. The importance of connection between policy, standard architectures, and remediation cannot be overstated. The Department has clearly defined cybersecurity problems to be solved, has a well-thought-out remediation approach; the right mechanisms are in place to monitor and report on our progress on the top ten cyber priorities.

I want to emphasize the importance of our partnership with Congress in all areas, but with particular focus on cybersecurity. Continued support for a flexible approach to cyber resourcing, budgeting, acquisition, and personnel will help enable success against an ever-changing, dynamic cyber threat.

Thank you for the opportunity to testify today, and I look forward to your questions. With that, over to Admiral Norton.

[The prepared statement of Mr. Deasy follows:]

Prepared Statement by The Honorable Dana Deasy on Behalf of the Department of Defense

introduction

Good afternoon Mr. Chairman, Ranking Member, and distinguished Members of the Subcommittee. Thank you for this opportunity to testify before the Subcommittee today on the Department's cybersecurity architecture and policies. I am Dana Deasy, the Department of Defense (DOD) Chief Information Officer (CIO). I am the principal advisor to the Secretary of Defense for information management, IT, cybersecurity, communications, positioning, navigation, and timing (PNT), spectrum management, senior leadership communications, and nuclear command, control, and communications (NC3) matters.
These latter responsibilities are clearly unique to the DOD, and my imperative as the CIO in managing this broad and diverse set of functions is to ensure that the Department has the information and communications technology capabilities needed to support the broad set of Department missions. This includes supporting our deployed forces, cyber mission forces, as well as those providing mission and business support functions.

With me today are Vice Admiral Nancy Norton, Director, Defense Information Systems Agency (DISA)/Commander, Joint Force Headquarters-Department of Defense Information Network (JFHQ-DODIN) and Brigadier General Dennis Crall, Senior Military Advisor for Cyber Policy and Deputy Principal Cyber Advisor (PCA) to the Secretary of Defense (OSD).

Since my arrival at the Department last May, I have made cybersecurity one of my top priorities, along with cloud computing, artificial intelligence, and command, control, and communications. In September 2018, the Department released its top-level DOD Cyber Strategy. The Strategy represents the Department's vision for addressing cyber threats and implementing the cyberspace priorities of the National Security Strategy and National Defense Strategy. The Department also released its Cyber Posture Review to Congress, which provided a comprehensive review of the cyber posture of the United States and identified gaps in our strategy, policy and cyber capabilities. These gaps are being addressed through the implementation of the DOD Cyber Strategy Lines of Effort (LOE) managed by PCA.

About a year ago, the Deputy Secretary of Defense tasked the DOD CIO and PCA to compile a list of the top ten cyber priorities of the Department and, with Service input, we identified the four areas the Department should address first. Addressing these top risks and priorities will go a long way toward implementing cybersecurity capabilities, addressing critical vulnerabilities, and building a Cyber Workforce that will improve DOD's overall cyber posture to effectively deter our adversaries.

Today, I would like to highlight five key areas. First, I will highlight the cyber roles and responsibilities of DOD CIO, DISA, and PCA. Then I will provide a brief overview of the Department's cyber architecture, along with details regarding DOD's use of automation and identity, credential and access management. Finally, I would like to reiterate the critical importance of our cyber workforce to our success in our cybersecurity mission.

cyber roles and responsibilities

Cyber roles and responsibilities are shared across the Department. Only by working in partnership together are we able to close the gaps and secure our systems.

As stated previously, the role of the DOD CIO is a unique position in the Federal Government. I have the traditional CIO roles associated with information management, IT, and cybersecurity, as well as the more complex and unique roles associated with PNT, NC3, and senior leadership communications. Section 909 of the National Defense Authorization Act of 2018 clarified and expanded upon my roles and responsibilities to also include the certification of the DOD's IT budget, to include cybersecurity, and the development and enforcement of IT standards.

Cyber Budget Certification: For the first time, DOD CIO is reviewing, commenting on, and certifying all of the IT budgets, which include cyber, across the Department. The DOD CIO's congressionally mandated responsibility to certify the Military Departments' cybersecurity investments and efforts enables me to ensure the Department is pursuing enterprise cybersecurity solutions that are lethal, flexible, and resilient.

Standards: DOD CIO now has the authority to set and enforce IT standards across the Department. Standards are not limited to the technical standards developed by the commercial sector and organizations like the International Standards Organization. Standards include setting the bar for cybersecurity requirements, such as endpoint security standards and standards for architecture, and DODIN standards. Determining the standard for the Department is a theme across many of our architectural and technical initiatives.

defense information systems agency

Operating under the direction of the DOD CIO, the Defense Information Systems Agency (DISA) is a combat support agency that on behalf of the Department builds, operates, and secures global telecommunications and IT infrastructure in support of joint warfighters, national-level leaders, and other mission and coalition partners across the full spectrum of operations. The Agency delivers enterprise services and data at the user point of need and is focused on securing, operating, and modernizing our networks, applications, and systems with innovative tools to counter threats, minimize risks, and maintain a competitive advantage.

VADM Norton is dual-hatted as Commander of JFHQ-DODIN and Director of DISA. JFHQ-DODIN's global responsibility is to direct unity of effort for the command and control, planning, direction, coordination, integration, and synchronization of DODIN operations and Defensive Cyberspace Operations--Internal Defense Measures (DCO-IDM) for the DODIN infrastructure in support of DOD, Combatant Command, Military Service, Defense Agency and Coalition missions. JFHQ-DODIN, under Operational Control of U.S. Cyber Command, has Directive Authority for Cyberspace Operations over all 43 DOD Components to enable power projection and freedom of action across all warfighting domains. DISA is one of those Components.

DISA is an IT service provider which aligns efforts to the DOD Cyber Strategy, Cyber Posture, Cyber Top 10 and DOD Directives. DISA designs, deploys, sustains, operates and secures the Defense Information Systems Network (DISN), which is the core element for all DOD/Joint architectures, Unified Capabilities (UC), voice, video, data and internet technology transport within the larger DODIN.

DISA serves a critical role in advancing IT and cybersecurity capabilities across the Department. As the primary IT engineering arm for the Department, DISA develops solutions that support implementation of the DOD CIO-directed standardized solutions such as the Windows 10 Secure Host Baseline and JRSS. DISA prevents about one billion cyber operations events targeting the DODIN each month, providing layered defense across the enterprise from the internet access points (IAP) to the end user devices.

DISA partnerships with industry and other organizations across the Federal government are key to delivering cybersecurity related processes and services. For example, working in close partnership with industry, DISA develops and publishes a wide breadth of technical security guidance enabling the secure deployment of products and capabilities.

DISA enterprise services such as our IAP, Cloud Access Points, Enterprise Networks (NIPRNET/SIPRNET), Email (Defense Enterprise Email), and Data Centers (Acropolis/Big Data Platform) have established a DOD enterprise approach to cybersecurity and network operations resiliency. These services are enabling future data-driven infrastructures, which are required to deploy software defined networks (SDN) with machine-augmented workflows, cybersecurity machine learning for increased detection and mitigation of cyber threats and future artificial intelligence for data protection and network healing at cyber speeds.
principal cyber advisor As described in section 932 of the National Defense Authorization Act for Fiscal Year 2014, the PCA is the civilian DOD official who acts as the principal advisor to the Secretary of Defense on the Department's military and civilian cyber forces and activities. The PCA synchronizes, coordinates, and oversees the implementation of the Department's Cyber Strategy and other relevant policy and planning documents to achieve DOD's cyber missions, goals, and objectives. At the core of the PCA is the Cross Functional Team (CFT) of detailed personnel from key Departments, Services, and Agencies. The CFT provides an objective and broad perspective needed to ensure outcomes match both short and long-term approved, strategic visions. The PCA executes the DOD Cyber Strategy, including addressing the gaps identified in the DOD Cyber Posture Review, through the LOE implementation process. The LOE implementation process also allows the Department to take a system view of the environment, address disparate approaches and eliminate friction points across the Services and the enterprise. While the LOE end states defined in the Cyber Strategy are enduring, the objectives are more dynamic to allow the Department to re-evaluate and adjust as needed to the operating environment. PCA activities are rooted in strategy, and prioritized by risk; they are warfighter focused with the aim of increasing lethality. To that end, we are leading a Department-wide effort to translate the Cyber Strategy LOEs into specific objectives, tasks, and sub-tasks that are focused on outcomes which can be monitored and measured to demonstrate return on investment. The DOD's ``Top 10 Cyber Priorities'' and ``First Four'' efforts, already underway, are nested under the Cyber Strategy LOEs. LOE 3, Transform Network and System Architecture, identifies objectives to achieve enterprise-wide cybersecurity policies and architecture based on priorities determined by DOD CIO. 
Similarly, LOE 8, ``Sustain a Ready Cyber Workforce'', is focused on the enterprise approach to recruit, retain, develop, and train cyber professionals. Through implementing the ``First Four,'' the PCA is focused on outcomes to improve perimeter, network, and endpoint defense. Additionally, the Top 10, along with the DOD Cyber Strategy implementation process, provides the Department with the ability to prioritize investments, such as the modernization of cybersecurity architectures and the cyber workforce. Together, DOD CIO, DISA, and PCA work together regularly to implement the DOD Cyber Strategy in close coordination with the Military Department and other DOD Component CIOs. DOD CIO and PCA co- lead weekly meetings focused on cyber issues with the Deputy Secretary of Defense with all of the Military Departments and Office of the Secretary of Defense (OSD) Principals present. These meetings ensure that the Deputy Secretary of Defense is kept abreast of progress on cyber initiatives and that all Department leaders are present to receive direction and share challenges. cyber architecture overview A key element of the Department's approach to standardizing cybersecurity across the Department is setting the standard in the Cybersecurity Reference Architecture (CS RA) which is a tool providing cybersecurity guidance for the family of architectures that aligned to the DOD Information Enterprise Architecture (IEA) and establishes a modern and adaptive approach to meet future cybersecurity requirements. The recently developed CS RA Version 4.1 aims to baseline the enterprise cloud security landscape for DOD components currently migrating or planning migrations to commercial cloud and leverages techniques such as automation, next generation network architecture, and Machine Learning and Artificial Intelligence. The DOD Cyber Architecture features a tiered system of cyber defenses that act in concert to provide protections from a variety of cyber threats. 
The major components for these tiers include the IAP, JRSS, and End Points. The IAPs are the gateway between the internal DOD environment and the larger internet. They provide email security, analysis of web traffic using intelligence-informed sensors and other tools, and they manage the flow of information between DOD and the internet. JRSS is another major component of DOD's architectural approach. They provide network security functionality for traffic flows across DOD networks, providing traffic inspection, incident detection, and analysis capabilities for both inbound and outbound internal and external users or services. Other ways DOD is transforming the cyber architecture include cloud initiatives such as Joint Enterprise Defense Initiative (JEDI), Secure Development Operations (DevSecOps) and DOD Cybersecurity Analysis and Review (DODCAR). Joint Enterprise Defense Initiative (JEDI), one of the main elements of DOD CIO's recently-released Cloud Strategy, aims to provide a general purpose cloud computing solution and drives the standardization of secure commercial cloud service offerings across the DOD enterprise alongside other efforts such as the Defense Enterprise Office Solution (DEOS). The Department is deploying an enterprise DevSecOps Platform in the cloud that will establish an enduring secure software development environment to demonstrate that Agile DevSecOps can rapidly deliver software by fully automating the development, testing, and cybersecurity focused pipelines. DODCAR, a cooperative effort between NSA, DISA and DOD CIO, is a modernized systems engineering methodology that is designed to incorporate threat-based data into all phases of the technology lifecycle from architecture through development and deployment. Its techniques and tools allow architects, engineers and operations professionals to assess how well their capabilities defend against actual adversary threat conditions. 
Next Generation Cybersecurity Architecture: DOD CIO, working in concert with DISA, is evaluating emerging architectures to shift the way the Department's networks are protected. This requires rethinking how we implement protections so that our ability to conduct operations is unimpeded but ensures that the network resists unauthorized activity and makes it easier to detect bad actors. using cyber automation as a defensive ``force multiplier'' In 2016, the Defense Science Board recommended DOD consider cyber approaches to assess system resilience and leverage emerging technologies to increase system resilience. The study detailed a set of recommendations for the ``next dollar spent'' to maximize effects against cyber threats. The new areas of investment include increasing automation for cyber defense, improving endpoint security, and heightening cyber preparedness to accelerate cyber force readiness reporting in response to different kinds and levels of cyber-attack. The 2018 DOD Cyber Strategy also called for the Department to leverage automation and data analysis across the enterprise to improve effectiveness in cyber defense and cyber capabilities. Private industry enterprises, in comparison to DOD cyber operations, employ highly automated IT and IT security operations (IT SECOPS) processes to keep their networks secure and updated as quickly as possible. Cost containment is necessary to drive down the expense of running their enterprises. For DOD, current IT SECOPS is a largely manual and very labor- intensive process. Our networks are critical to our warfighting and support missions, but they must become cheaper to operate with increased investments in data protection. By increasing the use of automation across the enterprise and limiting the standing privileges that systems administrators have, we can have stronger assurances of the security of the environment, in addition to stronger safeguards against the insider threat. 
We must integrate automation in an effective cyber flow to enable our IT workforce to focus on the most sophisticated cyber attacks and we must automate IT SECOPS to protect mission critical systems. DOD has a number of automated cyber defenses currently in use. Intelligence-informed sensors take automated action against web-based threats using behavioral analysis and commercially derived intelligence, resulting in 7 million automated mitigations executed per day. DISA's Fight By Indicator system automatically scans Threat Intelligence Reports developed by NSA, Defense Cyber Crime Center, DIA, and others and automatically scans a PDF document to parse out the threat indicators documented in the report. Fight By Indicator processes 300+ indicators automatically, which results in 19 million blocks at the IAP perimeter per day. Advances in IT security devices have allowed DOD to provide more protections on email, examine previously encrypted web traffic for malicious content and data loss prevention, and provide more security on public facing DOD web sites. These are in place today. There is a significant amount of automation in DISA's Ecosystem that saves hundreds of thousands of manual work hours. We are working to fully extend those capabilities across the enterprise. DOD recognizes that we must plan and architect for an increasingly automated cyber environment to improve accuracy, timeliness, and effectiveness of our cyber workforce. We have evaluated machine learning systems and are working to integrate them into the Big Data Platform and End Point Security. The LOE implementation process managed by PCA offers the Department the ability to incorporate cyber automation both near term, such as through the ``First Four'' Comply to Connect initiative, and long-term through the development of next generational technologies. The Department must be dedicated to increasing cyber space security and cyber space defense.
During last year's budget planning cycle, DOD CIO led a strategic effort to increase investment in cyber security management.
identity, credential, and access management
As we aggressively leverage new architectures and technologies to achieve military advantage through information, having strong assurances of who is accessing data and how is critical. We have been actively developing a DOD Identity, Credential, and Access Management (ICAM) Strategy that recognizes the changing environment and these objectives and addresses our increasing dependence on digital identities to share information rapidly and more securely. Like the Cyber Strategy, the goals of the ICAM Strategy are enduring. At the urging of the services as part of the First Four, we are investing in foundational ICAM enterprise capabilities to meet immediate critical needs, and provide the necessary platform for ongoing innovation and adoption at scale going forward. Maintaining end-to-end integration of evolving ICAM capabilities is critical to enabling modernization of DOD's networked capabilities. ICAM provides indispensable auditable functional and security controls that implement dynamic digital policies. Increased use of machine-to-machine interfaces and robotic processes requires the same level of assurance in terms of identities and access control. The ICAM Strategy and ongoing investment in ICAM capabilities will allow warfighters and supporting systems to rapidly access whatever information they are authorized to access from wherever they are on the network. Importantly, this access must be removed when it is no longer authorized. The bottom line for ICAM is that we need to know who or what is on our network at all times.
cybersecurity workforce
As my deputy, Ms. Essye Miller, testified before you last September, DOD recognizes the importance of growing and maintaining the cyber workforce.
The recent authorities provided by Congress have allowed the Department to adjust existing personnel policies and to implement new policies that account for this dynamic need in an increasingly important mission area. One key authority is the establishment of the Cyber Excepted Service (CES). As Ms. Miller relayed to the Subcommittee, fostering a culture based upon mission requirements and employee capabilities, CES will enhance the effectiveness of the Department's cyber defensive and offensive mission. This personnel system will provide DOD with the needed agility and flexibility for the recruitment, retention and development of high quality cyber professionals.
conclusion
We believe a cyber capable adversary will focus their efforts on disrupting DOD's front line mission systems, during a conflict or in preparation for conflict, by exploiting vulnerabilities we did not realize we had. Increasing automation across the joint networks will support our Joint Forces' globally-integrated multi-domain operations. The close working relationship between DOD CIO, DISA, and PCA is critical to our ability to remediate our cybersecurity vulnerabilities. The importance of the connection between policy, network monitoring, and remediation cannot be overstated. The Department has clearly defined cybersecurity problems to be solved, and has a well thought out remediation approach. The right mechanisms are in place to monitor and report our progress in network security. I want to emphasize the importance of our partnerships with Congress in all areas, but with a particular focus on cybersecurity. The increased cyber authorities granted to the DOD CIO with each National Defense Authorization Act are one key example of this partnership. Continued support for a flexible approach to cyber resourcing, budgeting, acquisition, and personnel will help enable success against an ever-changing dynamic cyber threat. I look forward to continuing to work with Congress in this critical area.
Thank you for the opportunity to testify this afternoon, and I look forward to your questions. Senator Rounds. Vice Admiral Norton, welcome.
STATEMENT OF VICE ADMIRAL NANCY A. NORTON, USN, DIRECTOR, DEFENSE INFORMATION SYSTEMS AGENCY, AND COMMANDER, JOINT FORCE HEADQUARTERS-DEPARTMENT OF DEFENSE INFORMATION NETWORK
Vice Admiral Norton. Good afternoon, Mr. Chairman, Ranking Member, and distinguished members of the subcommittee. As Mr. Deasy said, I'm Vice Admiral Nancy Norton, and I serve as the Commander of the Joint Force Headquarters-DODIN, or JFHQ-DODIN, and the Defense Information Systems Network--I'm sorry, the Director of the Defense Information Systems Agency, also known as DISA. Thank you for your invitation to join Mr. Deasy and Brigadier General Crall here today as we discuss our cybersecurity efforts. The JFHQ-DODIN was created to globally integrate command and control (C2) for DODIN operations and Defensive Cyberspace Operations Internal Defensive Measures, or DCOIDM, across all 43 DOD components. As an operational component command under U.S. Cyber Command (CYBERCOM), JFHQ-DODIN provides unity of effort and unity of command across the DOD's layered defense construct to protect DOD networks. JFHQ-DODIN exercises Directive Authority for Cyberspace Operations, or DACO, to establish a coordinated approach for implementing priority actions at all levels of cyber defense. In addition, we issue orders and directives to all DOD components that address threats and vulnerabilities to the DODIN. Our daily interactions with all 43 DOD components involve sharing cybersecurity operations information and cyber intelligence, validating status of directed cyberspace actions, and updating defensive cyber priorities regarding unclassified and classified networks and cyber-enabled devices that are connected to the DODIN.
JFHQ-DODIN provides the operational requirements and expected outcomes aligned to the Cyber Strategy and the cyber top ten, which benefit from the standardization of capabilities across the cyber enterprise that is directed under the DOD CIO's authority. Additionally, JFHQ-DODIN conducts cyber readiness inspections, which require each network owner and their cybersecurity service providers to understand how their cyber readiness relates to their own mission and operational risks, and reviews their cyber compliance factors. DISA is a combat support agency that provides, operates, and assures command-and-control and information-sharing capabilities in direct support of joint warfighters, national-level leaders, and other mission and coalition partners across the full spectrum of operations. Its primary purposes are to provide the information technology necessary for the DOD to protect our Nation and to support the JFHQ-DODIN and U.S. Cyber Command in defense of ongoing cyber attacks, clearly critical to national security. DISA is a combined workforce of approximately 16,000 military, civilian, and contract employees. DISA is operating and evolving a global enterprise infrastructure based on common standards set by the DOD CIO, enabling effective, resilient, and interoperable solutions that support multidomain warfare in the face of escalating cyber threats. DISA directs, coordinates, and synchronizes the DISA-managed portions of the DODIN supporting the DOD around the world, and supports U.S. Cyber Command in its mission to secure, operate, and defend the DODIN. DISA's acquisition strategy works to provide efficient and compliant procurement services for information technology, telecommunications, and cybersecurity capabilities in defense of our Nation. The agency relies on a robust partnership with industry to achieve its mission.
Just as the military services look to industry to design, build, and field weapons and platforms based on stringent requirements, DISA looks to industry to design, build, and field cybersecurity tools that will meet our stringent requirements in the rapidly evolving cyber domain. DISA's trusted partnerships with industry are critical to bringing effective and secure capability to leaders and warfighters around the world. DISA routinely engages with industry to ensure they have a clear understanding of what the Department's needs are now and how we anticipate they will evolve in the future. Both DISA and Joint Force Headquarters-DODIN focus on one primary endeavor: to connect and protect our joint warfighters in cyberspace to increase lethality across all warfighting domains in defense of our Nation. I thank you for this opportunity to be here today, and I look forward to answering your questions. Thank you. Senator Rounds. Thank you, Vice Admiral Norton. General Crall, you may begin.
STATEMENT OF BRIGADIER GENERAL DENNIS A. CRALL, USMC, PRINCIPAL DEPUTY CYBER ADVISOR AND SENIOR MILITARY ADVISOR FOR CYBER POLICY
Brigadier General Crall. Thank you, sir. I certainly appreciate, like the others, the opportunity to come before the subcommittee and share a few thoughts and ideas, answer your questions. But, more importantly, I thank you for your genuine interest and help in this critical domain. It's made a difference. Just want to cover a couple items. If last year, maybe, the theme was on strategy, sir, and you've mentioned the fact that we finally published a Cyber Strategy, complete with a posture review, we can take a look at some of those gaps that we have, and get after them. I would say this year's moniker is a bit different. This is about implementation. We know where we need to head. We know the pacing that we have in front of us. But, it's now time to show results. So, I would say that this is the year of outcomes.
We're focused on delivering the capabilities and improvements that we've discussed for some time. We have actionable lines of effort that come from our Cyber Strategy. These are things we can do and we can measure our progress against. That's what we're focused on. So, while it's a good year for implementation, I would say it may not be a good year for some items. And let me just share with you a couple of those. The first is stovepiped solutions. It's a bad year for those who like to approach this in a way that we have endless niche capabilities, that run off and do business their own way, lack standards, individual development, and have difficulty in integrating. We're putting an end to that practice, which has really robbed us of success. It's also a bad year for those who don't like measures of effectiveness or discussions on data-driven return of investments. We owe an accountability for how we've spent our money and also a level of accountability on what capabilities we've achieved in the expenditure of that money and effort. Lastly, I would say it's a bad year for those who like endless pilots, pathfinders, and experiments that lead to nowhere. This is about getting to results, experimenting quickly, and the learning that we get from those, and putting that back into implementation. So, I do agree that there's a sense of optimism. I think the Department has turned a corner. But, this is the year that we really have to show the results of that effort. I look forward to answering your questions. Senator Rounds. Thank you, General Crall. We've just been advised that we have votes at 3 o'clock. So, we will probably just keep the hearing going, but we'll take turns leaving, going and getting the vote in, and then coming back in. So, no disrespect meant, but we're going to be rotating in and out.
To all witnesses--and this is a question that I guess I gave you all kind of a heads-up on that I'm going to ask today--in a hearing with private industry on best cybersecurity practices, we heard from Dimitri Alperovitch, of CrowdStrike, that they have a 1-10-60 challenge for responding to cyber intrusions: 1 minute to detect it, 10 minutes to understand it, and 1 hour to contain it. How well would DOD measure against these metrics? Are there any services or components that are better positioned to meet these goals? Mr. Deasy, I'll let you start. Mr. Deasy. Sure. So, this is clearly an operational question on how you handle a realtime event. Senator Rounds. This is a metrics question. Mr. Deasy. Absolutely. So, this is clearly best for Vice Admiral Norton to answer, since this is what she faces every day. Vice Admiral Norton. Yes sir. I appreciate that question, and definitely enjoyed the conversation that you had with industry in talking about that. That way of thinking about the challenge that we have, 1-10-60, was a good way of laying out what kinds of speed that we need in order to pace cybersecurity threats. We have not, in DOD, laid out a similar kind of benchmark, like the 1-10-60, but absolutely are looking at what the requirements are for detecting as rapidly as possible, responding as rapidly as possible, and how we can continuously increase that pace at the pace of cyber. So, I would like to take that question for the record for specifics on the response, but very definitely understand that we are watching and building towards a timed pacing of our adversary like that, just without that 1-10-60 construct. [The information referred to follows:] Vice Admiral Norton. The DOD absolutely recognizes the need for utmost speed in resolving cyber incidents; the focus to date has been on adopting automation to reduce cyber incident response time to the greatest extent possible.
DOD does not measure an incident response interval for analyst operations, analogous to the 1:10:60 rule. DOD does keep metrics on automated systems, for example from Oct 2017 - July 2018 the Sharkseer program created 300,000 automated response actions and mitigated 3.2 Billion distinct threats. The DODIN has a 3-tiered defensive framework, where security and defense is layered around Tier 1: the outermost perimeter; Tier 2: the mid-tier; and Tier 3: the endpoint. There are cybersecurity sensors at each tier to detect suspicious or malicious activity in place by DISA or other DOD components that operate close to network-speed. These sensors auto-inject commercial threat intelligence and auto-block commercially known and provided threat vectors. This type of automated capability is provided by DISA for most (not all) of the DODIN at the boundary (Tier 1). The DODIN is comprised of multiple networks below Tier 2, and multiple classifications. Each of the 43 DODIN Components designated as Area of Operations (AO) Commanders or Directors provides the cybersecurity response reporting requirements for the AO over which they are responsible. Their Cybersecurity Service Providers (CSSP) have the responsibility for Significant Activity (SIGACT) reporting to be conducted to JFHQ-DODIN within 1 hour of detection of suspicious or malicious activity, and CJCSM 6510 reporting is ongoing afterwards with JFHQ-DODIN analysts and AO operations centers working together. Senator Rounds. Okay. But, I'm going to go one step farther, and this time I'm going to direct it to General Crall. Metrics are important. In this particular case, CrowdStrike, who is public, clearly can say, in public, that's their goal. Are these metrics that should be attainable, or are these metrics that an enterprise such as the DODIN can look at right now? Are there metrics out there that we're trying to achieve? Share with me your thoughts about the importance of this type of an approach.
Brigadier General Crall. Yes sir. I think, even in my opening, I talked about our ability to measure. So, there's no doubt that we need metrics in place. I can't comment specifically to the 1-10-60, whether that's the right metric for every DOD domain. These domains are constructed quite differently. And, even with some tactical-edge considerations on how they operate, we take some unique risks at the tactical edge that we might not take in other aspects of our network. So, those need to be tailored to the mission at hand. But, I would say this. The right question for a closed session, perhaps--is, What are our metrics? How are we striving to achieve them? In a closed session, I think we could talk about some of the first efforts that Mr. Deasy has laid out, that I'm helping institute, as it comes to some detection, remediation efforts that would drive that. Senator Rounds. Thank you. Mr. Deasy, you have publicly announced that your four priorities are cloud, AI, cybersecurity, and C2. What progress have you made in modernizing the Department's cybersecurity? Does your office have all of the resources it needs to execute these priorities? Mr. Deasy. I would say that, when I talk publicly about those four priorities, one of the things that I point out is how interlinked those are, meaning that, if you're having a cloud conversation, the way we're going to institute cloud is very much going to help our cyber posture. It's going to help the way we build applications and it's going to help the way we house our data. When we think of AI, AI is very much going to help the cyber agenda. Some of our early national mission initiatives are looking at, how do we use AI, for example, to look at insider threats? How do we look for anomalies in our environment? Finally, on the command, control, and communications (C3) side, we know that we have generations of communications equipment that were designed in what I'll call a pre-cyber era.
So, as we build the next generation of command, control, and communications, we are building them, first and foremost, with what it means to have the right cyber in place. As I go about discussing these priorities, we always say that cyber is at the heart of the digital modernization of the Department of Defense. Everything that we are banking on and building for the future is starting with the mindset of, we must bake cyber in from the start. Senator Rounds. Thank you. Senator Manchin. Senator Manchin. Thank you, Mr. Chairman. Mr. Deasy, you have quite an impressive resume, basically in the private sector. Coming to the government sector, we appreciate you for your service. Seeing that over the years how we've been hacked and the espionage that's gone on, and the things that I have mentioned, as far as a thousand different sites, if you will, and none of them seem to be talking to each other or protecting each other, do you believe that we can rapidly close that gap and change our approach to how we do business? Mr. Deasy. It's an outstanding question, and probably one of the top ones every day I address. I think General Crall actually hit upon it. The days that people, what I like to refer to as roll their own solutions and stand up unique systems to solve unique mission sets, have to be revisited. So, one of the things, especially now, given the new authorities that I have, is that we are putting out a tone that, as we go through the remediation of our various cyber programs, the days of debating, what are the various tools and software that we're going to use? We have to stop. We have to quickly move from the debate of what's the right source of a solution to the implementation approach. I've always said, there's no reason we need different tools to solve for many of these problems. The way we will implement those tools is obviously going to be different if you're dealing with a tactical edge and advanced space versus if you're going to deal inside the Pentagon.
But, I have been very direct and quite vocal that we need to standardize more, we need to stop rolling individual solutions, and we need to move beyond the debates of, what are the right product sets? And we need to spend all of our time talking about how to get the work done. Senator Manchin. I wanted to ask you about your cyber top ten to see where you're working. But, first of all, on the different types of systems we have been using in different applications in the companies we have dealt with, or contracted with, speaking of Kaspersky and Huawei, have you all been able to see if we're still using those contractors? Or their equipment? Mr. Deasy. I would say that some of this discussion should probably be held in a private--you know, classified session. But, I can say, generically, that, yes, we are aware of the capability of those particular---- Senator Manchin. Because I was on Intel, so I know where you're coming from, but, have you all done the evaluation we probably requested in Intel to tell us who is still using--in any departments, are still using these components? Mr. Deasy. Yes. We have evaluated. Happy to share with you, offline, what the results of that. Senator Manchin. We'd love to see that. Mr. Deasy. More importantly, I would share with you the approach we're using, as we find additional vendors, how we deal with this. Senator Manchin. Well, maybe the Chairman and I can get together with you all on that in a classified setting. Mr. Deasy. Okay. Senator Manchin. How about your top-ten issues to characterize your priorities? Can you tell me what are your items of your top-ten list, and what's the relationship with the Cyber Strategy? Mr. Deasy. The way that I describe the top ten is, we stepped back--because if--depending on who you went and talked to inside the Department and said, what is a risk? 
You would get a very different answer, if you're talking to someone who's sitting at an endpoint, your desktop, or if you're out managing a weapon system. So, we stepped back and said, if you think this through the eyes of an adversary and how they think of the world, how they would traverse the Department of Defense. We stepped back, and we laid out a set of priorities to address all the points of interventions where we think adversaries would try to intersect with us. Obviously, it would not be prudent for me, today, to walk through each of those individual ten things, as one could draw conclusions from that, but suffice to say we've taken a very holistic approach, for the first time, of how we think about all aspects of the chain of how data moves across Department of Defense, and then, what are the points that we need to put prioritization against? Senator Manchin. Admiral Norton, you're the Director of the Defense Information Systems Agency, correct? But, you're also dual-hatted as the Commander of the Joint Force Headquarters for the DOD Information Network for the totality of the DOD's networks. Are all the cybersecurity providers scattered across DOD; are they under your purview, your command? Vice Admiral Norton. They are not under my command, sir, they are under my Directive Authority for Cyberspace Operations. So, those cybersecurity service providers (CSPs), in some cases, work for me, as DISA; in other cases, they work for the military---- Senator Manchin. How about the cyber protection teams? Vice Admiral Norton. The cyber protection teams are the same thing. I do have some. I have six of those that work for me, specifically, as the Joint Force Headquarters-DODIN, directly supporting the DODIN backbone and the perimeter defenses. But, others of the cyber protection teams are assigned to the services and some to each of the combatant commands, as well.
But, all of those, both the cyber security service providers and the cyber protection teams, as well as every system administrator, every one of those cyber workforces, is under my Directive Authority for Cyberspace Operations (DACO), meaning I can synchronize the actions across all of the DOD for any responses that we need to take, any changes that we need to make on the network, based on that DACO that I have under U.S. Cyber Command. Senator Manchin. How can you prevent, through cyber, the attacks that may be going on, could be going on, if you're not over total control? Your one directive goes across all of the different commands, but they don't report directly to you, and each of the commands have different chains? Vice Admiral Norton. Yes sir. So---- Senator Manchin. Is that a disconnect there? Vice Admiral Norton. I don't believe it is. JFHQ-DODIN was stood up specifically to do the synchronization and command- and-control of the defensive cyberspace operations forces across the DOD. So, it would be very difficult to aggregate them all into one command. There are about 250,000 cyber workforces across the DOD. They're as disparate as serving in a squadron in the Air Force or a submarine in the Navy, every one of the agencies, across the board. But, with that Directive Authority for Cyberspace Operations, I'm able to mandate what kind of actions they're taking on a daily basis, and do that through a daily cyber tasking order that we have with all 43 components. Senator Manchin. I think, in a nutshell, what I'm asking, how do we prevent a Snowden from continuing all the different breaks that the public knows about? There's more that they don't know about. The ones that have been very public, have we taken steps? Mr. Deasy or General Crall, you've seen this through your career. Are there steps being taken to close that loophole so that doesn't repeat? Vice Admiral Norton. Yes sir. We absolutely have. There are many, many actions that we've taken. 
Snowden, of course, was an insider threat, and we have taken specific actions---- Senator Manchin. Right. Admiral Norton.--addressing an insider threat, across the Department. There's always more to be done, because that's a very complex problem. But, we absolutely have. And Joint Force Headquarters-DODIN has only been in existence for 4 years, this week, so we are maturing in the ability to synchronize all of those efforts. We didn't have this when Snowden was able to infiltrate and exfiltrate the data that he did. Senator Manchin. I'm going to go vote, and I'll be right back. Vice Admiral Norton. Yes sir. Senator Rounds. Let me just continue on, because I think that's an important part of it. The reason why we do the open hearing now is to talk a little bit about how big this challenge is, because you're talking about not just all of the Armed Forces, but you're also talking about our acquisition processes, you're talking about a huge contractor base out there that is just as susceptible to cybertheft as our armed services are. And yet, all of our air, land, and sea domains are at risk if our cyber domain is not secured, just like our space domain has to be secured. And I think that's part of the message we're trying to get here, is, this is not something that can be done simply by the Department of Defense alone. This is a case of where we have to have the rest of industry, obviously, in tune with us. Can you talk a little bit about the coordination which you're trying to do with those entities that are defense contractors and their subcontractors, how big this is, but also what you're doing to try to focus on that? Mr. Deasy. I'll be happy to address that. On that top-ten priority list is the defense industrial base, or often referred to just as the supply chain. It's very, very clear that defending our networks extend all the way out to our contractor networks. You could argue they're just an extension of what we do. We pass classified data. 
They do things on behalf of us. So, there's no doubt, when you look at the first tier and the second tier, and you think about exfiltrations and the problems that have occurred, we have to treat our subcontracting base the same way that we think about defending our own networks. Now, to that end, we get some help. There are standards that our defense contractors are obligated to follow. It's the National Institute of Standards and Technology (NIST) standard. It's the same one the Department of Defense follows. The Deputy of Defense Secretary recently stood up a task force. I had made a recommendation that we need to look at, holistically, from the day we awarded a contract to the moment we have an exfil or a spill occurred, and how we then handle that needs to be rethought through. Right now, there is a task force that is stepping through the entire way through which we handle our contractual relationships, our notification of problems, our forensics, and, when we do have a problem, to improve upon that. This problem is not necessarily a tier-1 supply level, it's down in the tier 3 and the tier 4. Senator Rounds. Explain what that is. Mr. Deasy. In many cases, we will contract with a very large traditional defense, but they don't build everything for us, they don't engineer everything for us. They will go out and contract with a firm---- Senator Rounds. Which means they share classified information with their subcontractors, who may very well share that same classified information with a subset of contractors again. Mr. Deasy. And that entire chain is tracked. Where the issue breaks down is, as you go down to those various subcontractors, do they understand, are they equipped, do they have the knowledge and the capability to defend themselves? And what is it that we should be doing more of to help them learn how to defend themselves at those tiers? Senator Rounds. Okay. It's not a new problem.
But, most certainly, it's one that this is where we find a lot of our hygiene problems at. And that's the way most of our information is lost, is through improper cyber hygiene, meaning somebody at a level, basically, made a mistake, and somebody got into their system and now has access. It's one thing to make a law or a rule. It's another thing to be able to enforce it. Talk to me about your enforcement actions and how you see ways to, not only make the law, but enforce the law, and then to follow and audit the process. What do you have in place, and where are you short of capabilities today? Mr. Deasy. First of all, you make a very good point. If you look at a lot of the problems that have occurred and where the forensics have been done, it does come back, many times, to basic hygienes. So, we start with a self-certification process. We are now looking at a new process that the Office of the Under Secretary of Defense for Acquisition and Sustainment (A&S) is leading, and that is, how do we then build in a confidence score against their certification? Ellen Lord's organization, where they go through and they evaluate that self-assessment, they put a confidence score against that, and what they're now looking at is, how do we go out and have a closed-loop system, where we can go out and validate what it is that they self-assessed against? This is a massively large supply base, so there's discussions right now on, what is the right approach on doing that, given that trying to get every single member of that supply base might be overly challenged? And so, how do you sample, and how do you do this in a way where you can start to get confidence that, as you move down those tiers, that their self-certification---- Senator Rounds. Let me follow up, because I think that's a critical lead-in to another piece here. As other members come back, we'll allow them to get into this, as well, but I have to ask. 
Even if you could hire--and I know that you need to hire more experts in cybersecurity, but you're also going to have to hire and contract out with entities that have real expertise in cybersecurity. Do you have a process in place to invite and vet expertise within cybersecurity that we can use to help us? And then, once you get past that stage, and you recognize that you can't do it with manpower alone, you're going to have to have the additional electronic resources, including AI. Can you work your way through that, from looking outside of government, manpower needs, and then also moving to AI? Mr. Deasy. As you know, I do come from private industry, and this problem for large companies, private industry is no different; i.e., they don't have the capability to evaluate every one of their supply-chain vendors. So, what has happened in private industry, which is what we are now looking at for the DOD, is actually a process of identifying, possibly even certifying, companies that can play the role that can follow the NIST standard and actually go in and look at a second-, third-tier supplier. Senator Rounds. Are you taking invitations for that now? Mr. Deasy. No, we are just in the early discussions of how we might do that. As I said, A&S is the lead for this. I've been advising them on how this has been done elsewhere. To your AI question, there is definitely going to be value in looking at, How do you take the entire supply base, the NIST standards, the hygiene problems we see, and can you apply AI to this problem to start to identify where you most likely are going to experience problems inside your supply chain? We are literally just in discussions. I do not want to suggest that we have an active program underway. But, I would suggest that this is a good case where we can apply machine learning to looking at this problem. Senator Rounds. I will give Senator Scott an opportunity to get settled, but I'm just going to ask you one more question. 
Then I'll move to Senator Scott. Right now, there really is a difference between AI and machine learning. Are you deeper in with machine learning right now to cover a lot of the items right now that otherwise we just don't have the manpower to cover? How far along are we? Mr. Deasy. We are still very much in the early days. I would actually be very happy to come and have a session with you on what is called the Joint Artificial Intelligence Center (JAIC) and how we're using that to apply new AI/machine- learning algorithms to solve for some of these problems that I think you're touching upon here today. But, probably best that I come and talk to you offline about how we're approaching the AI/machine-learning problem. Senator Rounds. Very good. Thank you. Senator Scott. Senator Scott. I'm sorry if I ask a question that somebody's already asked. You get a lot of wonderful vendors from all over the United States and around the world that want to sell you stuff. How do you all make a decision on what you're going to buy and who's the best vendor? Mr. Deasy. There's a number of us that can do that. Why don't we start with Vice Admiral Norton. You use a number of suppliers. How do you go through your vetting process? Vice Admiral Norton. Well, we have a lot of different mechanisms that we interact with industry, starting with very public and very open things, like we have a forecast industry, where everybody is invited to come in and hear about what we're doing, what is already ongoing, what is planned in the near future, and then opportunities for each of those vendors to talk to the program managers and the leadership at DISA and get an understanding of what they might be interested in pursuing. We have a Small Business Programs Office that specifically targets and interacts directly with the small businesses that have interest in any of our activities. They feed back into different parts of DISA for further communications. 
So, that gives us the understanding with industry of what's available. From there, it's evaluation based on the performance criteria that we've set for the particular product or particular capability that we need in understanding what the acquisition strategy might be. In some cases, that means doing a major evaluation of a number of different contractors at companies that have similar products, and evaluating them for the best fit. In some cases, it means something like an other transaction authority, where we have a couple of different prototypes, and both of them are able to build out and demonstrate, what capability would best suit the need that we have. Brigadier General Crall. Sir, thank you. This really does come down, as Admiral Norton talked about, to requirements. That's both what I need today and what I anticipate, not just simply chasing after a capability that I might not need or couldn't find a use for, which sometimes they come packaged. We do look at performance. And we look at performance in measures at that tactical edge, which is different. We've found vendors, in many cases, that work very well in a flagpole or garrison environment, but, when we start getting to thin line, red line, or austere conditions, the product may not perform as well, and that's a consideration for a warfighting machine that's expected to operate in an information-contested environment. So, that's one area that we take a look at. And, of course, no shortchanging the idea of cost at something that's sustainable or affordable. But, the other piece that I think is important is how flexible it is, the thing that we're looking at. Requirements do change, and one of the big concerns is not getting locked into something that requires a level of emulation, patching, or, really, caretaking that could exceed the cost of the product to begin with. So, looking at more informative ways to do it. 
But, the problem really isn't so much about us finding the right vendor that can provide what it is, it's the vendor's patience in dealing with us and our lack of flexibility in acquisition. We find more vendors most likely to walk away from trying to deal with us because of simply the way that we contract. And I'm not saying that we shouldn't contract that way. There's reasons why we have some of the contracting rules and regulations, to ensure that we behave properly. But, in industry, as Mr. Deasy will attest, his experience of finding a solution, matching a vendor with a need, can be done very quickly in the civilian world, where we might find ourselves years out. By the time we compete properly, line up the resources, make sure it's within our Program Objective Memorandum (POM) cycle, and actually move on it, the product might not even be viable at the time of purchase. Senator Scott. So, what needs to change? Brigadier General Crall. Sir, I think we're doing the change on the front end, as we are focused on requirements. So, I think we're doing our part. We've had a great relationship with the vendors; really, industry is going to help us get through many of the problems we're talking about. They absolutely bring the technology we need to bear. But, focusing on requirements, that's our responsibility. I think we've done a better job. The way we consume products as a service model, vice having to own everything, is a methodology that we're looking at. I think we need to be more thoughtful on how we come back to Congress and ask for some help on how we acquire. The acquisition machine needs to change. Mr. Deasy. If you ask me, it's one word: speed. 
I think about how, in the private industry, from the time that they identify that the adversary now has a new set of methodologies and tactics, the ability to go out and scan industry to see who's addressing that, quickly find those companies, bring them in, evaluate them, move through the procurement cycle, and get them operationally installed inside the environment has to be done with a lot more speed than we have today. Senator Scott. May I continue? Do you ever feel taken advantage of by a vendor that talks you into a type of Request for Proposal (RFP), and then you find out, at the end, there were other vendors that you couldn't even do business with because of the RFP you started out with? How do you deal with that, if that's true? I used to be an investor in national security, and we'd do business with the Government. We won based on how well we did with the RFP. Do you feel that industry does that to you? Mr. Deasy. I have not seen that. What I have seen sometimes is a poor understanding of your requirements up front, and so you're misaligned because you haven't spent enough time really understanding what your requirements are. The vendor's trying to then come in and sell you something that may or may not meet your requirements. I see more of a disconnect between what the vendor is trying to tell you it has versus the requirements. That needs to be probably vetted at the front end better. Vice Admiral Norton. One of the things that DISA has done routinely is put out requests for information (RFIs) in advance of an RFP broadly, and have an ongoing dialogue with industry so that they get a good understanding of what it is that we're looking for, what is available, not trying to put out an RFP for something that will never be produced and will never deliver. So, we'll spend a lot of money on some vendor trying to do that. We don't do that anymore. We always baseline with an RFI, and that gives us a lot of opportunity for understanding. Senator Scott. 
Part of being decentralized is that it seems like it would make it difficult for somebody to intrude. As you get more centralized, are you concerned that'll make it easier for somebody to intrude, because, once they figure out exactly how to intrude in your system, they hit everybody at the same time? Do you have any concerns about that? Vice Admiral Norton. I am always concerned about that, sir, and the balance between the ease of operation and the speed at which you can operate a very homogenous network at a large scale. If everything is the same and you're able to automate the processes of changing that, then you can do that very rapidly. So, operation and cybersecurity can be done very, very rapidly. But, that same ability is also a potential weakness if an adversary is able to get in, because then they can do the same kind of thing. So, you have to balance that. How do you block that so that kind of adversary behavior isn't able to penetrate your entire network? Mr. Deasy. One of the things I've been advocating for since joining is, people always ask, are we better off being decentralized? And I would say, but then you have a thousand ways of which someone can get in, so that's the downside of that. If you centralize, then if someone could get in, the breadth of the surface space they can cause damage is much larger. I always say, it comes down to how you architect for that centralized approach. If you architect with a very flat area, where, once they get in, they can cause great havoc, that's not appropriate. If you're smartly architecting for a centralized approach, where you're limiting what I like to call the ``blast radius,'' where the problem can occur, then actually centralization has some huge merits that you don't get from a decentralized site. Senator Rounds. Thank you. Let me just move on. And I'll have Senator Wicker. Senator Wicker. Senator Wicker. Well, thank you very much. 
It's too bad we've got so many balls in the air; we can't be here for the entire hearing. Has anyone asked you all about China and Huawei and ZTE and Chinese-owned information companies yet? Has anyone asked that in this hearing today? Mr. Deasy. Yes sir. Earlier, it was asked. And what we said was, yes, we understand the nature of the problems with those products. We have a good understanding of where they are, and are not, inside of our environment. And we said that, if you would like to go deeper, given the sensitivity and the nature of what those products do, we'd be best to have that conversation in a closed hearing. Senator Wicker. Yes. But, let's see what we can talk about in an open setting like this. In terms of our National Security Strategy and our new national security policy, is what is contained in there adequate to meet this challenge? How much of DOD's information flows over commercial networks, for example? And do we need to be concerned about that? Is there something going on now with commercial providers to improve cybersecurity of these information networks that involve crucial national security matters? Mr. Deasy? Mr. Deasy. Yeah, there's a couple there. There's a part on strategy, and I'll let General Crall take the strategy. You bring up a good point. If you think about how data moves across the Department of Defense, both the continental United States (CONUS) and outside the continental United States (OCONUS), you have to ask yourself, Where are you touching the commercial side of an environment, and how well do we understand the commercial nature of what products, like Huawei's, might be in there? We have a very good understanding for CONUS, what that looks like and what those vulnerabilities are. For OCONUS, as you can imagine, it's a lot more complicated, because those networks sit with providers outside the United States. So, we have to architect and be a lot more thoughtful about how we set up on an OCONUS basis because of that. 
Senator Wicker. If there are Huawei products, what's our concern?

Mr. Deasy. The concern is that, inside those products, there will be engineered solutions that allow them to capture information that can be sent back to the adversary.

Senator Wicker. And those solutions would already have been engineered and already implanted, in certain instances. Isn't that correct?

Mr. Deasy. I cannot speak to the detailed engineers' designs of the Huawei products, but, in theory, yes, if that product was engineered with backdoors where it was exfiltrating, that would be the case.

Senator Wicker. So, I'm concerned that that capability may already be out there and installed in many places outside the continental United States, which is what you're saying when you say ``OCONUS.''

Mr. Deasy. Uh-huh.

Senator Wicker. Now, General Crall, what would you like to add about that?

Brigadier General Crall. Sir, I realize the focus on outside CONUS, but I don't know that I would exclude inside CONUS.

Senator Wicker. Right.

Brigadier General Crall. To your point, we're talking about networks and service providers and that there's some level of granularity you can have in researching the flow of traffic and how they're handled, but there's also the smaller end peripherals, the switches, the routers, and the hardware that allow these connections to take place. We understand what white gear is. It's the fact that you can't trust what's on a label. There's a concerted effort to ensure that what's marked is, in fact, what's inside. So, you have concerns that there could be challenges in making sure that the authenticity of the gear is what's stated. And that concern is shared. In a closed session, sir, we'd be able to provide a little more detail on how we examine that.

Senator Wicker. Admiral, do you have anything to add?

Vice Admiral Norton. Just that we have done an enumeration of that equipment, and so we do understand what is out there. Again, we can talk about the specifics in a closed hearing.

Senator Wicker. Very good. Well, thank you very much. And I am told that Senator Gillibrand is next.

Senator Rounds. Senator Gillibrand.

Senator Gillibrand. Thank you so much. I want to ask a little bit about cybersecurity architecture, because Senator Wicker talked about ZTE and Huawei already. Forming consistent and comprehensive cybersecurity architecture across the DOD and, frankly, across all of government, is vital to our national security. What roadblocks are currently in place that inhibit this from being a reality? Do you all feel that you have the necessary authorities to overcome those roadblocks?

Mr. Deasy. I don't see roadblocks. I see legacy. That is probably our biggest challenge. For years--we had this conversation earlier--we have allowed services and various components to roll and implement unique solutions that maybe aren't interoperable or standalone. As I said earlier, the new authorities that the DOD CIO office was granted, starting this year, now allow my office to establish the standards and the architectures that the components and the services have followed, which was why General Crall made the comment earlier that this is the year where there will be a lot of noise in the system, because we are going to drive those standards. We're going to drive implementation. And we know there will be people that are going to be very uncomfortable about the fact that we're no longer going to allow them to stand up their own architectures or solutions.

Senator Gillibrand. Right. Do either of you have anything to add?

Vice Admiral Norton. Yes, ma'am. I'll just add that one of the difficulties of changing the architecture in the military is that we rely on these systems for ongoing missions every day.

Senator Gillibrand. Yep.

Vice Admiral Norton. So, the time that it takes for finding time where you can take a system offline in order to make the upgrade ends up oftentimes being the long pole in the tent of actually changing the architecture, which is why we oftentimes have a lot of legacy. Funding can become a problem, but the time is actually the driver in most cases. As we build out future architectures, we have to build in the ability to make those changes very rapidly on the fly, without having, in some cases, weeks and even months of downtime for the systems for something like a ship or an airplane or a headquarters building.

Senator Gillibrand. Yep.

Brigadier General Crall. Ma'am, I used to think that starting things was the most difficult thing in the Department. I've since learned that stopping them, potentially, is more difficult.

Senator Gillibrand. Welcome to the Federal Government.

[Laughter.]

Brigadier General Crall. I think that really driving toward ensuring that, while we have a plan to onboard new capabilities, we're smart in making sure that we can retire legacy, where appropriate, because we end up in this position where it's simply not affordable to keep it all alive. We've been a little slow on retiring legacy, but we have a plan, under the new Strategy, in the lines of effort to get after that.

Senator Gillibrand. A section of the NDAA I helped craft directed the Secretary of Defense to enhance awareness of cybersecurity threats among small manufacturers and universities working on DOD programs. What actions have been undertaken to execute this order? And how successful do you believe these actions have been? More to that point, a lot of the industrial base has led to an emphasis on bringing in more small businesses in the process, but meeting cybersecurity requirements is really hard for them. What does the DOD do now to help those small businesses with cybersecurity so that they could participate in the future?

Mr. Deasy. As we had discussed earlier, that topic is actually part of our top ten priorities, probably three dimensions. You mentioned the academia dimension of that. You mentioned the small business dimension of that. We definitely need to help figure out how we're going to handle small businesses. If you look at what it takes today to do good cyber hygienes to stay ahead of the adversary, we know many of the second- and third- or fourth-tier supply base simply doesn't have the wherewithal to do that. We have some thoughts underway about how we can bring them into cyber hygiene, whether it's a cloud or an extension of our network, and we can fortify them with services that we provide. We are in the very early days of that. But, you should know that we're in active conversations of how to do that. The other thing we're doing, as was discussed earlier, is, we've stood up a task force that reports directly to the Deputy Secretary of Defense. And that task force is looking at the end-to-end way that a supply chain works, which includes the academic world around base research that's done, or maybe more classified work that's done on our behalf, and how do we really understand and get a better handle on how that research is done, where it's done, and what are the mechanisms that these institutions are using to ensure that things are being done in a safe, sound manner.

Senator Gillibrand. Thank you so much. Thank you, Mr. Chairman.

Senator Manchin [presiding]: Thank you, Senator. I have a quick question, and then we'll go back to Senator Wicker for a second round. In any competition, you're always evaluating your opponent. As we evaluate our opponents in the cyber technology realm, China and Russia--where they are today, where we are today, and their opportunity either to stay ahead or pull ahead, do you feel comfortable with the direction we're going to offset the advancements they've made in such a quick period of time? We can start with General Crall, and come right across.
Brigadier General Crall. Yes sir. I think I'd have difficulty answering that in open forum. To characterize your question you never rest, as you know, on any capability or laurels that we have. We know what we know, but there's a concern about what we don't know. And we have a lot of suspicions on where our peer and near-peer competitors are---- Senator Manchin. You're identifying two of your most challenging competitors. It's going to be China and Russia, correct? Brigadier General Crall. There's no doubt, sir, that they are at the top of our priorities. Their capabilities are increasing, as are ours which is why it requires great vigilance. Senator Manchin. Go ahead, Mr. Deasy. Mr. Deasy. To the General's point, it is difficult, in this setting, to answer some aspects of that. I will tell you that I have a weekly session where I am briefed by U.S. Cyber Command and the National Security Agency (NSA), and we specifically are briefed on China and Russia. One of the reasons I wanted to get into this normal cycle of doing these briefings was, to the very point that I think you're trying to poke at, is trying to understand, vis-a-vis where we are on our offensive as well as defensive capability. And suffice to say that these are very strong, capable adversaries, but, at the same time, we have some strong, capable abilities ourselves. Senator Manchin. Admiral? Vice Admiral Norton. Yes sir. I will echo their comments about specifics, but of capabilities against our adversaries would be better in a closed session. But, I will say that China and Russia both have very clearly exercised and demonstrated their, not just ability, but willingness to fight in this domain. And we see that every day. Regardless of the adversary, we see the concerted effort to attack the United States and the Department of Defense. Senator Manchin. Is Acting Director Shanahan committed to implementation of the new Cyber Strategy? Mr. Deasy. Absolutely. 
One of the things I said in my opening remarks that I should really stress is, when I came onboard, one of the things that he wanted to establish was a weekly cadence for CIO Cyber. We call it the CIO Cyber Working Group. He personally, before his new duties came into play, chaired that meeting. He was at it every week. He would look for the metrics. He would be quite the tasker of ensuring the activities were getting done. He's done a very strong handoff of duties to Deputy Secretary Norquist, who is now continuing that. You should know that one of the things I have been incredibly pleased with since joining the Department is to see the top of the house be extremely active on what I'll call a very frequent basis--i.e., weekly--in the engagement of all the activity that you heard us talk about today. Senator Rounds [presiding]: Senator Wicker. Senator Wicker. Well, that's good to know. It's encouraging. And I'm sure it's encouraging to Senator Manchin, too. My last question deals with data rights and data control policies, getting the best technology, but at an affordable price. You've got a company with good technology. They're profit-oriented. They don't have to make a deal with anybody. They're under no special obligation to do business with the government. So, how are we doing with regard to our policy there? Does it deter cutting-edge cybersecurity companies from doing business with the Pentagon? Is it difficult to strike a balance between getting the best and getting something we can afford? And what's your assessment of the Department's data- rights and data-control policies? Brigadier General Crall. Yes sir. I can certainly tell you there's a focus. You bring up a couple issues when it comes to rights. I think the verdict is still out, by the way, on who owns data. Lawyers will tell you, when you go through this understanding of where it's housed, how it's moved, what residual components of data reside. We care. We're concerned. 
And we have policies in place on where we put that data in the Department of Defense. To your comment about the struggle between affordability and really doing business with the best--the best customers are always the desired customers--it would not be truthful for me to tell you that, in every instance, we get the best of both worlds. Again, because of some ways that we acquire services, we often, or at times, have gone with what is the most expedient or those we could do business with based on rules and regulations. So, we're still finding our way through that, in some cases. But, the real focus, I think, for the Department, when it comes to policy and implementation on the strategy, is really how we start focusing on data and data security at rest and in transit. Maybe less with how data are stored or transported in conventional ways, but more accurately now is, how do we safeguard it in all aspects of it at rest and in movement? Senator Wicker. Are you able to be specific about rules and regulations that you referred to? What would be an example? Brigadier General Crall. Sir, I would like to come back to you in writing on rules and regulations, to be specific. But, the idea, for example, if we wanted to host data in a commercial cloud today, and let's say that data was unclassified data, there's a reason why we tend to put this data repository under certain controls, like Federal ramp, and conditions on storage and security, but also on premises. I can just answer for the Marine Corps, that, when I was the CIO, prior to this job, I personally felt uncomfortable in some business arrangements of putting my data in a commercial cloud, where I could not guarantee, if I stopped doing business with that company, what it meant to return the data to me. It's electronic. I didn't know what I would get back. So, a very specific example personally---- Senator Wicker. You didn't know if you would get it all back. Brigadier General Crall. That's correct, sir. 
So, I ended up storing that data on prem, where I could control it, and I asked for services to push that data through those commercial contractors. But, things have changed since then. There are some safeguards that are out there that make doing business that way maybe a little better when it comes to encryption, which is what I was getting after, meaning I might be able to house that data under certain rights where I hold the keys to that encryption and feel more secure about where it resides. Senator Wicker. Okay. Well, you're going to get back to me with a supplemental answer on it for the record. Brigadier General Crall. Yes sir. [The information referred to follows:] Brigadier General Crall. Following up on my 29 January testimony, I would like to confirm and further highlight Department of Defense issues, challenges and progress, associated with Data Rights Management. The anecdote I shared during my earlier testimony was based on my time as the USMC Chief Information Officer, but I believe the challenges I highlighted still reflect relevant problems. The Department is addressing some of these issues, while others remain unresolved. These include: Data Replication (If data is replicated to a foreign country, is the Department now subject to foreign or international laws?) o Storing data in facilities outside of U.S. legal jurisdiction can subject that data to foreign and international laws. The lack of legal precedents, conflicting case law, and the potential for extraterritorial jurisdiction and secret gag orders placed on the cloud providers, increase these risks. Because of these liabilities, the Department implemented contract clauses in the Defense Federal Acquisition Regulation Supplement (DFARS) that require the cloud contractor to maintain all DOD data within the United States and outlying areas, or in DOD facilities when OCONUS. Under this clause, overseas hosting locations would be limited to U.S. embassies and U.S. 
military facilities operated under a Status of Forces Agreement (SOFA) that provides for U.S. legal jurisdiction. Decryption Keys (Who holds them for data at rest and in transit?) o The Department requires encryption of data-in-transit and data-at-rest using NSA approved cryptographic solutions with the DOD mission owner having control over the management and use of the keys. In situations where encrypting data with DOD key control is not supported by the service provider, the Mission Owner's Authorizing Official is required perform a risk analysis and make an informed decision on the risks before transferring data into the commercial cloud. If we decide to . . . then . . . the risk is. Metadata (Who owns metadata? Can vendors sample or compile metadata?) o Metadata used for Cloud Service Provider (CSP) operational management and user-experience improvement has the potential to be exploited. This information reveals patterns in workload activity volumes and flows, as well as the relationships of those workload activity volumes and flows to specific users and locations. The Department's cloud contracting clauses establish limitations on the contractor's access to, and use and disclosure of both government data and metadata. These clauses limit the contractors use of metadata only to manage the operational environment that supports the Government data and for no other purpose unless otherwise permitted with the prior written approval of the Department. Accreditation and Assessment (How can we trust vendor accreditation packages?) The Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. Sec. 3551 et seq., Public Law (P.L.) 113-283, requires a security assessment be performed using the standard processes and controls published by the National Institute of Standards (NIST). Under FISMA, the Federal Government is not permitted to use a cloud service provided by a vendor unwilling to allow a risk assessment performed in accordance with NIST standards. 
Some vendors have been unwilling to conduct these assessments claiming that costs are high and hard to recoup. Additionally, not all vendors share their assessment documentation (not required to), making it difficult to assess the quality of their work. It is important to note that the Federal Risk and Authorization Management Program (FedRAMP) effort has been instrumental in helping to address these concerns. For example, FedRAMP allows third-party assessment organizations (3PAOs); a group of certified, independent assessors than can satisfy the requirements of both the Government and the commercial cloud vendors. Data Return (What happens to the data when a contract is closed?) o The DFARS cloud computing services clause requires the contractor to provide the Contracting Officer all Government data and metadata in the format specified in the contract and to dispose of the data and metadata in accordance with the terms of the contract. The contractor is required to provide confirmation of the disposition In accordance with contract closeout procedures. The contactor and its employees are not allowed to access, use or disclose Government data unless specifically authorized by the terms of the contract, and then only for the purposes specified in the contract. These prohibitions and obligations survive the expiration or termination of the contract. The DOD is free to take additional steps to secure its data. For example, just as there are utilities that overwrite PC hard drives with zeros, or randomly generated patterns, similar utilities can be deployed in the cloud to overwrite encrypted data before data deletion request is generated. This step reduces the likelihood of a dataset accidentally not being deleted by the CSP, and being discovered by an adversary that later breaks the encryption code. Despite these procedures, there is no such thing as a true ``return'' of data as electronic copies can exist. 
This places even greater importance on ensuring the appropriate risk decisions are made concerning encryption; assessments of controls; and where data is placed (classified or general purpose cloud)--no different than in our own environment.

Senator Wicker. Thank you. Thank you, Mr. Chair.

Senator Rounds. Thanks. Senator Blumenthal.

Senator Blumenthal. Thank you, Mr. Chairman. Thank you all for your service and for being here today. In an annual assessment of cyber threats reported by Bloomberg News--you may have seen that report--the DOD's Operational Test and Evaluation Office (OT&E), found that the Department has not fully grasped how to counter new threats posed by emerging technologies like artificial intelligence. Mr. Deasy, the CIO position has served as the principal advisor to the Secretary of Defense for a breadth of issues beyond cybersecurity, including information technology, communications networks, and the like, command systems. In your prepared remarks, you cite a number of emerging technologies that DOD has identified for potential use, such as software-defined networks. I know that Senator Rounds asked you some questions on this topic. You also noted that DOD has evaluated machine learning, artificial intelligence systems that are working to integrate these capabilities and networks. So, for you, and maybe for all the witnesses, what are the artificial systems currently useful at DOD, and what's holding DOD back elsewhere in the field? Is it in-house expertise? Technical resources? And maybe you would comment on the Bloomberg report, as well.

Mr. Deasy. Yeah. So, we work very close with the DOT&E, so are very much aware of that report. It's quite interesting. When you go through the observations in that report, it points out things like leadership responsiveness finding hygiene problems. It points out things like nuclear command and control in this age and the serviceable life of equipment.
It talks about stolen credentials and breaches of defense contractors. The top-ten program that we have been referring to throughout the testimony today was actually created, as I said earlier, to look at, holistically, where are all the intervention points that adversaries can touch us, and how do we address that? So, I'm pleased that, when I look at this report, many of the things that are sitting inside of the top-ten stuff that we're starting to implement actually mirrors very nicely to the report. The very end of that report makes observations about where there could be improvements. One of the things that it points out clearly in there is that they now believe the Department of Defense is scoping the task properly, they believe there is a followup--there is an organizational construct in place across the Department of Defense to address these problems, and that we now know what are the tools and the skillsets that we have to put in place to get after it. So, that's kind of part A to your question. To the part around the other activities, may it be artificial intelligence, the use of cloud, the use of next- generation command and controls--as I stressed earlier, when I talk about the digital modernization of Department of Defense, I always like to remind people that this is a highly integrated set of things that we're doing. I always start off by saying there is no doubt that AI and what it offers the Department is going to be quite significant. How we implement that is going to require that we put in a robust enterprise cloud. How we secure that cloud, how we use commercial providers to put the AI on top of that is very important. However, if we don't solve for next-generation command-and-control communications, we will not get the necessary information out to the warfighter. So, you must look at cyber from a communications standpoint, and a satellite standpoint, as well. 
All of these things, to me, are tightly, tightly integrated, and that's why, when we talk about the digital modernization programs in the Department of Defense, cyber has to sit at the forefront of everything that we do, sir.

Senator Blumenthal. Do either of you have any comment?

Vice Admiral Norton. Yes, sir. I'd like to say a couple of things. One of the things that they talk about in that report is the importance of understanding the cyber terrain and starting to really grasp that. That has been a major effort of the Joint Force Headquarters-DODIN. We actually put out an order that specifically lays that out for the 43 DOD components to identify, map their cyber terrain, map what is key cyber terrain so that we can recognize where additional forces need to be put, where additional emphasis might need to be, to include putting some of our cyber protection teams on that key cyber terrain. In my opening comments, I mentioned that I am responsible for the command readiness inspections that we have changed from just a readiness inspection of a checklist of configuration to an operational readiness inspection that operational evaluation is going to that command to understand. Do they understand what their key cyber terrain is, relevant to their mission, specific to their mission? Therefore, do they know how to protect their mission by protecting that key cyber terrain? Those are the kinds of things that DOT&E has recognized that are really critical for us to move forward and to not have to expand resources tremendously to protect everything equally, but to focus our resources on the things that are most important in the DOD.

Senator Blumenthal. Thank you. Brigadier General Crall.

Brigadier General Crall. Sir, I find it interesting that we answer that question a little bit based on some of our portfolio experience and where we sit. Mr. Deasy talks about, scoping the problem set, which is in the report. Admiral Norton talks about knowing your terrain.
A third in that top three of what they talked about the Department may be doing fairly well at, or at least at the cusp of, is unity of effort. Mr. Deasy has talked about not going our own ways or allowing, these niche solutions that don't really work well together. As one of the implementors of that strategy, we have a strategy that we can execute, we have very clear goals and guidelines, and are really looking to ensure that we do this smartly, that we come together to solve that problem. So, I think those three answers really fit well in the top three that came out of the findings in that report.

Senator Blumenthal. Was lack of unity of effort a problem, do you think?

Brigadier General Crall. I think it has been a problem, sir, to be fair. I think that we've turned a corner on that, that, even well-intentioned people doing business in opposite directions really puts us in a fix. For example, simply putting requirements out on a table and allowing them to be solved in any way, shape, or form sometimes means to get those solutions, to work together as the government needs it to do, especially DOD, you might have more money in emulation and more engineering problems in getting things to fit that are dissimilar than you would if you had a common solution going forward. So, yes, I think it's a fair criticism of past performance, but I'd like to say that I think we're on a different track. And I'm pretty optimistic that we can pull together.

Senator Blumenthal. Thank you. Thank you all.

Senator Rounds. I'd like to follow up just one step further. And I'm going to go to Vice Admiral Norton with this. Today, the Department's cybersecurity architecture appears to be fairly decentralized with, in this particular case, JFHQ-DODIN possessing what I think would be only limited visibility into its components, networks, and endpoints. Number one, is my premise correct? I think it is. Second of all, if it is, then is this because of a policy decision that needs to be changed?
Is it a capacity issue on behalf of JFHQ-DODIN? Or is it a technical problem? Does JFHQ-DODIN need additional resources or authorities to be more effective?

Vice Admiral Norton. Well, first, it was definitely not a policy decision to decentralize the data. Remember, I said that Joint Force Headquarters-DODIN has only been in existence for 4 years. We just reached full operational capability a year ago, this week. So, all of those networks that Senator Manchin talked about--those thousand networks--they all grew up with their own ability to look at their own network independently. Over time, we're starting to aggregate that in a way that does centralize the ability to view that. Over the last year, Joint Force Headquarters-DODIN has made tremendous progress in gaining visibility on all of those networks across the DOD. Certainly at the tier-1 level, at the Internet access points, and at the endpoints, and helping to aggregate, as General Crall said, in some cases in difficult ways, because the technology doesn't necessarily make that easy, because they all acquire those in different ways. But, bringing that data together gives us, at Joint Force Headquarters-DODIN, a much better understanding of what everybody's cyber posture is across all of those networks. We're certainly not perfect. It's certainly not in a manner that is technically easy and quick, based on the disparate kinds of solutions.

Senator Rounds. Specific resource needs?

Vice Admiral Norton. An architecture that allows for the kind of standardization that Mr. Deasy is working on and the policy that requires more standardization that General Crall has talked about, are already in the works. I have the authority, under that Directive Authority for Cyberspace Operations, and have used that authority, to be able to get that data and start to give that visibility to both my forces and to U.S. Cyber Command.

Senator Rounds. Thank you.

Senator Manchin. Just one followup, there. I think, for Mr.
Deasy and General Crall, I understand that there's a so-called cross-functional team composed of a small number of experts from across the Department, which works with both of you. Congress created this cross-functional team. Sometimes we're not always spot-on, to say the least. I want to know if you all agree with this team? Is it functioning well, or are there things we can do to help?

Mr. Deasy. I'll start with that. Much of the work is actually led by General Crall. I think we actually have, for the first time, a series of things that are going on that are well. You have a Secretary and a Deputy, as I mentioned earlier, that are highly actively engaged in this topic. So, you need the top of the house to be highly engaged on this. But, you have a set of leaders that are very impatient, including myself, that are done admiring the problem and are moving into tasking. This is including being less tolerable on people being able to go off and use their own solutions. The authorities that you all gave me, starting this year, around being able to set architectural standards are quite significant. We are now starting to use those new authorities. Finally, you used the term, ``cross"--you know, a team that's been brought together. That, in my opinion, is probably the biggest thing that has helped us, is empowering General Crall by giving him a set of experts that cut across the Department, that are actually helping him now to drive those solutions.

Brigadier General Crall. Sir, Congress got that right. The cross-functional team works. And it has several advantages. It's only as good as it's paid attention to. There are probably examples of some cross-functional teams maybe not producing. But, the cross-functional team that's involved under the PCA is well resourced, in the sense that we've got the right people. The participating agencies that provide representation in the workforce sent us their best. So, I'll start with that. We've got good people.
The second piece is, we can approach problems in ways that don't have some of the biases. You know, we don't have any stake in the fight or any legacy that we hold on to. It really is about the mission. So, we normally come to the table with an advantage in solving some of those problems. It's been instrumental in moving the strategy into implementation.

Senator Manchin. Great. Thank you all so much. Thank you all for being here.

Senator Rounds. Okay. I want to take this opportunity to thank our members and Senator Manchin for participating today. This has been very helpful to us. I'd like to thank our witnesses today for their participation. There were several questions that you indicated you would prefer to answer in a classified setting. I would ask that you provide us with those answers. Committee staff has indicated that you may bring those in at the level of Sensitive Compartmented Information (SCI) in your responses. We would expect you to be able to do that in the next couple of weeks. Okay? With that, I want to thank everyone for participating. This subcommittee meeting is adjourned.

[Whereupon, at 3:55 p.m., the subcommittee adjourned.]

[Questions for the record with answers supplied follow:]

Questions Submitted by Senator Mike Rounds

cyber strategy

1. Senator Rounds. Mr. Deasy, there are myriad weapon systems and enclaves that are often not considered part of the standard network. How do you define the DODIN?

Mr. Deasy. The Department of Defense information network (DODIN) includes all systems, subsystems, or system components (software, firmware, and hardware) performing DOD mission functions. This includes DOD systems, subsystems, and system components used to manage information, interact with the physical environment, or perform a combination of both. Weapons systems, control systems (e.g., industrial control systems), and traditional information systems are considered part of the DODIN.

2. Senator Rounds. Mr.
Deasy, most topics discussed at the hearing were focused on the standard network. What cyber teams are protecting our assets such as nuclear command and control, F-35s, ships, and our aircraft carriers with industrial control systems?

Mr. Deasy. Under U.S. Cyber Command, the Department of Defense has 133 cyber mission force teams operating at full operational capability, protecting Nuclear Command and Control systems, aircraft, ships, and the entirety of the Department. The force conducts a variety of missions:

Cyber National Mission Teams defend the nation by identifying adversary activity, blocking attacks, and maneuvering to defeat them.

Cyber Combat Mission Teams conduct military cyberspace operations in support of combatant commander priorities and missions.

Cyber Protection Teams defend DOD's information network, protect priority missions, and prepare cyber forces for combat.

Cyber Support Teams provide analytic and planning support to national mission and combat mission teams.

Some teams are aligned to combatant commands to support combatant commander priorities and synchronize cyberspace operations with operations in the other four domains--land, sea, air and space--and some are aligned to the individual services for defensive missions. The balance report directly to subordinate command sections of U.S. Cyber Command, the cyber national mission force, and Joint Force Headquarters-DOD Information Network. Specific to Industrial Control Systems (ICS), the Department has a much greater understanding of ICS vulnerabilities and is becoming more proactive in addressing ICS cybersecurity. As the Department continues to modernize capabilities, the use of ICS is increasing with corresponding increase in scope of what must be defended and need for means to prioritize limited cyber-defense resources.
In addition to ensuring availability of trained and qualified personnel to operate the ICS, resources are needed to maintain, update, and protect them just as must be done for traditional IT networks. Providing cybersecurity oversight of ICS by a cybersecurity service provider (CSSP) is a relatively new concept and requires engineering support to develop the toolset and the situational awareness/reporting capabilities necessary for effective defense.

3. Senator Rounds. Mr. Deasy, how is DOD being proactive to assure that security is applied to 5G from the beginning, rather than as an afterthought?

Mr. Deasy. The Department of Defense (DOD) is aggressively working on establishing a DOD 5G Strategy that addresses all aspects of 5G to include security. Deputy Secretary of Defense Shanahan commissioned a number of high level studies to include the Defense Policy Board, the Defense Science Board and the Defense Business Board each with their own area of focus. The results and recommendations from these boards are currently being submitted and evaluated. With specific regard to security it is critical the DOD engage with other Departments and Agencies (National Institute of Standards and Technology, Federal Communications Commission, National Telecommunications and Information Administration), industry, Federally Funded Research and Development Centers / University Affiliated Research Center, and universities to ensure any security objectives meet national requirements.
Although the Department is still working on specific recommendations and courses of actions the DOD Chief Information Officer is considering the following with regards to 5G security and standards:

Resource 5G cyber testbeds

Identify objectives for National Security Policy

Identify vulnerabilities and mitigation plans

Introduce Supply Chain specifications into 5G standards

Support 5G Institute of Electrical and Electronics Engineers Effort on Microelectronics Integrity

Stand-up red/blue team Telecommunications security program(s)

Employ Federal Risk and Authorization Management Program moderate/high security baselines to 5G.

4. Senator Rounds. Mr. Deasy, has the DOD performed a comprehensive risk assessment on cloud computing as well as a comparative analysis on using one cloud service provider versus multiple providers?

Mr. Deasy. The Department continues to perform an ongoing comprehensive risk assessment of cloud security risks. This assessment is not limited to a particular current or future program, but rather is a holistic assessment across the Department's cloud portfolio. The Department's assessment is ongoing, continuously analyzing and understanding how to characterize risks and effectively mitigate them. When considering one cloud service provider versus multiple providers, the Department's strategy incorporates a multiple cloud, multiple vendor environment, which includes General-Purpose cloud and Fit-For-Purpose clouds. The cloud security risks resulting from the aforementioned risk assessment are relevant across the commercial cloud industry. Whether any particular contract is a single award or multiple award does not alter the fact that the Department is a multiple cloud, multiple vendor environment with security risks relevant across all environments.

5. Senator Rounds. Mr.
Deasy, you briefly mentioned the Joint Artificial Intelligence Center (JAIC) and that the JAIC is applying AI and machine learning to solve some of present day's most complex problems. What are some of the problems that the JAIC is solving?

Mr. Deasy. Artificial Intelligence (AI) has the potential to transform every corner of the DOD. AI will enhance the Department's operational effectiveness, improve readiness, and increase efficiency of business practices. To harness the power of AI, the JAIC partners with the Military Services and other components across the Joint Force to systematically identify, prioritize, and select new AI mission initiatives. At the same time, the JAIC will develop a common foundation that is essential for scaling AI's impact across DOD. This foundation includes shared data, reusable tools, frameworks, libraries, and standards, and cloud and edge services. The JAIC will deliver AI capabilities through two means: National Mission Initiatives (NMIs) and Component Mission Initiatives (CMIs). NMIs are broad, joint, hard cross-cutting Artificial Intelligence/Machine Learning challenges that the JAIC will actually take on and run using a proven-successful, cross-functional team approach. CMIs are specific to individual components who are looking for an AI solution to a particular problem. Initially, JAIC is focusing on the following NMIs to deliver mission impact at speed, demonstrate the proof of concept for the JAIC operational model, enable rapid learning and iterative process refinement, and build out a library of reusable tools while validating an enterprise cloud architecture:

Predictive Maintenance to better forecast, diagnose, and manage maintenance issues to reduce costs, increase safety and improve operational efficiency.

Humanitarian Assistance / Disaster Relief to reduce the time associated with search and discovery, resource allocation decisions, and executing rescue and relief operations to save lives and livelihood during disaster operations.

Cyber Sensemaking to detect and deter advanced adversarial cyber actors who infiltrate and operate within the DOD Information Network (DODIN) to increase security, safeguard sensitive information and allow warfighters and engineers to focus on strategic analysis and response.

Future NMIs may include smart automation projects to increase back-office efficiency and effectiveness, and a focus on the National Defense Strategy and operations against peer competitors. These early projects serve a dual purpose:

Deliver new AI-enabled capabilities to end users

Incrementally develop a common foundation that is essential for scaling AI's impact across the Department.

Each of the NMIs and CMIs will contribute to the Department's AI toolset, or common foundation that includes shared data, reusable tools, frameworks, libraries, and standards, and cloud and edge services. As the JAIC builds and scales each project, the Department's ability to harness the full operational potential of AI increases. The benefits to the Department will continue to accrue over time, increasing the level of understanding of AI across the force while accelerating the delivery and adoption of AI throughout DOD.

6. Senator Rounds. Mr. Deasy, have the services finalized their annexes to the DOD AI strategy or have an estimated date of completion?

Mr. Deasy. The United States Marine Corps' annex is complete. The other Services annexes are still being drafted and undergoing coordination throughout the Department.

cyber policy implementation

7. Senator Rounds. Brigadier General Crall, you indicated that you have concerns with industry securing and storing DOD data, as well as having appropriate accesses to that data.
How can Congress help to maintain the security, confidentiality, integrity, and availability of your DOD data?

Brigadier General Crall. Following up on my 29 January testimony, I would like to confirm and further highlight Department of Defense issues, challenges and progress, associated with Data Rights Management. The anecdote I shared during my earlier testimony was based on my time as the USMC Chief Information Officer, but I believe the challenges I highlighted still reflect relevant problems. The Department is addressing some of these issues, while others remain unresolved. These include:

Data Replication (If data is replicated to a foreign country, is the Department now subject to foreign or international laws?)

o Storing data in facilities outside of U.S. legal jurisdiction can subject that data to foreign and international laws. The lack of legal precedents, conflicting case law, and the potential for extraterritorial jurisdiction and secret gag orders placed on the cloud providers, increase these risks. Because of these liabilities, the Department implemented contract clauses in the Defense Federal Acquisition Regulation Supplement (DFARS) that require the cloud contractor to maintain all DOD data within the United States and outlying areas, or in DOD facilities when OCONUS. Under this clause, overseas hosting locations would be limited to U.S. embassies and U.S. military facilities operated under a Status of Forces Agreement (SOFA) that provides for U.S. legal jurisdiction.

Decryption Keys (Who holds them for data at rest and in transit?)

o The Department requires encryption of data-in-transit and data-at-rest using NSA approved cryptographic solutions with the DOD mission owner having control over the management and use of the keys.
In situations where encrypting data with DOD key control is not supported by the service provider, the Mission Owner's Authorizing Official is required to perform a risk analysis and make an informed decision on the risks before transferring data into the commercial cloud. If we decide to . . . then . . . the risk is.

Metadata (Who owns metadata? Can vendors sample or compile metadata?)

o Metadata used for Cloud Service Provider (CSP) operational management and user-experience improvement has the potential to be exploited. This information reveals patterns in workload activity volumes and flows, as well as the relationships of those workload activity volumes and flows to specific users and locations. The Department's cloud contracting clauses establish limitations on the contractor's access to, and use and disclosure of, both government data and metadata. These clauses limit the contractor's use of metadata only to manage the operational environment that supports the Government data and for no other purpose unless otherwise permitted with the prior written approval of the Department.

Accreditation and Assessment (How can we trust vendor accreditation packages?)

The Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. Sec. 3551 et seq., Public Law (P.L.) 113-283, requires a security assessment be performed using the standard processes and controls published by the National Institute of Standards (NIST). Under FISMA, the Federal Government is not permitted to use a cloud service provided by a vendor unwilling to allow a risk assessment performed in accordance with NIST standards. Some vendors have been unwilling to conduct these assessments claiming that costs are high and hard to recoup. Additionally, not all vendors share their assessment documentation (not required to), making it difficult to assess the quality of their work.
It is important to note that the Federal Risk and Authorization Management Program (FedRAMP) effort has been instrumental in helping to address these concerns. For example, FedRAMP allows third-party assessment organizations (3PAOs), a group of certified, independent assessors that can satisfy the requirements of both the Government and the commercial cloud vendors.

Data Return (What happens to the data when a contract is closed?)

o The DFARS cloud computing services clause requires the contractor to provide the Contracting Officer all Government data and metadata in the format specified in the contract and to dispose of the data and metadata in accordance with the terms of the contract. The contractor is required to provide confirmation of the disposition in accordance with contract closeout procedures. The contractor and its employees are not allowed to access, use or disclose Government data unless specifically authorized by the terms of the contract, and then only for the purposes specified in the contract. These prohibitions and obligations survive the expiration or termination of the contract. The DOD is free to take additional steps to secure its data. For example, just as there are utilities that overwrite PC hard drives with zeros, or randomly generated patterns, similar utilities can be deployed in the cloud to overwrite encrypted data before a data deletion request is generated. This step reduces the likelihood of a dataset accidentally not being deleted by the CSP, and being discovered by an adversary that later breaks the encryption code. Despite these procedures, there is no such thing as a true ``return'' of data as electronic copies can exist. This places even greater importance on ensuring the appropriate risk decisions are made concerning encryption; assessments of controls; and where data is placed (classified or general purpose cloud)--no different than in our own environment.

8. Senator Rounds.
Brigadier General Crall, how does the DOD prioritize the Cyber Strategy's lines of effort?

Brigadier General Crall. The Department's Cyber Strategy is distilled into nine Lines of Effort (LOE), each comprising specific objectives and tasks mapped to achieving the LOE end state as well as addressing gaps identified in the Department's Cyber Posture Review. The Department considers all nine LOEs equally important and interconnected in achieving the objectives of the Cyber Strategy. The Office of the Principal Cyber Advisor (OPCA) continues to implement the Cyber Strategy LOEs with emphasis on warfighting outcomes, defense of the nation, and achieving the strategic intent of the National Security Strategy and the National Defense Strategy.

cyber readiness

9. Senator Rounds. Mr. Deasy, our weapon systems are becoming increasingly complex. How is the DOD integrating cybersecurity solutions to maximize interoperability and information sharing in our current threat environment?

Mr. Deasy. Cyber capabilities have opened new opportunities for weapons systems. The weapons systems are becoming increasingly complex, as you stated, but these weapons systems are also integrated into networks and systems of systems as well. This increases cyber complexity and risk to the weapons system, the networks and the mission itself. No single organization in the DOD can hope to solve this problem by themselves. To tackle this problem my office is working across the Services, and DOD Components, through the DOD Cyber Strategy Lines of Effort, to holistically improve how we build and engineer these systems from a cyber-resiliency and security perspective, to ensure the networks these systems rely on are robust and secure to meet mission need, and ensure the cyber workforce and mission forces have the training and tools necessary to maintain and defend these systems.
DOD is working collaboratively to address weapons system cybersecurity implementation during development and in operations and sustainment. My office has implemented policy and guidance changes to improve weapons systems cybersecurity, to include requiring program sponsors to articulate cyber survivability requirements in the JCIDS process and requiring weapons systems assessment and authorization to operate through the cybersecurity Risk Management Framework. USD(A&S) is incorporating cybersecurity into large-scale military exercises to achieve a mission view of survivability in a cyber-contested environment. The DOD Components are leaning forward through efforts such as the Navy's CYBERSAFE initiative, Air Force's Cyber Resiliency Office of Weapon Systems (CROWS), the Army's Task Force Cyber Strong and execution of the Department-wide Fiscal Year 2016 NDAA Section 1647, Evaluation of Cyber Vulnerabilities of Major DOD Weapon Systems, to identify cybersecurity solutions and leverage individual service solutions across the broader DOD enterprise.

10. Senator Rounds. Mr. Deasy, is there a prioritized Defended Asset List for cyber across the DOD?

Mr. Deasy. Defended Asset Lists are maintained by each Combatant Command for their respective defense and task critical assets. Identification of Combatant Command, Military Service, and Agency mission relevant terrain in cyberspace is ongoing and will inform prioritization of critical assets supporting Defense Critical Missions. Cyber defense is dynamic and priorities change based on factors such as missions, threats, vulnerabilities, intelligence, and adversary posturing. Cyber Protection Teams are currently aligned to monitor and secure some of DOD's most critical mission assets.

cyber incident response

11. Senator Rounds. Mr. Deasy, insider threats continue to impact cybersecurity. How is DOD leveraging machine learning and AI as an analytical tool to proactively identify insider threats?

Mr. Deasy.
Detecting insider threats is particularly challenging and requires analysis of cyber and non-cyber information. The Defense Security Service is pursuing a project to improve insider threat detection by leveraging AI to search for anomalous employee behaviors. Partnering with the Army Analytics Group, we're building machine learning models that include security clearance, background investigation, security records, and personnel records (if/when available). The goal is to give context to the AI capability as it seeks to interpret anomalies in the cyber data. If successful, we will be able to detect changes in behavior much earlier and with greater granularity, while keeping the identity of the individual masked unless and until absolutely necessary. If unmasked, we'll put supervisors in a position to have a positive impact on the individual's future through early intervention. The Joint AI Center is planning an AI effort to leverage this DSS project to identify misused user accounts based on cyber data. Together these efforts represent significant initiatives to afford rapid detection of insider threats as well as compromised user accounts.

12. Senator Rounds. Vice Admiral Norton and Brigadier General Crall, you indicated that the DOD has not yet developed a similar benchmark such as CrowdStrike's 1/10/60 for cyber intrusions; however, you indicated that you are looking at the requirements for rapid detection and response, as well as metrics. What requirements and metrics does the DOD use when analyzing cyber incidents and events to prevent future occurrences?

Vice Admiral Norton. The DODIN is comprised of multiple networks, with multiple layers of security across multiple classifications. There are varying levels of cyber professionals securing and defending the thousands of networks that comprise the DODIN.
CJCSM 6510.01B, Cyber Incident Handling Program, is the directive that identifies the system of record (JIMS) and minimum requirements for incident response, and specifies the categories of response along with the requirement for reporting.

Brigadier General Crall. My fellow witness, VADM Norton, is best positioned to provide a response regarding the requirements and metrics used by the DOD when analyzing cyber incidents and events and the prevention of future occurrences.

cyber investment

13. Senator Rounds. Mr. Deasy, China and Russia are making investments in state-sponsored companies to pursue machine learning and AI capabilities. What investments should be the focus of our industrial base to maintain the advantage over China, Russia, and other competitors?

Mr. Deasy. In pursuit of military AI, China relies on both its traditional, state-owned defense enterprises and privately-owned technology companies. For instance, China's large and diverse technology sector is fiercely competitive and entrepreneurial, which provides significant advantages in developing AI systems for both commercial and military applications, compared to Russia. Whereas the United States must rely upon its companies to voluntarily support national security, the Chinese government has many tools available to induce and even coerce the cooperation of Chinese technology firms for military and espionage activities. There are two categories of investments that the Department of Defense needs to make in order to improve our overall competitive position in AI: those that pick low-hanging fruit, and those that address the long-lead items of AI transformation. Low-hanging-fruit project opportunities are those in which the Department already possesses a great deal of data in a format for which there is mature AI technology available. An example would be Project Maven's use of drone video imagery, as image analysis AI technology is mature in the commercial and academic technology community.
Additionally, the Department of Defense had collected far more drone video data than its human analyst community could ever hope to analyze. Currently, the Department of Defense is engaged in an effort to identify other existing datasets that are strong candidates for AI projects. Long-lead AI transformation projects address those aspects of DOD operations where AI could make a powerful impact, but data is not being collected or stored in a way that is easily amenable to machine learning analysis and AI system development. Currently, the DOD possesses large and potentially very useful datasets that continue to be recorded using outdated practices. Even when digital data collection is the norm, the use of different dataset structures and processes may make machine learning data analysis difficult. Over the last decade, leading commercial AI companies began addressing data collection, standardization, and quality improvement activities, to their benefit today. Improving DOD's data management to better enable AI applications development will not be quick or simple. However, addressing data integrity and other AI long-lead items is a vital prerequisite to our goal of transforming the Department of Defense through AI. We are committed to fulfilling the promise of the DOD AI Strategy to ensure that the U.S. military retains its competitive edge.

__________

Questions Submitted by Senator David Perdue

cyber investments

14. Senator Perdue. Mr. Deasy, Vice Admiral Norton, and Brigadier General Crall, our adversaries are making significant investments in their cyber capabilities to include artificial intelligence and machine learning capabilities. What investments is the DOD making to improve our cyber capabilities to include artificial intelligence and machine learning - R&D, industry, universities, personnel, education & training?

Mr. Deasy. The JAIC is establishing a National Mission Initiative for Cyberspace Sensemaking.
This effort is meant to bring advanced but ready AI approaches to improve cybersecurity and cyberspace operations. Our first product lines for this initiative will be: 1) novel event detection; 2) detecting misused user accounts; and 3) network mapping for the cyber mission force. Future product lines will be identified through collaborations with cyber teams, and government and commercial research and development efforts. DSS and the NBIS PEO, in partnership with the Army Analytics Group, are investing in AI-enabled capabilities to look across enterprise cyber audit and user monitoring data, detect minor anomalies, combine it with available contextual information, characterize events/patterns as internal or external threats, then route the evidence packages to the appropriate authorities for action.

Vice Admiral Norton. DISA is currently making several investments in the Artificial Intelligence and Machine Learning (AI & ML) solution arena as well as taking advantage of existing investments within the Department. DISA began teaming with advanced research groups such as DARPA and MIT Lincoln Labs to begin development of cyber-focused AI & ML capabilities; these efforts include a robust cloud-based environment to support the development of advanced AI & ML algorithms. Working with the DOD High Performance Computing Center (HPCC), DISA has been able to leverage the use of supercomputers that will greatly support performance gains on advanced AI & ML solutions. These investments into research will help determine not only the benefits but the strategy for DISA's future implementation of AI & ML architectures. DISA is also currently utilizing the Rapid Innovation Fund (RIF) program, sponsored by the DOD Small Business Office, to contract with small innovative companies who specialize in AI/ML solutions.

Brigadier General Crall. I support the responses from my fellow witnesses, Mr.
Deasy and VADM Norton, on this specific question regarding the investments the DOD is making to improve our cyber capabilities to include artificial intelligence and machine learning.

15. Senator Perdue. Mr. Deasy, Vice Admiral Norton, and Brigadier General Crall, Secretary Deasy testified that DOD is in the initial phases of identifying and possibly certifying certain private companies that can be used to vet expertise within the cybersecurity field that can be used to help in its cybersecurity efforts. Has DOD considered including universities in this effort?

Mr. Deasy. As the DOD CIO has previously testified, the DOD is reviewing the right approaches to assess the ability of private companies and their suppliers to protect DOD sensitive information on their systems and networks. One approach being evaluated is identifying and possibly even certifying companies that can play this role, using the National Institute of Science and Technology (NIST) standards to assess private companies' and their second- and third-tier suppliers' capability to protect DOD information. While at this time no decision has been made, universities may be able to assist the Department.

Vice Admiral Norton. As the DOD CIO has previously testified, the DOD is reviewing the right approaches to assess the ability of private companies and their suppliers to protect DOD sensitive information on their systems and networks. One approach being evaluated is identifying and possibly even certifying companies that can play this role, using the National Institute of Science and Technology (NIST) standards to assess private companies' and their second- and third-tier suppliers' capability to protect DOD information. While at this time no decision has been made, universities may be able to assist the Department.

Brigadier General Crall. My fellow witness, Mr.
Deasy, is best positioned to provide a response regarding the use of universities to vet expertise within the cybersecurity field that can be used to help in our cybersecurity efforts.

16. Senator Perdue. Mr. Deasy, Vice Admiral Norton, and Brigadier General Crall, what investments has DOD made in our universities to grow our cyber force to include artificial intelligence, machine learning, and engineering?

Mr. Deasy. DOD uses a variety of programs to invest in universities. These may be individual partnerships at the DOD Component-level, or enterprise-level investments. For example, in fiscal year 2018, DOD announced awards to 175 university researchers at 91 institutions in 36 states, totaling $53 million through the Defense University Research Instrumentation Program (DURIP). DURIP augments research capabilities at universities conducting cutting edge research for DOD, through the procurement of state-of-the-art equipment. Research areas include:

    Intelligence Collaborative Wireless networks
    Research to Maximize Warrior Performance
    Distributed Deep Learning
    Mobile Sensor System
    Quantitative Metabarcoding of Pollen for Security-Related Forensics
    Observational System for Monitoring and Modeling Group Social Dynamics
    Internet of Things (IoT) Testing capability
    Learning-based Autonomous Systems
    Secure Data Processing Infrastructure

Another example is the DOD Historically Black Colleges & Universities/Minority Institutions (HBCU/MI) Science Program. DOD awarded $25.8M to HBCU/MI institutions in fiscal year 2018 to increase the research and educational capacity of these colleges and universities and foster the entry of underrepresented minorities into STEM disciplines.

Vice Admiral Norton. DISA has established a partnership through the Office of Personnel Management's CyberCorps Scholarship for Service Program. The program provides funds to colleges and universities for student scholarships in support of education in areas relevant to cybersecurity.
In return for the scholarships, recipients agree to work after graduation for the federal government or a federally funded research and development center, in a cybersecurity-related position for a period equal to the length of the scholarship. DISA uses this program to hire students from over 70 colleges and universities across the United States. DISA has also partnered with NSA to administer the DOD Cybersecurity Scholarship Program. This program provides full undergraduate tuition and a $25,000 stipend to students pursuing degrees in information technology, cybersecurity, and information assurance. Participants are obligated to work for the DOD as a civilian employee for one calendar year for each year of scholarship assistance.

Brigadier General Crall. I support the responses from my fellow witnesses, Mr. Deasy and VADM Norton, on this specific question regarding the investments the Department has made with universities to grow our cyber force to include artificial intelligence, machine learning, and engineering.

17. Senator Perdue. Mr. Deasy, Vice Admiral Norton, and Brigadier General Crall, is DOD partnering with universities on cyber education and training to include curriculum, courseware, instruction and instructors?

Mr. Deasy. DOD CIO is a supporting partner and collaborator with the National Security Agency/Department of Homeland Security (NSA/DHS) Centers of Academic Excellence in Cyber Defense (CAE-CD). There are currently 270 colleges and universities designated in the program, including 76 research universities. New CAE designees are announced annually. Requirements for designation include alignment of curriculum, Carnegie research classification, and faculty qualifications to cyber excellence academic standards established by NSA in collaboration with participating colleges and universities.
Additionally, under the DOD Cyber Scholarship Authority in Title 10, DOD provides capacity building grants to selected CAEs each year to enhance faculty and curriculum development.

Vice Admiral Norton. I agree with the DOD CIO: in our effort to equip the Warfighter, under his leadership the CIO is employing cutting-edge approaches to deliver advanced military technologies. This includes Winner Take All competitions (WTAC), Bug Bounties, and Hackathons, as well as traditional acquisition processes. The Department of Defense spends billions of dollars every year on information security. However, until Hack the Pentagon, the DOD had not yet taken advantage of the crowdsourced approach to identifying security vulnerabilities that has gained traction in the private sector. Crowdsourced security brings in world-class security talent that may not otherwise engage with the DOD and allows these experts to contribute to national security missions. More than 6,000 vulnerabilities have been reported in government systems through the Defense Department's crowdsourced security programs and hundreds of thousands of dollars have been paid to ethical hackers. The program has also helped the DOD save millions of dollars across multiple challenges. For instance, the first pilot cost $150,000, while the normal process of hiring an outside firm to do an audit would have cost over $1 million. Effectively executed, Winner Take All speeds acquisition, delivering modernized systems faster, mitigating risk from outdated tools and systems. The competition yields a single winner, which streamlines implementation, smoothing what is already a complex operating environment and minimizing unnecessary friction in battlefield technology. There are potential dangers in WTAC, too, underscoring the need for transparency and fairness in conducting acquisition this way.
WTAC could lead to frustration in the competitive space, potentially stymying competition and even innovation in the global technology market, in the most extreme WTAC worst-case scenario. Given the importance of private sector engineering and innovation, fair and open WTAC are in both the government's and industry's fervent best interest. WTAC enables an innovative private sector to deliver focused technologies and development to the warfighter at the required pace and agility.

Brigadier General Crall. My fellow witness, Mr. Deasy, is best positioned to provide a response regarding the Department's partnership with universities on cyber education and training to include curriculum, courseware, instruction and instructors.

18. Senator Perdue. Mr. Deasy, Vice Admiral Norton, and Brigadier General Crall, is DOD working with our universities to improve their support and cooperation with DOD?

Mr. Deasy. As the DOD CIO has emphasized, the DOD has numerous partnerships with academic institutions to provide research opportunities, faculty development fellowships, curriculum development support, and student scholarships, fellowships, and internships. We also continue to seek new avenues for meaningful collaboration in STEM, cyber, and artificial intelligence topic areas. For example, within the cyber community, the NSA/DHS CAE program has developed a collaborative CAE consortium. Through various grants, these institutions are developing solutions to produce more cybersecurity educators, share curriculum modules, and provide regional assistance to new academic institutions to support their designation as a CAE in Cyber Defense. While some DOD activities are enterprise-level engagements, others benefit specific DOD Components. For example, DOD organizations have participated in the Information Security Research and Education (INSuRE) project.
Through the project, students engage in interdisciplinary, distributed-team research on tasks in the national information security domain. Students bid on and propose work on problems that have been contributed by problem sponsors at government laboratories and research organizations. Research teams are formed and check in with technical advisors at these sponsors. Teleconferencing technology is used to connect students in simultaneous class sessions for problem overviews, student presentations, and other resource presentations. Students prepare formal proposal and report documents, and learn to work with mentors (and sometimes teammates) who are not co-located.

Vice Admiral Norton. As the DOD CIO has emphasized, the DOD has numerous partnerships with academic institutions to provide research opportunities, faculty development fellowships, curriculum development support, and student scholarships, fellowships, and internships. We also continue to seek new avenues for meaningful collaboration in STEM, cyber, and artificial intelligence topic areas. For example, within the cyber community, the NSA/DHS CAE program has developed a collaborative CAE consortium. Through various grants, these institutions are developing solutions to produce more cybersecurity educators, share curriculum modules, and provide regional assistance to new academic institutions to support their designation as a CAE in Cyber Defense. While some DOD activities are enterprise-level engagements, others benefit specific DOD Components. For example, DOD organizations have participated in the Information Security Research and Education (INSuRE) project. Through the project, students engage in interdisciplinary, distributed-team research on tasks in the national information security domain. Students bid on and propose work on problems that have been contributed by problem sponsors at government laboratories and research organizations.
Research teams are formed and check in with technical advisors at these sponsors. Teleconferencing technology is used to connect students in simultaneous class sessions for problem overviews, student presentations, and other resource presentations. Students prepare formal proposal and report documents, and learn to work with mentors (and sometimes teammates) who are not co-located.

Brigadier General Crall. My fellow witness, Mr. Deasy, is best positioned to provide a response on the working relationship with our universities and the current level of support and cooperation with the DOD.

__________

Questions Submitted by Senator Jeanne Shaheen

fiscal year 2019 ndaa implementation

19. Senator Shaheen. Mr. Deasy, Vice Admiral Norton, and Brigadier General Crall, how does the Department of Defense plan to implement sections 1654 and 1655 of the Fiscal Year 2019 NDAA? What is the timeline for implementation? Which offices in DOD will be responsible for the implementation of section 1655? Will DOD seek industry's input while creating corresponding regulations?

Mr. Deasy. The Department is currently engaged in working through the timeline and offices for implementation of Sec. 1654 and Sec. 1655 of the Fiscal Year 2019 NDAA.

Vice Admiral Norton. The Department is currently engaged in working through the timeline and offices for implementation of Sec. 1654 and Sec. 1655 of the Fiscal Year 2019 NDAA.

Brigadier General Crall. The Department is currently engaged in working through the timeline and offices for implementation of Sec. 1654 and Sec. 1655 of the Fiscal Year 2019 NDAA.

__________

Questions Submitted by Senator Martin Heinrich

chinese cyber investments

20. Senator Heinrich. Mr. Deasy, Vice Admiral Norton, and Brigadier General Crall, do you have concerns about the investments China is making in Chinese companies to pursue Artificial Intelligence and Machine Learning capabilities? If so, how important is it for the U.S. to have a robust technology industrial base?

Mr. Deasy.
I agree with the DOD CIO: having a robust technology industrial base is vital to executing our A.I. strategy. One of the JAIC's foundational goals is to develop strong, forward-looking partnerships with industry, and also academia, that are based on the Department's steadfast commitment to ethics, safety, and international law. AI in the DOD will be working to solve really big problems. Commerciality is at the center of what we're trying to accomplish when it comes to the actual algorithms. The Department has to build more expertise with people who have the skills needed. The President's Executive Order speaks to the need to build that in the United States over the next 10 years. With the Defense Industrial Base, the Department will build mutual capacity through AI or data sharing initiatives, communicating key areas of focus for AI, and coordinating missions that link defense firms with non-traditional AI providers for teaming opportunities.

Vice Admiral Norton. I agree with the DOD CIO: in our effort to equip the Warfighter, under his leadership the CIO is employing cutting-edge approaches to deliver advanced military technologies. This includes Winner Take All competitions (WTAC), Bug Bounties, and Hackathons, as well as traditional acquisition processes. The Department of Defense spends billions of dollars every year on information security. However, until Hack the Pentagon, the DOD had not yet taken advantage of the crowdsourced approach to identifying security vulnerabilities that has gained traction in the private sector. Crowdsourced security brings in world-class security talent that may not otherwise engage with the DOD and allows these experts to contribute to national security missions. More than 6,000 vulnerabilities have been reported in government systems through the Defense Department's crowdsourced security programs and hundreds of thousands of dollars have been paid to ethical hackers.
The program has also helped the DOD save millions of dollars across multiple challenges. For instance, the first pilot cost $150,000, while the normal process of hiring an outside firm to do an audit would have cost over $1 million. Effectively executed, Winner Take All speeds acquisition, delivering modernized systems faster, mitigating risk from outdated tools and systems. The competition yields a single winner, which streamlines implementation, smoothing what is already a complex operating environment and minimizing unnecessary friction in battlefield technology. There are potential dangers in WTAC, too, underscoring the need for transparency and fairness in conducting acquisition this way. WTAC could lead to frustration in the competitive space, potentially stymying competition and even innovation in the global technology market, in the most extreme WTAC worst-case scenario. Given the importance of private sector engineering and innovation, fair and open WTAC are in both the government's and industry's fervent best interest. WTAC enables an innovative private sector to deliver focused technologies and development to the warfighter at the required pace and agility.

Brigadier General Crall. My fellow witnesses, Mr. Deasy and VADM Norton, are better positioned to provide a response regarding China's investments in Chinese companies pursuing Artificial Intelligence and Machine Learning capabilities as well as the gauge of importance for the U.S. to have a robust technology industrial base.

21. Senator Heinrich. Mr. Deasy, Vice Admiral Norton, and Brigadier General Crall, how do winner take all competitions help bolster or hinder a robust industrial base?

Mr. Deasy. In our effort to equip the Warfighter, under my leadership the CIO is employing cutting-edge approaches to deliver advanced military technologies. This includes Winner Take All competitions (WTAC), Bug Bounties, and Hackathons, as well as traditional acquisition processes.
The Department of Defense spends billions of dollars every year on information security. However, until Hack the Pentagon, the DOD had not yet taken advantage of the crowdsourced approach to identifying security vulnerabilities that has gained traction in the private sector. Crowdsourced security brings in world-class security talent that may not otherwise engage with the DOD and allows these experts to contribute to national security missions. More than 6,000 vulnerabilities have been reported in government systems through the Defense Department's crowdsourced security programs and hundreds of thousands of dollars have been paid to ethical hackers. The program has also helped the DOD save millions of dollars across multiple challenges. For instance, the first pilot cost $150,000, while the normal process of hiring an outside firm to do an audit would have cost over $1 million. Effectively executed, Winner Take All speeds acquisition, delivering modernized systems faster, mitigating risk from outdated tools and systems. The competition yields a single winner, which streamlines implementation, smoothing what is already a complex operating environment and minimizing unnecessary friction in battlefield technology. There are potential dangers in WTAC, too, underscoring the need for transparency and fairness in conducting acquisition this way. WTAC could lead to frustration in the competitive space, potentially stymying competition and even innovation in the global technology market, in the most extreme WTAC worst-case scenario. Given the importance of private sector engineering and innovation, fair and open WTAC are in both the government's and industry's fervent best interest. WTAC enables an innovative private sector to deliver focused technologies and development to the warfighter at the required pace and agility.

Vice Admiral Norton.
I agree with the DOD CIO: in our effort to equip the Warfighter, under his leadership the CIO is employing cutting-edge approaches to deliver advanced military technologies. This includes Winner Take All competitions (WTAC), Bug Bounties, and Hackathons, as well as traditional acquisition processes. The Department of Defense spends billions of dollars every year on information security. However, until Hack the Pentagon, the DOD had not yet taken advantage of the crowdsourced approach to identifying security vulnerabilities that has gained traction in the private sector. Crowdsourced security brings in world-class security talent that may not otherwise engage with the DOD and allows these experts to contribute to national security missions. More than 6,000 vulnerabilities have been reported in government systems through the Defense Department's crowdsourced security programs and hundreds of thousands of dollars have been paid to ethical hackers. The program has also helped the DOD save millions of dollars across multiple challenges. For instance, the first pilot cost $150,000, while the normal process of hiring an outside firm to do an audit would have cost over $1 million. Effectively executed, Winner Take All speeds acquisition, delivering modernized systems faster, mitigating risk from outdated tools and systems. The competition yields a single winner, which streamlines implementation, smoothing what is already a complex operating environment and minimizing unnecessary friction in battlefield technology. There are potential dangers in WTAC, too, underscoring the need for transparency and fairness in conducting acquisition this way. WTAC could lead to frustration in the competitive space, potentially stymying competition and even innovation in the global technology market, in the most extreme WTAC worst-case scenario. Given the importance of private sector engineering and innovation, fair and open WTAC are in both the government's and industry's fervent best interest.
WTAC enables an innovative private sector to deliver focused technologies and development to the warfighter at the required pace and agility.

Brigadier General Crall. My fellow witnesses, Mr. Deasy and VADM Norton, are better positioned to provide a response regarding the industrial base.

artificial intelligence and machine learning capabilities

22. Senator Heinrich. Mr. Deasy, in the last 3 years, how much has the DOD invested in classified and unclassified accounts on Artificial Intelligence and Machine Learning capabilities? Please delineate by budget accounts and line items.

Mr. Deasy. In the past, the Department of Defense has not delineated the budget/costs for Artificial Intelligence (AI) or Machine Learning capabilities. In fiscal year 2018 the DOD CIO established the Joint Artificial Intelligence Center (JAIC) and, in June 2018, published a DOD Artificial Intelligence Strategy. Additionally, on December 4, 2018 my office issued supplemental budget guidance requiring DOD Components to report their AI budget requests for JAIC, AI National Mission Initiatives, and AI Component Initiatives within the DOD IT/Cyberspace Activities budget.

cyber infrastructure and security

23. Senator Heinrich. Mr. Deasy, Vice Admiral Norton, and Brigadier General Crall, what are the benefits and risks of placing most of our national security sensitive data within the infrastructure of a single cloud provider?

Mr. Deasy. Applications and data within a single cloud environment are able to maximize the native security features of cloud technology, which include robust and automated failover and redundancy features. In addition, one of the main benefits is operationalizing data through data analytics, machine learning, and artificial intelligence. Having the ability to consolidate and pool data significantly reduces barriers to providing access to the necessary data where and when needed for our warfighters to maximize mission effectiveness.
Other examples of benefits the Department will see are having data pooled to enhance deep synthetic training of machine learning based on robust data sets, which will increase readiness and lethality. The general benefits of cloud computing, such as rapid provisioning, increased availability, elasticity, on-demand usage and automated logging, apply to all levels of data and are integrated within a single provider environment. The risks are managed according to the sensitivity of the data by adding controls at the specified security level. It is also important to note that a single cloud environment does not mean that all data and applications are hosted in a single physical environment where everything is vulnerable to a single attack. Rather, the provider will have varying levels of logical and physical isolation available, based on the sensitivity of the data, which will work in concert with the Department's existing cyber security tool sets. Leveraging a single versus multiple cloud provider environment reduces the number of potential vulnerabilities, since with each provider comes additional connection points and accreditations, resulting in the possible increase in both vulnerabilities and time/cost.

Vice Admiral Norton. As the DOD CIO has emphasized, applications and data within a single cloud environment are able to maximize the native security features of cloud technology, which include robust and automated failover and redundancy features. In addition, one of the main benefits is operationalizing data through data analytics, machine learning, and artificial intelligence. Having the ability to consolidate and pool data significantly reduces barriers to providing access to the necessary data where and when needed for our warfighters to maximize mission effectiveness.
Other examples of benefits the Department will see is having data pooled to enhance deep synthetic training of machine learning based on robust data sets, which will increase readiness and lethality. The general benefits of cloud computing, such as rapid provisioning, increased availability, elasticity, on demand usage and automated logging, apply to all levels of data and are integrated within a single provider environment. The risks are managed according to the sensitivity of the data by adding controls at the specified security level. It is also important to note that a single cloud environment does not mean that all data and applications are hosted in a single physical environment where everything is vulnerable to a single attack. Rather, the provider will have varying levels of logical and physical isolation available, based the sensitivity of the data, which will work in concert with the Department's existing cyber security tool sets. Leveraging a single versus multiple cloud provider environment reduces the number of potential vulnerabilities, since with each provider comes additional connection points and accreditations, resulting in the possible increase in both vulnerabilities and time/cost. Brigadier General Crall. My fellow witnesses, Mr. Deasy and VADM Norton, are better positioned to provide a response regarding the benefits and risks of placing most of our national security sensitive data within the infrastructure of a single cloud provider. 24. Senator Heinrich. Mr. Deasy, Vice Admiral Norton, and Brigadier General Crall, what are the security benefits and risks of cloud diversity? Mr. Deasy. The benefits of cloud diversity include more variety of choices in services, partnerships and unique solutions along with the increased availability of hosting locations. However, technical complexity increases, based on the number of cloud providers and available offerings. 
Cloud diversity may introduce substantial technical burden to the Department, because the systems in different clouds, even when designed to work together, will require complex integration and ongoing management. User training must be specific to each cloud environment; thus, it means additional training, and in certain circumstances, specific skills must be learned for the integration of more than one provider. The greater the number and diversity of cloud provider solutions and services, the greater the demand for a cyber workforce with varied skills in a Department already facing a challenge in hiring and maintaining qualified personnel. Each provider offers specific services based on proprietary solutions, which will each need individual authorization. These factors increase the burdens on the Department's resources. Vice Admiral Norton. I agree with the DOD CIO, the benefits of cloud diversity include more variety of choices in services, partnerships and unique solutions along with the increased availability of hosting locations. However, technical complexity increases, based on the number of cloud providers and available offerings. Cloud diversity may introduce substantial technical burden to the Department, because the systems in different clouds, even when designed to work together, will require complex integration and ongoing management. User training must be specific to each cloud environment; thus, it means additional training, and in certain circumstances, specific skills must be learned for the integration of more than one provider. The greater the number and diversity of cloud provider solutions and services, the greater the demand for a cyber workforce with varied skills in a Department already facing a challenge in hiring and maintaining qualified personnel. Each provider offers specific services based on proprietary solutions, which will each need individual authorization. These factors increase the burdens on the Department's resources. 
Brigadier General Crall. My fellow witnesses, Mr. Deasy and VADM Norton, are better positioned to respond regarding the security benefits and risks of cloud diversity. 25. Senator Heinrich. Mr. Deasy, Vice Admiral Norton, and Brigadier General Crall, what is the DOD doing to address the risk of insider threats? Mr. Deasy. In accordance with Executive Order 13587--Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, DOD is implementing a strategic and layered approach to strengthen the governance, management and mitigation of insider threats as it relates to technology, people, and processes. First, with respect to technology, the Department is actively improving both user and network monitoring to better mitigate insider threats. DOD organizations are employing User Activity Monitoring tools and analysis to monitor individual user activities on computers accessing and storing information. In addition, we are developing new tactics, techniques, and procedures that increase our ability to detect and report cyber insider threat events on information networks. Second, with respect to people and processes, the insider threat must be addressed through understanding the individual and their interaction points with the Department. Thus, the Department is investing in the area of insider threat social and behavioral sciences (SBS) and considers this one of its strategic pillars. DOD researchers and social scientists have partnered with industrial and academic entities to conduct a number of SBS projects that will help understand the human and the behaviors of insiders. Building on the outcome of these projects, we are modernizing and strengthening the hiring process and changing organizational processes and culture to encourage reporting (including identification for self-help). 
We must be able to detect and manage at-risk employees early-on so any potential threats may be mitigated as early as possible. Finally, the Department takes a proactive approach to protect the privacy and civil liberties of its employees and contractors. Accordingly, all Insider Threat and cyber security related policy and procedures are reviewed and cleared by the DOD Privacy, Civil Liberties, and Transparency Division prior to release or implementation. Vice Admiral Norton. In accordance with Executive Order 13587-- Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, DOD is implementing a strategic and layered approach to strengthen the governance, management and mitigation of insider threats as it relates to technology, people, and processes. First, with respect to technology, the Department is actively improving both user and network monitoring to better mitigate insider threats. DOD organizations are employing User Activity Monitoring tools and analysis to monitor individual user activities on computers accessing and storing information. In addition, we are developing new tactics, techniques, and procedures that increase our ability to detect and report cyber insider threat events on information networks. Second, with respect to people and processes, the insider threat must be addressed through understanding the individual and their interaction points with the Department. Thus, the Department is investing in the area of insider threat social and behavioral sciences (SBS) and considers this one of its strategic pillars. DOD has partnered with industrial and academic entities to conduct a number of SBS projects that will help understand the behaviors of insiders. Building on the outcome of these projects, we are strengthening the hiring process and changing organizational processes and culture to encourage reporting (including identification for self-help). 
We must be able to detect and manage at-risk employees so any potential threats are mitigated as early as possible. Finally, the Department takes a proactive approach to protect the privacy and civil liberties of its employees and contractors. Accordingly, all Insider Threat and cyber security related policy and procedures are reviewed and cleared by the DOD Privacy, Civil Liberties, and Transparency Division prior to release or implementation. Brigadier General Crall. My fellow witnesses, Mr. Deasy and VADM Norton, are better positioned to respond to the DOD's efforts to address the risk of insider threats.